lca


PTE - Practical Card System

This is also a practical question. Opening the site shows an authentication prompt that tells us the username is admin, so the password has to be brute-forced.

image

Capture the request and find that the credentials are sent in an Authorization header.

image

Send the request to Intruder and mark the payload position.

image

The marked position is Base64-encoded; decoded, it reads admin:123, so the payload has to be built in the same format.

image

Set payload type: Custom iterator.

image

The first value is the username admin.

image

The second value is a colon.

image

The third value loads the dictionary file.

image

Add a payload processing rule that Base64-encodes the assembled value (in the form admin:123).

image

Once the settings are complete, start the brute force; it successfully returns a result.

image

Obtain the username and password admin.

image

After logging in with the username and password, there is a key.

image

Try weak password login, but it is unsuccessful. Access robots.txt to see if there are any other directories, and find an SQL file.

image

Access the SQL file and find an account and password for the admin user, with the password stored as an MD5 hash.

image

Crack the MD5 and find the password qwerty.

image

Try directory enumeration to see if there are other directories. A scan with Yujian finds phpmyadmin, but it returns 401.

image

Because the scan carried no auth credentials, the only option is to brute-force the directories with the auth header attached.

image

No useful information was found through brute force.

image

Log in with the password recovered from the MD5 hash; the login succeeds. The backend interface is as follows:

image

There is a function to upload images in the backend, so try file upload.

Directly uploading PHP files fails.

image

Change the Content-Type to image/jpeg, and the file upload succeeds.

image
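The upload is accepted because the check relies on the Content-Type header, which the client controls. The following is an added example, not code from the target application: `weak_check` is an assumed model of the bypassed check, `strict_check` is one hardened alternative, and all names and sample files are constructed.

```python
import os
import secrets

# Allowlist: extension -> magic bytes a file of that type must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def weak_check(filename, content_type, data):
    """Assumed model of the bypassed check: trusts the client-sent header."""
    return content_type.startswith("image/")

def strict_check(filename, content_type, data):
    """Return a server-chosen storage name, or None to reject the upload.

    content_type is accepted but ignored because the client controls it.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base:
        return None
    ext = os.path.splitext(base)[1].lower()
    magics = ALLOWED.get(ext)
    if magics is None:               # .php, .phtml, no extension, ...
        return None
    if not data.startswith(magics):  # content must match the claimed type
        return None
    # Never reuse the client's name; only an allowlisted extension is stored.
    return secrets.token_hex(16) + ext

# Constructed sample uploads (not taken from the write-up).
PHP_BODY = b"<?php /* placeholder */ ?>"
JPEG_BODY = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
SAMPLES = [
    ("upload.php", "image/jpeg", PHP_BODY),   # script with spoofed header
    ("photo.jpg", "image/jpeg", JPEG_BODY),   # genuine image
    ("photo.jpg", "image/jpeg", PHP_BODY),    # image name, script content
]

def compare():
    """Return (filename, weak verdict, strict verdict) for each sample."""
    return [(n, weak_check(n, t, d), strict_check(n, t, d) is not None)
            for n, t, d in SAMPLES]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

Storing uploads outside the web root, or in a directory where the server does not execute scripts, covers the case where a file still slips past these checks.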

Go back to the backend page and copy the link.

image

The webshell URL is http://10.1.10.71/uploadfile/16899143312s.php. Connect to the webshell, adding an HTTP header that carries the Base64 authentication.

image

Encode it with Base64.

image

Successfully connect to the webshell.

image

Execute commands with system privileges.

image

Add an account.

image

Open port 3389 directly with the system's built-in tools.

image

The key cannot be obtained with the account I created, so the administrator's password needs to be changed.

image

The key is in the recycle bin, so restore it.

image
