This is also a hands-on challenge. Opening the site shows an authentication prompt that tells us the username is admin, so the password has to be brute forced.
Capturing the request shows that it uses HTTP Basic authentication via the Authorization header.
Send the request to Intruder and mark the position to iterate over.
The marked position is base64 encoded; decoding it gives admin:123, so the payload has to be built to match that format.
Set payload type: Custom iterator.
The first value is the username admin.
The second value is a colon.
The third value loads the dictionary file.
Add a payload processing rule that base64-encodes the assembled value (e.g. admin:123).
Once the configuration is complete, start the attack; the brute force succeeds.
Obtain the username and password for the admin account.
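From the defender's side, the guessing described above leaves a run of 401 responses that all carry a Basic Authorization header. The script below is an added example, not part of the original write-up: it decodes that header from constructed log lines to recover the targeted username (the password is discarded) and flags any client that exceeds a failure threshold, noting when a success follows the failures. The log format with the Authorization header appended as a final quoted field is an assumption about how logging was configured.

```python
import base64
import re
from collections import defaultdict

# Constructed sample (not from the original write-up): common log format with the
# Authorization header appended as a final quoted field (an assumed logging setup).
SAMPLE_LOG = """\
10.1.10.5 - - [11/Jul/2023:10:15:01 +0800] "GET /admin/ HTTP/1.1" 401 381 "Basic YWRtaW46MTIz"
10.1.10.5 - - [11/Jul/2023:10:15:01 +0800] "GET /admin/ HTTP/1.1" 401 381 "Basic YWRtaW46cGFzc3dvcmQ="
10.1.10.5 - - [11/Jul/2023:10:15:02 +0800] "GET /admin/ HTTP/1.1" 401 381 "Basic YWRtaW46bGV0bWVpbg=="
10.1.10.5 - - [11/Jul/2023:10:15:02 +0800] "GET /admin/ HTTP/1.1" 401 381 "Basic YWRtaW46YWRtaW4xMjM="
10.1.10.5 - - [11/Jul/2023:10:15:03 +0800] "GET /admin/ HTTP/1.1" 200 5120 "Basic YWRtaW46cXdlcnR5"
10.1.10.9 - - [11/Jul/2023:10:16:05 +0800] "GET /index.php HTTP/1.1" 200 2048 "-"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ \S+ [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<auth>[^"]*)"$')

def basic_auth_user(header):
    """Username from a 'Basic <base64>' header, or None if absent, not Basic or
    not valid base64. The password is decoded but discarded, never reported."""
    if not header.startswith("Basic "):
        return None
    try:
        creds = base64.b64decode(header[6:], validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, sep, _password = creds.partition(":")
    return user if sep else None

def find_basic_auth_bruteforce(log_text, threshold=3):
    """Count 401s per (client IP, attempted username); report pairs at or above
    threshold and whether a 2xx for the same pair followed (guess succeeded)."""
    failures = defaultdict(int)
    later_success = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unexpected format: skip rather than crash
        user = basic_auth_user(m["auth"])
        if user is None:
            continue  # unauthenticated request or unparsable header
        key = (m["ip"], user)
        status = int(m["status"])
        if status == 401:
            failures[key] += 1
        elif 200 <= status < 300 and failures[key] >= threshold:
            later_success.add(key)
    return {k: {"failures": n, "later_success": k in later_success}
            for k, n in failures.items() if n >= threshold}
```

A `later_success` of True for a flagged pair is the case worth paging on: the 401 burst was followed by an accepted login for the same user from the same client.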
After logging in with the username and password, there is a key.
Try logging in with weak passwords, without success. Check robots.txt for other directories and find an SQL file.
Access the SQL file and find the admin user's account and password; the password is stored as an MD5 hash.
Crack the MD5 hash; the password is qwerty.
Try directory enumeration to look for other directories: scanning with Yujian finds phpmyadmin, but it returns 401.
Since we have no credentials for it, the only option is to brute force that directory's authentication.
The brute force turns up nothing useful.
Log in with the password recovered from the MD5 hash; the login succeeds. The back-end interface is as follows:
The back end has an image upload function, so try a file upload.
Uploading a PHP file directly fails.
Changing the Content-Type to image/jpeg makes the upload succeed.
Go back to the backend page and copy the link.
The webshell URL is http://10.1.10.71/uploadfile/16899143312s.php. When connecting to the webshell, add an HTTP header to pass the Basic authentication.
Encode the credentials with base64.
Successfully connect to the webshell.
Execute commands with system privileges.
Add an account.
Open port 3389 directly with the system's built-in tools.
The key cannot be obtained with the account I created, so the administrator's password has to be changed.
The key is in the Recycle Bin, so restore it.