
Three ports are open: 22, 5000 and 8000. Edit hosts.

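Opening the website turns up nothing useful, directory scanning finds no useful directories either, and port 5000 is of no use for now.
?page=
Try LFI.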

It works, and reveals two users: phil and developer.

Enumerate cmdline; this entry is equivalent to having run the following in a terminal:
python3 /home/developer/app/app.py
If cmdline is unfamiliar, it is worth looking up.

Note this sentence:
don't forget to run the order app first with "dotnet <path to .dll>" command. Use your ssh key to access the machine.
In other words: don't forget to use the dotnet command (with the path to the .dll).


Target found:
curl 'http://bagel.htb:8000/?page=../../../../../../../../../opt/bagel/bin/Debug/net6.0/bagel.dll' -o bagel.dll
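Seen from the defending side, the requests above succeed because the ?page= value is joined to a directory without any check on where the result lands. The following is an added example, not code from the target application or from the original writeup: it shows that join pattern beside a handler that confines reads to one directory. The function names, the served directory and the sample requests other than the bagel.dll path are assumptions constructed for illustration.

```python
import os
import tempfile

class PageNotAllowed(Exception):
    """The requested page resolves outside the served directory."""

def unsafe_resolve(base_dir, page):
    # Pattern that turns ?page= into an LFI: the parameter is joined as-is,
    # so "../" sequences and absolute paths leave base_dir.
    return os.path.normpath(os.path.join(base_dir, page))

def resolve_page(base_dir, page):
    """Return the real path of `page` under base_dir or raise PageNotAllowed."""
    if not page or "\x00" in page:
        raise PageNotAllowed("empty or NUL-containing name")
    base = os.path.realpath(base_dir)
    # realpath collapses "../" and follows symlinks, so the containment check
    # is made on the file that would actually be opened.
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base or not os.path.isfile(target):
        raise PageNotAllowed(page)
    return target

def demo():
    """Run constructed requests against a throwaway served directory."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "index.html"), "w") as fh:
            fh.write("<h1>home</h1>")
        os.symlink("/etc", os.path.join(base, "link"))  # constructed symlink escape
        samples = [
            "index.html",
            "../../../../../../../../../opt/bagel/bin/Debug/net6.0/bagel.dll",
            "/etc/hostname",   # constructed: absolute path replaces the base
            "link/hostname",   # constructed: symlink pointing outside the base
        ]
        for page in samples:
            try:
                resolve_page(base, page)
                results[page] = "served"
            except PageNotAllowed:
                results[page] = "rejected"
    return results

if __name__ == "__main__":
    for page, verdict in demo().items():
        print(f"{verdict:8} {page}")
```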