Basic interaction: Using the mysql command, connect to the remote SQL instance by specifying root as both the user name and password, along with the default MySQL server port 3306.
kali@kali:~$ mysql -u root -p'root' -h 192.168.50.16 -P 3306
From the MySQL console shell, running the version() function retrieves the version of the running SQL instance.
MySQL [(none)]> select version();
+-----------+
| version() |
+-----------+
| 8.0.21    |
+-----------+
1 row in set (0.107 sec)
Use the system_user() function to check the current database user for the current session.
MySQL [(none)]> sele..
Update packages
$ sudo apt-get update
Download Chrome
$ sudo wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
Install Chrome
$ sudo apt install ./google-chrome-stable_current_amd64.deb
Follow the steps above and exploit the command injection vulnerability on VM #1 to obtain a reverse shell. Since the machine is not connected to the internet, you have to skip the step of cloning the repository from the beginning of this section. Find the flag on the Desktop for the Administrator user. --> OS{cb43ca00e82089ed5bd2f17742c76c25} When a git command is sent through the submit button above, a notice appears saying it was rejected by command injection detection, and..
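This one covers the alternative for an environment where file upload is possible but the uploaded file cannot be executed. Follow the steps above on VM #1 to overwrite the authorized_keys file with the file upload mechanism. Connect to the system via SSH on port 2222 and find the flag in /root/flag.txt. --> OS{b613707f7166ade1bb0e13ad8f1eb485} I find the file upload location, upload a file, then change the file path and check the response, which comes back as shown above. I am not sure whether the file was really uploaded to the parent folder or whether the response simply echoes the user input, but assuming it was uploaded to that location, root's home directo..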
Follow the steps above on VM #1 and exploit the file upload vulnerability. The flag is located in the C:\xampp\passwords.txt file as a password for the mountainadmin user. --> OS{8850c8b0a8cb0e654ae7dcfadc5b0d4f} Looking over the home page, there is a place where files can be uploaded, but uploading simple-backdoor.php is blocked by a PHP filter. Change the extension from php to phP and upload. The upload succeeds, and using a PowerShell one-liner, create a variable text to hold the string and encode its contents. In the parameter, to execute PowerShell, the command ..
Follow the steps from this section to leverage RFI to remotely include the /usr/share/webshells/php/simple-backdoor.php PHP file. Use the "cmd" parameter to execute commands on VM #1 and use the cat command to view the contents of the authorized_keys file in the /home/elaine/.ssh/ directory. The file contains one entry including a restriction for allowed commands. Find the flag specified as the ..
Exploit the Local File Inclusion vulnerability on WEB18 (VM #1) by using the php://filter with base64 encoding to include the contents of the /var/www/html/backup.php file with Burp or curl. Copy the output, decode it, and find the flag. --> OS{4d59cd004b853a37683343a5c4399bb3} Follow the steps above and use the data:// PHP Wrapper in combination with the URL encoded PHP snippet we used in this sec..
Follow the steps in this section and leverage the LFI vulnerability in the web application (located at http://mountaindesserts.com/meteor/) to receive a reverse shell on WEB18 (VM #1). Get the flag from the /home/ariella/flag.txt file. To display the contents of the file, check your sudo privileges with sudo -l and use them to read the flag. --> OS{33a3e4aa90a99657854e9683233a488c} Exploit the LFI..
In this section, we used URL encoding to exploit the directory traversal vulnerability in Apache 2.4.49 on VM #1. Use Burp or curl to display the contents of the /opt/passwords file via directory traversal in the vulnerable Apache web server. Remember to use URL encoding for the directory traversal attack. Find the flag in the output of the file. --> OS{9ca180636c5b6843678c569fde624361} Just the encoding alone..
How many ../ do you need to go from the /var/log/ directory to the root file system (/)? Enter the number below. --> 2 Enter the command in combination with the relative path containing the minimum number of ../ sequences to display the contents of the /etc/passwd file when the current working directory of the terminal is /usr/share/webshells/. --> cat ../../../etc/passwd Follow the steps above and ..