task1

How many TCP ports are open?

问多少个tcp端口开放，用nmap扫描

nmap -sV -sT IP

Task1

When visiting the web service using the IP address, what is the domain that we are being redirected to?

访问web服务的时候，被重定向的域是什么？

浏览器访问目标靶机的IP，发现重定位了地址

Task1

What Nmap scanning switch employs the use of default scripts during a scan?

问nmap什么选项是使用默认脚本进行扫描

-sC

Task1

During our scan, which port do we find serving MySQL?

问Mysql的端口，通过fscan扫描得

Task1

What does the acronym SQL stand for?

问SQL的全称是什么

SQL的全称是 Structured Query Language

Task1

Which TCP port is open on the machine?

问哪个TCP端口是开放的，用fscan扫描，fscan -h能扫出来有一个端口是6379

Intrasight

先是看题目源码说有公开的服务

然后这里找到有一段说有个fetch端点

signin

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

<?php
highlight_file(__FILE__);

$blacklist = ['/', 'convert', 'base', 'text', 'plain'];

$file = $_GET['file'];

foreach ($blacklist as $banned) {
    if (strpos($file, $banned) !== false) {
        die("这个是不允许的哦~");
    }
}

if (isset($file) && strlen($file) <= 20){
    include $file;
}; 

给了waf，说不能用/，convert，base，text，plain

filter伪协议算是用不了了，然把目光放到data伪协议，data伪协议可以省略MIME类型，可以不需要//text/plain

web279

Java的struct2-001漏洞

到/S2-001页面，输入用户名和密码

用户名随便输，比如admin，密码换成漏洞利用的poc