lca

True lack of freedom is the cage you build in your own heart.

pte-Practical Tactical Card System

This is also a practical question. Opening the website page shows an authentication page, which tells us that the username is admin, so we need to crack the password.

Capturing the request shows that the credentials are sent in the Authorization header.

Send the request to Intruder and mark the payload position.

The marked value is Base64-encoded. Decoded, it is admin:123, so the payload must be generated in this format.

Set payload type: Custom iterator.

The first value is the username admin.

The second value is a colon.

The third value loads the dictionary file.

Add a payload processing rule that Base64-encodes the combined value (for example admin:123).

Once this is configured, start the brute-force attack; it successfully returns a result.

Obtained username and password: admin.

After logging in with the username and password, there is a key.

Trying weak passwords at the login is unsuccessful. Check robots.txt for other directories; it reveals an SQL file.

Open the SQL file: it contains an account and password for the admin user, with the password stored as an MD5 hash.

Cracking the MD5 hash gives the password: qwerty.

Enumerate directories to see whether there are others. A scanner finds phpmyadmin, but it returns 401 Unauthorized.

Since we have no credentials for it, the only option is to brute-force the authentication on that directory.

No useful information is found through brute force.

Log in with the password recovered from the MD5 hash; the login succeeds. The backend interface is as follows:

There is a function to upload images in the backend. Try file upload.

Directly uploading a PHP file fails.

Change the Content-Type to image/jpeg, and the file is uploaded successfully.
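
Why changing the header was enough, seen from the server side: the added example below (not code from the original post or from the lab application) contrasts a check that trusts the client-supplied Content-Type with one that ignores it. It is written in Python for illustration; the function names, the extension allowlist and the sample uploads are assumptions constructed for this example.

```python
import os
import secrets

# Assumed allowlist: extension -> leading magic bytes of that image format.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def weak_check(filename, content_type, data):
    """The kind of check the bypass implies: only the client-supplied header is tested."""
    return content_type in ("image/jpeg", "image/png", "image/gif")

def hardened_check(filename, content_type, data):
    """Return a server-generated storage name, or None if the upload is rejected.

    content_type is ignored on purpose: the client controls it.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base:
        return None
    ext = os.path.splitext(base)[1].lower()
    signatures = MAGIC.get(ext)
    if signatures is None:               # extension not on the allowlist (.php, ...)
        return None
    if not data.startswith(signatures):  # content does not match the claimed format
        return None
    # Random name: the uploader never chooses the stored name or any extra extension.
    return secrets.token_hex(16) + ext

# Constructed sample uploads (not taken from the lab).
PHP_AS_JPEG = ("s.php", "image/jpeg", b"<?php /* placeholder */ ?>")
PHP_NAMED_JPG = ("s.jpg", "image/jpeg", b"<?php /* placeholder */ ?>")
REAL_PNG = ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)

if __name__ == "__main__":
    for sample in (PHP_AS_JPEG, PHP_NAMED_JPG, REAL_PNG):
        print(sample[0], "weak:", weak_check(*sample),
              "hardened:", hardened_check(*sample))
```

Magic bytes alone do not stop a file that is both a valid image and a script, so the upload directory should also be configured so that the web server never executes files from it.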

Go back to the backend page and copy the link.

The webshell link is http://10.1.10.71/uploadfile/16899143312s.php. Connect to the webshell, add HTTP headers, and use base64 authentication.

Encode in base64.

Successfully connect to the webshell.

Execute commands with system privileges.

Add an account.

Enable port 3389 using the system's built-in tools.

The key cannot be obtained with the newly created account, so the administrator's password needs to be changed.

The key is in the Recycle Bin; restore it.