Pickle Rick

####################
Running a directory scan...

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12266

Target: http://10.201.85.253/

[23:30:49] Scanning: 
[23:31:18] 403 -   278B - /.php                                            
[23:32:29] 200 -    2KB - /assets/                                         
[23:32:29] 301 -   315B - /assets  ->  http://10.201.85.253/assets/        
[23:33:48] 200 -    1KB - /index.html                                      
[23:34:03] 200 -   882B - /login.php                                       
[23:35:05] 200 -    17B - /robots.txt                                      
[23:35:14] 403 -   278B - /server-status/                                  
[23:35:14] 403 -   278B - /server-status                                   
                                                                            
Task Completed

Viewing the main page source with F12 shows a hint:

  <!--

    Note to self, remember username!

    Username: R1ckRul3s

  -->

/robots.txt contains: Wubbalubbadubdub, which is presumably the password.

Log in at /login.php.

After logging in, there is RCE:

-rwxr-xr-x 1 ubuntu ubuntu   17 Feb 10  2019 Sup3rS3cretPickl3Ingred.txt
drwxrwxr-x 2 ubuntu ubuntu 4096 Feb 10  2019 assets
-rwxr-xr-x 1 ubuntu ubuntu   54 Feb 10  2019 clue.txt
-rwxr-xr-x 1 ubuntu ubuntu 1105 Feb 10  2019 denied.php
-rwxrwxrwx 1 ubuntu ubuntu 1062 Feb 10  2019 index.html
-rwxr-xr-x 1 ubuntu ubuntu 1438 Feb 10  2019 login.php
-rwxr-xr-x 1 ubuntu ubuntu 2044 Feb 10  2019 portal.php
-rwxr-xr-x 1 ubuntu ubuntu   17 Feb 10  2019 robots.txt

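However, reading a file with cat returns: Command disabled to make it hard for future **PICKLEEEE RICCCKKKK**

The command is probably being blocked by a WAF, so let's try to bypass it or switch to another command such as nl.

Sup3rS3cretPickl3Ingred.txt reads: mr. meeseek hair

clue.txt: Look around the file system for the other ingredient.

Ingredient 2 is found under home.

For privilege escalation, sudo -l shows that any command can be run as root without a password; ingredient 3 is under root.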
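The sudo finding above comes down to a rule that grants ALL commands with NOPASSWD. As an added example (not part of the original post), this is a small audit check that flags such rules in sudoers text; the sample file and its user names are constructed, and the parser covers only plain user specifications, not aliases or includes.

```python
import re

# Constructed sudoers text for illustration; user names are made up.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
webapp  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \\
        /bin/tar
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app, ALL
"""

SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<rest>.+)$")
ITEM = re.compile(r"^(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.*)$")

def logical_lines(text):
    """Join backslash-continued lines; drop blanks and comments.
    Simplification: #include directives are treated as comments."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def risky_entries(text):
    """Return (who, runas) for every rule granting ALL commands with NOPASSWD."""
    findings = []
    for line in logical_lines(text):
        first = line.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        runas, nopasswd = "root", False  # sudo's defaults when nothing is given
        # Split the command list on commas that are not inside "(...)".
        for item in re.split(r",(?![^()]*\))", m["rest"]):
            t = ITEM.match(item.strip())
            if t["runas"] is not None:
                runas = t["runas"]
            # Tags carry over to later commands until the opposite tag appears.
            for tag in re.findall(r"[A-Z_]+", t["tags"]):
                if tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
            if nopasswd and t["cmd"].strip() == "ALL":
                findings.append((m["who"], runas))
    return findings

if __name__ == "__main__":
    for who, runas in risky_entries(SAMPLE_SUDOERS):
        print(f"{who}: NOPASSWD ALL as ({runas})")
```

The "deploy" line is the case a plain grep for "NOPASSWD: ALL" misses: the tag is set on the first command and inherited by the trailing ALL.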

posted @ 2025-11-19 00:15  幽暗天琴沙雕