VulnHub: Momentum
2022-07-03 11:47:00 【Plum_ Flowers_ seven】
Contents
II. Service version detection
III. Information gathering
3. Online front-end code editor
IV. SSH login to breach the perimeter
V. Internal information gathering
VI. Redis unauthorized access
I. nmap full port scan
nmap -sT ip

II. Service version detection

III. Information gathering
1. Source code review
The page source contains a commented-out note about AES encryption.
function viewDetails(str) {
    window.location.href = "opus-details.php?id=" + str;
}
/*
var CryptoJS = require("crypto-js");
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
*/
2. XSS is present
Under the cookie I also saw an encrypted string. Evidently we are meant to decrypt it with AES.

3. Online front-end code editor
codepen.io
Use the crypto-js module that has already been written and, with a slight change, run the AES decryption.
This is the result. It should be an account and password.
auxerre-alienum##
IV. SSH login to breach the perimeter
Account: auxerre
Password: auxerre-alienum##

Got a flag.txt

V. Internal information gathering
1. /etc/passwd
There is a redis account, so Redis (a non-relational database) is installed.

2. View listening services
Confirm that Redis is running locally and is not exposed to the external network.
ss -pantu
VI. Redis unauthorized access
1. Open the client
redis-cli
Run info to confirm whether the unauthorized access vulnerability is present.
2. The root password is stored in the Redis database

3. Switch to root
su
Just enter the password
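
A defensive counterpart to the check above, as an added example that is not part of the original post: it audits redis.conf text for the settings that permit unauthenticated access, including the loopback-only case seen on this machine. The sample configs and finding codes are constructed, and it assumes authentication is configured through requirepass only (ACL users are not examined).

```python
import ipaddress

# Constructed sample configs (not taken from the target machine).
LOCAL_ONLY = "bind 127.0.0.1 -::1\nprotected-mode yes\nport 6379\n"
EXPOSED = "# test box\nbind 0.0.0.0\nprotected-mode no\n"
HARDENED = 'bind 127.0.0.1\nprotected-mode yes\nrequirepass "<long-random-secret>"\n'

def parse_conf(text):
    """Map each directive to its argument list; the last occurrence wins."""
    conf = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        conf[parts[0].lower()] = [p.strip("\"'") for p in parts[1:]]
    return conf

def is_loopback(addr):
    """True for loopback IPs; wildcards ("*", "-::*") and hostnames are not."""
    try:
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:
        return False

def audit(text):
    """Return finding codes; an empty list means requirepass is set."""
    conf = parse_conf(text)
    findings = []
    password = (conf.get("requirepass") or [""])[0]
    binds = conf.get("bind") or ["*"]  # no bind directive: all interfaces
    protected = (conf.get("protected-mode") or ["yes"])[0].lower() != "no"
    if not password:
        # Loopback binding still lets every local account connect.
        findings.append("no-auth-local")
        # Without protected mode, a non-loopback bind also admits remote clients.
        if not protected and not all(is_loopback(b) for b in binds):
            findings.append("no-auth-remote")
    return findings

if __name__ == "__main__":
    samples = [("local-only", LOCAL_ONLY), ("exposed", EXPOSED), ("hardened", HARDENED)]
    for name, cfg in samples:
        print(name, audit(cfg) or "ok")
```

The local-only config is still flagged: a loopback bind keeps remote clients out, but any shell account on the host can read whatever is stored in the database.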

VII. scp command
Download a picture to the local machine
scp -r ip:path ./