Cyberstrikelab-Lab3

CMS

An fscan scan found taoCMS running on port 3590.

Scan the directories with dirsearch:

    [root@Hacking] /home/kali/lab3 ❯ dirsearch -u http://192.168.10.10:3590/

      _|. _ _  _  _  _ _|_    v0.4.3
     (_||| _) (/_(_|| (_| )

    Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

    Target: http://192.168.10.10:3590/

    [04:11:00] Scanning:
    [04:11:18] 301 - 240B - /ADMIN -> http://192.168.10.10:3590/ADMIN/
    [04:11:18] 301 - 240B - /Admin -> http://192.168.10.10:3590/Admin/
    [04:11:18] 301 - 240B - /admin -> http://192.168.10.10:3590/admin/
    [04:11:18] 200 - 77B - /admin%20/
    [04:11:18] 301 - 241B - /admin. -> http://192.168.10.10:3590/admin./
    [04:11:19] 200 - 77B - /Admin/
    [04:11:19] 200 - 77B - /admin/
    [04:11:19] 200 - 66B - /admin/admin.php
    [04:11:20] 200 - 77B - /admin/index.php
    [04:11:32] 200 - 0B - /api.php
    [04:11:37] 200 - 0B - /config.php
    [04:11:38] 301 - 239B - /data -> http://192.168.10.10:3590/data/
    [04:11:44] 200 - 894B - /favicon.ico
    [04:11:50] 200 - 0B - /include/
    [04:11:50] 301 - 242B - /include -> http://192.168.10.10:3590/include/
    [04:11:50] 200 - 4KB - /index.php
    [04:11:50] 200 - 4KB - /index.pHp
    [04:11:50] 200 - 4KB - /index.php.
    [04:11:51] 200 - 740B - /install.php
    [04:11:51] 200 - 740B - /install.php?profile=default
    [04:11:51] 404 - 0B - /index.php/login/
    [04:11:53] 200 - 1KB - /LICENSE
    [04:11:53] 200 - 1KB - /license
    [04:12:04] 200 - 2KB - /README.MD
    [04:12:04] 200 - 2KB - /README.md
    [04:12:04] 200 - 2KB - /readme.md
    [04:12:04] 200 - 2KB - /ReadMe.md
    [04:12:04] 200 - 2KB - /Readme.md
    [04:12:05] 200 - 977B - /rss.php
    [04:12:11] 301 - 243B - /template -> http://192.168.10.10:3590/template/

    Task Completed

Brute-forcing the password failed; a search turned up the default user credentials: admin/tao. Go to the file management interface and add a backdoor.

The connection succeeded.

flag1 was obtained from the root directory, and a session was brought up in msf, which shows the highest privileges.

A session was also brought up in cs.

Grab the hashes ...

July 18, 2025 · 2 min · 645 words · HYH