banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

pte-Practical Exercise: A comprehensive question

#考证314
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
This text provides instructions and steps for accessing a virtual machine using VMware with the password "admin123". It mentions that the default firewall is enabled and ping scanning is disabled. It highlights two important ports, the database port 1433 and the web port 27689. It discusses attempts to find weak passwords and perform directory scanning. It mentions finding a backup file with database credentials and connecting to the database using Navicat. It explores the website's backend, including file uploads and accessing uploaded files. It mentions finding keys in different locations but lacking permission to access the last one. It suggests connecting to the database using the "sa" account to view files. The text concludes by providing a link to access the environment.

Prepare the environment and open it with VMware, the password is admin123.

Port Scanning#

The firewall is enabled by default, and ping scanning is disabled.

image

Pay attention to the following ports: database port 1433 and web port 27689.

Web Application#

Access port 27689, the interface is as follows:

image

Attempted weak password but failed.

Directory Scanning#

Use Yujian for directory scanning.

robots.txt file

image

Found a backup file web.config.bak, download it and find the database account and password from the file.

image

Database Connection#

Based on the previous port information, port 1433 is open on the target. Use Navicat to connect.

image

Found a key in the database.

image

Looking for the website's backend password.

image.png

Backend Login#

Logged in to the backend with the account and password. After logging in, found another key.

image.png

The backend has a file upload function.

image.png

Accessing an uploaded file randomly will display an error message with the file path.

image.png

D:\web\upfile\affix\

File Upload#

Upload a normal image file randomly.

image.png

In the image above, the file with ID 44 has a file description.

Note: If the file name is too long, the system will truncate it to the first 32 characters, including the system time, as the file name. Please do not use a file name that is too long. We apologize for any inconvenience caused.

The system will truncate the uploaded file's .jpg extension using the truncation function. Since it is not necessary to have the .jpg extension, according to the above prompt, the truncation will start at 32 characters. So, we need 8 characters for the image name.

Prepare the following file:

image.png

The uploaded file will look like this:

image.png

Webshell Connection#

Concatenate the webshell URL based on the website path.

D:\web\upfile\affix\

http://192.168.10.22:27689/upfile/affix/638252986630625000-88888888.aspx

image.png

View the current user's permissions, which are ordinary user permissions.

image.png

At the same time, the second key can be found in the website's web directory.

image.png

The last key is on the desktop in the administrator directory, but we don't have permission to access the contents of this directory at the moment.

image.png

Database Connection to Obtain Key as sa#

Continue to search for the website's configuration file and find the file D:/web/web.config.bak.2017-12-12 containing the sa account for the database.

image.png

Log in to the database using the sa account, and then use xp_cmdshell to view the file, right?

use master;
exec master..xp_cmdshell 'dir "c:\Documents and Settings\Administrator\桌面\"'

image.png

Obtained the last key.

image.png

Environment Link#

Link: https://pan.baidu.com/s/140cLWvmzs0CauuA_JOro5A
Password: 6666

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.