![\"image-20240320172456611\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201954978.png\")
<\/div><\/p>\n\u914d\u7f6e\u9776\u573a<\/h2>\n
\u611f\u89c9\u8981\u574f\u4e8b\uff0c\u626b\u4e00\u4e0b\uff0c\u4e0d\u80fd\u626b\u51fa\u6765\u8fd8\u662f\u8001\u8001\u5b9e\u5b9e\u7528 \u4f3c\u4e4e\u626b\u5230\u4e86\u4e3b\u673a\u7684 ip \uff1a<\/p>\n \u4ec0\u4e48\uff1f\u4f60\u6000\u5ff5\u90a3\u4e2a\u9ab7\u9ac5\u5934\uff1f<\/p>\n<\/blockquote>\n \u67e5\u770b\u4e00\u4e0b\u90a3\u4e2a\u4e3b\u673a\u7684IP\u5bf9\u4e0d\u5bf9\u5427\uff1a<\/p>\n \u611f\u89c9\u54ea\u91cc\u4e0d\u5bf9\u52b2\u3002<\/p>\n \u8fde\u63a5\u4e0a\u7aef\u53e3\u770b\u4e00\u4e0b\u6709\u4e9b\u5565\uff1a<\/p>\n \u5bc4\uff0c\u73af\u5883\u6ca1\u914d\u597d\u4e00\u70b9\uff0c\u6de6\uff0c\u65e9\u77e5\u9053\u770b\u4e00\u773cmac\u5730\u5740\u4e86\u3002<\/p>\n \u91cd\u65b0\u914d\u7f6e\uff0c\u628akali\u548c\u9776\u673a\u90fd\u641e\u6210NAT+\u6865\u63a5\u4e86\uff0c\u7136\u540e\u987a\u4fbf\u5207\u6362\u6210\u70ed\u70b9\u4e86\uff0c\u8bd5\u8bd5\uff1a<\/p>\n \u7591\u4f3c\uff0c\u626b\u63cf\u4e00\u4e0b\uff1a<\/p>\n \u5e94\u8be5\u662f\u8fd9\u4e2a\u4e86\u3002<\/p>\n \u8bbf\u95ee\u4e00\u4e0b\u626b\u51fa\u6765\u7684\u76ee\u5f55\uff0c\u6ca1\u5565\u6536\u83b7\uff0c\u5c1d\u8bd5ftp\u8fde\u63a5\u4e00\u4e0b\uff0c\u53d1\u73b0\u626b\u63cf\u7ed3\u679c\u663e\u793a\u53ef\u4ee5\u4f7f\u7528 \u5c1d\u8bd5\u83b7\u53d6\u4e00\u4e0b\u8fd9\u4e2a\u6587\u4ef6\uff1a<\/p>\n \u6211\u64e6\uff0c\u5927\u6982\u5c31\u662f\u5b89\u5168\u5458\u8981\u79bb\u5f00\u4e00\u4e0b\uff0c\u8ba9\u522b\u4eba\u5e2e\u5fd9\u770b\u4e0b\u673a\u5b50\u3002\u3002\u3002\u3002<\/p>\n \u65e2\u7136\u6709 \u8fd9\u6837\u624d\u626b\u5230\uff0c\u770b\u6765\u4ee5\u540e\u5f97\u5c0f\u5fc3\u8fd9\u79cd\u4e8b\u60c5\u53d1\u751f\u4e86\u3002<\/p>\n \u5c1d\u8bd5\u4e0a\u4f20\u4e00\u4e2a\u4e00\u53e5\u8bdd\u6728\u9a6c\uff01\u53d1\u73b0\u4f3c\u4e4e\u7981\u6b62\u4f20\u8f93 \u5c06\u6587\u4ef6\u540d\u4e0d\u5e26\u540e\u7f00\uff0c\u7136\u540e\u6293\u5305\u6dfb\u52a0\u540e\u7f00\u4e3a\uff1a \u7a81\u7136\u60f3\u8d77\u6765\u53ef\u4ee5\u76f4\u63a5\u5f39shell\uff1a<\/p>\n \u7136\u540e\u641c\u96c6\u53d1\u73b0\uff1a<\/p>\n \u53d1\u73b0 Liceo \u4eca\u5929\u65b0\u4e0a\u7684\u9776\u573a\uff0c\u633a\u65b0\u9c9c\uff0c\u6253\u5f00\u770b\u4e00\u4e0b\uff1a \u914d\u7f6e\u9776\u573a \u611f\u89c9\u8981\u574f\u4e8b\uff0c\u626b\u4e00\u4e0b\uff0c\u4e0d\u80fd\u626b\u51fa\u6765\u8fd8\u662f\u8001\u8001\u5b9e\u5b9e\u7528vir […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-431","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/431","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=431"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/431\/revisions"}],"predecessor-version":[{"id":432,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/431\/revisions\/432"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=431"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=431"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=431"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}virtualbox<\/code>\u505a\u5427\u3002\u3002<\/p>\n![\"image-20240320173001693\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201954980.png\")
