banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

pte-Practical Exercise: A Comprehensive Question

#考证224
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
This text provides instructions on how to set up the environment and open it using VMware with the password "admin123". It mentions that the default firewall is enabled and ping scanning is disabled. The important ports to note are the database port 1433 and web port 27689. It discusses attempts to crack weak passwords and performs directory scanning. It finds a backup file called web.config.bak and retrieves the database account password from it. The text also mentions connecting to the database using port 1433 and finding a key within it. It discovers a website backend password and mentions the ability to upload files. It notes that accessing an uploaded file results in an error message with a displayed path. The text explains the process of uploading a file and connecting to a webshell using the website's path. It mentions the user's permissions and the presence of keys in the website's web directory. It also discusses the last key being in the administrator directory, which cannot be accessed without permission. The text suggests connecting to the database using the "sa" account to retrieve the key. It mentions finding the file "D:/web/web.config.bak.2017-12-12" and using the "sa" account to access it. The text concludes by providing a link to the environment.

Prepare the environment and open it with VMware, the password is admin123.

Port Scanning#

The firewall is enabled by default, and ping scanning is disabled.

image

Pay attention to the following ports: database port 1433 and web port 27689.

Web Application#

Access port 27689, the interface is as follows:

image

Attempted weak password but no success.

Directory Scanning#

Use Yujian for directory scanning.

robots.txt file

image

Found a backup file web.config.bak, downloaded it and found the database account password from the file.

image

Database Connection#

Based on the previous port information, the target has port 1433 open. Use Navicat to connect.

image

Found a key in the database.

image

Looking for the website's backend password.

image.png

Backend Login#

Logged in to the backend with the account password and found a key.

image.png

The backend has a file upload function.

image.png

Accessing an uploaded file randomly will display an error message with the path shown.

image.png

D:\web\upfile\affix\

File Upload#

Upload a normal image file randomly.

image.png

In the image above, you can see that the image with number 44 has a file description.

Note: If the file name is too long, the system will truncate it to the first 32 characters, including the system time, as the file name. Please do not use a file name that is too long. We apologize for any inconvenience caused.

You can use the system's truncation function to remove the .jpg extension from the uploaded file. According to the above prompt, the truncation will start at 32 characters. Truncate the content to 32 characters.

The file name format is 18-digit number + - + image name + image extension. We need to upload an .aspx file, so besides the image name, we have 24 characters, and we need 8 more characters. This means the image name needs to be 8 characters.

Prepare the following files:

image.png

The uploaded file will look like this:

image.png

Webshell Connection#

Concatenate the webshell URL based on the website path.

D:\web\upfile\affix\

http://192.168.10.22:27689/upfile/affix/638252986630625000-88888888.aspx

image.png

View the current user's permissions, which are normal user permissions.

image.png

At the same time, in the website's web directory, you can find the second key.

image.png

The last key is on the desktop in the administrator directory, but we don't have permission to access the contents of this directory at the moment.

image.png

Database Connection to Retrieve Key as sa#

Continue to search for the website's configuration file and find the file D:/web/web.config.bak.2017-12-12 containing the sa account for the database.

image.png

Log in to the database using the sa account, and then use xp_cmdshell to view the files, right?

use master;
exec master..xp_cmdshell 'dir "c:\Documents and Settings\Administrator\桌面\"'

image.png

Obtained the last key.

image.png

Environment Link#

Link: https://pan.baidu.com/s/140cLWvmzs0CauuA_JOro5A
Password: 6666

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.