# Web Range-126-127

## Challenge 126

## Challenge 127

![image](https://hackmd.io/_uploads/ryF-WzNKxx.png)

* Nmap
  * ![image](https://hackmd.io/_uploads/BJX3bzEFxg.png)
* The main thing here is this form
  * ![image](https://hackmd.io/_uploads/ry2mfM4Fle.png)
* There is a git leak; downloaded it and found several PHP files. First looked at the upload path
  * ![image](https://hackmd.io/_uploads/BJKWvM4Kex.png)
  * ![image](https://hackmd.io/_uploads/H1xuDfEFgl.png)
* Looks like it only restricts the application (content) type, so try uploading a phpinfo
  * ![image](https://hackmd.io/_uploads/rJGl_zNFgg.png)
  * ![image](https://hackmd.io/_uploads/BygkFzEFxl.png)
* The file extension is already filtered on the front end
  * ![image](https://hackmd.io/_uploads/SyotFzNYgl.png)
* Bypassing the front end is enough
  * ![image](https://hackmd.io/_uploads/rynpm7NKex.png)
  * ![image](https://hackmd.io/_uploads/Sy63XXVFee.png)
  * ![image](https://hackmd.io/_uploads/Hkp0XQEtxl.png)
* Upload a webshell
  * ![image](https://hackmd.io/_uploads/S1rDEQEFge.png)
  * ![image](https://hackmd.io/_uploads/By58N7EYlg.png)
* Got shell as www-data
  * ![image](https://hackmd.io/_uploads/Sy3GrmNKxx.png)
* Found DB credentials
  * ![image](https://hackmd.io/_uploads/HyEZeSFKgx.png)
  * ![image](https://hackmd.io/_uploads/r1emeHYFxl.png)
  * `myvalue:#D@yZer0UnhackUserMYVALUE`
* `find` has SUID permission
  * ![image](https://hackmd.io/_uploads/SybJXLFtle.png)
  * ![image](https://hackmd.io/_uploads/By-BfLYFgl.png)
  * ![image](https://hackmd.io/_uploads/HkS3f8KYlx.png)

## Answer

* Challenge 126: `customerrequirementdocs`
* Challenge 127: `H2W34DLpbv`

## Poc

```python
import requests, argparse

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="CPENT Web Range Challenge 126")
    parser.add_argument("-u", "--url", required=True, help="Target.")
    parser.add_argument("-c", "--command", help="Command to execute. Required when not using interactive mode.")
    parser.add_argument("--path", help="Upload path.", default="/customerrequirementdoc")
    args = parser.parse_args()
```
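The root cause in Challenge 127 is that the upload form only checks the extension in the browser and only looks at the client-supplied content type on the server, so anything that skips the front end lands as executable PHP. The handler below is an added example of what the server side should have done; it is not the challenge target's code, and the field name `document`, the allow-list of document types and the storage directory are assumptions for illustration.

```php
<?php
// Added example: server-side validation for a document-upload form.
// Not the target application's code. The allow-list, UPLOAD_DIR and the
// form field name "document" are assumed values for illustration.

declare(strict_types=1);

// Allow-list of document types: final extension => MIME type that libmagic
// must report for the file's actual bytes. A deny-list of "php, phtml, ..."
// is the wrong shape; list what is permitted instead.
const ALLOWED_TYPES = [
    'pdf'  => 'application/pdf',
    // Older libmagic builds report .docx as application/zip; adjust to match
    // the finfo output on the deploying host.
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
];

// Assumed storage path outside the web root, so a file that is accepted is
// never served or executed by the web server regardless of its name.
const UPLOAD_DIR = '/var/app/uploads';

/**
 * Validate one entry of $_FILES and move it into UPLOAD_DIR.
 * Returns the stored path; throws RuntimeException on any rejection.
 * Nothing here trusts what the browser-side JavaScript did or did not check.
 */
function storeDocument(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 1. Extension check on the server, on the final extension only,
    //    lower-cased, against the allow-list. "shell.pdf.php" ends in "php"
    //    and is rejected here; "shell.php.pdf" passes this step but is
    //    caught by the content check and renamed anyway.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('File type not allowed');
    }

    // 2. Ignore $file['type'] (it is whatever the client sent). Sniff the
    //    MIME type from the bytes and require it to match the extension.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->file($file['tmp_name']);
    if ($sniffed !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('Content does not match declared type');
    }

    // 3. Never reuse the client's filename: a random name plus the validated
    //    extension removes path separators, null bytes and double extensions.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }

    // 4. No execute bit; readable only by the application user and group.
    chmod($dest, 0640);

    return $dest;
}

// Form handler (assumed field name "document"):
try {
    $path = storeDocument($_FILES['document'] ?? []);
    echo 'Stored';
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Rejected: ' . htmlspecialchars($e->getMessage());
}
```

If the application must keep uploads under the web root, the same handler still helps, but the directory also needs a web-server rule that refuses to execute scripts there (for Apache, a `php_flag engine off` or `SetHandler` override for that path). Detection-wise, a `.php` or `.phtml` file appearing in an upload directory, or a `www-data` process spawning a shell, are the events worth alerting on for exactly this chain.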