https://blog.qife122.com/tags/%E6%8F%90%E6%9D%83/ Recent content in 提权 on 办公AI智能小助手 Hugo zh-cn qife Tue, 13 Jan 2026 05:15:14 +0800 https://blog.qife122.com/p/%E5%88%A9%E7%94%A8%E5%A0%86%E9%A3%8E%E6%B0%B4%E4%B8%8Exfg%E7%BB%95%E8%BF%87%E7%9A%84cve-2024-26230%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/ Tue, 13 Jan 2026 05:15:14 +0800 https://blog.qife122.com/p/%E5%88%A9%E7%94%A8%E5%A0%86%E9%A3%8E%E6%B0%B4%E4%B8%8Exfg%E7%BB%95%E8%BF%87%E7%9A%84cve-2024-26230%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/ <h1 id="一个技巧cve-2024-26230的故事">一个技巧：CVE-2024-26230的故事</h1> <p><strong>作者：k0shl，来自Cyber Kunlun</strong></p> <p><strong>摘要</strong></p> <p>2024年4月，微软修复了电话服务中的一个释放后使用漏洞，该漏洞由我报告并被分配为CVE-2024-26230。我已经完成了漏洞利用，并采用了一个有趣的技巧来绕过Windows 11上的XFG缓解措施。</p> https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/ Mon, 12 Jan 2026 16:30:12 +0800 https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/ <h1 id="solo-a-pixel-6-pro-story-当仅需一个漏洞时--star-labs">Solo: A Pixel 6 Pro Story (当仅需一个漏洞时) | STAR Labs</h1> <p><strong>June 5, 2025 · 36 min · Lin Ze Wei</strong></p> <h2 id="目录">目录</h2> <ul> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#root-cause-analysis">Root Cause Analysis</a> <ul> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#cve-2023-48409">CVE-2023-48409</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#what-is-config_hardened_usercopy">What is CONFIG_HARDENED_USERCOPY?</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#the-missing-piece-cve-2023-26083">The Missing Piece: CVE-2023-26083</a></li> </ul> </li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#one-bug-to-root">One Bug to Root</a> <ul> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#physmap-spraying">Physmap Spraying</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#pagetable-spraying">Pagetable Spraying</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#from-physical-to-virtual-converting-our-primitive">From Physical to Virtual: Converting Our Primitive</a></li> </ul> </li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#androids-unique-challenges">Android&rsquo;s Unique Challenges</a> <ul> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#bypassing-androids-app-sandbox">Bypassing Android&rsquo;s App Sandbox</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#disabling-selinux-enforcement">Disabling SELinux Enforcement</a></li> </ul> </li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#a-surprise-discovery">A Surprise Discovery</a> <ul> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#understanding-the-timeline-stream-leak">Understanding the Timeline Stream Leak</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#command-stream-frontend">Command Stream Frontend</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#the-golden-object-kbase_context">The Golden Object: kbase_context</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#cleaning-up-making-the-exploit-practical">Cleaning Up: Making the Exploit Practical</a></li> </ul> </li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#conclusion">Conclusion</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#references">References</a></li> </ul> <h2 id="root-cause-analysis">Root Cause Analysis</h2> <h3 id="cve-2023-48409">CVE-2023-48409</h3> <p>在12月2023年的Pixel安全公告中提到了该漏洞。通过回滚设备版本至UP1A.231005.007进行验证。漏洞描述为：在<code>gpu_pixel_handle_buffer_liveness_update_ioctl</code>函数中，由于整数溢出可能导致越界写入，本地攻击者无需额外权限即可提权。</p> https://blog.qife122.com/p/%E5%88%A9%E7%94%A8tensorflow%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E4%B8%8Ebackrest%E6%8F%90%E6%9D%83%E5%AE%9E%E6%88%98/ Sun, 26 Oct 2025 12:52:57 +0800 https://blog.qife122.com/p/%E5%88%A9%E7%94%A8tensorflow%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E4%B8%8Ebackrest%E6%8F%90%E6%9D%83%E5%AE%9E%E6%88%98/ <h1 id="初始侦察">初始侦察</h1> <h2 id="端口扫描">端口扫描</h2> <p>nmap扫描发现两个开放端口：</p> <ul> <li>SSH (22)</li> <li>HTTP (80)</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nmap -p- -vvv --min-rate <span class="m">10000</span> 10.10.11.74 </span></span><span class="line"><span class="cl">nmap -p 22,80 -sCV 10.10.11.74 </span></span></code></pre></td></tr></table> </div> </div><p>网站重定向到artificial.htb，将其添加到/etc/hosts文件。</p> https://blog.qife122.com/p/htb-lustroustwo%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E5%85%A8%E8%A7%A3%E6%9E%90%E4%BB%8Ekerberos%E8%AE%A4%E8%AF%81%E5%88%B0velociraptor%E6%8F%90%E6%9D%83/ Tue, 23 Sep 2025 14:35:54 +0800 https://blog.qife122.com/p/htb-lustroustwo%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E5%85%A8%E8%A7%A3%E6%9E%90%E4%BB%8Ekerberos%E8%AE%A4%E8%AF%81%E5%88%B0velociraptor%E6%8F%90%E6%9D%83/ <h1 id="htb-lustroustwo">HTB: LustrousTwo</h1> <h2 id="box-info">Box Info</h2> <table> <thead> <tr> <th>属性</th> <th>值</th> </tr> </thead> <tbody> <tr> <td>名称</td> <td>LustrousTwo</td> </tr> <tr> <td>发布日期</td> <td>2025年7月31日</td> </tr> <tr> <td>操作系统</td> <td>Windows</td> </tr> <tr> <td>难度</td> <td>困难 [40分]</td> </tr> <tr> <td>创建者</td> <td>xct</td> </tr> </tbody> </table> <h2 id="侦察阶段">侦察阶段</h2> <h3 id="初始扫描">初始扫描</h3> <p>nmap发现24个开放TCP端口，包括典型的Windows域控制器服务：</p>