
Hackthebox: Breadcrumbs

2021-02-27 10:26
Preface
The fee for the online target machine goes to the author who submitted the writeup for that machine.

Breadcrumbs[1]

10.10.10.228 Windows

Foothold

The first step is an nmap scan; if an HTTP service is open, run gobuster against it.

nmap scan: nmap -sC -sV -v 10.10.10.228 -oA nmap/nmap

# Nmap 7.91 scan initiated Thu Feb 25 01:09:30 2021 as: nmap -sC -sV -v -oA nmap/nmap 10.10.10.228
Nmap scan report for 10.10.10.228
Host is up (0.13s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 9d:d0:b8:81:55:54:ea:0f:89:b1:10:32:33:6a:a7:8f (RSA)
|   256 1f:2e:67:37:1a:b8:91:1d:5c:31:59:c7:c6:df:14:1d (ECDSA)
|_  256 30:9e:5d:12:e3:c6:b7:c6:3b:7e:1e:e7:89:7e:83:e4 (ED25519)
80/tcp   open  http          Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1
|_http-title: Library
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1
|_http-title: Library
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after:  2019-11-08T23:48:47
| MD5:   a0a4 4cc9 9e84 b26f 9e63 9f9e d229 dee0
|_SHA-1: b023 8c54 7a90 5bfa 119c 4e8b acca eacf 3649 1ff6
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp  open  microsoft-ds?
3306/tcp open  mysql?
| fingerprint-strings:
|   Kerberos, LDAPSearchReq, LPDString, NCP, RTSPRequest, SSLSessionReq, TerminalServer, giop:
|_    Host '10.10.16.28' is not allowed to connect to this MariaDB server
1 service unrecognized despite returning data. If you know the service/version, please submit
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Ports 80 and 443 are open and both serve the same website. The buttons on the books.php page do not work; viewing the page source reveals:

<script type="text/javascript" src="http://img403.hackdig.com/imgpxy.php?url=sj.skoob%2Fsj%2F.."></script>

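The functions to focus on are getInfo() and searchBooks(), which leak the request parameters and methods; the book parameter in the getInfo function has an LFI vulnerability.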
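
A server-side check that closes this class of LFI, as an added example that is not part of the original writeup or the target's code. The function name resolveBookPath, the books directory and the sample files are assumptions; only the book parameter name comes from the page.

```php
<?php
// Added example: hypothetical handler helper, not the target's code.
// Resolves a client-supplied `book` value to a file inside $baseDir,
// or returns null when the value would escape that directory.
function resolveBookPath(string $baseDir, string $book): ?string
{
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($book === '' || strpos($book, "\0") !== false) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() collapses "..", "." and symlinks, and returns false
    // when the resulting path does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $book);
    if ($target === false || !is_file($target)) {
        return null;
    }

    // Compare against the base plus a trailing separator, so a sibling
    // directory such as "books_backup" does not pass a bare prefix check.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($target, $prefix) ? $target : null; // PHP 8+
}

// Constructed demo tree: one servable file and two files outside the base.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/books', 0700, true);
mkdir($root . '/books_backup', 0700, true);
file_put_contents($root . '/books/book1.html', 'ok');
file_put_contents($root . '/secret.txt', 'not for clients');
file_put_contents($root . '/books_backup/old.html', 'old');

$samples = ['book1.html', '../secret.txt', '../books_backup/old.html', 'missing.html'];
foreach ($samples as $name) {
    $path = resolveBookPath($root . '/books', $name);
    printf("%-26s => %s\n", $name, $path === null ? 'rejected' : 'served');
}
```

The containment test runs on the canonical path that realpath() returns, not on the raw parameter, so it does not depend on filtering particular substrings out of the input.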


Source: https://mp.weixin.qq.com/s?__biz=MzI0NDI2MzgzNQ==&mid=2651185281&idx=1&sn=e0ddb74f7f807140f6edcbc9d3cf2e05
