一、信息收集

        第一步：确定靶机IP为192.168.0.107

        第二步：扫描后台及开放端口

        第三步：进行敏感目录及文件扫描

+ http://192.168.0.107/index.html (CODE:200|SIZE:1620)                    
+ http://192.168.0.107/server-status (CODE:403|SIZE:278)                        
+ http://192.168.0.107/javascript/jquery/jquery (CODE:200|SIZE:275451)                                                                             
==> DIRECTORY: http://192.168.0.107/javascript/jquery/                          
==> DIRECTORY: http://192.168.0.107/javascript/                

        第四步： 使用kali自带的字典，进一步扫描后缀php、html、txt、py、js、asp的文件

gobuster dir -u http://192.168.0.107 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,sh,js,asp

        第五步：访问扫描出来的可能有价值的文件

        

        二、网站爆破

        第一步：发现http://192.168.0.107/exploit.html可以上传文件，提交后出现404

        第二步：F12打开控制台，在查看器处进行修改，重新提交查询后得到前一半FLAG

        第三步：打开bp，抓取http://192.168.0.107/enter_network/admin.php的数据包

GET /enter_network/admin.php HTTP/1.1
Host: 192.168.0.107
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: user=JGFyZ29uMmkkdj0xOSRtPTY1NTM2LHQ9NCxwPTEkY0d0YU1GWkRhamxQTmxjNE1sQlZWZyREcHZGOTlpS0RDMy9aV0h3SlBvUzMrbThyZGFTbmgzTEs5cm5yZ1ZQWktv; role=MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%253D
Upgrade-Insecure-Requests: 1
Priority: u=0, i

        第四步：将role字段进行两次URL解码，再进行MD5解密后得到admin

        %253D是等号=，也可以不选中%253D，直接进行MD5解码得到admin

        第五步：把数据包发送至重放器，将role字段改为admin，发送，得到后半段flag

                                                                                                                        FROM  IYU_