<\/div><\/p>\n\n
sed -i 's\/prompt_symbol=\u327f\/prompt_symbol=\ud83d\udc80\/' ~\/.zshrc\nsource ~\/.zshrc<\/code><\/pre>\n![\"image-20240320173210897\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201954981.png\")
<\/div><\/p>\nrustscan -a 10.161.61.78 -- -A -sT -T4 -sV<\/code><\/pre>\nOpen 10.161.61.78:903\nOpen 10.161.61.78:913\nOpen 10.161.61.78:4002\nOpen 10.161.61.78:5040\nOpen 10.161.61.78:5357<\/code><\/pre>\nnc 10.161.61.78 903\n# 220 VMware Authentication Daemon Version 1.10: SSL Required, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC , , NFCSSL supported\/t, <\/code><\/pre>\n![\"image-20240320180912965\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201954982.png\")
<\/div><\/p>\n![\"image-20240320180943969\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201954983.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n
\u7aef\u53e3\u626b\u63cf<\/h3>\n
rustscan -a 10.0.2.7 -- -A -sT -T4 -sV<\/code><\/pre>\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nReal hackers hack time \u231b\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 10.0.2.7:21\nOpen 10.0.2.7:22\nOpen 10.0.2.7:80\n[~] Starting Script(s)\n[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")\n\nPORT STATE SERVICE REASON VERSION\n21\/tcp open ftp syn-ack vsftpd 3.0.5\n| ftp-syst: \n| STAT: \n| FTP server status:\n| Connected to ::ffff:10.0.2.4\n| Logged in as ftp\n| TYPE: ASCII\n| No session bandwidth limit\n| Session timeout in seconds is 300\n| Control connection is plain text\n| Data connections will be plain text\n| At session startup, client count was 3\n| vsFTPd 3.0.5 - secure, fast, stable\n|_End of status\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_-rw-rw-r-- 1 1000 1000 191 Feb 01 14:29 note.txt\n22\/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n| 256 68:4c:42:8d:10:2c:61:56:7b:26:c4:78:96:6d:28:15 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEwZ1vknI6B5ldjpFrlrBx3wmdRq0g9D2vHkGSZF0mqDslvgXA+SYmiBN3ETYhTH8Hh1tVKjGtZADp40fHMfQ1I=\n| 256 7e:1a:29:d8:9b:91:44:bd:66:ff:6a:f3:2b:c7:35:65 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDWFL2zQHLdSxoHaT8QP6jL3ok4bNN0uWWAMCwK7a5Nx\n80\/tcp open http syn-ack Apache httpd 2.4.52 ((Ubuntu))\n|_http-server-header: Apache\/2.4.52 (Ubuntu)\n| http-methods: \n|_ Supported Methods: GET POST OPTIONS HEAD\n|_http-title: Liceo\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n
gobuster dir -u http:\/\/10.0.2.7\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -t 60<\/code><\/pre>\n\/images (Status: 301) [Size: 305] [--> http:\/\/10.0.2.7\/images\/]\n\/uploads (Status: 301) [Size: 306] [--> http:\/\/10.0.2.7\/uploads\/]\n\/css (Status: 301) [Size: 302] [--> http:\/\/10.0.2.7\/css\/]\n\/js (Status: 301) [Size: 301] [--> http:\/\/10.0.2.7\/js\/]\n\/server-status (Status: 403) [Size: 273]<\/code><\/pre>\nferoxbuster -u http:\/\/10.0.2.7<\/code><\/pre>\n200 GET 11l 40w 2246c http:\/\/10.0.2.7\/images\/c2.png\n301 GET 9l 28w 301c http:\/\/10.0.2.7\/js => http:\/\/10.0.2.7\/js\/\n301 GET 9l 28w 305c http:\/\/10.0.2.7\/images => http:\/\/10.0.2.7\/images\/\n200 