True unfreedom is building a cage inside your own heart.

PTE Practical Exercise: A Comprehensive Challenge

Set up the environment and open it in VMware; the password is admin123.

Port Scanning

The firewall is enabled by default, so ping-based host discovery does not work.

Two ports matter here: 1433 (the database, MSSQL's default port) and 27689 (the web application).

Web Application

Browsing to port 27689 shows the following login interface:

Tried weak passwords, without success.

Directory Scanning

Use Yujian for directory scanning.

The scan turns up a robots.txt file.

It also reveals a backup file, web.config.bak; downloading it exposes the database account and password.

Database Connection

The port scan showed 1433 open on the target, so connect to the database with Navicat using those credentials.

Found a key in the database.

Next, look in the database for the website's back-end login password.

Backend Login

Logging in to the back end with that account and password reveals a key.

The backend has a file upload function.

Requesting any uploaded file returns an error page that discloses the physical upload path:

D:\web\upfile\affix\

File Upload

First upload an ordinary image file.

In the screenshot, the image numbered 44 carries a file description:

Note: if the file name is too long, the system will truncate it to the first 32 characters (including the system time) and use that as the file name. Please do not use an overly long file name. We apologize for any inconvenience caused.

The system's own truncation can be used to drop the .jpg extension from the uploaded file name: according to the notice, everything beyond the first 32 characters is discarded.

The stored name has the format 18-digit number + "-" + image name + image extension. To end up with an .aspx file, the fixed parts (the 18 digits, the hyphen and ".aspx") take 24 characters, leaving 8 for the image name; so the image name must be exactly 8 characters, and everything after ".aspx", including the original .jpg, is cut off.
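The defect described above is validation before truncation: the extension is checked on the name the client sent, but the name written to disk is a different, shortened string. The following is an added example, not the target application's code (which the write-up does not show): a Python model of the assumed vulnerable naming logic next to a hardened version that never reuses the client's base name and re-validates the final name, plus a check a defender can run over a listing of the upload directory. The image whitelist and the executable-extension list are assumptions.

```python
import os
import secrets

MAX_LEN = 32                                     # limit stated in the upload form's notice
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}  # assumed image whitelist
TICKS = "638252986630625000"                     # 18-digit timestamp prefix seen in the write-up


def stored_name_vulnerable(client_name, ticks=TICKS):
    """Assumed reconstruction of the handler: the client-supplied extension is
    checked first, then '<ticks>-<client name>' is built and cut to MAX_LEN."""
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension %r not allowed" % ext)
    return ("%s-%s" % (ticks, client_name))[:MAX_LEN]  # truncated AFTER the check


def stored_name_fixed(client_name, ticks=TICKS, token=""):
    """Hardened version: the client's base name is never reused, the stored name is
    ticks + random token + whitelisted extension, nothing is ever truncated, and
    the final on-disk name is validated again so its meaning cannot change."""
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension %r not allowed" % ext)
    token = token or secrets.token_hex(4)        # 8 hex chars; a fixed token only for tests
    name = "%s-%s%s" % (ticks, token, ext)
    if len(name) > MAX_LEN:                      # fail closed rather than truncate
        raise ValueError("generated name exceeds %d characters" % MAX_LEN)
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise ValueError("final name is not an allowed image type")
    return name


# Extensions IIS/ASP.NET may execute instead of serving as static content
# (assumed list, includes classic-ASP mappings from the IIS 6 era).
SERVER_EXEC_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".asa", ".cer"}


def audit_upload_dir(listing):
    """Detection: return names in the upload directory whose extension the
    web server could execute; `listing` is an iterable of file names."""
    return [n for n in listing if os.path.splitext(n)[1].lower() in SERVER_EXEC_EXT]


if __name__ == "__main__":
    crafted = "88888888.aspx.jpg"                 # constructed; same shape as in the write-up
    print("vulnerable stores:", stored_name_vulnerable(crafted))
    print("fixed stores:     ", stored_name_fixed(crafted, token="a1b2c3d4"))
    listing = ["638252986630625000-88888888.aspx", "638252986630625000-a1b2c3d4.jpg"]  # constructed
    print("flagged on disk:  ", audit_upload_dir(listing))
```

Run the audit periodically against the real upload directory (D:\web\upfile\affix\ in this lab) so that a stored file whose extension the server can execute is detected even if the upload handler is not patched.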

Prepare a file named accordingly:

After upload, the stored file name has the .jpg cut off, as shown below.

Webshell Connection

Build the webshell URL from the disclosed physical path (D:\web\upfile\affix\ maps to /upfile/affix/ on the site):

D:\web\upfile\affix\

http://192.168.10.22:27689/upfile/affix/638252986630625000-88888888.aspx

Checking the current user shows only ordinary (non-administrator) privileges.

Meanwhile, the second key can be found in the website's web directory.

The last key is on the desktop of the Administrator directory, but the current user does not have permission to read that directory's contents.

Database Connection to Retrieve Key as sa

Searching the web root further turns up D:/web/web.config.bak.2017-12-12, which contains the database sa account credentials.

Log in to the database with the sa account; from there xp_cmdshell can simply be used to read the files.

use master;
-- xp_cmdshell runs an OS command under the SQL Server service account;
-- here it lists the Administrator's desktop (桌面 = Desktop) to locate the key.
exec master..xp_cmdshell 'dir "c:\Documents and Settings\Administrator\桌面\"'

This yields the last key.

Environment download link: https://pan.baidu.com/s/140cLWvmzs0CauuA_JOro5A
Extraction code: 6666
