Vulnhub tre1
2022-07-07 20:07:00 【Plum_ Flowers_ seven】
Contents
III. Service version discovery
V. Breaching the perimeter
1. Try the mantis RCE vulnerability
2. Deeper directory brute force, more information gathering
3. Pre-Auth Remote Password Reset
VI. Privilege escalation through a shell script
3. Write the reverse shell statement
Note: deploy the target machine with VMware where possible, and set the network mode to NAT.
I. Host discovery
II. Port scanning
III. Service version discovery
22: ssh
80 and 8082: both serve HTTP, but with different web server software.
IV. Information gathering
1. Ports 80 and 8082
Both serve HTTP and host the same site with the same page. The page source contains no useful information.
2. Directory brute force
(1) adminer.php
(2) info.php
This reveals some configuration file paths, the site environment, and so on.
(3) system
Returns 401: the site requires a login. We tried the weak password admin/admin and got in.
(4) The response packet
This header in the captured response is what is used to verify identity (it is the Basic credential admin:admin, base64-encoded):
Authorization:Basic YWRtaW46YWRtaW4=
V. Breaching the perimeter
1. Try the mantis RCE vulnerability
Copy the exploit to the local machine, change rhost, lhost and mantisloc in the exp, add the Authorization header, and then run it.
nc -nvlp 4444
2. Deeper directory brute force, more information gathering
That is, add the Authorization header and brute-force again:
dirsearch -u url --header="Authorization:Basic YWRtaW46YWRtaW4="
Many new paths show up.
(1) config
We obtained the database account, password and database name. Combined with the adminer.php interface found earlier, try logging in.
(2) Gathering information after login
Here we can see both the original account and the one we registered. We did not enter a password during registration, so we infer that the blank column is the password. Try logging in over ssh.
(3) ssh login
3. Pre-Auth Remote Password Reset
This is a vulnerability that allows a remote password change before authentication.
Here is also a description of how it is used: the remote password change is verified against a hash, but we set that value to empty and bypass the check directly.
Once logged in as the administrator we can also see the account password, and then log in via ssh.
VI. Privilege escalation through a shell script
1. Shell command
find / -user root -type f -perm -o=rw -ls 2>/dev/null | grep -v "/proc"
check-system is not a built-in system command, so we can inspect it.
2. check-system
The program is started at boot by systemd, the system and service manager. systemd is the first process to run at boot and always has process ID (PID) 1; every other process on the machine is started either by systemd directly or by a process that systemd started. Combined with the sudo permission above, we guess it is related to startup at boot.
3. Write the reverse shell statement
4. Reboot to trigger it
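The find command in section VI and the systemd reasoning above both point at one risk: a root-owned file that is writable by others and launched at boot. The following POSIX shell audit is added here and is not part of the original walkthrough; it reproduces that check and then reports which systemd unit files reference each hit. The search root, expected owner and unit directory are parameters assumed so the check can be exercised on a constructed tree.

```shell
#!/bin/sh
# Added audit helper; not part of the original walkthrough.
# Step 1 reproduces the page's check (files owned by root but writable by others).
# Step 2 links each hit to systemd unit files that reference it, since a writable
# script launched at boot by a unit is the escalation path the walkthrough describes.
# Parameters (assumed, to make the check testable): search root, expected owner,
# and the systemd unit directory.

world_writable_files() {
    root="$1"; owner="${2:-root}"
    # -0002 = "other" write bit set; the page's -o=rw additionally requires read.
    find "$root" -xdev -user "$owner" -type f -perm -0002 ! -path '/proc/*' 2>/dev/null
}

units_referencing() {
    # Print each unit file under $2 whose content mentions the path $1.
    grep -l -F -- "$1" "$2"/*.service 2>/dev/null || true
}

audit_startup_writable() {
    root="$1"; owner="${2:-root}"; unitdir="${3:-/etc/systemd/system}"
    status=0
    # Paths are split on whitespace here; fine for system paths, not arbitrary names.
    for f in $(world_writable_files "$root" "$owner"); do
        units=$(units_referencing "$f" "$unitdir")
        if [ -n "$units" ]; then
            echo "RISK: $f is writable by others and started by: $units"
            status=1   # non-zero exit: a boot-time escalation path exists
        else
            echo "WARN: $f is writable by others"
        fi
    done
    return $status
}

# Stand-alone use: audit the live system (needs read access to the unit directory).
if [ "${1:-}" = "--run" ]; then
    audit_startup_writable / root /etc/systemd/system
fi
```

A non-zero exit means at least one world-writable file is referenced by a unit; fixing the file mode (or the unit) removes the restart trigger this walkthrough relies on.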