GET 8l 14w 753c http:\/\/10.0.2.7\/images\/call.png\n200 GET 13l 60w 4621c http:\/\/10.0.2.7\/images\/c1.png\n200 GET 19l 67w 4742c http:\/\/10.0.2.7\/images\/f1.png\n200 GET 9l 35w 1909c http:\/\/10.0.2.7\/images\/c4.png\n200 GET 191l 308w 3216c http:\/\/10.0.2.7\/css\/responsive.css\n200 GET 10038l 19587w 192348c http:\/\/10.0.2.7\/css\/bootstrap.css\n301 GET 9l 28w 306c http:\/\/10.0.2.7\/uploads => http:\/\/10.0.2.7\/uploads\/\n200 GET 317l 1858w 171993c http:\/\/10.0.2.7\/images\/experience-img.jpg\n200 GET 9l 14w 14126c http:\/\/10.0.2.7\/css\/style.css.map\n200 GET 2l 1276w 88145c http:\/\/10.0.2.7\/js\/jquery-3.4.1.min.js\n200 GET 229l 1429w 169780c http:\/\/10.0.2.7\/images\/freelance-img.jpg\n301 GET 9l 28w 302c http:\/\/10.0.2.7\/css => http:\/\/10.0.2.7\/css\/\n200 GET 3l 13w 1071c http:\/\/10.0.2.7\/images\/linkedin.png\n200 GET 4l 7w 256c http:\/\/10.0.2.7\/images\/menu.png\n200 GET 569l 3608w 288111c http:\/\/10.0.2.7\/images\/slider-img.png\n200 GET 3l 10w 681c http:\/\/10.0.2.7\/images\/c3.png\n200 GET 5l 17w 726c http:\/\/10.0.2.7\/images\/location.png\n200 GET 12l 38w 3001c http:\/\/10.0.2.7\/images\/f4.png\n200 GET 3l 13w 708c http:\/\/10.0.2.7\/images\/quote.png\n200 GET 20l 35w 448c http:\/\/10.0.2.7\/js\/custom.js\n200 GET 7l 23w 1461c http:\/\/10.0.2.7\/images\/c5.png\n200 GET 14l 78w 5070c http:\/\/10.0.2.7\/images\/f3.png\n200 GET 10l 35w 1896c http:\/\/10.0.2.7\/images\/c6.png\n200 GET 6l 17w 918c http:\/\/10.0.2.7\/images\/mail.png\n200 GET 621l 1442w 21487c http:\/\/10.0.2.7\/index.html\n200 GET 878l 1703w 17458c http:\/\/10.0.2.7\/css\/style.css\n200 GET 4440l 10999w 131868c http:\/\/10.0.2.7\/js\/bootstrap.js\n200 GET 200l 1784w 176281c http:\/\/10.0.2.7\/images\/about-img.jpg\n200 GET 4l 7w 497c http:\/\/10.0.2.7\/images\/prev-angle.png\n200 GET 5l 26w 2031c http:\/\/10.0.2.7\/images\/instagram.png\n200 GET 5l 48w 1493c http:\/\/10.0.2.7\/images\/fb.png\n200 GET 13l 56w 3899c http:\/\/10.0.2.7\/images\/logo.png\n200 GET 9l 37w 3663c http:\/\/10.0.2.7\/images\/f2.png\n200 GET 621l 1442w 21487c http:\/\/10.0.2.7\/\n200 GET 792l 1274w 12988c http:\/\/10.0.2.7\/css\/style.scss\n200 GET 3l 11w 353c http:\/\/10.0.2.7\/images\/next.png\n200 GET 5l 9w 430c http:\/\/10.0.2.7\/images\/prev.png\n200 GET 4l 12w 414c http:\/\/10.0.2.7\/images\/next-angle.png\n200 GET 4l 11w 1080c http:\/\/10.0.2.7\/images\/youtube.png\n200 GET 8l 23w 1323c http:\/\/10.0.2.7\/images\/twitter.png\n200 GET 3l 10w 524c http:\/\/10.0.2.7\/images\/search-icon.png<\/code><\/pre>\n\u6f0f\u6d1e\u5229\u7528<\/h2>\n
![\"image-20240320181510968\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201954984.png\")
<\/div><\/p>\nAnonymous<\/code>\u767b\u5f55\uff1a<\/p>\n![\"image-20240320182829656\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201954985.png\")
<\/div><\/p>\n![\"image-20240320183253256\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201954986.png\")
