Penetration Testing Series - VulnHub–ctf-usv

Main text:

I.

1.

Getting into the host:
At the GRUB bootloader menu,
append init=/bin/bash after quiet

2. Modify the network file

warning:changing a readonly file   no permission
ls -la
rw
read-only
passwd root  no permission
Resolved

II.

Result: Nmap scan report for 192.168.244.142
Viewing the page source gives:
var _0xeb5f=["\x76\x61\x6C\x75\x65","\x70\x61\x73\x73\x69\x6E\x70","\x70\x61\x73\x73\x77\x6F\x72\x64","\x66\x6F\x72\x6D\x73","\x63\x6F\x6C\x6F\x72","\x73\x74\x79\x6C\x65","\x76\x61\x6C\x69\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x67\x72\x65\x65\x6E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x49\x74\x61\x6C\x79\x3A","\x72\x65\x64","\x49\x6E\x63\x6F\x72\x72\x65\x63\x74\x21"];function validate(){var _0xb252x2=123211;var _0xb252x3=3422543454;var _0xb252x4=document[_0xeb5f[3]][_0xeb5f[2]][_0xeb5f[1]][_0xeb5f[0]];var _0xb252x5=md5(_0xb252x4);_0xb252x4+= 4469;_0xb252x4-= 234562221224;_0xb252x4*= 1988;_0xb252x2-= 2404;_0xb252x3+= 2980097;if(_0xb252x4== 1079950212331060){document[_0xeb5f[7]](_0xeb5f[6])[_0xeb5f[5]][_0xeb5f[4]]= _0xeb5f[8];document[_0xeb5f[7]](_0xeb5f[6])[_0xeb5f[9]]= _0xeb5f[10]+ _0xb252x5}else {document[_0xeb5f[7]](_0xeb5f[6])[_0xeb5f[5]][_0xeb5f[4]]= _0xeb5f[11];document[_0xeb5f[7]](_0xeb5f[6])[_0xeb5f[9]]= _0xeb5f[12]};return false}
At first I assumed this was just JS encoding and programming, so simply working it backwards would do
(1079950212331060÷1988+234562221224)-4469 = 77779673
Entering it gives:
Italy:46202df2ae6c46db8efc0af148370a78
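
The check in validate() worked through in readable form, as an added example that is not part of the original post. It uses only the constants visible in the page source; the function names check, invert and invertAsNumber are hypothetical. A form field's value is a string, so `+= 4469` appends digits rather than adding, and the inversion has to strip that suffix. It also shows why a secret compared in client-side script is recoverable by anyone who can read the page.

```javascript
// Added example. Constants are taken from validate() in the page source.
const APPEND = 4469, SUB = 234562221224, MUL = 1988, TARGET = 1079950212331060;

// Same steps as validate(), with readable names.
// An input's .value is always a string, so `+=` concatenates here.
function check(formValue) {
  let v = String(formValue);
  v += APPEND;  // string + number: the digits "4469" are appended
  v -= SUB;     // `-` coerces the string back to a number
  v *= MUL;
  return v == TARGET;
}

// Undo the steps in reverse order, treating the first one as concatenation.
function invert(target) {
  if (target % MUL !== 0) return null;         // must divide exactly
  const joined = String(target / MUL + SUB);    // value right after the append
  const suffix = String(APPEND);
  if (!joined.endsWith(suffix)) return null;    // no string input can produce it
  return joined.slice(0, -suffix.length);
}

// Purely numeric inversion, i.e. reading `+= 4469` as addition.
function invertAsNumber(target) {
  return target / MUL + SUB - APPEND;
}

const password = invert(TARGET);
console.log("string-aware inversion:", password, "accepted:", check(password));
const numeric = invertAsNumber(TARGET);
console.log("numeric inversion:", numeric, "accepted:", check(String(numeric)));
```

The md5() call in the page source only formats the displayed result and plays no part in the comparison, so it is left out here.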

2.

nmap -A -p0-65535 192.168.244.142

3. Learned something new

15020/tcp open ssl/http Apache httpd
The flag is in the HTTPS signature

4. dirb, with the port included in the scan

dirb https://192.168.244.142:15020

5. Local file inclusion

The page shows:
‘image’ parameter is empty. Please provide file path in ‘image’ parameter
1) I first tried ?image=/etc/passwd, but there was no response
2) So, on this page, add
post image=/etc/passwd
Refresh, and the passwd file downloads
 
2017.7.10
