banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

pte- Practical Card System

#考证644
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
This is a practical exercise where the user needs to crack the password for the admin username. The user discovers that the website uses Authorization authentication. They use a base64-encoded payload to brute force the password and successfully obtain the username and password as admin:qwerty. They find an SQL file with an encrypted password, which they crack to find the password qwerty. They attempt directory traversal and find a phpmyadmin directory but are unable to access it due to authentication. They successfully log in using the cracked password and find an upload image function. They attempt to upload a PHP file but fail, but succeed when they change the content-type to image/jpeg. They copy the webshell link and connect to it using base64 authentication. They gain system privileges and add an account. They enable port 3389 and use the system's built-in tools to open it. They are unable to retrieve the key and need to change the administrator's password. The key is found in the recycle bin and can be restored.

This is also a practical question. When opening the website page, it is an authentication page, telling us that the username is admin, so we need to brute force the password.

image

Capture the packet and find that it is an Authorization authentication.

image

Send the packet to intruder and set the traversal node.

image

The above traversal point is base64 encoded, and after decoding, it is admin:123, so we need to set the payload to match its format.

image

Set payload type: Custom iterator.

image

The first value is the username admin.

image

The second value is a colon.

image

The third value loads the dictionary file.

image

Add payload processing to base64 the above content (admin:123).

image

After setting is complete, you can start brute forcing and successfully obtain the result.

image

Obtain the username and password admin.

image

After logging in with the username and password, there is a key.

image

Try weak password login, but it is unsuccessful. Access robots.txt to see if there are any other directories, and find an SQL file.

image

Try to access the SQL file and find an account and password for the admin user, with the password encrypted in MD5.

image

Crack the MD5 and find the password qwerty.

image

Try directory traversal to see if there are other directories. Use Yujian to scan and find phpmyadmin, but it shows 401.

image

Due to the lack of auth authentication, we can only brute force the directory with auth authentication.

image

No useful information was found through brute force.

image

Log in with the password cracked by MD5 and successfully log in. The backend interface is as follows:

image

There is a function to upload images in the backend, so try file upload.

Directly uploading PHP files fails.

image

Change the content-type to image/jpeg format, and the file upload is successful.

image

Go back to the backend page and copy the link.

image

The webshell link is http://10.1.10.71/uploadfile/16899143312s.php. Connect to the webshell, add HTTP headers, and perform base64 authentication.

image

Encode with base64 encoding.

image

Successfully connect to the webshell.

image

Execute commands with system privileges.

image

Add an account.

image

Open port 3389, directly use the system's built-in tools to open.

image

The key cannot be obtained with the account created by myself, so the administrator's password needs to be modified.

image

The key is in the recycle bin, so restore it.

image

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.