$ nmap -A -Pn -T4 -p- 10.10.10.110
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 21:42 EDT
Nmap scan report for 10.10.10.110
Host is up (0.29s latency).
Not shown: 65462 closed ports, 70 filtered ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.4p1 Debian 10+deb9u5 (protocol 2.0)
| ssh-hostkey:
|   2048 bd:e7:6c:22:81:7a:db:3e:c0:f0:73:1d:f3:af:77:65 (RSA)
|   256 82:b5:f9:d1:95:3b:6d:80:0f:35:91:86:2d:b3:d7:66 (ECDSA)
|_  256 28:3b:26:18:ec:df:b3:36:85:9c:27:54:8d:8c:e1:33 (ED25519)
443/tcp  open  ssl/http nginx 1.15.8
|_http-server-header: nginx/1.15.8
|_http-title: About
| ssl-cert: Subject: commonName=craft.htb/organizationName=Craft/stateOrProvinceName=NY/countryName=US
| Not valid before: 2019-02-06T02:25:47
|_Not valid after:  2020-06-20T02:25:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
| tls-nextprotoneg:
|_  http/1.1
6022/tcp open  ssh      (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-Go
| ssh-hostkey:
|_  2048 5b:cc:bf:f1:a1:8f:72:b0:c0:fb:df:a3:01:dc:a6:fb (RSA)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port6022-TCP:V=7.80%I=7%D=5/1%Time=5EACD7D6%P=x86_64-pc-linux-gnu%r(NUL
SF:L,C,"SSH-2\.0-Go\r\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2030.05 seconds
The two commits to look at are c414b16057 and 10e3ba4f0a; of these, c414b16057 contains a code execution vulnerability:
@@ -38,9 +38,13 @@ class BrewCollection(Resource): """ Creates a new brew entry. """ - - create_brew(request.json) - returnNone, 201 + + # make sure the ABV value is sane. + if eval('%s > 1' % request.json['abv']): + return"ABV must be a decimal value less than 1.0", 400 + else: + create_brew(request.json) + returnNone, 201 @ns.route('/<int:id>') @api.response(404, 'Brew not found.')
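Review bot: the added check `eval('%s > 1' % request.json['abv'])` passes a client-supplied JSON field to `eval`, so whatever string arrives in `abv` is interpreted as Python inside the API process before any validation has happened. Parse the value instead, for example `abv = float(request.json['abv'])` inside a `try` that returns 400 on `KeyError`, `TypeError` or `ValueError`, and then compare the resulting number. Also note that the error text says "less than 1.0" while the condition is `> 1`, so an `abv` of exactly 1.0 is accepted; use `>= 1` if the message states the intended rule.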
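# assumes `connection` is an already-open database connection
try:
    with connection.cursor() as cursor:
        # read the username and password columns of the user table
        sql = "SELECT `username`, `password` FROM `user`"
        cursor.execute(sql)
        result = cursor.fetchall()
        print(result)
finally:
    # release the connection even if the query fails
    connection.close()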
Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.
[email protected]:~$ vault ssh -role root_otp -mode otp [email protected]
Vault could not locate "sshpass". The OTP code for the session is displayed below. Enter this code in the SSH password prompt. If you install sshpass, Vault can automatically perform this step for you.
OTP for the session is: a66d769f-f1e3-e3bd-9b52-2cfb7edcd85b