banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

pte-Practical Tactical Card System

#考证647
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
This is a practical exercise where the task is to crack the password for the admin username on a website. The process involves capturing packets and discovering that the authentication method is Authorization. By decoding the base64 encoded traversal point, the username and password are found to be admin:123. Using this information, a payload is set up to brute force the password. The successful result is the username and password admin:qwerty. After logging in with these credentials, a key is obtained. Weak password login attempts are unsuccessful, but accessing the robots.txt file reveals an SQL file. The SQL file contains an admin username and an MD5 encrypted password. The password is cracked and found to be qwerty. Directory traversal is attempted, and a scan with the tool "御剑" reveals a phpmyadmin directory, but it requires authentication. The next step is to brute force the directory with authentication. However, no useful information is found. Logging in with the cracked MD5 password is successful, and the backend interface allows for image uploads. Attempting to upload a PHP file directly fails, but changing the content-type to image/jpeg allows for successful file upload. A webshell link is copied from the backend page and accessed with base64 authentication. The webshell connection is successful, providing system-level privileges. An account is added, and port 3389 is opened using the system's built-in tools. The created account cannot access the key, so the administrator's password needs to be modified. The key is found in the recycle bin and can be restored.

This is also a practical question. Opening the website page shows an authentication page, which tells us that the username is admin, so we need to crack the password.

image

Packet capture reveals that it is Authorization authentication.

image

Send the packet to intruder and set the traversal node.

image

The above traversal point is base64 encoded. After decoding, it is admin:123, so we need to set the payload to match this format.

image

Set payload type: Custom iterator.

image

The first value is the username admin.

image

The second value is a colon.

image

The third value loads the dictionary file.

image

Add payload processing to base64 the above content (admin:123).

image

After setting is complete, you can start the brute force attack and successfully obtain the result.

image

Obtained username and password: admin.

image

After logging in with the username and password, there is a key.

image

Try weak password login, but it is unsuccessful. Access robots.txt to see if there are any other directories, and find an SQL file.

image

Try to access the SQL file and find an account and password for the admin user, with the password encrypted in MD5.

image

Crack the MD5 and find the password: qwerty.

image

Try directory traversal to see if there are other directories. Use a scanner and find phpmyadmin, but it shows 401 unauthorized.

image

Since there is no authentication, you can only use authentication to brute force the directory.

image

No useful information is found through brute force.

image

Log in with the password cracked by MD5 and successfully log in. The backend interface is as follows:

image

There is a function to upload images in the backend. Try file upload.

Directly uploading a PHP file fails.

image

Change the content-type to image/jpeg format, and the file is uploaded successfully.

image

Go back to the backend page and copy the link.

image

The webshell link is http://10.1.10.71/uploadfile/16899143312s.php. Connect to the webshell, add HTTP headers, and use base64 authentication.

image

Encode in base64.

image

Successfully connect to the webshell.

image

Execute commands with system privileges.

image

Add an account.

image

Enable port 3389, directly use the system's built-in tools to enable it.

image

The key cannot be obtained with the account created by oneself, so the administrator's password needs to be modified.

image

The key is in the recycle bin, restore it.

image

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.