<\/div><\/p>\nuploads<\/code>\u6587\u4ef6\u5939\uff0c\u90a3\u4e48\u5e94\u8be5\u6709\u4e0a\u4f20\u70b9\u624d\u5bf9\u554a\uff0c\u5c1d\u8bd5\/upload.php<\/code>\u53d1\u73b0\u786e\u5b9e\u6709\uff0c\u771f\u5947\u602a\uff0c\u5c45\u7136\u6ca1\u626b\u5230\uff1a<\/p>\ngobuster dir -u http:\/\/10.0.2.7\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -t 60 -r 2 -x php,txt,html,png<\/code><\/pre>\n\/.html (Status: 403) [Size: 273]\n\/uploads (Status: 200) [Size: 739]\n\/images (Status: 200) [Size: 6711]\n\/index.html (Status: 200) [Size: 21487]\n\/.php (Status: 403) [Size: 273]\n\/upload.php (Status: 200) [Size: 371]\n\/css (Status: 200) [Size: 1742]\n\/js (Status: 200) [Size: 1343]\n\/.php (Status: 403) [Size: 273]\n\/.html (Status: 403) [Size: 273]\n\/server-status (Status: 403) [Size: 273]<\/code><\/pre>\nphp<\/code>\uff0c\u6362\u4e00\u4e2a\u540d\u5b57php4<\/code>\u8bd5\u8bd5\uff0c\u4f3c\u4e4e\u6210\u529f\u4e86\uff0c\u6253\u5f00\u770b\u4e00\u4e0b\uff0c\u8fde\u63a5\u4e00\u4e0b\uff0c\u8fde\u63a5\u4e0d\u4e0a\u554a\u3002\u3002\u3002<\/p>\nphtml<\/code>\uff0c\u6210\u529f<\/p>\n![\"image-20240320192512082\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201954987.png\")
<\/div><\/p>\n![\"image-20240320194043934\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201954988.png\")
<\/div><\/p>\n\u63d0\u6743<\/h2>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n
![\"image-20240320194647839\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201954989.png\")
<\/div><\/p>\n71ab613fa286844425523780a7ebbab2<\/code><\/pre>\n$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/snap\/snapd\/20671\/usr\/lib\/snapd\/snap-confine\n\/snap\/snapd\/21184\/usr\/lib\/snapd\/snap-confine\n\/snap\/core20\/2105\/usr\/bin\/chfn\n\/snap\/core20\/2105\/usr\/bin\/chsh\n\/snap\/core20\/2105\/usr\/bin\/gpasswd\n\/snap\/core20\/2105\/usr\/bin\/mount\n\/snap\/core20\/2105\/usr\/bin\/newgrp\n\/snap\/core20\/2105\/usr\/bin\/passwd\n\/snap\/core20\/2105\/usr\/bin\/su\n\/snap\/core20\/2105\/usr\/bin\/sudo\n\/snap\/core20\/2105\/usr\/bin\/umount\n\/snap\/core20\/2105\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/2105\/usr\/lib\/openssh\/ssh-keysign\n\/snap\/core20\/1974\/usr\/bin\/chfn\n\/snap\/core20\/1974\/usr\/bin\/chsh\n\/snap\/core20\/1974\/usr\/bin\/gpasswd\n\/snap\/core20\/1974\/usr\/bin\/mount\n\/snap\/core20\/1974\/usr\/bin\/newgrp\n\/snap\/core20\/1974\/usr\/bin\/passwd\n\/snap\/core20\/1974\/usr\/bin\/su\n\/snap\/core20\/1974\/usr\/bin\/sudo\n\/snap\/core20\/1974\/usr\/bin\/umount\n\/snap\/core20\/1974\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/1974\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/snapd\/snap-confine\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/passwd\n\/usr\/bin\/pkexec\n\/usr\/bin\/newgrp\n\/usr\/bin\/gpasswd\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/bin\/chfn\n\/usr\/bin\/mount\n\/usr\/bin\/umount\n\/usr\/bin\/sudo\n\/usr\/bin\/bash\n\/usr\/bin\/fusermount3\n\/usr\/libexec\/polkit-agent-helper-1<\/code><\/pre>\nbash<\/code>\u6709suid<\/code>\uff0c\u5229\u7528\u4e00\u4e0b\uff1a<\/p>\n![\"image-20240320195344655\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201954990.png\")
<\/div><\/p>\nBF9A57023EDD8CFAB92B8EA516676B0D<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"