[OSCP] Directory Traversal
- 2024. 11. 6.
- How many ../ do you need to go from the /var/log/ directory to the root file system (/)? Enter the number below.
--> 2
- Enter the command in combination with the relative path containing the minimum number of ../ sequences to display the contents of the /etc/passwd file when the current working directory of the terminal is /usr/share/webshells/.
--> cat ../../../etc/passwd
- Follow the steps above and leverage the directory traversal vulnerability in the "Mountain Desserts" web application on VM #1. Use curl or Burp to obtain the SSH private key for the user offsec. Use it to connect via SSH on port 2222 and find the flag in the SSH banner, which is displayed after you log in.
--> OS{48332f8355cc2024bcf8725654268a98}
- The target VM #2 runs Grafana on port 3000. The service is vulnerable to CVE-2021-43798, which is a directory traversal vulnerability. Search for "golangexample cve-2021-43798" in a search engine to get familiar with how the vulnerability can be exploited. Use curl and the --path-as-is parameter to find the flag in C:\Users\install.txt.
--> OS{12f6934232b8e39ea4a3cb155c3baeff}
# curl -i http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../home/offsec/.ssh/id_rsa
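Use the command above to view and copy the SSH private key (it starts with ----BEGIN at the bottom of the output).
After copying that key into dt_key, the SSH access attempt with the command above succeeded.
The second problem is simpler.
After the ../ traversal sequences I put in c:\users\install.txt and got a 400 error, so I agonized over it for a long time.. what a waste of time..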
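The defensive counterpart to the lab above, as an added example that is not part of the original post: a containment check for a `page`-style parameter, plus the ../ count from the first two questions. The base directory `/var/www/html/meteor/pages` and all function names are assumptions; the check is purely lexical and does not resolve symlinks.

```python
import posixpath

# Assumed location of the includable pages; not taken from the original post.
BASE_DIR = "/var/www/html/meteor/pages"


class TraversalError(ValueError):
    """Raised when a requested page resolves outside the base directory."""


def resolve_page(page: str, base_dir: str = BASE_DIR) -> str:
    """Map a user-supplied `page` value to a path that must stay inside base_dir."""
    if "\x00" in page:
        raise TraversalError("NUL byte in page parameter")
    base = posixpath.normpath(base_dir)
    # join() discards base_dir when `page` is absolute, so "/etc/passwd" is caught too.
    # normpath() collapses "dir/.." and drops ".." at "/", which is why any
    # surplus of ../ sequences still ends up at the filesystem root.
    candidate = posixpath.normpath(posixpath.join(base, page))
    # commonpath() compares whole components, so "/srv/pages_old" is not
    # mistaken for a child of "/srv/pages" the way a startswith() test would be.
    if posixpath.commonpath([base, candidate]) != base:
        raise TraversalError(f"{page!r} resolves to {candidate!r}, outside {base!r}")
    return candidate


def is_allowed(page: str, base_dir: str = BASE_DIR) -> bool:
    """True when `page` stays inside base_dir, False when it escapes."""
    try:
        resolve_page(page, base_dir)
        return True
    except TraversalError:
        return False


def min_parent_hops(directory: str) -> int:
    """Minimum number of ../ sequences needed to reach / from an absolute directory."""
    return len([part for part in posixpath.normpath(directory).split("/") if part])


if __name__ == "__main__":
    # Constructed inputs: one legitimate page name and the value from the curl request above.
    for value in ("admin.php", "../../../../../../../../../home/offsec/.ssh/id_rsa"):
        print(value, "->", "allowed" if is_allowed(value) else "rejected")
    print(min_parent_hops("/var/log/"), min_parent_hops("/usr/share/webshells/"))
```

In a real application, apply the same comparison to `os.path.realpath()` output so that symlinks inside the base directory cannot point outside it.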